bobloblaw321

TryHackMe - HaskHell

I'll be going over a medium-level CTF on TryHackMe: Haskhell.


 

Scanning & Enumeration

As always, we begin by enumerating the machine's ports and services. I use my personal script to find the open ports with Threader3000 and then scan those ports with nmap:




nmap -T4 -Pn -p22,5001 -A 10.10.47.194

 

Enumerating Services


Port 22: ssh

Even though ssh is open, I leave that alone for now as I probably won't be able to exploit it.


Port 5001: http

A webserver on a CTF is always very interesting, so let's go visit that.

Interesting, a homework assignment. Clicking on our first homework, we find this:

Reading the webpage, we learn that we can upload and run Haskell files only. Yay, we'll be coding in Haskell :). Let's first try to find that upload page. Clicking on the link doesn't work, so we have to enumerate the server a bit more:


python3 /opt/dirsearch/dirsearch.py -u 10.10.47.194:5001 -e '*' -r

A quick dirsearch finds it for us. Browsing to what we found, we have the submission link:



 

Vulnerable WebApp

I figure this web app is vulnerable because it straight up tells us it will compile and run our code for us. The only problem is, I don't know how to code in Haskell! After some googling, I start with a classic 'Hello World' program just to see if the website is telling us the truth:


Uploading it to the submission site:


It works as expected! Great, now let's see if we can figure out how to execute some other commands. Another round of googling and I learned how to read files. So let's see if I can read the /etc/passwd file and find some users:


Uploading:


Cool! Now I know the users on the machine are haskell, flask, and prof.


 

Getting the User Flag

I took a guess that the user flag would be in 'prof' and happened to be right. Adjusting my code to read his user.txt file:


Uploading:


And we have the user flag without even needing a shell!


 

Initial Shell

I tried the same thing to read the root flag, but as expected we get a permission denied, so we are going to need a shell! I was actually able to do this without a shell (see the Bonus section at the end), but I'll show the shell route since that is the logical path to take. After a bit of googling I found a helpful reddit post on how to execute bash commands from a Haskell script. Using that, I created my reverse shell:


And after uploading it, got initial shell access:


 

PrivEsc & Root Flag

Once in as the `flask` user, I looked around a bit to see what I could do:


I had no sudo rights, and after running linpeas I couldn't find anything interesting, so I looked in the prof directory to see if I could find something like RSA keys to SSH in with.


Hey, lucky me! Let's see if that key works for SSH:
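From the defender's side, the finding above is a private key left readable by another local user. The script below is an added example (not the author's or the room's code) that walks a home directory tree and reports private-key files whose mode bits grant read access to group or other. The sample files it builds are constructed placeholders, and it assumes plain POSIX mode bits rather than ACLs.

```python
"""Audit a directory tree for private-key files readable by users other than
the owner.  Added example, not the room's or the author's code; it assumes a
POSIX filesystem where the mode bits are the whole access control (no ACLs)."""
import os
import stat
import tempfile
from typing import List, Tuple

# Header lines that identify PEM-style private keys (OpenSSH, PKCS#1, PKCS#8, EC).
KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)


def looks_like_private_key(path: str) -> bool:
    """Return True if the file starts with a known private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return any(head.startswith(h) for h in KEY_HEADERS)


def find_exposed_keys(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, octal mode) for private keys whose mode
    grants read access to group or other.  Only regular files are checked and
    symlinks are not followed, so a link pointing elsewhere is ignored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            group_or_other_read = st.st_mode & (stat.S_IRGRP | stat.S_IROTH)
            if group_or_other_read and looks_like_private_key(path):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings


PLACEHOLDER_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"PLACEHOLDER-NOT-A-REAL-KEY\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)


def demo() -> List[str]:
    """Build a constructed home directory with three files and return the
    basenames the audit flags.  The key bodies are placeholders, not real keys."""
    home = tempfile.mkdtemp(prefix="prof-home-")
    # Constructed: a key left world-readable in the home directory, as in the write-up.
    exposed = os.path.join(home, "id_rsa")
    with open(exposed, "wb") as fh:
        fh.write(PLACEHOLDER_KEY)
    os.chmod(exposed, 0o644)
    # Constructed: a key with the owner-only permissions ssh itself insists on.
    safe = os.path.join(home, "id_ed25519")
    with open(safe, "wb") as fh:
        fh.write(PLACEHOLDER_KEY)
    os.chmod(safe, 0o600)
    # Constructed: a world-readable file that is not a key and must not be flagged.
    with open(os.path.join(home, "user.txt"), "w") as fh:
        fh.write("flag placeholder\n")
    return sorted(os.path.basename(p) for p, _mode in find_exposed_keys(home))


if __name__ == "__main__":
    print(demo())  # ['id_rsa']
```

Run it as root over /home (or over a single user's directory) to get the same view an unprivileged local user would have of other users' keys. The check looks at the file's own mode only; a key stored under a 0700 directory is protected by the directory even if the file is 0644, and conversely a 0600 key does nothing for a user who can read a copy left elsewhere, so treat the output as a list of places to look rather than a verdict.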


We're in! Now enumerating the professor's sudo rights:

Interesting, we're allowed to run a flask application via sudo. Let's try that out:

Something goes wrong when running it. Googling that error, I found that the FLASK_APP environment variable needs to be set to a Python file which runs a Flask app. My guess was that the Python file didn't really need to be associated with Flask at all and that it would just run whatever was in it. So I tried setting the environment variable to a Python script which simply spawns a shell, expecting it to be run as root. Trying that out:
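The root cause here is a sudo rule that grants a command whose workload is chosen by the caller: `flask run` imports whatever module FLASK_APP names (and, when the variable is unset, falls back to app.py or wsgi.py in the caller's working directory), so the rule is equivalent to "run arbitrary Python as root". The following audit is an added example (not the author's or the room's code) that parses sudoers-style rules and flags this pattern, plus the Defaults settings that let caller environment reach a sudo command. Both sudoers texts are constructed; the actual rule in the room may differ, and the wrapper-script mitigation is an assumed fix, not something the page states.

```python
"""Flag sudoers rules for commands steered by the caller's environment or
working directory, using `flask run` / FLASK_APP as the case in point.
Added example, not the room's or the author's code; all sudoers text here
is constructed for illustration."""
import re
from typing import Dict, List

# Commands that locate what they execute through an environment variable.
# Only flask is on the page; the mapping is an assumption used for illustration.
ENV_DRIVEN_COMMANDS: Dict[str, str] = {
    "flask": "FLASK_APP",
}

# user  host=(runas) [TAG: ...] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def audit_sudoers(text: str) -> List[str]:
    """Return one human-readable finding per risky rule or Defaults line."""
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            if "!env_reset" in line:
                findings.append(f"{line!r}: env_reset disabled, caller environment reaches every sudo command")
            if "env_keep" in line:
                kept = line.split("=", 1)[1].strip().strip('"')
                findings.append(f"{line!r}: env_keep passes {kept} through sudo")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        runas = (m.group("runas") or "root").strip()
        binary = m.group("cmd").split()[0].rsplit("/", 1)[-1]
        var = ENV_DRIVEN_COMMANDS.get(binary)
        if var:
            findings.append(
                f"{m.group('user')} may run {binary} as {runas}; "
                f"{binary} executes the file named by {var} (or app.py/wsgi.py in the caller's cwd)"
            )
        if "SETENV" in tags:
            findings.append(f"{m.group('user')}: SETENV lets the caller override the environment for {binary}")
    return findings


# Constructed sudoers fragment in the spirit of the write-up; not the room's real file.
WEAK_SUDOERS = """
Defaults        env_reset
Defaults        env_keep += "FLASK_APP"
root    ALL=(ALL:ALL) ALL
# constructed rule mirroring the kind of entry the write-up found for prof
prof    ALL=(ALL) NOPASSWD: /usr/bin/flask run
flask   ALL=(ALL) SETENV: /usr/bin/flask run
"""

# Constructed mitigation (assumed, not from the page): sudo grants only a
# root-owned wrapper that sets FLASK_APP and cd's to a fixed directory itself,
# so neither the environment nor the cwd of the caller chooses the code.
HARDENED_SUDOERS = """
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
prof    ALL=(ALL) NOPASSWD: /usr/local/sbin/run-homework-app
"""

if __name__ == "__main__":
    for finding in audit_sudoers(WEAK_SUDOERS):
        print("WEAK:", finding)
    print("HARDENED:", audit_sudoers(HARDENED_SUDOERS))  # []
```

Feed it the output of `sudo -l` style rules or a copy of /etc/sudoers; it is a heuristic, so extend ENV_DRIVEN_COMMANDS with whatever other launchers your hosts grant via sudo. Note that even with env_reset on and no env_keep, a bare `flask run` rule is still flagged, because the cwd fallback gives the caller control without touching the environment at all.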


And we have the root flag!


 

Bonus

For those curious since I mentioned it:

You could actually just read the RSA key directly through the web app and from there SSH in as prof, skipping the reverse shell entirely.


Other takeaway: when I did this I didn't even read the blurb in the room task, but you could have used that Twitter page to find a Haskell reverse shell, which I believe was the original intent. It worked out in the end; I just thought I'd throw some things out there.


I didn't spell out most of the commands I used as I normally do, since this is a medium-level room. If you have questions or feedback about anything I did, as always, you can reach me on the THM website or on their Discord server under the name bobloblaw!


That's all for now, thanks for reading :)
