8 min readMar 12, 2022

Hello everyone, in this post I will be sharing my writeup for HTB-Devzat which was a medium rated linux machine, starting with our nmap scan we found 2 ports open ssh and http. The web server was hosting a page where it was talking about a tool named devzat for chatting through ssh, enumerating for subdomains we found cats which was hosting a application which was made using golang and was vulnerable to command injection giving us remote code execution and getting a shell as patrick . Enumerating the machine we can see local port 8086 which was using influxdb which was vulnerable to authentication bypass (CVE 2019-20933) and looking for a password in the database we were able to escalate our privileges to catherine and then looking into /var/backups we can see the dev version of devzat tool which can allow us to read files as devzat on the target machine was running with root privileges we can read almost any file.


PORT     STATE SERVICE REASON         VERSION                             
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open ssh syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
|_ SSH-2.0-Go
| ssh-hostkey:
| 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTPm8Ze7iuUlabZ99t6SWJTw3spK5GP21qE/f7FOT/P+crNvZQKLuSHughKWgZH7Tku7Nmu/WxhZwVUFDpkiDG1mSPeK6uyGpuTmncComFvD
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel


On visit the web server it will be redirected to a domain name so let’s add this to our /etc/hosts file

After adding the domain name the web site will be loaded

We don’t find anything interesting other than this , which is telling us to connect to port 8000 where we can use ssh client to kinda chat around with people and this tools name is devzat

So we can chat around with this , do some fun stuff like changing clolors , sneding emojis , playing tic tac toe , hangman and etc.

There wasn’t anything that we can do here so I moved on and started running gobuster for fuzzing files and directories and wfuzz to finding subdomains. Gobuster only returned html template files

But from wfuzz I found a subdomain pets

So again let’s add this to our hosts file

We can see here that there’s a list pets here and if I click to delete any one of them it’s going to show that it’s not yet implemented

Other than that we can add a pet

So I tried to figure out what technology it is using , I tried to include a php file it returned me the same page without any error , tried including html file and it returned the same page again so here I thought it’s either node js or flask as we can specify routes so we would need to specify a correct route (I could be wrong here but let’s see).

In order to run gobuster here , since it would return the response no matter what we try to request for so we need to blacklist the 200 status response along with 404 , after running gobuster it showed me .git folder

We can use git dumper tool to download the folder and extract the important bits from it

After it has done downloading the files we can use git extractor to extract the files

So it’s using golang as it’s backend language and the interesting thing in this code is that there’s an os library being used which is used for reading the characteristics of the species from the directory named characteristics.

This function is being called on our input for adding pet name , so this is vulnerable to command injection

Intercept the request for adding a pet name and in species add the command like this ;id

To get a shell we can use python3 reverse shell , base64 encoded it and decode it by piping it to bash

And with python3 we can stabilize our shell to get tab completion, using bash history and clear terminal screen

We get get the private key for patrick user if we want a more stabilized shell

With ss -tulpn we can which ports are open on the machine

We have already seen port 8000 (devzat) and 5000 (pets application) , checking port 8443 I wasn’t sure what it was

But port 8086 gave me a 404 error page

So maybe we have to do some port forwarding here

I didn’t know what was on this port so I started to run gobuster and found few endpoints

On visiting /query it asks for a password but I didn't found any password so decided to intercept the request with burp suite and see what response headers I am getting

So this tells us that it’s running influx db 1.7.5 on this port , I tried to locate the folder where influxdb is but I don’t have permissions to view the contents

Privilege Escalation (Catherine)

I found an exploit for this version which bypassing authentication , there were some dependencies for this script , make sure use the requirements.txt file

The word lists that I used here was the top usernames from seclists’s github repo, after running the exploit it gives us two database , influxdb a slight different than other databases , it’s a time based database and is used in cloud , in influxdb tables are referenced as measurements , so in order to list the measurements in a database

Now here we know the measurement name is user we can list the data from it using the query select * from user

And we can get the password for Catherine

Privilege Escalation (root)

Now if we try connecting as Catherine on port 8443 we can see a conversation telling us to look into default backups directory

On running diff command on main and dev directory we can see the difference in the files

It seems that we can run the command /file which can read any file we want by providing the correct password

And in this way we can read /etc/shadow file and ssh key of root user