Devzat - HackTheBox
Devzat Machine(10.10.11.118)
It was a medium Linux machine with a command injection vulnerability; it required source code review and exploiting an outdated InfluxDB to escalate privileges on the machine.
Recon:
Starting with the nmap scan using rustscan: rustscan -a 10.10.11.118 -u 5000 -- -A. This scans for open ports at very high speed and then runs nmap against them.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: devzat - where the devs at
8000/tcp open ssh syn-ack (protocol 2.0)
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, NULL, Socks4, Socks5, X11Probe:
|_ SSH-2.0-Go
| ssh-hostkey:
| 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
|_ssh-rsa [key omitted]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.60%I=7%D=3/8%Time=62277583%P=x86_64-pc-linux-gnu%r(NUL
SF:L,C,"SSH-2\.0-Go\r\n")%r(GenericLines,C,"SSH-2\.0-Go\r\n")%r(GetRequest
SF:,C,"SSH-2\.0-Go\r\n")%r(X11Probe,C,"SSH-2\.0-Go\r\n")%r(FourOhFourReque
SF:st,C,"SSH-2\.0-Go\r\n")%r(Socks5,C,"SSH-2\.0-Go\r\n")%r(Socks4,C,"SSH-2
SF:\.0-Go\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nmap identified two SSH services, on ports 22 and 8000. Port 80 is a web server running Apache 2.4.41. Entering the IP in a browser redirects to devzat.htb, so let's add that to our /etc/hosts file, i.e. 10.10.11.118 devzat.htb.
Let's also run vhost fuzzing in the background along with the other scans; it finds the pets subdomain.
ffuf -u http://devzat.htb/ -w ~/wordlist/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.devzat.htb" -fw 18
Let's also add that to the hosts file: 10.10.11.118 devzat.htb pets.devzat.htb.
There is one potential user on the contact page of devzat.htb. Other than that, web fuzzing doesn't reveal much except the assets, images etc. directories.
Fuzzing on pets.devzat.htb reveals a build directory, which has a JS file. On unminifying that JS code we can notice an API endpoint, api/pet, to which a POST request is sent, so fuzzing /api can be a potential thing in future.
Foothold: Command injection
Exploring the functionality on the pets domain: there is an option to add pets on this page. A GET request is made to the /api/pet endpoint to fetch all pets' details, and a POST request is made to the same endpoint to add another pet, while the delete option is not implemented yet.
As our input is reflected we can think of different injection vulnerabilities. But all attempts failed: either the pet was not added or we got exit status 1.
As this was going nowhere, let's do a little fuzzing, which reveals there is a .git directory exposed. But that's not how I found it the first time: I have an extension called DotGit which sends .git/HEAD and .env requests to every website I visit and notifies me if it finds something. I think everyone should have it. Let's look into this .git directory using GitTools; I always use this.
./gitdumper.sh http://pets.devzat.htb/.git/ /tmp/devzat
This dumps the git repository into the devzat directory on my machine.
./extractor.sh /tmp/devzat/ /tmp/devzat_ext
Now this new directory will have all the source code that has been committed in that git repo.
Looks like the author of this git repo is the same user we saw on the contact page, i.e. patrick. Also this application is written in Go, although this was already hinted at by a header in the HTTP response: My genious go pet server.
Looking into the source code, we find something interesting in the file main.go.
package main

import "os/exec"

// loadCharacter builds a shell command from the species string taken from the
// request and runs it through sh -c. The value is concatenated without any
// validation, so shell metacharacters in species are interpreted by sh.
func loadCharacter(species string) string {
	cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
	stdoutStderr, err := cmd.CombinedOutput()
	if err != nil {
		return err.Error()
	}
	return string(stdoutStderr)
}
To load the characteristics for a pet, it passes the species into exec.Command with an sh -c shell without any filtering. Looks like we have a command injection vulnerability through the species parameter. Let's add a pet and modify the request.
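For comparison, here is how loadCharacter could be written so that this class of bug does not arise. This is an added example, not code from the devzat pet server or its author; the directory argument, the 32-character limit and the allowlist pattern are my assumptions about what a species file name needs. No shell is spawned at all, the species is allowlisted before it touches the filesystem, and the resolved path is checked to remain a direct child of the characteristics directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// speciesPattern allowlists the species name: lowercase letters only, which is
// all a file name under characteristics/ needs. Shell metacharacters, spaces,
// slashes and ".." cannot pass this check. (Assumed pattern, not the project's.)
var speciesPattern = regexp.MustCompile(`^[a-z]{1,32}$`)

// ErrBadSpecies is returned for any species name that fails the allowlist.
var ErrBadSpecies = errors.New("invalid species name")

// validSpecies reports whether species matches the allowlist.
func validSpecies(species string) bool {
	return speciesPattern.MatchString(species)
}

// loadCharacterSafe reads <dir>/<species> without spawning a shell. The name is
// allowlisted first, and the resolved path is checked to still be a direct
// child of dir as defence in depth.
func loadCharacterSafe(dir, species string) (string, error) {
	if !validSpecies(species) {
		return "", ErrBadSpecies
	}
	base, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	path := filepath.Join(base, species)
	if filepath.Dir(path) != base {
		return "", ErrBadSpecies
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return string(data), nil
}

func main() {
	// Constructed sample data: a temporary characteristics directory with one file.
	dir, err := os.MkdirTemp("", "characteristics")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "cat"), []byte("independent, curious\n"), 0o600); err != nil {
		panic(err)
	}
	// The first name is served; the other two are the kind of input the original
	// sh -c concatenation would have handed to the shell.
	for _, s := range []string{"cat", "cat; id", "../../etc/passwd"} {
		out, err := loadCharacterSafe(dir, s)
		fmt.Printf("%-18q -> %q err=%v\n", s, out, err)
	}
}
```

The allowlist alone is what removes the injection; the filepath.Dir check only guards against a future relaxation of the pattern. If the species list is fixed, an explicit map of known names is even simpler than a regular expression.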
Getting user:
As command injection is confirmed, let's get a reverse shell from here. Also, it looks like the nc binary is not installed on the server.
I struggled to make any reverse shell work here. But we have other ways to work around it: as the application is running under the patrick user, we can read Patrick's SSH keys, or we can place ours into the .ssh directory, as then we don't have to crack his key if it's password protected.
This key needed to be correctly line-break formatted.
Now we can log in as the patrick user on the machine with the key: ssh -i key patrick@devzat.htb. Don't forget to change the key's permissions (-rw-------) before logging in.
Lateral Movement: Exploiting outdated InfluxDB
After logging in as the patrick user, we can see there is another user, catherine, on the machine. Now it's a little enumeration time on the box.
Let's check the Apache files: cat /etc/apache2/sites-enabled/000-default.conf
One vhost listens for devzat.htb, and the vhost pets.devzat.htb is proxied to port 5000: ProxyPass / http://127.0.0.1:5000/.
In patrick's home directory there is another application called devzat, which is a chat application for devs, hence the name devzat.
Port 8000 is for this application. Looking around in the devchat.go file we can notice some mention of InfluxDB.
Let's try to connect to this chat system from our machine, as there is no netcat on the box: nc devzat.htb 8000. Its banner says SSH-2.0-Go, but nothing else useful. As it's SSH, let's try to connect to it with ssh: ssh patrick@devzat.htb -p 8000.
Also, this code in devchat.go tells why it is asking for a new username:
	// Only a connection whose id matches this hardcoded value may claim one of the
	// reserved nicknames; everyone else is prompted again until they pick another name.
	if u.id != "12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0" {
		for possibleName == "patrick" || possibleName == "admin" || possibleName == "catherine" {
			u.writeln("", "Nickname reserved for local use, please choose a different one.")
			u.term.SetPrompt("> ")
			possibleName, err = u.term.ReadLine()
Let's pick the username test for this and explore the application.
Running /help shows which GitHub application it's exactly running and the possible commands to run. You can run commands on this with /command.
For now I didn't find anything interesting here, so let's look into InfluxDB as it was mentioned earlier. Port 8086 is open, which is InfluxDB. As there is no InfluxDB client installed on the machine, we have to find another way to communicate with it. Turns out we can send HTTP requests to InfluxDB.
curl 127.0.0.1:8086
gives 404 Not Found; let's look at the headers received: curl -sL -I localhost:8086/ping
The ping endpoint gives the health of InfluxDB.
The headers reveal InfluxDB version 1.7.5, which is vulnerable to an authentication bypass vulnerability. Let's search for an exploit for it and download one for CVE-2019-20933. It needs a list of usernames; it comes with a default one, but we can create our own.
I created a list of usernames I have seen in the devchat.go file and the /etc/passwd file:
catherine
patrick
devzat
admin
Also, as port 8086 is not accessible from outside, I port forwarded it to my localhost:
ssh -i key -L 8086:127.0.0.1:8086 patrick@devzat.htb
Now let's run the exploit, and we get access as the admin user.
Now let's use the devzat database and query for tables and their records. In InfluxDB, tables are referred to as measurements, so instead of SHOW TABLES we use SHOW MEASUREMENTS. Or maybe I got it wrong, but compared to MySQL I understood it like this.
Let's see all records from the user table.
{
  "results": [
    {
      "series": [
        {
          "columns": [
            "time",
            "enabled",
            "password",
            "username"
          ],
          "name": "user",
          "values": [
            [
              "2021-06-22T20:04:16.313965493Z",
              false,
              "WillyWonka2021",
              "wilhelm"
            ],
            [
              "2021-06-22T20:04:16.320782034Z",
              true,
              "woBeeYareedahc7Oogeephies7Aiseci",
              "catherine"
            ],
            [
              "2021-06-22T20:04:16.996682002Z",
              true,
              "RoyalQueenBee$",
              "charles"
            ]
          ]
        }
      ],
      "statement_id": 0
    }
  ]
}
It reveals catherine's password, which is actually her password on the machine.
Now you can read the user flag.
Privilege Escalation: Exploiting Devchat
Now I remember that while enumerating for catherine I saw something interesting in /var/backups, which at the moment was only accessible by catherine.
There are two versions of devchat backed up here; let's copy them somewhere temporarily or transfer them to your machine and unzip them. Turns out there is another version of devchat available on this machine. Also, looking into the listening ports
we know that
- 80 & 5000 is webserver
- 8086 is influxdb
- 22 is ssh
- 8000 is devchat over ssh
- what is 8443???
Looking into the unzipped files: another version of devchat is running which is only accessible from localhost and has more functionality in it.
Interesting; let's do a port forward to be able to ssh to this port.
+ ssh -i key -L 8443:127.0.0.1:8443 patrick@devzat.htb
+ ssh test@127.0.0.1 -p 8443
To access a file it needs a password for verification. Again it's source code review time, and we find this fileCommand function in commands.go. The file password is hardcoded for verification.
// fileCommand prints a file for the user once they supply the right password.
func fileCommand(u *user, args []string) {
	if len(args) < 1 {
		u.system("Please provide file to print and the password")
		return
	}
	if len(args) < 2 {
		u.system("You need to provide the correct password to use this function")
		return
	}
	// The path is taken from the user as-is; nothing strips "../" or anchors it
	// to a directory, which is what makes the traversal described below possible.
	path := args[0]
	pass := args[1]
	// Check my secure password
	// The password is a string literal in the source, so anyone with a copy of the
	// code (here, the backup in /var/backups) has it.
	if pass != "CeilingCatStillAThingIn2021?" {
		u.system("You did provide the wrong password")
		return
	}
	// Get CWD
	// Note that a failed Getwd is reported to the user but execution continues.
	cwd, err := os.Getwd()
	if err != nil {
		u.system(err.Error())
	}
Apparently it's running as root in the /root/devzat directory. But we can always move back up the directory tree with ../, so now we can read the root flag and root's SSH key via /../root.txt and /../.ssh/id_rsa respectively.
And that's how we got root on this machine.
ssh -i root.key root@devzat.htb
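Two defects make the fileCommand above exploitable: the password lives in the source, and the path is never confined. The example below is added here and is not devzat's code; it assumes a files directory chosen by the operator, a secret supplied through an environment variable I have named DEVZAT_FILE_PASSWORD, and constant-time comparison of that secret. The path check relies on filepath.Join cleaning the result, so any "../" segments are collapsed before the prefix comparison; absolute names and the directory itself are refused.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideRoot = errors.New("path escapes the shared directory")
	ErrBadPassword = errors.New("wrong password")
)

// fileShare serves files from one directory, guarded by a secret the deployment
// supplies at start-up instead of a string literal in the source.
type fileShare struct {
	root   string
	secret []byte
}

func newFileShare(root, secret string) (*fileShare, error) {
	if secret == "" {
		return nil, errors.New("file password must not be empty")
	}
	abs, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	return &fileShare{root: abs, secret: []byte(secret)}, nil
}

// resolve maps a user-supplied name onto a path strictly inside root.
func (f *fileShare) resolve(name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	full := filepath.Join(f.root, name) // Join cleans, so ".." is collapsed here
	if !strings.HasPrefix(full, f.root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// read is the hardened counterpart of fileCommand: constant-time password
// comparison first, then the confined path, then the read.
func (f *fileShare) read(name, pass string) (string, error) {
	if subtle.ConstantTimeCompare([]byte(pass), f.secret) != 1 {
		return "", ErrBadPassword
	}
	p, err := f.resolve(name)
	if err != nil {
		return "", err
	}
	data, err := os.ReadFile(p)
	if err != nil {
		return "", err
	}
	return string(data), nil
}

func main() {
	// Constructed sample: a temporary directory with one shareable file.
	dir, err := os.MkdirTemp("", "devzat-files")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "notes.txt"), []byte("constructed sample file\n"), 0o600); err != nil {
		panic(err)
	}
	secret := os.Getenv("DEVZAT_FILE_PASSWORD") // assumed variable name
	if secret == "" {
		secret = "constructed-demo-secret" // demo fallback only; a real service should refuse to start
	}
	share, err := newFileShare(dir, secret)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"notes.txt", "../notes.txt", "/../root.txt"} {
		out, err := share.read(name, secret)
		fmt.Printf("%-14q -> %q err=%v\n", name, out, err)
	}
}
```

The prefix check is lexical: if the files directory contains symlinks pointing elsewhere, resolve the result with filepath.EvalSymlinks and repeat the check on the real path. Running the chat service as an unprivileged user rather than root would have limited what a traversal could reach in the first place.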
Thank you for reading, and feedback is always welcome.
Twitter: Avinashkroy