TryHackMe: HaskHell CTF Writeup

Hacktivities
6 min read, Jun 23, 2020

In this article, I will be covering my solution to the “HaskHell” Capture The Flag (CTF) room, available free to members of the TryHackMe platform. I have provided a link to the TryHackMe platform in the references below for anyone interested in trying out this CTF. Without any further delay, let’s jump into the writeup!

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the CTF more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint!

Background

In this CTF, we have apparently been tasked with showing our computer science professor that his PhD isn’t in security. To complete this CTF, I need to find a user and root flag stored on the target machine. For this writeup, I will be using Kali Linux and some tools that come pre-installed with Kali.

Enumeration

I started by scanning the target machine for any open ports and services running on those ports.

The Nmap command can be broken down as follows:

  • -Pn: Disables host discovery.
  • -sV: Performs version detection for the services.
  • -sC: Performs a script scan using the default scripts available in Nmap.
  • -v: Provides verbose details about the Nmap scan.
  • -oN: Outputs scan results to a file.

This scan discovered two open ports: port 22 (SSH) and port 5001 (HTTP). Port 5001 appears to be hosting a website created by the professor.

Reading this webpage, I discovered that the class is learning a functional programming language called Haskell and has been given a link to a homework assignment. Visiting this link presents a new webpage.

Reading this webpage, I discovered that a Haskell file can be uploaded to the target machine, where it will then be compiled and executed. A link is provided to allow me to submit my Haskell file, but it returns a Not Found message.

I figured there was a way to upload a Haskell script and decided to enumerate the website some more using GoBuster to find any hidden directories.

I discovered a single page called “/submit” using GoBuster.

Haskell Reverse Shell

Visiting the “/submit” page provides an upload link where I can submit a Haskell script.

I know that when I upload a Haskell script, it will be compiled and executed. With this in mind, I spent some time learning about the Haskell programming language. I discovered that I could execute system commands from Haskell. I created a “test.hs” Haskell script that uses the “callCommand” function, which creates a new process to run the specified shell command.

By uploading my “test.hs” script, I was able to successfully list the contents of the current directory my script was uploaded to and executed in.

Based on this response, the next step I took was to upload a Haskell script that would create a reverse shell on the target machine. The script I used can be seen below.

After setting up netcat to listen on port 4444, I uploaded my reverse shell Haskell script. This was compiled and executed, which resulted in a reverse shell being created.

As can be seen in the image above, I am logged in as the user “flask”. Listing the contents of the “/home” directory, I can see there are two other users called “haskell” and “prof”.

Looking in the “prof” user’s directory, I found the user flag for this CTF 😃!

Privilege Escalation

I continued performing some manual enumeration and discovered the private SSH key used to log in as the user “prof” in their home directory.

I copied this RSA private key to my host device and used “chmod” to give the file 600 permissions. I can then use this key to SSH into the target machine as the user prof.

Root Privilege Escalation

Once logged in as the user “prof”, I checked which commands could be run with root privileges using sudo.

It appears I can execute the “/usr/bin/flask run” command with root privileges using sudo. However, when I try running this command I receive an error.

Some searching online revealed that the “FLASK_APP” environment variable is used to specify how to load the application. I can use this environment variable to specify a script which will then be executed with root privileges when I run the “/usr/bin/flask run” command. I created a simple Python script that spawns a TTY shell when executed and will hopefully have root privileges.

I then set the “FLASK_APP” environment variable to load my “root.py” script.

Once the environment variable is set, I execute the “/usr/bin/flask run” command and get a new shell with root privileges.
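The environment variable only reaches the sudo’d command if sudo lets it through: by default “env_reset” strips everything except a short allow-list, so a rule like this one is a problem when “!env_reset” is set, when FLASK_APP is in “env_keep”, or when the rule carries the “SETENV” tag. As an added example (not the author’s code), here is a small audit that reads a sudoers file and flags those conditions; the two sudoers excerpts inside it are constructed for the demo and are not taken from the target machine.

```python
import re

# Constructed sudoers excerpts for this example; neither is the file from the CTF machine.
VULNERABLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "LANG FLASK_APP"
root    ALL=(ALL:ALL) ALL
prof    ALL=(ALL) NOPASSWD: SETENV: /usr/bin/flask run
"""
HARDENED_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
prof    ALL=(ALL) NOPASSWD: /usr/bin/flask run
"""

# Commands that load and run code named by an environment variable. Only the pairing
# the writeup documents is listed; extend it for other loaders you care about.
ENV_LOADERS = {"flask": "FLASK_APP"}
# user  host=(runas) TAG: TAG: command, command
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:\w+:\s*)*)(.+)$")


def audit_sudoers(text):
    """Return (severity, message) findings for ways the caller's environment can steer a sudo'd command."""
    env_reset_off, kept, rules, findings = False, set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.split()[0].endswith("_Alias"):
            continue
        if line.startswith("Defaults"):
            env_reset_off |= "!env_reset" in line     # whole environment passed through
            m = re.search(r'\benv_keep\s*\+?=\s*"?([^"]*)"?', line)
            if m:
                kept.update(m.group(1).split())       # variables explicitly allowed through
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    if env_reset_off:
        findings.append(("high", "!env_reset: the caller's whole environment reaches every sudo command"))
    for user, tags, cmds in rules:
        setenv = "SETENV" in tags                     # caller may pass VAR=value on the sudo line
        for cmd in (c.strip() for c in cmds.split(",") if c.strip()):
            var = ENV_LOADERS.get(cmd.split()[0].rsplit("/", 1)[-1])
            if setenv:
                findings.append(("high", f"{user}: SETENV lets the caller set any variable for '{cmd}'"))
            if var and (setenv or env_reset_off or var in kept):
                findings.append(("critical", f"{user}: '{cmd}' runs the code {var} names, and the caller controls {var}"))
            elif var:
                findings.append(("warn", f"{user}: '{cmd}' honours {var}; only env_reset keeps the caller's value out"))
    return findings
```

Even the “hardened” excerpt still earns a warning: granting root for a command whose code is selected by its environment is a weak rule regardless of how the variable is filtered.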

Navigating to the “/root” directory, I found the root flag 😆!

Closing Remarks

This was another fun CTF available on the TryHackMe platform. I’ve been having a lot of fun on the TryHackMe platform recently, which is an excellent place to learn new skills and have fun playing CTFs. Thanks for reading till the end and keep hacking 😄!

Written by Hacktivities

Interested in all things Cyber Security and Technology.