HTB-Devzat 10.10.11.118

Initial Scanning

# Nmap 7.91 scan initiated Wed Nov 17 16:11:05 2021 as: nmap -Pn -sCV -p22,80,8000 -oN nmap/Basic_10.10.11.118.nmap 10.10.11.118
Nmap scan report for 10.10.11.118
Host is up (0.18s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
| 256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_ 256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
| ssh-hostkey:
|_ 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.91%I=7%D=11/17%Time=6194B920%P=x86_64-pc-linux-gnu%r(N
SF:ULL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 17 16:11:48 2021 -- 1 IP address (1 host up) scanned in 43.50 seconds

The interesting ports are 80 and 8000: port 80 hosts a normal web service, while the service on port 8000 (identified by nmap as a Go SSH server) cannot be viewed in a browser directly.

Enum The Web Service

An additional hosts entry needs to be added in order to view the HTTP service.

vim /etc/hosts

10.10.11.118 devzat.htb

Port 8000 hosts an SSH-based online chat room.

After some basic enumeration of the SSH chat room, nothing much of interest turned up.

Time for some more web enumeration.

Sub-domain Enum

wfuzz -c -u "http://devzat.htb" -H "Host: FUZZ.devzat.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hc 302

http://pets.devzat.htb

Enum on the new web application

It has two input boxes: the pet’s name and the pet’s species.

Nothing happens when the submit button is clicked.

Let’s do more enumeration on the web application.

Because every path requested during directory brute-forcing returns HTTP 200, the usual directory brute-forcing tools do not work here, so wfuzz is used instead.

http://pets.devzat.htb/.git has been found.

Manually enumerating the .git directory is tedious, so a tool is needed.

https://github.com/internetwache/GitTools

The tool above can download the exposed .git content and rebuild it into a usable git repository.

https://stackoverflow.com/questions/29217859/what-is-the-git-folder

The .git folder contains the complete commit history and objects, which is enough to reassemble the entire git repository.

bash gitdumper.sh http://pets.devzat.htb/.git/ /root/HTB/10.10.11.118/git

bash extractor.sh /root/HTB/10.10.11.118/git/ /root/HTB/10.10.11.118/git-decrypt/

As the snapshot below shows, main.go builds a command line with exec.Command by concatenating user input into it, which results in a command injection vulnerability.
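The pattern the writeup describes, and the hardened form a defender would want, as an added example (constructed here, not the pets application’s own main.go; the exact original line is not reproduced, and the `characteristics/<species>` file layout and species list are assumptions):

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Constructed stand-in for the vulnerable pattern: the species value from the
// request is concatenated into a shell command line. Anything the shell treats
// specially in `species` (;, |, $(), backticks) is interpreted, so the request
// body controls what gets executed.
func vulnerableLookup(species string) *exec.Cmd {
	return exec.Command("sh", "-c", "cat characteristics/"+species)
}

// speciesPattern is a strict allow-list: lowercase letters only, bounded length.
var speciesPattern = regexp.MustCompile(`^[a-z]{1,32}$`)

// knownSpecies limits lookups to files the application actually ships
// (constructed list; the real app's species are not reproduced here).
var knownSpecies = map[string]bool{"cat": true, "dog": true, "bluewhale": true}

// safeLookup validates the input against the allow-list and never invokes a
// shell: the path is passed as a single argv element, so shell metacharacters
// and traversal sequences are inert or rejected before any process is spawned.
func safeLookup(species string) (*exec.Cmd, error) {
	if !speciesPattern.MatchString(species) || !knownSpecies[species] {
		return nil, fmt.Errorf("rejected species value %q", species)
	}
	return exec.Command("cat", "characteristics/"+species), nil
}

func main() {
	hostile := "cat; extra" // constructed input carrying a shell metacharacter
	fmt.Printf("vulnerable argv: %q\n", vulnerableLookup(hostile).Args)
	if _, err := safeLookup(hostile); err != nil {
		fmt.Println("hardened:", err)
	}
	cmd, _ := safeLookup("cat")
	fmt.Printf("hardened argv:   %q\n", cmd.Args)
}
```

Neither function is executed here; comparing the two argv slices is enough to see why the shell-free form cannot be steered by the input.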

Burp Suite can be used to craft the HTTP request.

The command executed successfully: the attacker machine received the ICMP packets.

Generate the command line.
Note: some special characters cause problems with HTTP encoding, so the payload is base64-encoded.

Using linpeas.sh, the SSH id_rsa private key was found.

Login via the id_rsa key.

Using ps -auxww we spotted the relevant process: a Docker container running in the background, with its port 8086 forwarded to localhost:8086.

Port 8086 is forwarded to the attacking machine using chisel.

Pivoting

Server-side

./chisel server --reverse 0.0.0.0

Client-side

./chisel client 10.10.14.28:8080 R:127.0.0.1:8086:127.0.0.1:8086

Directory scanning on port 8086.

It’s running InfluxDB.

There is a public exploit for InfluxDB.

It’s essentially a web-based database, queried over HTTP.

https://docs.influxdata.com/influxdb/v1.8/query_language/explore-schema/#show-measurements

Running linpeas.sh again, an interesting file was found in /var/backups.

Comparing the code:

A new file function has been added, and it contains a hardcoded password.

Port 8443 is also listening and is again a Devzat SSH port; it is very likely the dev version of Devzat.

if pass != "CeilingCatStillAThingIn2021?"

Done

Problem Found

  • Source Code Disclosure

http://pets.devzat.htb/.git/

Sensitive information (the application source) has been exposed to the public internet.

  • Command Injection in source code

  • id_rsa stored in .ssh

The id_rsa key is stored in the .ssh directory; an attacker can use it for lateral movement or to upgrade their communication channel.

  • Use of a vulnerable application (InfluxDB)

  • Use of hard-coded credentials in source code