HackTheBox Writeup — DevOops

Hello guys, I am Faisal Husaini. My username on HTB is "smoke".

The IP of this box is

We begin with an Nmap scan using the command nmap -sC -sV -oA devoops

# Nmap 7.70 scan initiated Wed Jun 6 02:35:31 2018 as: nmap -sV -sV -oA nmap
Nmap scan report for
Host is up (0.19s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Gunicorn 19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 6 02:36:14 2018 -- 1 IP address (1 host up) scanned in 42.71 seconds

As we see, two ports are open: port 22 running SSH and port 5000 running HTTP (Gunicorn).

HTTP Services

Now, as we see an HTTP service running on port 5000, we open this IP in a web browser and check the web application running there.

Here we see nothing interesting, so let's run dirb on it.

Now we run our dirb scan.


The dirb result shows two subdirectories, /feed and /upload.

If you face issues running dirb, it might be due to a blocked User-Agent or something similar.

Use the dirsearch tool (download it from GitHub), which has an additional parameter "-random-agents".

We try to access /feed, and we get


Nothing interesting in /feed, so we move to /upload.

Now we try to access /upload


Here we see we can upload some files. At first I thought it might have a file upload vulnerability, so I uploaded a random image file (.png, .jpeg or anything) and I got

Upload doesn’t work

And as we choose a file and then click on the Upload button, it doesn't get uploaded.

As we see, there is something written as "XML elements: Author, Subject, Content", which points directly to XXE injection, so we give it a try.

For more details on XXE, refer to the OWASP Top 10.

Below is the code which we will use to exploit the XXE:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<!-- We have edited <user> and <pass> (as referenced in the link of the XXE code) to <Author>, <Subject>, <Content>, as we
clearly see that the /upload page says "XML Elements: Author, Subject, Content", which is a clear indication to use these
as the XML tags -->
```

Result of the above XXE Code

We intercept the traffic through Burp and see the results.

Uploading our XML File (Exploit)

After choosing the exploit.xml file, which contains the XXE injection code, we click on Upload, intercept its traffic through Burp Suite and then send the request to Repeater.

Burp Interception

Sending this to Repeater and clicking Go, we get

Burp Repeater

Boom, we get the contents of the /etc/passwd file as specified in the code above. Now let's check the users listed in /etc/passwd.


As we see, there is a user named "roosa".
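The defensive counterpart to this step, added here as an example and not part of the writeup or the box's code: an upload handler for three simple fields should never hand a DOCTYPE or entity declaration to the parser, and the rejection itself is the detection signal worth logging. The <post> root element and both sample inputs are constructed assumptions.

```python
"""Hardened handler for the Author/Subject/Content upload (added example, not
the box's code). It refuses DTD/entity declarations before parsing at all."""
import re
import xml.etree.ElementTree as ET

# A three-field post never needs a DTD, so any declaration is a red flag;
# the match list doubles as the detection signal worth logging.
DECLARATION = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
FIELDS = ("Author", "Subject", "Content")

def xxe_indicators(raw):
    """Names of the DTD declarations present in the raw upload (empty if none)."""
    return [m.group(1).decode("ascii").upper() for m in DECLARATION.finditer(raw)]

def parse_upload(raw):
    """Return {field: text} for a clean upload; raise ValueError otherwise."""
    found = xxe_indicators(raw)
    if found:
        raise ValueError("rejected upload, declarations present: " + ", ".join(found))
    root = ET.fromstring(raw)  # DTD already excluded, so there is nothing to expand
    post = {}
    for name in FIELDS:
        element = root.find(name)
        if element is None:
            raise ValueError("missing element <%s>" % name)
        post[name] = (element.text or "").strip()
    return post

def accepts(raw):
    """True if the upload would be stored, False if it is rejected."""
    try:
        parse_upload(raw)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed sample inputs; the <post> root element name is an assumption.
BENIGN = (b'<?xml version="1.0"?><post><Author>smoke</Author>'
          b'<Subject>hello</Subject><Content>first post</Content></post>')
PAYLOAD = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
           b'<!DOCTYPE foo [ <!ELEMENT foo ANY >'
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
           b'<post><Author>&xxe;</Author><Subject>x</Subject><Content>x</Content></post>')

if __name__ == "__main__":
    print(parse_upload(BENIGN))
    print("payload accepted:", accepts(PAYLOAD), "indicators:", xxe_indicators(PAYLOAD))
```

The stdlib parser is only reached after the declaration check; the defusedxml package refuses entity declarations by default and is the usual drop-in for production code.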

Now we will get the SSH private key of the roosa user, as we know from the Nmap scan that SSH is open.

Below is the XML code to get the SSH private key for the "roosa" user:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa" >]>

<!-- We just replaced /etc/passwd from the previous code with /home/roosa/.ssh/id_rsa -->
```

Now we just modify the code in the Burp Repeater and click Go.

Getting SSH Key

Here we get the SSH key in the response body. Now we copy the part from -----BEGIN to -----END RSA..... and save it to a file named "id_rsa".

Remember to change the permissions of the id_rsa file to 600 using "chmod 600 id_rsa".

Now we open a terminal and connect through SSH using the command "ssh roosa@ -i id_rsa"

SSH Connection Successful

Boom!!! We are in. Now let's dig further.

The user flag was in the same directory we landed in through SSH; just type the command ls and you will see it.


Privilege Escalation

Privilege escalation was a little tough and tricky on this machine, so let's move forward to it.

There was a script in the directory, which is shown in the screenshot below.


After searching more, this wasn't useful, but then we saw two directories which were odd, i.e., work and deploy.

We found a .git folder, so let's try the git log command on it and see the results.

Running the "git log" command in the .git folder, we get

Git Log

Here we don't get anything interesting. Let's check further with the "git log -r" command and scroll down; we get

git log -r

It says "reverted accidental commit with proper key", which was the hint. After googling about "git revert" and similar topics, I found the command "git log -p -6", so let's run this command and then check the results.

After scrolling down and down, we see something like SSH keys, one of them in green and one of them in red.

The red one is the old key that the revert removed (the accidentally committed "proper key"); the green one is the key that replaced it.

So let's copy the red section and save it to a file named "id_rsa2"; this is probably the SSH key for root.

Don't forget to change the permissions of the id_rsa2 file to 600 using chmod.

Now we log in as root over SSH using the command "ssh root@ -i id_rsa2"

SSH to Root

We are now root, bingo!!

Now we get the root flag, which is in the same directory we logged into.
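The lesson behind this privilege escalation, as an added defender-side example (not from the writeup): a revert removes a key from the working tree but not from history, so anyone who can read the repository can still recover it. The function below scans git log -p output for private-key headers on added or removed lines; the SAMPLE text, commit hash, path and key bodies are constructed placeholders.

```python
"""Find private keys that a later commit removed but git history still holds
(added example, not from the writeup; SAMPLE below is constructed)."""
import re
import subprocess

COMMIT = re.compile(r"^commit ([0-9a-f]{7,40})")
DIFF_FILE = re.compile(r"^diff --git a/(\S+) b/")
KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def find_keys_in_history(log_output):
    """Return (commit, path, 'added'|'removed') for each hunk line with a key header.
    'removed' is the dangerous case: gone from the tree, still readable by anyone
    with the repo, which is exactly how the reverted key on this box was recovered."""
    hits, commit, path = [], None, None
    for line in log_output.splitlines():
        m = COMMIT.match(line)
        if m:
            commit = m.group(1)
            continue
        m = DIFF_FILE.match(line)
        if m:
            path = m.group(1)
            continue
        # Keep '+'/'-' hunk lines only and skip the '--- a/x' / '+++ b/x' file headers;
        # a removed key header arrives as '------BEGIN ...' (diff marker plus five dashes).
        if not line or line[0] not in "+-" or line.startswith(("--- ", "+++ ")):
            continue
        if KEY_HEADER.search(line):
            hits.append((commit, path, "added" if line[0] == "+" else "removed"))
    return hits

def scan_repo(repo="."):
    """Same check over a real repository (needs git on PATH); any hit means rotate the key."""
    log = subprocess.run(["git", "-C", repo, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return find_keys_in_history(log)

# Constructed 'git log -p' text; hash, path and key bodies are placeholders.
SAMPLE_COMMIT = "0" * 39 + "2"
SAMPLE = f"""\
commit {SAMPLE_COMMIT}
    reverted accidental commit with proper key
diff --git a/deploy/placeholder.key b/deploy/placeholder.key
--- a/deploy/placeholder.key
+++ b/deploy/placeholder.key
@@ -1,3 +1,3 @@
------BEGIN RSA PRIVATE KEY-----
-PLACEHOLDER_KEY_BODY_REMOVED_BY_THE_REVERT
------END RSA PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+PLACEHOLDER_REPLACEMENT_KEY_BODY
+-----END RSA PRIVATE KEY-----
"""
```

Rewriting history after a hit is not enough once the repository has been cloned or deployed; the key has to be rotated.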


This machine was very cool; getting user was easy but root was very tough for me.

XXE Injection → Low Privileges

Git → Root Privileges


XXE Injection Exploitation → https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover
