Devzat - [HTB]

Marmeus

Introduction

Devzat is an easy-medium machine from HackTheBox that requires folder and subdomain enumeration, code analysis, InfluxDB knowledge, path traversal and CVE exploitation.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

Then we continue with a deeper scan of every open port to get more information about each service.

As we can see above, nmap has obtained the domain devzat.htb; once it is added to /etc/hosts we can see how to access an IRC chat on port 8000.

devzat.htb

Furthermore, we can use the username in the contact section to access the chat. This gives us a chat with an administrator, letting us know that an InfluxDB database exists somewhere on the machine.

Enumerating subdomains with ffuf we obtain the subdomain pets.devzat.htb.

This new web page is a simple pet inventory where we can add a new pet by sending its name and species.

Pets devzat inventory

Enumerating its folders reveals a .git directory, so we can download its source code.

To do so we can use git-dumper.

Analysing the file main.go, we can see that when a new pet is added it executes a bash command, passing the species as a parameter.

If we intercept the request, we can send the following payload to obtain a reverse shell as Patrick.
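As an added illustration (not the pets project's code and not the writeup's payload), the Go below reconstructs the injection pattern described above next to a hardened version: the vulnerable builder splices the species string into a shell command line, while the hardened builder allowlists the value and passes it as its own argument to a program run without a shell. The helper path /usr/local/bin/add-pet, the file /tmp/pets.txt and the sample input are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// validSpecies is an allowlist for the species field: a short lowercase word.
// Anything else (spaces, ';', '|', '$', backticks) is rejected before exec.
var validSpecies = regexp.MustCompile(`^[a-z]{1,32}$`)

// buildVulnerableCmd reconstructs the pattern the writeup describes: the
// user-controlled species string is concatenated into a single shell command
// line, so sh parses any metacharacters it contains as further commands.
// (/tmp/pets.txt is an assumed path.)
func buildVulnerableCmd(species string) []string {
	return []string{"sh", "-c", "echo " + species + " >> /tmp/pets.txt"}
}

// buildHardenedCmd validates the species against the allowlist and, if it
// passes, hands it to a helper program as a separate argv element. No shell
// is involved, so the value stays data and is never parsed as code.
// (/usr/local/bin/add-pet is a hypothetical helper.)
func buildHardenedCmd(species string) ([]string, error) {
	if !validSpecies.MatchString(species) {
		return nil, errors.New("invalid species: only lowercase letters allowed")
	}
	return []string{"/usr/local/bin/add-pet", species}, nil
}

// runArgv executes argv[0] directly with the remaining elements as arguments,
// which is how the hardened command should be invoked in a real handler.
// It is not called from main because the helper program is hypothetical.
func runArgv(argv []string) ([]byte, error) {
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	// A constructed example of a value carrying shell metacharacters.
	injected := "cat; id"

	// The vulnerable builder passes the injection through untouched.
	fmt.Printf("vulnerable argv: %q\n", buildVulnerableCmd(injected))

	// The hardened builder refuses it before anything is executed.
	if _, err := buildHardenedCmd(injected); err != nil {
		fmt.Println("hardened builder rejected input:", err)
	}

	// A legitimate value is accepted and kept as a single argument.
	argv, _ := buildHardenedCmd("cat")
	fmt.Printf("hardened argv: %q\n", argv)
}
```

The key difference is structural, not a matter of escaping: once the value is its own argv element and no shell is spawned, there is nothing left for a `;` or `|` to terminate, and the allowlist is a second, independent layer in case the helper itself is ever called with a shell.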

Privilege Escalation 1

Looking for listening ports we can see that port 8086 is open, which is the port InfluxDB uses by default.

We can do port forwarding with SSH using patrick's SSH private key.

Note: Because netcat is not available on the machine, you can download the key by copying it into the web server directory /var/www/html/assets/ and changing its permissions.

However, we need credentials in order to access the database.

Nonetheless, InfluxDB has an associated vulnerability (CVE-2019-20933) which allows bypassing the login, and a working exploit exists for this particular vulnerability.

Looking at the documentation, we can retrieve the contents of the devzat database.

Among all the users, we get catherine's credentials, obtaining the user flag.

Privilege Escalation 2

Now, if we access the IRC server as catherine once we are inside the machine, we obtain the following chat with patrick.

Looking for those backups, we can obtain patrick's password.

Moreover, we can see that the dev server has a new command and is listening on port 8443, and that it is being run by root.

Analysing its code, we can see that the file command is vulnerable to path traversal, allowing us to retrieve root's flag.
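As an added example (not the devzat project's code), the Go below contrasts the traversal pattern the file command suffers from with a hardened resolver. The base directory /opt/devzat/files is an assumption; the actual location the command serves from is not given here, and the sample file names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// baseDir is where the file command is meant to read from. Assumed path.
const baseDir = "/opt/devzat/files"

// resolveVulnerable reconstructs the traversal pattern: the user-supplied name
// is appended to baseDir without normalising the result, so ".." segments walk
// out of the directory. With the server running as root, any file on the host
// becomes readable through the chat command.
func resolveVulnerable(name string) string {
	return baseDir + "/" + name
}

// resolveHardened joins and cleans the path, then checks that the cleaned
// result is still inside baseDir. filepath.Join collapses "..", so a name such
// as "../../root/root.txt" resolves to /opt/root/root.txt and fails the prefix
// check; "." resolves to baseDir itself and is refused too.
func resolveHardened(name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) {
		return "", errors.New("invalid file name")
	}
	full := filepath.Join(baseDir, name)
	if !strings.HasPrefix(full, baseDir+string(os.PathSeparator)) {
		return "", errors.New("path escapes the file directory")
	}
	return full, nil
}

// readFileSafely is how a handler would use the resolver. After the lexical
// check it also resolves symlinks, so a link planted inside baseDir cannot
// point the read somewhere else.
func readFileSafely(name string) ([]byte, error) {
	full, err := resolveHardened(name)
	if err != nil {
		return nil, err
	}
	resolvedBase, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(full)
	if err != nil {
		return nil, err
	}
	if !strings.HasPrefix(resolved, resolvedBase+string(os.PathSeparator)) {
		return nil, errors.New("symlink escapes the file directory")
	}
	return os.ReadFile(resolved)
}

func main() {
	for _, name := range []string{"notes.txt", "sub/../notes.txt", "../../root/root.txt"} {
		fmt.Printf("%-22s vulnerable -> %s\n", name, resolveVulnerable(name))
		if p, err := resolveHardened(name); err != nil {
			fmt.Printf("%-22s hardened   -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-22s hardened   -> %s\n", name, p)
		}
	}
}
```

The lexical prefix check alone is enough against the ".." form shown in the writeup; the symlink resolution in readFileSafely covers the case where someone who can write inside the served directory plants a link. Running the chat server as an unprivileged user would have limited the damage independently of either check.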

At first we cannot access the server because we need a public key, but this can be resolved quickly by generating a new one.

Finally, accessing it once again and executing the new command, we obtain the root flag.