Hackthebox Walkthrough — DevOops
I have been taking the PWK course and preparing for the OSCP exam recently. I got a lot of inspiration from many Hackthebox machines besides the PWK labs. So I decided to start writing some Hackthebox retired machine walkthroughs (inspired by hackingarticles, infosec, ippsec's YouTube videos, etc. Thanks for all of these amazing Penetration Testing materials!)
Target: 10.10.10.91
Local IP:10.10.14.13
Nmap Enumeration:
nmap reveals that ports 22 and 5000 are open. These services are OpenSSH and Gunicorn.
Since port 5000 provides an HTTP service, let's browse the website and run dirb to fuzz for directories.
We get an under-construction page.
Run dirsearch
and we get two directories: /feed and /upload.
Since the /upload page lets us upload XML files, this reminds me of XML External Entity (XXE) vulnerabilities.
Googling a bit about XXE, we find a way to exploit this:
create an XML file and upload it (while intercepting the request with Burp Suite).
Send the intercepted request to Repeater.
We can extract the /etc/passwd file,
and we find out there is a user roosa on the box.
Let's see if we can retrieve the SSH RSA key:
modify our XML payload,
and we get the RSA login key.
Save it to a file on our machine,
change the permissions of roosa-key and log in with the key through SSH.
Grab our first flag, user.txt!
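The root cause above is an upload handler that parses attacker-supplied XML with entities enabled. As an added example (not code from the box or the walkthrough), here is how the upload boundary should look on the defending side: any DTD or entity declaration is rejected before the document reaches the parser. The feed element names and the two sample uploads are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD construct in an upload is rejected outright; a blog feed has no
# legitimate need for DOCTYPE or ENTITY declarations, and refusing them also
# covers internal-entity expansion (not only the external "file://" case).
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class UnsafeXMLError(ValueError):
    """Raised when an upload carries DTD/entity constructs."""

def reject_dtd(data: bytes) -> None:
    m = DTD_MARKER.search(data)
    if m:
        raise UnsafeXMLError(f"DTD construct {m.group(0)!r} at byte {m.start()}")

def parse_feed_upload(data: bytes) -> dict:
    """Validate, then parse the upload into a flat {tag: text} mapping."""
    reject_dtd(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "").strip() for child in root}

def is_accepted(data: bytes) -> bool:
    """True if the upload passes the guard, False if it was rejected."""
    try:
        parse_feed_upload(data)
        return True
    except UnsafeXMLError:
        return False

# Constructed samples (hypothetical feed schema, not the box's real format).
BENIGN = b"""<?xml version="1.0"?>
<feed><title>hello</title><body>first post</body></feed>"""

XXE_SHAPED = b"""<?xml version="1.0"?>
<!DOCTYPE feed [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>
<feed><title>&ext;</title><body>x</body></feed>"""

if __name__ == "__main__":
    print(parse_feed_upload(BENIGN))
    print("XXE-shaped upload accepted?", is_accepted(XXE_SHAPED))
```

Logging the rejected byte offset and marker gives the SOC a cheap detection signal for the same probing the walkthrough performs.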
Now let's work on privilege escalation for the root flag.
Examine the files and directories on the target machine to see where we can find any clues.
There is a run-blogfeed.sh script; open it and we find a few words.
cd /home/roosa/work/blogfeed
and cat the run-gunicorn.sh file.
We find a git directory here.
Run git log to examine the commit history.
We get a few strings. Checking some of them, it seems to be an SSH RSA login key.
The correct RSA key is the one highlighted in red. Let's copy it and save it as a root-key file.
Change the permissions of root-key as we did before and log in through SSH as user root.
Now let's grab our final root flag!