Walkthrough of Hackthebox DevOops system

Hello Guys, it been a while since I have wrote a blog. Well without wasting any time lets dig into the devoops system of hackthebox as the title describes.

Let fireup the namp on ip of devoops which is 10.10.10.91 and wait for port scan results.



So we have 2 port open ssh(22) and http(5000)
Lets check whats there on http as it may contain the door (vulnerabilities) which may allow us to get initial foothold.



Hmm! Nothing interesting let fireup our favorite directory buster (gobuster).



We Found 2 directory let view upload directory as the name looks very interesting.
Well it seems the application allow us to upload xml file. Interestingly whenever I think of xml I always remember XXE attack. But in our case we need to craft the complete xml file with proper required elements.



So we have crafted the xml with our payload to view the /etc/passwd file and boom 🎆 we got the passwd file.



Now as we know that the XXE can be exploited so lets find some way to gain RCE on the server so that we have control on the server.
After struggling for hours I remember that I haven't enumerated user home directory on the System :( So I started to view the files present in the users home directory and found the ssh key which can be used to login via ssh on the system.
So here we goo /home/roosa/.ssh/id_rsa :) Let log into roosa account using the ssh key which I found.



Finally got the shell so lets start to enumerate the box. While enumerating I notice one interesting user "gituser". So I started enumerating about it and found git application was running as root user and accessible by current user (roosa) and there are some project under git.While enumerating I found an bash script which point to /home/roosa/work/bloogfeed/src



It confirm that there is something related to git for privilege escalation but what???
After searching on google for some time about git and its command, and reading the man page of git I found out about "git log" command which looked interesting so though of exploring the same.



There was a comment in the commit reverted accident commit with proper key . Now I got a feeling that somehow I need to retrieve the key. Well once again google to rescue. But I failed to find anything on google so at the end I asked one of my friend for hint and explained all the situation and current status were exactly I am stuck. I got very interesting hint Time machine use freaking Time machine, I was like Okay!!!!!
Again started to search on google like git time machine, git travel back , git past , git code past , git history, git commit history and git code history.
At the end searching yield me fruit.
git log -p origin/master At that point I felt like I should read man pages and it's parameter details with my eyes open.
And after many many hours of struggle found ssh key from git log.



Well Now I formatted the ssh key and used it to logged as root.



Thanks for reading the post.
Special Thanks to all my friends who help / supported / motivated me for writing blogs. 🙏

Comments

Post a Comment

Popular posts from this blog

Information Disclosure - Internal Path Disclosure (PHPWCMS) - CVE-2018-12990

Introduction to Callidus

Process Injection - Part I