Hello everyone,
Today I will explain how I pwned the “Devzat” machine from HTB.
Introduction
This is a great machine. It is not easy at all, and it needs you to focus on each step before executing it.
In this machine you will learn many new things:
RCE through JSON request data (“deserialization”: in practice the JSON value ends up inside a shell command)
Port Forwarding
Source code review
[01] Recon
First I started with nmap to check the open ports on the machine.
With nmap -sV 10.10.11.118 I got 4 open ports.
Let’s start with the web port, 80/tcp.
Don’t forget to add the IP to /etc/hosts as devzat.htb.
Checking the domain devzat.htb, I found it is only one page, but it holds a valuable piece of information.
It shows an example of how to connect to port 8000/tcp.
So let’s connect to port 8000 as shown on the website (the username is arbitrary):
ssh -l test devzat.htb -p 8000
It turned out to be a chat service with a specific set of commands.
I tried for RCE, path traversal and file reading, but nothing worked against this chat.
So I decided to leave it running until I found another way in.
Now, back to the website. I fuzzed for directories to see if there were any hidden ones.
I got only those directories and checked them, but there was nothing important in them.
So I decided to check for VHOSTs on this domain using ffuf (fuzzing the Host header).
And I got one xD: pets. So let’s add pets.devzat.htb to /etc/hosts too and try to access it.
The VHOST is a pet inventory with a form to add a new pet.
I started checking for hidden directories.
And I found that the /.git folder was publicly accessible xD
Using wget -r http://pets.devzat.htb/.git/ we can mirror the whole repository and check it locally.
I checked the files but found nothing important and no source code. (A mirrored .git directory is the repository itself: if the objects came down, git log and git checkout -- . inside the download reconstruct the tracked source, which is worth trying before moving on.)
Next I checked the /build directory and found a main.js file, and started reading it.
It contained valuable information.
The page sends the form data as JSON to the backend, which parses it. So let’s check it.
[02] Foot-hold
Looking at the form on http://pets.devzat.htb, I tried sending the data as JSON myself.
Whatever I sent did not appear in the response, so maybe it is blind?!
I started a Python HTTP server on my machine, then sent a request containing a command that connects back to it.
And it worked!!!!! The value from the JSON is executed on the server, so we really have blind RCE through the JSON input.
Now it’s time to get a reverse shell from the machine through this command execution.
After several reverse-shell commands that all failed, I realised that any special character such as >, & or / breaks the command: the value is being concatenated into a shell command line, so this behaves as OS command injection rather than deserialization in the strict sense.
To bypass this, I base64-encode my command, send the encoded string, and decode and run it on the machine itself. Caveat: the base64 alphabet itself contains /, + and =, so the encoding has to be checked against the same filter (padding the command with whitespace changes the encoding without changing the command).
Now I’m connected to the machine as patrick, but when checking /home I found another user, whose directory holds user.txt.
[03] Patrick Recon
So I started to recon the machine as patrick, to see this user’s permissions and what I could do.
First I checked SUID binaries and found nothing real (PwnKit would apply, but I didn’t use it, to keep the machine fun xD).
Then I checked for passwords and SSH keys, and found that patrick has an SSH key.
After some enumeration on the machine I found several ports listening only on localhost.
Here we have two options: either talk to them from the shell on the box, or forward them to our machine.
First I curled each port from the box to see what service was behind it.
After checking all of them, I decided to focus on 8086 and 8443, because 5000 is the pets website I opened before.
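Finding the loopback-only listeners is the step that decides what to forward. The following is an added example (not from the write-up) that parses the /proc/net/tcp format, which is always readable even on a box without ss or netstat. The SAMPLE text is constructed to resemble what the post reports (5000, 8086 and 8443 on 127.0.0.1; 22 and 80 on all interfaces); uids and inodes in it are made up.

```python
"""List TCP sockets in LISTEN state from /proc/net/tcp{,6} text.
Added example with a constructed sample; run it as a script on a real host."""
import os
import socket
import struct
from typing import List, Tuple

LISTEN = "0A"  # value of the `st` column for TCP_LISTEN

# Constructed sample in /proc/net/tcp layout (ports are hex: 1388=5000,
# 1F96=8086, 20FB=8443, 0016=22, 0050=80; 0100007F is 127.0.0.1 little-endian).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30000 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F96 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 30001 1 0000000000000000 100 0 0 10 0
   2: 0100007F:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30002 1 0000000000000000 100 0 0 10 0
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30003 1 0000000000000000 100 0 0 10 0
   4: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30004 1 0000000000000000 100 0 0 10 0
   5: 0100007F:9C42 0100007F:1388 01 00000000:00000000 00:00000000 00000000  1000        0 30005 1 0000000000000000 20 4 30 10 -1
"""


def _hex_addr(field: str) -> Tuple[str, int]:
    """Decode 'HEXIP:HEXPORT'. The kernel writes each 32-bit word of the
    address in host byte order, so IPv4 is one little-endian word and IPv6
    is four of them."""
    hexip, hexport = field.split(":")
    words = [hexip[i:i + 8] for i in range(0, len(hexip), 8)]
    packed = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed), int(hexport, 16)


def listening_sockets(proc_net_tcp: str) -> List[Tuple[str, int, int]]:
    """Return (address, port, uid) for every LISTEN socket, sorted by port.
    The header line is skipped because its `st` column is not '0A'."""
    out = []
    for line in proc_net_tcp.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN:
            continue
        addr, port = _hex_addr(cols[1])
        out.append((addr, port, int(cols[7])))
    return sorted(out, key=lambda t: t[1])


def loopback_only(sockets) -> List[int]:
    """Ports bound to a loopback address: the port-forwarding candidates."""
    return [p for a, p, _ in sockets if a.startswith("127.") or a == "::1"]


if __name__ == "__main__":
    text = ""
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                text += fh.read()
    socks = listening_sockets(text or SAMPLE)
    for addr, port, uid in socks:
        print(f"{addr}:{port}  uid={uid}")
    print("forward candidates:", loopback_only(socks))
```

The uid column tells you which account owns the listener, which is a hint about what privileges a service running on it might leak before you tunnel to it.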
I set up SSH local port forwarding for port 8086.
The command ssh -i id_rsa -L 8086:127.0.0.1:8086 -N patrick@devzat.htb binds 8086 on my machine and tunnels it to 127.0.0.1:8086 on the box.
Connecting from the browser gave a 404, but the tunnel works.
So I ran nmap -sV against the forwarded port to identify the service.
It is a database listening on localhost only (InfluxDB, as the show measurements query below also indicates).
Searching for an exploit for this database version, I found one on GitHub.
So I downloaded and ran it.
Now I’m connected to the database. This type of database was new to me, so I looked up its query syntax to see how it differs from ordinary SQL.
I found some commands for this database on HackTricks (Link).
After listing the tables with show measurements, I dumped the user table.
I got the password for catherine, the other user on the machine.
[04] Low User Access
From the shell I already had, I switched user with su catherine and provided the password I got.
I started enumerating the machine to see this user’s privileges.
First I tried sudo -l, but the user is not in sudoers.
Then I searched SUID binaries again: nothing.
Cron jobs, sudo version, kernel version: nothing useful in any of them.
I also searched for a root password, again nothing.
After some more enumeration I found /var/backups, which contains backup archives of the devzat source code.
I ran a Python HTTP server on the box and transferred those two files to my machine.
Unpacking both gives two folders with the same file names. So what changed?!
I ran diff on each pair of files across the two folders to see the differences.
First, in commands.go, one version has an extra file command, guarded by a hard-coded password.
Reading the code carefully, I realised that /file reads files from the machine but requires this password with each request.
But how do I reach this version?! I tried /file on port 8000, but it returned an error.
In another file I found the listener configuration xD
This version runs on localhost port 8443, while the public one on 8000 is the instance we connected to earlier.
[05] Privilege Escalation
From the shell I already have, I connected to the local port with the same command from the website, changing only the IP to localhost and the port:
ssh -l test 127.0.0.1 -p 8443
It connects successfully. Let’s try the /file command.
I tried to read /etc/passwd, but it returned an error whose message contained the path it actually tried to open, i.e. the base directory the command reads from.
So all I need now is path traversal, nothing more xD
Running /file ../../etc/passwd CeilingCatStillAThingIn2021? reads the file successfully.
We can read ../root.txt very easily now.
But I wanted full access as root, so I went for the SSH key.
Running /file ../.ssh/id_rsa CeilingCatStillAThingIn2021?
Whoops!!!! root has an SSH key and I can read it…
Now I can connect as root via SSH with full access.
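The /file bug, reduced to its essence as an added example (a Python stand-in written for this post, not the Go code from the devzat backups): a handler that glues the user's path onto a base directory, next to a hardened version that resolves the path and refuses anything outside the base. The directory layout in demo() is constructed. The naive version reproduces the two behaviours seen on the box: an absolute path fails because base + "/" + "/etc/passwd" does not exist, while ../ walks out of the base.

```python
"""Path traversal in a 'read a file under a base directory' command, beside
a hardened version. Added example with a constructed directory layout."""
import os
import tempfile


def read_file_vulnerable(base, requested):
    """Naive handler: string concatenation, no canonicalisation.
    '/etc/passwd' -> base//etc/passwd (not found); '../../etc/passwd' escapes."""
    with open(base + "/" + requested) as fh:
        return fh.read()


def read_file_hardened(base, requested):
    """Resolve symlinks and '..' first, then check the result is still under
    base. commonpath() rather than startswith() avoids the /srv vs /srv2 trap,
    and realpath() also catches symlinks inside base that point outside it."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("refusing to read outside %s: %s" % (root, requested))
    with open(target) as fh:
        return fh.read()


def demo():
    """Constructed layout: <tmp>/devzat/note.txt (in scope), <tmp>/secret.txt
    (out of scope). Returns what each handler does with each request."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "devzat")
        os.mkdir(app)
        with open(os.path.join(app, "note.txt"), "w") as fh:
            fh.write("in scope\n")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("out of scope\n")

        results["vuln_inside"] = read_file_vulnerable(app, "note.txt")
        results["vuln_traversal"] = read_file_vulnerable(app, "../secret.txt")
        try:
            read_file_vulnerable(app, "/etc/passwd")
            results["vuln_absolute"] = "read"
        except FileNotFoundError:
            results["vuln_absolute"] = "not found"  # the error seen on the box

        results["hard_inside"] = read_file_hardened(app, "note.txt")
        for req in ("../secret.txt", "/etc/passwd"):
            try:
                read_file_hardened(app, req)
                results["hard_" + req] = "allowed"
            except PermissionError:
                results["hard_" + req] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", repr(v))
```

The password check in the original command does not help here: authorization to use a command is not a substitute for validating the argument it is given.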