This is my write up for TryHackMe's HaskHell Room.
Enumeration
Nmap scan shows that SSH is running. We also see that port 5001 is open and running an HTTP server on it.
Opening the website, we see the following:
We then check the homework:
The first thing that comes to mind is a file upload vulnerability. The problem is that the link leads to nowhere.
Using dirb, we see another directory.
Checking it out, we see a way to upload files.
Exploitation
Trying to upload any random file leads nowhere. Let's look again at the homework page:
So it only accepts Haskell files and it will be ran and executed. Let's test it out then.
From https://www.schoolofhaskell.com/user/dshevchenko/cookbook/call-system-command, we see that it's possible to make system calls through Haskell.
Let's try if the following works:
Uploading the file, we get to see the files in the directory:
We can then get a shell.
And we got a shell.
Privilege Escalation
Checking for other users, we see that we have access to user prof's files.
Using prof's id_rsa file, let's ssh to the machine and see if we can use his account.
We see that we can run flask as root.
First we need to set the FLASK_APP variable and write the script.
Running flask should give us root!
No comments:
Post a Comment