Hack The Box: DevOops




Difficulty: Medium
Machine Creator: lokori
Tools Used: NMAP, Gobuster, Burp Suite, Python

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.91

HTTP

The first thing that I always try when I have a port where NMAP can't determine what is running is to open it in a browser.


Gobuster

The webpage does not show any useful information, so let's use gobuster to find any directories.

gobuster -u http://10.10.10.91:5000 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40



XML External Entity (XXE)





XXE & LFI

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection/Files

Now that we have the structure of the XML we can hopefully do some Local File Inclusion.
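On the defensive side, the file read described above depends on the upload parser accepting a DTD. The following is an added example, not part of the original write-up or the machine's code: a Python function that refuses any upload carrying a DOCTYPE or entity declaration before building the tree. The element names, the size limit and the `parse_upload` helper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 64 * 1024  # assumed upload size limit


class ForbiddenXML(ValueError):
    """Raised when an upload contains a construct the service refuses."""


def _reject(kind):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(kind)
    return handler


def parse_upload(data: bytes) -> dict:
    """Return {tag: text} for the root's children, refusing any DTD."""
    if len(data) > MAX_BYTES:
        raise ForbiddenXML("upload too large")
    # Pass 1: walk the document with expat; no DTD may be declared at all.
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    checker.EntityDeclHandler = _reject("entity declaration")
    checker.ExternalEntityRefHandler = _reject("external entity reference")
    try:
        checker.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    # Pass 2: the document is DTD-free, so build the tree normally.
    root = ET.fromstring(data)
    return {child.tag: (child.text or "").strip() for child in root}


# Constructed sample uploads (hypothetical element names).
BENIGN = b"<post><title>hello</title><body>first entry</body></post>"
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE post [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<post><title>&ext;</title><body>x</body></post>"
)

if __name__ == "__main__":
    print(parse_upload(BENIGN))
    try:
        parse_upload(WITH_DTD)
    except ForbiddenXML as err:
        print("rejected:", err)
```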





When we run the python script, it returns a base64 encoded hash that we can use in our XXE.

Reverse shell

nc -lvnp 1337




python -c 'import pty; pty.spawn("/bin/sh")'

User.txt


Privilege Escalation









When trying to find the original posting, I’m getting an error; we need to fix this shell.


I was able to find an ssh key for Roosa.






Root.txt



