[ Hack The Box ] Devzat — Writeup

Ghi
Mar 14, 2022

First things first: we start with an nmap scan.

There are 3 open ports: 22, 80 and 8000.

Running Gobuster against the box, we have the following result:

I used ffuf to filter out response size 510 with -fs and found a git repo.

Navigating to the website and scrolling down, we find an instruction:

After adding devzat.htb to /etc/hosts, I tried to poke around the chat server, but oh well, after almost an hour I still couldn’t do anything.

Let’s continue with the subdomain we found before.

Remember the Git repo we found before? I downloaded it using git-dumper. After reading through it, I found the following code inside the file named main.go that is vulnerable to command execution:

Set up a listener:

I used Burp Suite to do the injection.

Now we are in as patrick.

Running netstat, we can see that a few ports are open:

I used chisel for port forwarding. You can use SSH port forwarding too.

Download chisel to the machine:

Scanning the port with nmap reveals it’s running InfluxDB.

A quick Google search shows that InfluxDB has a known exploit, CVE-2019-20933; you can get the exploit here.

I didn’t know InfluxDB syntax, so I struggled a lot to get used to it. You can read more about InfluxDB here:

(:

Somehow I could not log in over SSH as catherine with the password 😅 But we can use the su command to log in as catherine in the reverse shell from earlier, or you can get Patrick’s SSH key and then log in as catherine with su:

Now we can get the user flag:

In /var/backups, we find 2 backup files of devzat. I downloaded them by starting a Python server on the machine and then using wget to save them.

After unzipping them, we can use the diff command to find the differences between the 2 folders:

There is a chat server running on port 8443 that has a /file command, which requires a password:

With a simple path traversal I can get the root flag and the root SSH key.

Now we are root!
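The /file path traversal above is the kind of bug that a containment check on the resolved path prevents. As an added example (not Devzat's code and not part of the original post), here is a Go helper that only reads files resolving inside a base directory; the names readInside, within and ErrOutsideBase are hypothetical:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase marks a request that resolves outside the served directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// within reports whether target is base itself or lies beneath it.
func within(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// readInside (hypothetical helper) reads userPath only if it stays inside base.
func readInside(base, userPath string) ([]byte, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return nil, err
	}
	realBase, err := filepath.EvalSymlinks(absBase)
	if err != nil {
		return nil, err
	}
	// Join cleans the path, so ".." elements are collapsed before the check.
	candidate := filepath.Join(realBase, userPath)
	if !within(realBase, candidate) {
		return nil, ErrOutsideBase
	}
	// A symlink inside base can still point elsewhere; check the real target too.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return nil, err
	}
	if !within(realBase, resolved) {
		return nil, ErrOutsideBase
	}
	return os.ReadFile(resolved)
}

func main() {
	_, err := readInside(os.TempDir(), "../outside.txt") // constructed request
	fmt.Println(err)
}
```

The check and the read are separate steps, so this assumes the directory tree is not being changed concurrently by an untrusted party.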
