Hello everyone, in this post I will be sharing my writeup for HTB-Devzat which was a medium rated linux machine, starting with our nmap scan we found 2 ports open ssh and http. The web server was hosting a page where it was talking about a tool named devzat for chatting through ssh, enumerating for subdomains we found cats which was hosting a application which was made using golang and was vulnerable to command injection giving us remote code execution and getting a shell as patrick . Enumerating the machine we can see local port 8086 which was using influxdb which was vulnerable to authentication bypass (CVE 2019-20933) and looking for a password in the database we were able to escalate our privileges to catherine and then looking into /var/backups we can see the dev version of devzat tool which can allow us to read files as devzat on the target machine was running with root privileges we can read almost any file.
NMAP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open ssh syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
| ssh-hostkey:
| 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTPm8Ze7iuUlabZ99t6SWJTw3spK5GP21qE/f7FOT/P+crNvZQKLuSHughKWgZH7Tku7Nmu/WxhZwVUFDpkiDG1mSPeK6uyGpuTmncComFvD
3CaldFrZCNxbQ/BbWeyNVpF9szeVTwfdgY5PNoQFQ0reSwtenV6atEA5WfrZzhSZXWuWEn+7HB9C6w1aaqikPQDQSxRArcLZY5cgjNy34ZMk7MLaWciK99/xEYuNEAbR1v0/8ItVv5pyD8QMFD+s
2NwHk6eJ3hqks2F5VJeqIZL2gXvBmgvQJ8fBLb0pBN6xa1xkOAPpQkrBL0pEEqKFQsdJaIzDpCBGmEL0E/DfO6Dsyq+dmcFstxwfvNO84OmoD2UArb/PxZPaOowjE47GRHl68cDIi3ULKjKoMg2Q
D7zrayfc7KXP8qEO0j5Xws0nXMll6VO9Gun6k9yaXkEvrFjfLucqIErd7eLtRvDFwcfw0VdflSdmfEz/NkV8kFpXm7iopTKdcwNcqjNnS1TIs=
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port8000-TCP:V=7.80%I=7%D=10/19%Time=616E50EC%P=x86_64-pc-linux-gnu%r(N
SF:ULL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernelPORT 80 (HTTP)
On visit the web server it will be redirected to a domain name so let’s add this to our /etc/hosts file
After adding the domain name the web site will be loaded
We don’t find anything interesting other than this , which is telling us to connect to port 8000 where we can use ssh client to kinda chat around with people and this tools name is devzat
So we can chat around with this , do some fun stuff like changing clolors , sneding emojis , playing tic tac toe , hangman and etc.
There wasn’t anything that we can do here so I moved on and started running gobuster for fuzzing files and directories and wfuzz to finding subdomains. Gobuster only returned html template files
But from wfuzz I found a subdomain pets
So again let’s add this to our hosts file
We can see here that there’s a list pets here and if I click to delete any one of them it’s going to show that it’s not yet implemented
Other than that we can add a pet
So I tried to figure out what technology it is using , I tried to include a php file it returned me the same page without any error , tried including html file and it returned the same page again so here I thought it’s either node js or flask as we can specify routes so we would need to specify a correct route (I could be wrong here but let’s see).
In order to run gobuster here , since it would return the response no matter what we try to request for so we need to blacklist the 200 status response along with 404 , after running gobuster it showed me .git folder
We can use git dumper tool to download the folder and extract the important bits from it
After it has done downloading the files we can use git extractor to extract the files
So it’s using golang as it’s backend language and the interesting thing in this code is that there’s an os library being used which is used for reading the characteristics of the species from the directory named characteristics.
This function is being called on our input for adding pet name , so this is vulnerable to command injection
Intercept the request for adding a pet name and in species add the command like this ;id
To get a shell we can use python3 reverse shell , base64 encoded it and decode it by piping it to bash
And with python3 we can stabilize our shell to get tab completion, using bash history and clear terminal screen
We get get the private key for patrick user if we want a more stabilized shell
With ss -tulpn we can which ports are open on the machine
We have already seen port 8000 (devzat) and 5000 (pets application) , checking port 8443 I wasn’t sure what it was
But port 8086 gave me a 404 error page
So maybe we have to do some port forwarding here
I didn’t know what was on this port so I started to run gobuster and found few endpoints
On visiting /query it asks for a password but I didn't found any password so decided to intercept the request with burp suite and see what response headers I am getting
So this tells us that it’s running influx db 1.7.5 on this port , I tried to locate the folder where influxdb is but I don’t have permissions to view the contents
Privilege Escalation (Catherine)
I found an exploit for this version which bypassing authentication , there were some dependencies for this script , make sure use the requirements.txt file
The word lists that I used here was the top usernames from seclists’s github repo, after running the exploit it gives us two database , influxdb a slight different than other databases , it’s a time based database and is used in cloud , in influxdb tables are referenced as measurements , so in order to list the measurements in a database
Now here we know the measurement name is user we can list the data from it using the query select * from user
And we can get the password for Catherine
Privilege Escalation (root)
Now if we try connecting as Catherine on port 8443 we can see a conversation telling us to look into default backups directory
On running diff command on main and dev directory we can see the difference in the files
It seems that we can run the command /file which can read any file we want by providing the correct password
And in this way we can read /etc/shadow file and ssh key of root user
