🔎🦶Enumeration/Foothold

Devzat is a Medium box from HTB created by cisco. You start by finding a sub-domain that is susceptible to command injection; reviewing its .git folder with git-dumper highlights this. You use the command injection to get a foothold on the box as the Patrick user. On the box you find the devzat chat from earlier has chats specifically tied to the Patrick user mentioning InfluxDB. After pivoting to and exploiting InfluxDB you are able to find the password for the final user, Catherine. As Catherine you enter the chat once again to find chats specific to her mentioning a backup of the chat and a ‘cool feature’. You find the backup and see that the cool feature allows reading files with the /file command while in chat, which you can use to read the root flag.

Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP:


Once it completes I take the scan and convert it to HTML. I do this as force of habit from client engagements:


Reviewing the results I head over to Port 80, which redirects to http://devzat.htb/. I add it to my hosts file:


Viewing the site I see Devzat, which appears to be a messenger client you access over SSH. A short Google search later I find the GitHub repo Quackduck – Devzat for the app. I log in and review the app as well as the source code but see nothing useful.

Screenshot: devzat.htb showing an SSH messaging app.

I decide to kick off some directory/sub-domain enumeration to see if there are any additional folders or sites. I use the same ffuf command from the previous box, Shibboleth, and find a new sub-domain:


I add pets to my hosts file and navigate to the link. I try adding a pet, which works. When I delete the pet I get the error ‘Not implemented yet.’. Running this through Burp Suite I was able to test and exploit command injection and get a shell, but here is the easier approach:

Kick off a directory scan with FeroxBuster:


Results show a .git directory, which means you can use Arthaud – Git-Dumper to recover the repository:


Reviewing the extracted Git repository you can confirm inside main.go that the species value is passed into a shell command without proper input sanitization:
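As an added illustration (not the project's actual main.go), a hypothetical Go handler showing the pattern described here: the species value concatenated into a shell command line, a simple metacharacter check a defender can log or alert on, and a hardened form that allowlists the value and avoids the shell entirely. The /opt/pets path and the ls command are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Hypothetical reconstruction of the vulnerable pattern: the species value is
// dropped straight into a shell command line, so a ';' in the input ends the
// intended command and whatever follows runs as a second one.
func buildVulnerableCommand(species string) string {
	return "ls /opt/pets/" + species // assumed path, not from the page
}

// Shell metacharacters that turn one command into two. Matching a request
// parameter against this is a cheap detection rule for this bug class.
var shellMeta = regexp.MustCompile("[;&|$`\n]")

func looksLikeInjection(species string) bool {
	return shellMeta.MatchString(species)
}

// Hardened form: allowlist the value and pass it as an argv element, so no
// shell ever parses it and ';' would be a literal character.
var validSpecies = regexp.MustCompile(`^[a-z]{1,20}$`)

func buildSafeCommand(species string) (*exec.Cmd, error) {
	if !validSpecies.MatchString(species) {
		return nil, errors.New("invalid species")
	}
	return exec.Command("ls", "/opt/pets/"+species), nil
}

func main() {
	// Constructed sample input mirroring the ';' technique the walkthrough uses.
	input := "cat; id"
	fmt.Printf("shell line: %q  suspicious=%v\n", buildVulnerableCommand(input), looksLikeInjection(input))
	if _, err := buildSafeCommand(input); err != nil {
		fmt.Println("hardened handler rejected input:", err)
	}
}
```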

By appending a ; followed by a second command I am able to use the command injection to execute arbitrary code. I opened Burp and intercepted the request. I tried using wget to pull a non-existent file:


After getting a response I then tried using a bash one-liner to get a reverse shell on the box. I kept running into issues, so I base64 encoded it:

After receiving the response I was successfully on the box as the patrick user. I went to his home directory and grabbed his SSH key:


I copied it to my machine and logged in as Patrick:


Navigating around as Patrick I can see the user flag sits in the Catherine user's home directory, so she is who I aim for next. I grab the latest copy of LinPEAS to my box and copy it to the victim:

🔪 Attacker Machine

🎯 Victim Machine


While LinPEAS was running I opened an additional SSH session and logged back into the chat, this time as the Patrick user:


The chat mentions an InfluxDB, but I hadn’t run into it thus far. Reviewing the LinPEAS output I can see another service running inside a Docker container on the box:

I use SSH to forward each port to my box. Port 8086 returns an HTML page with 404 – Page Not Found, so I use NMAP to fingerprint the service:

🔪 Attacker Machine

I Googled ‘InfluxDB http admin 1.7.5’ and it came back with a GitHub exploit result, LorenzoTullini – InfluxDB-Exploit-CVE-2019-20933. I grabbed the exploit and ran it:


🔝Escalation to Root

Finally I use Catherine’s password to switch user and grab the user flag. As I did earlier with Patrick, I log into the chat service as Catherine to see if there is another hint. I see a conversation between her and Patrick:


They mention a ‘cool feature’, ‘password’, ‘backup’ and Port 8443. I begin looking for the backup and run LinPEAS again with extended flags in the background. I find two files in /var/backups, which LinPEAS also highlights:

I copy them both into a temporary directory and unzip them. Running ls -la on both directories shows a difference of four files. I run a diff against both directories and see something interesting:


I log into the chat on Port 8443, which has the special function. I run the /file command from the script above and get the root flag.


Since this isn’t an ‘official’ root, as I did not log in as the root user, I began running hashcat against the root user’s hash 😢.

Rooted

Published On: June 8th, 2022 / Categories: HTB, Technology
