add extract_ctf_writeup as a new pattern #938

Merged (1 commit), Sep 12, 2024

Conversation

@mrtnrdl (Contributor) commented Sep 9, 2024

What this Pull Request (PR) does

I've recently started to use this as a way to decide if I want to invest the time and watch a full video, e.g. of IPPSEC doing a Hack The Box machine.

Example output

Source: https://www.youtube.com/watch?v=tQ34Ntkr7H4v

## SUMMARY

In this Hack The Box walkthrough, IPSec demonstrates exploiting a DevOps-themed box, highlighting common developer mistakes. The main vulnerabilities include an XML External Entity (XXE) injection and an exposed SSH key, which allowed unauthorized access to the system. Learnings include the importance of securing sensitive files and validating file uploads.

## VULNERABILITIES

- **Local File Inclusion (LFI) via XXE Injection**: No specific CVE mentioned.
- **Exposed SSH Key**: No specific CVE mentioned.
- **Insecure Direct Object Reference (IDOR)**: No specific CVE mentioned.
- **Unintended SSH Key in Git History**: No specific CVE mentioned.

## TIMELINE

- **Initial Scanning**
  - `nmap -sC -sV -oA nmap/DevOps 10.10.10.91`
  - Ports found: 22 (SSH), 5000 (HTTP)

- **HTTP Enumeration**
  - Accessed `http://10.10.10.91:5000`
  - Found `/feed` endpoint returning an image
  - Ran GoBuster: `gobuster -u http://10.10.10.91:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log`
  - Found `/upload` endpoint

- **Exploit XXE Injection**
  - Uploaded XML file with XXE payload to `/upload`
  - Used payload to read `/etc/passwd` and other files

- **Source Code Analysis**
  - Read `feed.py` via XXE
  - Identified vulnerable `pickle` deserialization

- **Pickle Exploitation**
  - Created exploit script using Python pickle to get a reverse shell
  - `nc -lvnp 9001` to catch the reverse shell

- **Privilege Escalation**
  - Found SSH key in `/home/russa/.ssh/id_rsa`
  - SSH into the box as `russa`
  - Found another SSH key in the git history
  - SSH into the box as `root` using the key from git history

## REFERENCES

- **Tools Used**
  - `nmap`
  - `gobuster`
  - `burpsuite`
  - `nc (netcat)`
  - `git`
  - `python`
  - `pen-test-monkey reverse shell cheat sheet`

- **Websites and Resources**
  - Hack The Box: https://www.hackthebox.eu
  - Pen Test Monkey Reverse Shell Cheat Sheet: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  - GitHub Payloads: https://github.com/swisskyrepo/PayloadsAllTheThings

@danielmiessler danielmiessler merged commit ae4459b into danielmiessler:main Sep 12, 2024
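The pattern's fixed four-section layout (SUMMARY, VULNERABILITIES, TIMELINE, REFERENCES) makes its output easy to post-process, for example to triage many writeups at once. The following parser is an added example, not code from this PR or from the fabric project: it structures output in the format shown above, pulls any CVE ids out of the vulnerability notes, and rejects output that is missing a required section. The abbreviated sample is constructed inline and the regexes assume the heading and bullet conventions shown in the example output.

```python
import re
# Constructed sample: an abbreviated copy of the pattern's example output above.
SAMPLE = """## SUMMARY
The main issues are an XXE injection and an exposed SSH key.
## VULNERABILITIES
- **Local File Inclusion (LFI) via XXE Injection**: No specific CVE mentioned.
- **Exposed SSH Key**: No specific CVE mentioned.
## TIMELINE
- **Initial Scanning**
  - Ports found: 22 (SSH), 5000 (HTTP)
- **Privilege Escalation**
  - Found SSH key in `/home/russa/.ssh/id_rsa`
  - SSH into the box as `russa`
## REFERENCES
- **Tools Used**
"""

REQUIRED = ("SUMMARY", "VULNERABILITIES", "TIMELINE", "REFERENCES")
HEADING = re.compile(r"^##\s+(\S.*?)\s*$")         # ## SECTION
VULN = re.compile(r"^-\s+\*\*(.+?)\*\*:\s*(.*)$")   # - **Name**: note
PHASE = re.compile(r"^-\s+\*\*(.+?)\*\*\s*$")       # - **Phase**
STEP = re.compile(r"^\s+-\s+(.+?)\s*$")             # nested "  - step"

def split_sections(text):
    """Map each '## HEADING' (upper-cased) to the lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := HEADING.match(line):
            current = m.group(1).upper()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_writeup(text):
    """Structure the pattern's output; reject output missing a required section."""
    sections = split_sections(text)
    if missing := [s for s in REQUIRED if s not in sections]:
        raise ValueError(f"pattern output is missing sections: {missing}")
    vulns = [{"name": m.group(1), "cves": re.findall(r"CVE-\d{4}-\d{4,7}", m.group(2))}
             for line in sections["VULNERABILITIES"] if (m := VULN.match(line))]
    phases = []
    for line in sections["TIMELINE"]:
        if m := PHASE.match(line):
            phases.append({"phase": m.group(1), "steps": []})
        elif (m := STEP.match(line)) and phases:
            phases[-1]["steps"].append(m.group(1))
    return {"summary": " ".join(l.strip() for l in sections["SUMMARY"] if l.strip()),
            "vulnerabilities": vulns, "timeline": phases}
```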