# Devoops

## Gaining Access

Nmap scan:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-f9d6d240fae8a79667a9bcd66ee4a6d13182ffaa%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

There's only one port open on this machine.

### XXE Injection

On port 5000, this is what we see:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-c354755fde51524e0338d0da8af916cbdaca161c%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We can use `gobuster` on this to find more directories.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-df2cd3d1fd268700d346b32368064247043de6fc%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

`/feed` would bring us here:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-29101f2a10a48bcca30fb93dc1d5976dab1a3196%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

XML Injection is pretty helpful, and I noticed that when we upload a file using this API, a POST request would be sent to the `/upload` directory with HTTP form data.

However, trying to send any XML files that I created results in an Internal Server Error message being returned. Turns out, there are specific elements that we need to use for this endpoint:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-46394e7a8b35409eea9f999c1446edb66bf3d28d%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

With these, we can wrap them in another tag and start getting successful uploads through.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-7cbf8a5b39880307c39974e443c845580e0d6fc2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

From this, we identified that we have a user called `roosa`. Then, we can attempt some basic XXE LFI payloads to read the user's private SSH key.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-bf5cd7d89fc4a5039b011c36572448f001b693b4%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Afterwards, we can simply SSH into the machine.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d3400f969e09f7198752fab5df4c85af76f8af72%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Git Logs

When checking the `id` of this user, we see that we are part of the `sudo` group.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1e3ab4af11a5e2046174e410ac939ceeb6a68d40%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Within the home directory of the user, we also find some Git repository files.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-49ac15944d6c8db5f9ed7162cd3840e920df5dfb%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Using `find /home -name .git`, we can find the specific location of the Git repository to read its logs.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-74f563b6b964b8197d8d73d92deabd315c0f0f05%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

After heading to that directory, we would find an SSH key after using `git log -p -2`:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-cce020f2e73e72965b81911dbc4a5daadbed2e52%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9df1381b170eeb25a229443cb28fd22042c13573%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Surprisingly, this was the root SSH key.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-639ccb86e82d501e19c18020f53eccc6169f52a5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
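The key was recoverable because a commit's patch stays in history even after a later commit deletes the file. As an added example (not part of the original writeup), the following parses `git log -p` output and reports every commit and file where a PEM private key header was added or removed; the embedded log, hashes and paths are constructed placeholders.

```python
import re

# Constructed, trimmed sample of `git log -p` output. Hashes, paths and the
# key body are placeholders, not values from the machine in this writeup.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    remove key that was committed by mistake

diff --git a/deploy/id_key b/deploy/id_key
--- a/deploy/id_key
+++ /dev/null
@@ -1,2 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-(placeholder, not key material)

commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add deploy key

diff --git a/deploy/id_key b/deploy/id_key
--- /dev/null
+++ b/deploy/id_key
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(placeholder, not key material)
"""

COMMIT = re.compile(r"^commit ([0-9a-f]{7,64})\b")
FILE = re.compile(r"^diff --git a/(.+) b/(.+)$")
KEY = re.compile(r"^([+-])-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

def find_key_exposures(log_text):
    """Return (commit, path, 'added'|'removed') for each key header in a patch."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if m := COMMIT.match(line):
            commit, path = m.group(1), None   # new commit: reset current file
        elif m := FILE.match(line):
            path = m.group(2)                 # file the following hunks touch
        elif (m := KEY.match(line)) and commit:
            findings.append((commit, path, "added" if m.group(1) == "+" else "removed"))
    return findings

def still_recoverable(findings):
    """Paths where a key was ever added; a later removal does not purge history."""
    return sorted({path for _, path, action in findings if action == "added"})
```

Any path returned by `still_recoverable` means the key must be rotated and the history rewritten or the repository retired; deleting the file in a new commit is not enough.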
