HaskHell — TryHackMe — Writeup

TonyRahmos
Nov 24, 2020


Hello. I’m Rahmos. Here is my HaskHell — TryHackMe — Writeup. Check it out!

First, deploy the machine and scan it with nmap for open ports:

nmap -A -p- -T4 -v <ip>

[screenshot: nmap output]

Two ports are open: 22 (SSH) and 5001 (HTTP). First, let’s access the website.

[screenshot: website]

There’s a link under homework here. Let’s access it.

[screenshot: /homework1]

However, when I try to upload the “homework”, the page returns “not found”.

[screenshot: /upload]

So, let’s find more hidden directories using gobuster:

gobuster dir -u http://<ip>:5001 -w /path-to-wordlist

[screenshot: gobuster output]

Aha! Now I’ve found where to upload the file.

[screenshot: /submit]

When I upload the Haskell code, it will be compiled and run directly. So I googled “how to execute command haskell” and found this on Stack Overflow:

Now I’ll write a simple Haskell program and upload it.

[screenshot: example.hs]

This Haskell code will execute the command “ls -la” on the target machine once it’s compiled and run. Let’s upload it and use Burp Suite to intercept and read the response.

[screenshot: Burp Suite]

So, when I upload the file, I will be redirected to /uploads.

[screenshot: response]

And here is the response! The command executed successfully. So, instead of “ls -la”, I will change the command to spawn a reverse shell for me.

The red box will be your VPN ip. Then start a listener on your machine using nc:

nc -lvnp 4444

And upload the file again.

[screenshot: reverse shell]

Bingo! Now I have a shell on the target. Spawn a tty shell for stability using python:

python -c 'import pty; pty.spawn("/bin/bash")'

Move around and find the first flag. It will be in /home/prof.

[screenshot: user.txt]

Now I’ll find a way to own root and get the final flag.

There is a private ssh key inside prof’s home folder. So let’s transfer this key to our machine and ssh to the target as prof.

[screenshot: private ssh key]

First, start an http server from the target machine using python:

python -m SimpleHTTPServer 9000

Then from your machine:

wget <target-ip>:9000/id_rsa

[screenshot: wget]

Now the key has been transferred to my machine. Let’s ssh using this key:

ssh -i id_rsa prof@<ip>

[screenshot: ssh as prof]
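The foothold-to-user step above worked because a private key in prof’s home could be read by the account the web service ran as. The following audit script is an added example for this writeup (not code from the original post or from the box): it walks a directory tree, recognises private keys by their PEM header rather than by file name, reports any key whose mode grants group or world read access, and tightens the mode to 0600. The sample tree it builds in a temporary directory is constructed data; a real run would point `find_exposed_keys` at `/home`.

```python
"""Find private SSH keys that users other than their owner can read.

Added example for this writeup, not part of the original post. The temporary
files created by build_sample_tree() are constructed sample data.
"""
import os
import stat
import tempfile

# Header lines that mark OpenSSH and legacy PEM private keys.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def is_private_key(path):
    """True if the file starts with a known private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(PRIVATE_KEY_MARKERS)


def find_exposed_keys(root):
    """Return (path, octal mode) for every private key readable by group or other."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # Skip symlinks and non-regular files, then check the content header.
            if not stat.S_ISREG(st.st_mode) or not is_private_key(path):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append((path, oct(stat.S_IMODE(st.st_mode))))
    return exposed


def fix_key_permissions(path):
    """Restrict a key to owner read/write (0600), the mode ssh itself insists on."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def build_sample_tree():
    """Constructed sample: one world-readable key, one locked key, one public-key decoy."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    ssh_dir = os.path.join(root, "prof", ".ssh")
    os.makedirs(ssh_dir)
    loose = os.path.join(ssh_dir, "id_rsa")
    with open(loose, "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-not-a-real-key\n")
    os.chmod(loose, 0o644)  # readable by everyone: the finding we expect
    tight = os.path.join(ssh_dir, "id_ed25519")
    with open(tight, "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-not-a-real-key\n")
    os.chmod(tight, 0o600)  # correctly restricted
    decoy = os.path.join(ssh_dir, "id_rsa.pub")
    with open(decoy, "wb") as fh:
        fh.write(b"ssh-rsa AAAA constructed public key\n")
    os.chmod(decoy, 0o644)  # public key: world-readable is fine
    return root, loose


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for key_path, mode in find_exposed_keys(sample_root):
        print(f"exposed private key {key_path} (mode {mode})")
        fix_key_permissions(key_path)
    print("after fix:", find_exposed_keys(sample_root))
```

Checking the header instead of the name matters because keys are often copied to `backup`, `key.txt` or similar; checking mode bits instead of trying to open the file as another user keeps the audit usable from a cron job running as root.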

Now I’m prof! Again, spawn a tty shell using python as above.

Let’s see if prof can run sudo using sudo -l:

[screenshot: sudo -l]

Well, prof can run /usr/bin/flask run as root with no password required. Let’s see what’s inside flask:

[screenshot: /usr/bin/flask]

However, only root has the right to modify this file:

Let’s run this bin:

So, in order to run this script, you need to set the environment variable FLASK_APP.

Create a flaskapp.py inside prof’s home; inside this .py I will spawn a shell:

[screenshot: flaskapp.py]

then set the environment variable FLASK_APP to flaskapp.py:

export FLASK_APP=flaskapp.py

Then run:

sudo /usr/bin/flask run

[screenshot: root shell]
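The root step works because `flask run` loads whatever module FLASK_APP names, so a sudo rule for it hands the caller control of the code root executes. The script below is an added example for this writeup, not the box’s configuration or any sudo tooling: it reads a sudoers fragment, flags rules granting ALL or granting a binary that takes its code path from an environment variable, and reports whether that variable actually reaches the privileged process (via SETENV, `!env_reset`, or an `env_keep` entry). The sudoers text in SAMPLE is constructed; the ENV_DRIVEN table is an illustrative starting list, with the flask entry being the one this box exercises.

```python
"""Audit sudoers rules for commands whose behaviour the caller controls
through the environment (flask run reads FLASK_APP, for example).

Added example for this writeup. SAMPLE is a constructed sudoers fragment,
not the box's real file. Only the common single-line rule form
(user host=(runas) TAG: command) and Defaults env settings are parsed.
"""
import re
from dataclasses import dataclass, field

# Binaries whose code path is chosen by an environment variable (illustrative list).
ENV_DRIVEN = {
    "/usr/bin/flask": "FLASK_APP",
    "/usr/bin/python3": "PYTHONPATH",
    "/usr/bin/perl": "PERL5OPT",
}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV):\s*)*)(?P<cmd>.+)$"
)
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|SETENV|NOSETENV):")

SAMPLE = """\
# constructed sudoers fragment, not the box's real file
Defaults        env_reset
Defaults        env_keep += "FLASK_APP"
root    ALL=(ALL:ALL) ALL
prof    ALL=(root) NOPASSWD: /usr/bin/flask run
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""


@dataclass
class EnvPolicy:
    env_reset: bool = True  # sudo's default: scrub the caller's environment
    env_keep: set = field(default_factory=set)


def parse_defaults(line, policy):
    """Update policy from a `Defaults ...` line (env_reset and env_keep only)."""
    body = line[len("Defaults"):].strip()
    if re.search(r"(^|,)\s*!env_reset\b", body):
        policy.env_reset = False
    m = re.search(r'env_keep\s*\+?=\s*"?([^"]+)"?', body)
    if m:
        policy.env_keep.update(m.group(1).split())


def audit_sudoers(text):
    """Return a list of (rule, reason) findings for risky rules."""
    policy = EnvPolicy()
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            parse_defaults(line, policy)
        else:
            rules.append(line)

    findings = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            continue
        tags = set(TAG_RE.findall(m.group("tags") or ""))
        cmd = m.group("cmd").strip()
        if cmd == "ALL":
            findings.append((rule, "grants every command"))
            continue
        binary = cmd.split()[0]
        var = ENV_DRIVEN.get(binary)
        if var is None:
            continue
        # The variable reaches the privileged process if the caller may set it,
        # if sudo does not reset the environment, or if it is explicitly kept.
        passthrough = ("SETENV" in tags or not policy.env_reset
                       or var in policy.env_keep)
        prefix = "NOPASSWD " if "NOPASSWD" in tags else ""
        if passthrough:
            reason = f"{prefix}{binary} honours {var}, which the caller controls"
        else:
            reason = (f"{prefix}{binary} honours {var}; it is stripped by env_reset "
                      f"today, so the rule depends on that default never changing")
        findings.append((rule, reason))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_sudoers(SAMPLE):
        print(f"{reason}\n    {rule}")
```

The fix on the box side is to drop the `flask run` rule rather than trim the environment: a development server launcher has no business under sudo, and even with `env_reset` in force the script reports it, because a later `env_keep` line silently turns it back into a root shell.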

Boom! Now I’m root. Get the final flag.

[screenshot: root.txt]

The end.

HAPPY HACKING
