Devzat from HTB features a sub-domain vulnerable to command injection. On the box you find an exploitable InfluxDB instance and a dev chat whose /file command reads files as root.
Devzat is a Medium box from HTB created by cisco. You start by finding a sub-domain that is susceptible to command injection; dumping its exposed .git folder with git-dumper and reviewing the source highlights this. You use the command injection to get a foothold on the box as the Patrick user. On the box you find the devzat chat from earlier has conversations specifically tied to the Patrick user mentioning InfluxDB. After pivoting to and exploiting InfluxDB you are able to find the password for the final user, Catherine. As Catherine you enter the chat once again to find conversations specific to her mentioning a backup of the chat and a ‘cool feature’. You find the backup and see that the cool feature allows reading files with the /file command while in the chat, which you can use to read the root flag.
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports it finds into Nmap:
Once it completes I take the scan and convert it to HTML. I do this out of habit from client engagements:
Reviewing the results, I head over to port 80, which points to http://devzat.htb/. I add it to my hosts file:
Viewing the site I see Devzat, which appears to be a messaging client you access over SSH. A short Google search later I find the GitHub repo Quackduck – Devzat for the app. I log in and review the app as well as the source code, but see nothing useful.
devzat.htb showing an SSH messaging app.
I decide to kick off some directory and sub-domain enumeration to see if there are any additional folders or sites. I use the same ffuf command as on the previous box, Shibboleth, and find a new sub-domain:
I add pets to my hosts file and navigate to the link. I try adding a pet, which works. When I delete the pet I get the error ‘Not implemented yet.’. Running this through Burp Suite I was able to test and exploit the command injection and got a foothold, but here is the easier approach:
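The sub-domain fuzzing ffuf does here is simply sending the same request with a different Host header for every wordlist entry and keeping the ones whose response differs from the catch-all default. The following is an added example of that logic (not the ffuf command from the post): the transport is pluggable, the baseline label and the stub responses at the bottom are constructed, and the real transport assumes the target answers plain HTTP on the URL you pass it.

```python
"""Virtual-host discovery by fuzzing the Host header, the technique ffuf
automates with -H "Host: FUZZ.<domain>" and a response-size filter.
Added example, not the author's command; the transport is pluggable so the
logic can be exercised offline with the constructed stub at the bottom."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes a Host header value and returns (status, body length).
Transport = Callable[[str], Tuple[int, int]]

# Assumed random label: a name no real vhost should match, used to learn what
# the catch-all default site returns.
BASELINE_LABEL = "zz-not-a-real-vhost-4c1e"


def http_transport(target_url: str, timeout: float = 5.0) -> Transport:
    """Real transport: request target_url but override the Host header."""
    def fetch(host: str) -> Tuple[int, int]:
        req = urllib.request.Request(target_url, headers={"Host": host})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:   # 4xx/5xx still carry a body
            return err.code, len(err.read())
    return fetch


def find_vhosts(domain: str, words: List[str], fetch: Transport) -> Dict[str, Tuple[int, int]]:
    """Return {host: (status, size)} for every candidate whose response does
    not match the default site. Measuring the baseline instead of hard-coding
    an -fs value means you do not need to know the default size up front."""
    baseline = fetch(f"{BASELINE_LABEL}.{domain}")
    hits: Dict[str, Tuple[int, int]] = {}
    for word in words:
        host = f"{word}.{domain}"
        resp = fetch(host)
        if resp != baseline:
            hits[host] = resp
    return hits


# Constructed stub standing in for the target: every unknown vhost gets the
# default page, one name gets a different page.
STUB_RESPONSES = {"pets.devzat.htb": (200, 5208)}


def stub_transport(host: str) -> Tuple[int, int]:
    return STUB_RESPONSES.get(host, (200, 1250))


if __name__ == "__main__":
    words = ["www", "admin", "pets", "dev", "api"]
    print(find_vhosts("devzat.htb", words, stub_transport))
    # Live use (assumed target URL):
    # print(find_vhosts("devzat.htb", words, http_transport("http://devzat.htb/")))
```

Two caveats a practitioner will hit: if the default page is dynamic (a timestamp or CSRF token changes the length), fetch the baseline twice and only flag sizes outside that range; and because urlopen follows redirects, a vhost that only redirects will be compared on the redirect target, so drop redirect following if you want to see the 301 itself.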
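The bug class here is classic: a value from the add-pet form ends up in a shell command line. The page does not show the pets app's source or the exact parameter, so the block below is an added example with an assumed analogue of that pattern, not the app's code and not the author's Burp requests: a vulnerable lookup that concatenates input into `sh -c`, the hardened version (allow-list, no shell), and a small probe that tries the usual shell separators with an echoed marker and reports which one worked. The species names and data directory are constructed.

```python
"""Command-injection probe for a form field, alongside a minimal vulnerable
lookup and its hardened version. Added example: the lookup is an assumed
analogue of user input concatenated into a shell string, not the pets app's
own code."""
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

MARKER = "inj7f2c9"                   # unique token we expect to see echoed back
ALLOWED_SPECIES = {"cat", "dog"}      # assumed allow-list for the hardened version

# Constructed data directory standing in for the app's per-species files.
DATA_DIR = Path(tempfile.mkdtemp(prefix="pets-"))
for _name in ALLOWED_SPECIES:
    (DATA_DIR / _name).write_text(f"{_name}: loyal, furry\n")


def vulnerable_lookup(species: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command line."""
    cmdline = f"cat {DATA_DIR}/{species}"
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True, timeout=5)
    return proc.stdout


def hardened_lookup(species: str) -> str:
    """Fixed version: allow-list the value and never go through a shell."""
    if species not in ALLOWED_SPECIES:
        raise ValueError("unknown species")
    proc = subprocess.run(["cat", str(DATA_DIR / species)],
                          capture_output=True, text=True, timeout=5)
    return proc.stdout


def build_payloads(base: str, cmd: str) -> List[str]:
    """Common ways to break out of a shell string and append cmd."""
    return [f"{base};{cmd}", f"{base}|{cmd}", f"{base}&&{cmd}",
            f"{base}\n{cmd}", f"{base}`{cmd}`", f"{base}$({cmd})"]


def probe(lookup: Callable[[str], str], base: str = "dog") -> Optional[str]:
    """Return the first payload whose output contains MARKER, else None.
    Errors from the target (validation, 500s) count as 'not injectable here'."""
    for payload in build_payloads(base, f"echo {MARKER}"):
        try:
            out = lookup(payload)
        except Exception:
            continue
        if MARKER in out:
            return payload
    return None


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_lookup))   # a working payload
    print("hardened:  ", probe(hardened_lookup))     # None
```

When the output is not reflected, swap `echo MARKER` for `sleep 5` and compare response times against a baseline, or for a request to a listener you control; the separator list stays the same.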
Finally, we use Catherine’s password to escalate and grab the user flag. As I did earlier with Patrick, I log into the chat service as Catherine to see if there is another hint. I see a conversation between her and Patrick:
They mention a ‘cool feature’, ‘password’, ‘backup’ and port 8443. I begin looking for the backup and run LinPEAS again with extended flags in the background. I find two files in /var/backups, which LinPEAS also highlights:
I copy them both into a temporary directory and unzip them. Running ls -la on both directories shows a four-file difference. I run diff against both directories and see something interesting:
I log into the chat on port 8443, which has the special function. I run the /file command from the script above and get the root flag.
As this isn’t an ‘official’ root, since I did not log in as the root user, I began running hashcat against the root user’s hash 😢.
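The unzip, ls -la and diff steps above amount to a member-by-member comparison of two archives, with the added members and the added lines being where a new feature or a credential usually shows up. The following is an added example that does that comparison in Python and then scans the added lines for credential-looking words; the two archives are constructed in memory and stand in for the backups, they are not the files from the box.

```python
"""Compare two backup archives member by member and flag added lines that
look like credentials. Added example with constructed archives, not the
backups from the box."""
import difflib
import io
import zipfile
from typing import Dict, List

SECRET_HINTS = ("password", "passwd", "secret", "token", "apikey")


def build_zip(files: Dict[str, str]) -> bytes:
    """Build a zip archive in memory from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def compare_archives(old_bytes: bytes, new_bytes: bytes) -> Dict[str, object]:
    """Return members only in old, only in new, and a unified diff per changed member."""
    with zipfile.ZipFile(io.BytesIO(old_bytes)) as old, \
            zipfile.ZipFile(io.BytesIO(new_bytes)) as new:
        old_names, new_names = set(old.namelist()), set(new.namelist())
        result: Dict[str, object] = {
            "removed": sorted(old_names - new_names),
            "added": sorted(new_names - old_names),
            "changed": {},
        }
        for name in sorted(old_names & new_names):
            a, b = old.read(name), new.read(name)
            if a != b:
                diff = difflib.unified_diff(
                    a.decode("utf-8", "replace").splitlines(),
                    b.decode("utf-8", "replace").splitlines(),
                    fromfile=f"old/{name}", tofile=f"new/{name}", lineterm="")
                result["changed"][name] = list(diff)
    return result


def flag_secret_lines(result: Dict[str, object]) -> List[str]:
    """Pick out added lines in changed members that mention a credential word."""
    hits: List[str] = []
    for name, lines in result["changed"].items():
        for line in lines:
            if line.startswith("+") and not line.startswith("+++") \
                    and any(h in line.lower() for h in SECRET_HINTS):
                hits.append(f"{name}: {line[1:].strip()}")
    return hits


# Constructed sample: the newer backup adds one member and extends one.
OLD_FILES = {
    "README.md": "chat backup\n",
    "chat/commands.go": 'package main\n\nvar commands = []string{"/help"}\n',
}
NEW_FILES = {
    "README.md": "chat backup\n",
    "chat/commands.go": 'package main\n\nvar commands = []string{"/help", "/file"} // needs the password\n',
    "chat/file.go": "package main\n\n// handler for the new command\n",
}

if __name__ == "__main__":
    report = compare_archives(build_zip(OLD_FILES), build_zip(NEW_FILES))
    print("added:", report["added"], "removed:", report["removed"])
    for name, lines in report["changed"].items():
        print("\n".join(lines))
    print("worth a look:", flag_secret_lines(report))
```

Reading members through `zipfile` instead of extracting also sidesteps the usual archive pitfalls (absolute paths or `../` members overwriting files in your temp directory), which matters when the backup came from a host you do not fully trust.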