Machine Synopsis
Devzat is a medium Linux machine that features a web server and the `Devzat` chat application. Enumerating the web server reveals a new vhost called `pets`. The `pets` vhost has a `.git` directory with listing enabled, providing access to the source code of `pets`. Reviewing the source code reveals a command injection vulnerability that allows an attacker to gain a reverse shell as the user `patrick`. After logging in to the `Devzat` chat application as `patrick` on the remote machine, the chat history between `patrick` and `admin` reveals that `InfluxDB` is installed on the remote system. Enumerating `InfluxDB` shows that the installed version is vulnerable to [CVE-2019-20933](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933), an authentication bypass vulnerability. By exploiting this vulnerability, an attacker is able to dump the contents of `InfluxDB`, revealing the password of the user `catherine`. After switching from `patrick` to `catherine` and logging in to the Devzat chat application as `catherine`, the chat history between the two reveals that a `dev` application is running on the remote machine and that its source code is located in the `backups` of `catherine`. Reviewing the source code of the `dev` service reveals that it is the same Devzat chat application with an extra authenticated command to include files in the chat. The credentials to perform this action are hard-coded in the source code and the command is vulnerable to LFI. This means that `catherine` can log in to the `dev` chat, dump the contents of the SSH key of `root` and ultimately gain a shell as `root` on the remote machine using the SSH key.