# DevOops Writeup ![](img/28.png) ## Introduction : DevOops is a Medium linux box released back in June 2018. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. λ nihilist [ 10.10.14.11/23 ] [~] → nmap -F 10.10.10.91 --top-ports 10000 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 09:57 GMT Nmap scan report for 10.10.10.91 Host is up (0.050s latency). Not shown: 8318 closed ports PORT STATE SERVICE 22/tcp open ssh 5000/tcp open upnp Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds λ nihilist [ 10.10.14.11/23 ] [~] → nmap -sCV -p22,5000 10.10.10.91 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 09:57 GMT Nmap scan report for 10.10.10.91 Host is up (0.039s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA) | 256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA) |_ 256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519) 5000/tcp open http Gunicorn 19.7.1 |_http-server-header: gunicorn/19.7.1 |_http-title: Site doesn't have a title (text/html; charset=utf-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 5000 running http Gunicorn 19 so let's investigate it with dirsearch: λ nihilist [ 10.10.14.11/23 ] [~] → dirsearch -u http://10.10.10.91:5000/ -e txt,php,html,xml -x 403 -t 100 ` ![](prg/28_001.png) Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.md), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file: ![](prg/28_002.png) What we just did was creating an infected xml file, uploaded it, and intercepted the request with burpsuite, so that we can send it to the repeater (CTRL+R) and then modify it and send it repeatedly: ![](prg/28_003.png) And we get code execution ! we have been able to find the user "roosa" so let's try to print out her flag : ![](prg/28_004.png) And that's it ! we have been able to print out the user flag. ## **Part 3 : Getting Root Access** Now that we know we can print out roosa's files, let's print out her private ssh key (/home/roosa/.ssh/id_rsa): ![](prg/28_005.png) Then we basically save it locally, change it's permissions correctly, and log into the box as the user roosa via the ssh port that our nmap scan picked up earlier. λ nihilist [ 10.10.14.11/23 ] [~/_HTB/DevOops] → nano pkey λ nihilist [ 10.10.14.11/23 ] [~/_HTB/DevOops] → chmod 600 pkey λ nihilist [ 10.10.14.11/23 ] [~/_HTB/DevOops] → ssh -i pkey roosa@10.10.10.91 The authenticity of host '10.10.10.91 (10.10.10.91)' can't be established. ECDSA key fingerprint is SHA256:hbD2D4PdnIVpAFHV8sSAbtM0IlTAIpYZ/nwspIdp4Vg. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.91' (ECDSA) to the list of known hosts. Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 135 packages can be updated. 60 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. roosa@gitter:~$ uname -a Linux gitter 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:02:25 UTC 2018 i686 athlon i686 GNU/Linux From there we navigate around and we stumble upon an interesting directory /home/roosa/work/blogfeed which contains a .git folder for us to enumerate: roosa@gitter:~$ ls deploy Downloads Pictures service.sh user.txt Desktop examples.desktop Public service.sh~ Videos Documents Music run-blogfeed.sh Templates work roosa@gitter:~$ cd work roosa@gitter:~/work$ ls blogfeed roosa@gitter:~/work$ cd blogfeed roosa@gitter:~/work/blogfeed$ ls README.md resources run-gunicorn.sh src roosa@gitter:~/work/blogfeed$ ls -lash total 28K 4.0K drwxrwx--- 5 roosa roosa 4.0K Mar 21 2018 . 4.0K drwxrwxr-x 3 roosa roosa 4.0K Mar 21 2018 .. 4.0K drwxrwx--- 8 roosa roosa 4.0K Mar 26 2018 .git 4.0K -rw-rw---- 1 roosa roosa 104 Mar 19 2018 README.md 4.0K drwxrwx--- 3 roosa roosa 4.0K Mar 19 2018 resources 4.0K -rwxrw-r-- 1 roosa roosa 180 Mar 21 2018 run-gunicorn.sh 4.0K drwxrwx--- 2 roosa roosa 4.0K Mar 26 2018 src Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.md) but this time we specify the -p flag in order to list the changes under each commit: roosa@gitter:~/work/blogfeed$ git log -p And right under commit **d387abf63e05c9628a59195cec9311751bdb283f** we see another private key for us to use : ![](prg/28_006.png) So we save the key locally , give it the proper permissions and use it to login as root via ssh onto the box : λ nihilist [ 10.10.14.24/23 ] [~/_HTB/DevOops] → nano pkey_root λ nihilist [ 10.10.14.24/23 ] [~/_HTB/DevOops] → chmod 600 pkey_root λ nihilist [ 10.10.14.24/23 ] [~/_HTB/DevOops] → ssh -i pkey_root root@10.10.10.91 Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 135 packages can be updated. 60 updates are security updates. Last login: Mon Mar 26 06:23:48 2018 from 192.168.57.1 root@gitter:~# whoami root root@gitter:~# cat /root/root.txt d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it ! we have been able to print out the root flag on the box. ## **Conclusion** Here we can see the progress graph : ![](img/28_graph.png)