Engagement flow
Summary
This was a difficult machine built around an interesting exposed git repository enumeration flow, followed by command injection in the recovered application, a known InfluxDB vulnerability, and leaked credentials on the way to root.
Tools used
Sublist3r
Gobuster
SSH
Processes/Techniques
Subdomain enumeration
Git enumeration
Code review
Command injection
Shell upgrading
Port forwarding
References
None beyond generic manuals or CVEs.
Enumeration
We start off with a basic nmap scan, which reveals three open ports: 22 (SSH, which we will use in later phases), 80 and 8000. At this stage we assume 80 and 8000 are both serving the same web application. HTTPS is not enabled.
We perform a more in-depth scan with the -sC -sV flags (default scripts and version detection) and see Apache running on port 80.
From here we add devzat.htb to /etc/hosts and browse to the home page.
Scrolling down the site we find a clue: instructions to connect to devzat.htb on port 8000 with SSH, so port 8000 is a second SSH service rather than a web server.
We land in a terminal-based chat application. There is nothing special to find here yet.
Web enumeration
We start off with some web enumeration, in this case virtual host brute forcing rather than directory busting, using the following command and flags.
gobuster vhost -u devzat.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r
We find pets.devzat.htb and add it to /etc/hosts.
The landing page is a pet inventory screen.
Since the page appears to be a small custom application talking to an API, its source may well live in a git repository on the server. The quick check is to browse to /.git/ and see whether the directory is exposed.
Git enumeration
From here we mirror the exposed .git directory to our machine so we can enumerate it properly.
Running git status shows every tracked file reported as deleted: we only have the object store, not the working tree. Restoring the files from the repository gives us the full source to review, and the commit history may still hold files that were deleted in later commits.
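The restore-and-dig flow above, as an added example that is not part of the original writeup or the target application. It constructs a throwaway repository (the file names and contents are made up here), wipes the working tree so git status reports everything as deleted, then restores the tree from HEAD and recovers a file that an earlier commit removed. It assumes only that git is installed.

```sh
#!/bin/sh
# Added example, not code from the writeup or the target application.
# After mirroring only /.git/ from a web server, git status shows every
# tracked path as deleted. Two recovery steps:
#   1. restore the tracked tree from HEAD;
#   2. pull back files deleted in earlier commits, which HEAD no longer
#      contains but the object store still does.
# Assumes git is installed; repository contents below are constructed.
set -eu

# build_sample_repo DIR: constructed sample; a secrets file is committed
# and then removed in a later commit, as often happens in real repos.
build_sample_repo() {
  dir=$1
  mkdir -p "$dir"
  git -C "$dir" init -q
  git -C "$dir" config user.email 'example@example.invalid'
  git -C "$dir" config user.name 'example'
  printf 'DB_PASS=hunter2\n' > "$dir/.env"
  printf 'package main\n' > "$dir/main.go"
  git -C "$dir" add .
  git -C "$dir" commit -qm 'initial import'
  git -C "$dir" rm -q .env
  git -C "$dir" commit -qm 'remove secrets from repo'
  rm -f "$dir/main.go"   # mimic having downloaded .git/ only, no working tree
}

# restore_tree DIR: step 1, check out every tracked path from HEAD.
restore_tree() {
  git -C "$1" checkout -q -- .
}

# deleted_in_history DIR: list every path some commit deleted, one per line.
deleted_in_history() {
  git -C "$1" log --all --diff-filter=D --name-only --pretty=format: |
    sed '/^$/d' | sort -u
}

# recover_deleted DIR OUT: step 2, for each deleting commit C and path P,
# write the content from C's parent (the last revision that had P) to OUT/P.
recover_deleted() {
  dir=$1; out=$2
  git -C "$dir" log --all --diff-filter=D --name-only --pretty=format:%H |
    awk 'length($0) == 40 && $0 ~ /^[0-9a-f]+$/ { commit = $0; next }
         NF { print commit, $0 }' |
    while read -r commit path; do
      target=$out/$path
      mkdir -p "$(dirname "$target")"
      git -C "$dir" show "$commit^:$path" > "$target"
    done
}

# demo: run the whole flow in a temp directory and print what came back.
demo() {
  tmp=$(mktemp -d)
  build_sample_repo "$tmp/repo"
  echo '--- git status before restore (paths reported as deleted):'
  git -C "$tmp/repo" status --short
  restore_tree "$tmp/repo"
  echo '--- deleted somewhere in history:'
  deleted_in_history "$tmp/repo"
  recover_deleted "$tmp/repo" "$tmp/recovered"
  echo '--- recovered content:'
  cat "$tmp/recovered/.env"
  rm -rf "$tmp"
}

demo
```

On a real target, run the same functions against the mirrored directory: restore_tree gives you the current source for review, and recover_deleted pulls anything a developer "cleaned up" (credentials, old endpoints) that the history still remembers.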
From here we enumerate the repository and look at the main file. Here we see the cmd = exec call, where user-supplied input is concatenated into a command that is executed on the backend host. That is inherently risky: if the user controls the input, they can attempt remote code execution.
From here we keep it simple and test for command injection, starting with a directory traversal payload.
Next we attempt a pingback to our host while running tcpdump to catch the ICMP traffic, which confirms the injection.
With execution confirmed, we send a bash reverse shell.
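The injection pattern found in the code review, and its fix, as an added example that is not code from the writeup or the pets application. The backend pattern under discussion is a command string built from user input and handed to a shell, for example in Go: exec.Command("sh", "-c", "cat characteristics/"+species). The parameter name "species" and the characteristics/ files are assumptions constructed here; vulnerable() reproduces what the shell does with that string, hardened() shows an allowlist plus a no-shell invocation.

```sh
#!/bin/sh
# Added example, not code from the writeup or the pets application.
# vulnerable() mimics exec.Command("sh", "-c", "cat characteristics/"+species)
# by handing the concatenated string to sh -c; hardened() validates the
# value and never routes it through a shell parser. The "species"
# parameter name and the characteristics/ files are assumptions.
set -eu

# setup_characteristics DIR: constructed sample data the app would serve.
setup_characteristics() {
  mkdir -p "$1/characteristics"
  printf 'meows\n' > "$1/characteristics/cat"
  printf 'barks\n' > "$1/characteristics/dog"
}

# vulnerable DIR SPECIES: concatenation into sh -c. A value such as
# 'cat; id' becomes "cat DIR/characteristics/cat; id" and the shell runs
# both commands. The pingback test from the writeup is the same idea with
# SPECIES='x; ping -c 1 <your ip>' while tcpdump -i tun0 icmp listens.
vulnerable() {
  sh -c "cat $1/characteristics/$2"
}

# hardened DIR SPECIES: reject anything outside [a-z0-9_-] (this also
# blocks ../ traversal), then call cat directly with the path as a single
# argument so metacharacters are never interpreted.
hardened() {
  case $2 in
    ''|*[!a-z0-9_-]*) echo "rejected species value: $2" >&2; return 1 ;;
  esac
  cat "$1/characteristics/$2"
}

demo() {
  d=$(mktemp -d)
  setup_characteristics "$d"
  echo '--- vulnerable with species="cat; echo INJECTED":'
  vulnerable "$d" 'cat; echo INJECTED'
  echo '--- hardened with the same value:'
  hardened "$d" 'cat; echo INJECTED' || true
  echo '--- hardened with species="dog":'
  hardened "$d" dog
  rm -rf "$d"
}

demo
```

The allowlist is the important half: escaping or quoting a value that is still spliced into a shell string tends to break on the next metacharacter someone forgot, whereas a strict character class plus a direct exec leaves the shell out of the picture entirely.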
From here we grab patrick's SSH key and connect back in over SSH as patrick.
User
Some initial enumeration reveals several services listening on internal ports only.
Port forward
From here we forward port 8086 to our machine with SSH:
ssh -L 8086:localhost:8086 -i ~/.ssh/id_rsa patrick@devzat.htb
An nmap scan against the forwarded port shows an InfluxDB server on 8086.
Some research turns up a public exploit for a known InfluxDB vulnerability. We download and run the script; it works and gives us access to query the InfluxDB database.
We run the Show databases command. Within the devzat database there is a user measurement (InfluxDB's equivalent of a table); selecting everything from it returns our credentials:
username: catherine
password: woBeeYareedahc7Oogeephies7Aiseci
Root
For this phase we enumerate the chat application locally as Catherine. Her account can see a part of the chat we could not before, where we learn about a disclosed backup directory containing credentials.
We search the backup folder, run diff on /dev/commands.go, and find credentials!
CeilingCatStillAThingIn2021?
We jump back into the legacy chat application and use the file command with the new password to read the root flag.