Today we are going to solve another CTF challenge, "DevOops". DevOops is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Medium
Task: To find the user.txt and root.txt files
Note: Since these labs are available online, they have a static IP. The IP of DevOops is 10.10.10.91
Walkthrough
Let's start off with our basic nmap command to find out the open ports and services.
nmap -p- -A 10.10.10.91 --open
From the Nmap scan, we enumerated that ports 22 and 5000 are the only open ports on the target, so first let's navigate to port 5000 through a web browser. Browsing the given URL brings up the web page shown in the image below.
http://10.10.10.91:5000
Since we didn't get any remarkable clue from the home page, we opted for dirb for directory enumeration and executed the following command.
dirb http://10.10.10.91:5000
Hmm!! Here I received an HTTP 200 response for the /feed and /upload directories.
So we open http://10.10.10.91:5000/upload in the URL and are welcomed by the web page given below. This page lets you upload an XML file containing the XML elements Author, Subject and Content. For that reason, we created an XML file with the help of the following code and saved it as 1.xml.
]>
Then browse to the XML file you created and intercept the browser request with the help of Burp Suite while uploading. Now send the intercepted request to the Repeater.
Inside the XML file we have injected an XXE entity that makes a call to the /etc/passwd file, so we need to analyse its result with the help of the Repeater.
And as you can observe from the image given below, the XML code is working wonderfully and returning the content of the /etc/passwd file to us.
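As an added example, not code from the DevOops lab or from this post, here is how the upload handler could parse an Author/Subject/Content document with Python's standard expat parser while refusing the DOCTYPE that an XXE payload needs; the root element name "post" and the two sample documents are assumptions constructed for the demonstration.

```python
# Added example (not the lab's or the post's code); root element "post" is assumed.
import xml.parsers.expat as expat

FIELDS = ("Author", "Subject", "Content")


def parse_feed(xml_bytes: bytes) -> dict:
    """Return {"Author": ..., "Subject": ..., "Content": ...} for a clean upload.
    A feed never needs a DOCTYPE, and a DOCTYPE is the only place entities can be
    declared, so any DOCTYPE aborts the parse before an entity is even declared."""
    fields = {name: "" for name in FIELDS}
    open_elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted in feed uploads")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # defence in depth: tell expat to abort rather than fetch anything

    def on_chars(data):
        if open_elements and open_elements[-1] in fields:
            fields[open_elements[-1]] += data  # expat may deliver text in chunks

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: open_elements.append(name)
    parser.EndElementHandler = lambda name: open_elements.pop()
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return fields


def is_rejected(xml_bytes: bytes) -> bool:
    """True if parse_feed refuses the document."""
    try:
        parse_feed(xml_bytes)
    except ValueError:
        return True
    return False


# Constructed samples: a clean post, and one shaped like an XXE upload whose entity
# points at a nonexistent placeholder path (it is rejected before anything is read).
CLEAN_POST = b"<post><Author>roosa</Author><Subject>hi</Subject><Content>hello</Content></post>"
XXE_POST = (b'<!DOCTYPE post [<!ENTITY ext SYSTEM "file:///nonexistent/placeholder">]>'
            b"<post><Author>&ext;</Author><Subject>s</Subject><Content>c</Content></post>")
```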
Similarly, we extract the SSH RSA key by modifying the XXE entity as shown in the image below. Now copy the whole key and save it in a text file.
Since we have copied the RSA private key into a text file named "key", set its permissions to 600 and try to log in with the help of the following commands.
chmod 600 key
ssh -i key roosa@10.10.10.91
Boom!! We have spawned a shell on the target machine; let's go for the user.txt file.
cd /home
ls
cd roosa
ls
cat user.txt
Great!!! We have completed the first task, but to obtain the root.txt file we need to escalate to root privileges, and to do so we traversed many directories and files to get the next clue.
cd work
ls
cd blogfeed/
ls
cat run-gunicorn.sh
cd resource
ls
git log
And we obtain many commit strings, as shown in the following image, one of which may perhaps be an SSH key for root login.
So we try some of the commits with the git show command to display their output, and obtain an RSA private key, which did not work properly.
Finally we obtain the original RSA key, which is highlighted in red text. Now copy the red text into a file, remove the leading '-' from each line (the marker git show puts in front of removed lines), and add "-----END RSA PRIVATE KEY-----" at the end.
Since we have copied the RSA private key into a text file named "rootkey", set its permissions to 600 and try to log in with the help of the following commands.
chmod 600 rootkey
ssh -i rootkey root@10.10.10.91
ls
cat root.txt
Congrats!! We have found root.txt, and from the image below you can see we have obtained the value of root.txt.