HaskHell TryHackMe Walkthrough

Musyoka Ian
8 min read · Jun 18, 2020

Hello guys, back again with another walkthrough. This time I'm gonna be doing HaskHell from TryHackMe. What I really liked about the box is that the author left clues on how to tackle it, so at each step you had a roadmap, and if you follow that roadmap you'll get the root flag in no time.

The box starts off with a website that allows uploading scripts written in the Haskell programming language. The scripts get executed, so knowing this you upload code that gives you remote code execution (RCE) through the box's web server. With that RCE you can run a bash reverse shell one-liner and get a shell on the box. Running linpeas you notice that prof left his SSH private key in the .ssh folder of his home directory; you copy the private key back to your box and use it to log in as prof. USER DONE!!! Running linpeas again you notice that you can run flask with root privileges, so you create a Python script that executes bash, trick the flask application into running it, and with that you are basically root.

The author of the box, sgtscout, really did a great job and made each part of the box interesting. When I started the box I had not heard of Haskell before, but by the end I had learned a thing or two about the language, and kudos to him for that. Without much more to say, let's jump in.

As always we're going to start off with an nmap scan of the box. This gives us a pretty good idea of the services that are running, and if we are lucky we might find an outdated service with an exploit available and use that to get a shell on the box.

Looking at the results we have 2 ports open.

SSH and HTTP are running on the box. SSH requires credentials (a username and password) which we do not have. The next best thing would be to try to brute-force the credentials, but I opted against that since account lockouts are common these days, and since we don't want to get banned we'll leave SSH for now.

Next we can enumerate HTTP, which is running on port 5001.

On opening the website we get a standard webpage.

But from reading the homepage we learn that it's a professor's webpage that allows students to submit assignments, and that the professor teaches programming. I checked whether common files like robots.txt existed on the web server but wasn't lucky. Looking at the source code of the homepage nothing really sticks out, but we do get a link to a page called /homework1.

I decided to look at that page, and we see that the computer science professor was teaching the Haskell programming language and had left some assignments that had to be submitted online.

So we could submit some Haskell scripts as our "assignment", nothing malicious 😀, and as seen on the webpage above the script will get compiled and run, with the output of the code piped to a file in the upload directory.

But how do we upload our "assignment"? Since I didn't have the answer I ran gobuster, a tool used to brute-force URIs (directories and files) as well as DNS subdomains.

And as you see below, one directory came back with a status code of 200: /submit

I decided to visit the URL.

And sweet, we have a way to upload Haskell scripts which will get compiled and executed. Knowing this, my first thought was to upload a script that executes system commands on the target system.

I figured that if I could find a way to execute system commands from Haskell I could use it to get a shell on the box, since the uploaded Haskell scripts are compiled and the compiled program is run by the system.

So I went to Google and searched for how to execute system commands with the Haskell programming language, and a Stack Overflow page came up that demonstrated exactly that.

So I wrote a simple Haskell script, changing the command a little so that the script only performs a directory listing when it gets executed.

I saved the script and uploaded it, then intercepted the request using Burp Suite, an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.

When I sent the request I got a 302 redirect.

I followed the redirect, which led me to uploads, and voila, we see that the code executed the system command ls -la.

Sweet, now that we have code execution we should get a reverse shell back to our box. The one-liner reverse shells I normally use come from the pentest monkey reverse shell cheat sheet.

I copied a bash reverse shell one-liner into Burp Suite and changed the IP address,

set up a netcat listener,

and executed the command.

But I got an error.

So I made sure the one-liner was being executed in a bash context by wrapping it in bash -c "", as seen below:

bash -c "reverse shell command"

And executed the script again.

This time I never got any output in Burp Suite after running the command, which is a good thing,

because going to my netcat listener I got a shell!!!!!!

Sweet, now that we have a shell on the box I uploaded linpeas, a Linux privilege escalation awesome suite that automatically checks for privilege escalation vectors and outputs the results with really awesome colors. After it ran I got an output showing that the user prof left his SSH private key in his .ssh folder, and we had access to both the folder and the key.

I copied it to my box, and looking at it, it's not even encrypted, meaning we don't have to brute-force the passphrase.

I gave it the right permissions using the command below

chmod 600 prof.key

And then tried logging in to the box as prof.

And voila, we are in the box as user prof and have access to the user.txt flag, which we can submit to earn the points.
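A quick check from the defensive side, as an added example that is not part of the original walkthrough: it audits a private key file for the two things that made prof's key usable here, a key readable by other accounts and a key with no passphrase. The OpenSSH header parsing and the sample keys are constructed for this demo and contain no real key material.

```python
import base64
import os
import stat
import struct
import tempfile

def _openssh_blob(cipher: bytes, kdf: bytes) -> str:
    # Constructed sample holding only the openssh-key-v1 header fields the
    # checker reads (magic, ciphername, kdfname, empty kdfoptions); no key material
    s = lambda b: struct.pack(">I", len(b)) + b  # SSH wire-format string
    raw = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"")
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

UNENCRYPTED_KEY = _openssh_blob(b"none", b"none")        # like prof's key
ENCRYPTED_KEY = _openssh_blob(b"aes256-ctr", b"bcrypt")  # passphrase-protected
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")

def key_is_encrypted(text: str) -> bool:
    """True if the private key needs a passphrase (OpenSSH or legacy PEM format)."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        b64 = "".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----"))
        raw = base64.b64decode(b64)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"  # ciphername "none" = no passphrase
    return "Proc-Type: 4,ENCRYPTED" in text  # legacy PEM marks encryption this way

def audit_private_key(path: str) -> list:
    """Findings for one key file: loose permissions and/or missing passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:o} is readable by group/other")
    with open(path) as f:
        if not key_is_encrypted(f.read()):
            findings.append(f"{path}: private key has no passphrase")
    return findings

def demo() -> list:
    # Write the constructed unencrypted sample world-readable and audit it
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as f:
        f.write(UNENCRYPTED_KEY)
    os.chmod(f.name, 0o644)
    return audit_private_key(f.name)
```

Run over every id_* file under users' .ssh directories, the same check reports the two weaknesses before a low-privileged shell on the box finds them.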

Again I ran linpeas, and got an output showing that we could run flask as the root user without supplying root's password. Flask is generally used to run Python web applications.

So I tried running the flask application and got a unique error:

You did not provide the FLASK_APP environment variable

I googled that error and found that we need to specify the Python script that flask will run when it's called, and put its path in an environment variable. Knowing this, I created a simple Python script called shell.py that calls bash when it's executed by the flask application.

I pointed flask's environment variable at the script so that when flask is called it executes our Python script and gives us a root shell on the box, using the command below:

export FLASK_APP=/dev/shm/shell.py

On executing flask as root

We get root on the box!!! 😃
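As an added example (not from the original post), a small sudoers audit in Python that flags the kind of entry that led to root here: a NOPASSWD rule for flask, or another program that runs whatever code the caller points it at. sudo's env_reset normally strips variables like FLASK_APP from the caller's environment, so the check also reports Defaults lines that turn that off or whitelist variables; the sudoers text is a constructed sample, not the box's real file.

```python
import os
import re

# Programs whose sudo entry hands the caller arbitrary code execution as the
# run-as user: flask loads whatever module FLASK_APP names, python runs any file.
CODE_LAUNCHERS = {"flask", "python", "python2", "python3"}

# Constructed sample sudoers (not the box's real file); the prof line mirrors
# the finding the walkthrough describes.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "FLASK_APP"
root    ALL=(ALL:ALL) ALL
prof    ALL=(root) NOPASSWD: /usr/bin/flask
backup  ALL=(root) NOPASSWD: /bin/cat /var/log/syslog   # single file read, not flagged
"""

# user host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> list:
    """Return (line, reason) pairs for rules that let a non-root user run code as root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            # sudo strips the caller's environment unless env_reset is off or the
            # variable is whitelisted; either lets FLASK_APP reach the root process
            if "!env_reset" in line or "env_keep" in line:
                findings.append((line, "caller environment reaches the sudo'd process"))
            continue
        m = RULE_RE.match(line)
        if not m or m["user"] == "root":
            continue
        runas = m["runas"] or "root"
        suffix = " without a password" if "NOPASSWD" in m["tags"] else ""
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((line, "unrestricted command list" + suffix))
            elif prog in CODE_LAUNCHERS:
                findings.append((line, f"{prog} runs caller-chosen code as {runas}" + suffix))
    return findings
```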

Now we can submit our root flag and earn the points

That's it for now guys, till next time, take care.

For more reading you can use the links below:

Stack Overflow: Haskell language

Stack Overflow: Flask environment variable
