HackTheBox Writeup — DevOops

Hello guys, I am Faisal Husaini. My username on HTB is "smoke".

NMAP Results

# Nmap 7.70 scan initiated Wed Jun 6 02:35:31 2018 as: nmap -sV -sV -oA nmap
Nmap scan report for
Host is up (0.19s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Gunicorn 19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As we see, two ports are open: port 22 running SSH and port 5000 running HTTP (Gunicorn).

HTTP Services

Now, as we see an HTTP service running on port 5000, we open this IP in a web browser and check the web application running there.

Here we see nothing interesting, so let's run dirb on it.



The dirb result shows two subdirectories: /feed and /upload.

If you face issues running dirb, it might be due to a blocked User-Agent or something similar.

Use the dirsearch tool (download it from GitHub), which has the additional parameter "--random-agents".



Nothing interesting in /feed, so we move to /upload.



Here we see that we can upload some files. At first I thought it might have a file upload vulnerability, so I uploaded a random image file (.png, .jpeg or anything) and got:

Upload doesn’t work

When we choose a file and click on the Upload button, it doesn't get uploaded.

But we see something written on the page, "XML elements: Author, Subject, Content", which points directly at XXE injection, so we give it a try.

XXE Injection

Below is the code which we will use to exploit the XXE:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<!-- root element foo as declared in the DOCTYPE above; the entity is referenced from Author, the other two fields are filler -->
<foo><Author>&xxe;</Author><Subject>test</Subject><Content>test</Content></foo>

<!-- We have edited <user> and <pass> (as used in the linked XXE example) to <Author>, <Subject>, <Content>, because the /upload page clearly says "XML Elements: Author, Subject, Content", which is a clear indication to use these as the XML tags -->

Result of the above XXE code

We intercept the traffic through Burp and see the results.

Uploading our XML file (exploit)

After choosing the exploit.xml file which contains the XXE injection code, we click on Upload, intercept its traffic through Burp Suite and then send the request to Repeater.

Burp Interception

Sending this to Repeater and clicking Go, we get:

Burp Repeater

Boom, we get the contents of the /etc/passwd file, as specified in the code above. Now let's check the users listed in /etc/passwd.
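The root cause here is an XML parser that processes an attacker-supplied DTD. The fix on the server side is to refuse DTDs (and external entity references) before a single entity can be declared. The example below is added here and is not the box's own code or the author's; it uses Python's standard-library expat binding with hypothetical function names, constructed sample uploads of the same shape as the payload above (a harmless feed entry and an XXE attempt), and shows the XXE upload being rejected while the benign one still yields the three fields the upload form asks for.

```python
import xml.parsers.expat

# Constructed sample inputs (not captured from the box): the first has the same
# shape as the writeup's XXE payload, the second is a harmless feed entry.
XXE_UPLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo><Author>&xxe;</Author><Subject>x</Subject><Content>x</Content></foo>"""

BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<foo><Author>roosa</Author><Subject>hello</Subject><Content>first post</Content></foo>"""

FIELDS = ("Author", "Subject", "Content")  # the elements the upload form asks for


class DtdRejected(ValueError):
    """Raised when an upload carries a DOCTYPE (and hence could declare entities)."""


def parse_feed_upload(data: bytes) -> dict:
    """Extract Author/Subject/Content from an uploaded XML document.

    Hardening: any DOCTYPE aborts the parse before an entity can be declared,
    external entity references are refused, and parameter entities are never
    expanded.  Hypothetical function, not the application's real parser.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver contiguous text in one callback
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    fields = {}
    open_elements = []  # stack of element names currently open

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Uploads never legitimately need a DTD, so reject it outright.
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in uploads")

    def external_entity(context, base, system_id, public_id):
        return 0  # returning 0 makes expat fail the parse instead of resolving the entity

    def start_element(name, attrs):
        open_elements.append(name)
        if name in FIELDS:
            fields[name] = ""

    def char_data(text):
        if open_elements and open_elements[-1] in FIELDS:
            fields[open_elements[-1]] += text

    def end_element(name):
        open_elements.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return fields


def upload_is_safe(data: bytes) -> bool:
    """True if the document parses without a DTD, False if it was rejected."""
    try:
        parse_feed_upload(data)
        return True
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_feed_upload(BENIGN_UPLOAD))
    print("XXE upload accepted?", upload_is_safe(XXE_UPLOAD))
```

The same rule applies to whatever library the application really uses: turn off DTD loading and entity resolution (in lxml, `resolve_entities=False` and `no_network=True`; with defusedxml the defaults already do this), and log rejected uploads so an XXE attempt like the one above shows up in monitoring rather than in a file read.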


As we see, there is a user named "roosa".

Now we will get the SSH private key of the roosa user, as we know from the nmap scan that SSH is open.

Below is the XML code to get the SSH private key for the "roosa" user:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa" >]>
<foo><Author>&xxe;</Author><Subject>test</Subject><Content>test</Content></foo>

<!-- We just replaced /etc/passwd in the previous code with /home/roosa/.ssh/id_rsa -->

Now we just modify the code in Burp Repeater and click Go.

Getting SSH Key

Here we get the SSH key in the response body. Now we copy the part from the -----BEGIN line to the -----END RSA... line and save it to a file named "id_rsa".

Then change the permissions of the id_rsa file to 600 using "chmod 600 id_rsa", otherwise ssh refuses to use a private key that is readable by others.

Login Through SSH

Now we open a terminal and connect through SSH using the command "ssh -i id_rsa roosa@<target-ip>" (the box IP is omitted in the original; substitute yours).

SSH Connection Successful

Boom!!! We are in. Now let's dig further.

Getting User Flag


Privilege Escalation

Searching and searching for some clues


After searching more, this wasn't useful, but then we saw two directories which were odd, i.e. work and deploy.

We found a .git folder, so let's try the git log command on it and see the results.

Git Log


Here we don't get anything interesting, so let's check further with the "git log -r" command and scroll down; we get:

git log -r

It says "reverted accidental commit with proper key", which was the hint. After googling "git revert" and related topics, I found the command "git log -p -6", which shows the diffs of the last six commits. So let's run this command and check the results.

After scrolling down and down, we see something like SSH keys, one of them in green and one of them in red.

The red one was the old key which was accidentally committed and then reverted to the new one (in green). A revert only adds a new commit on top; the old key stays in the history and remains fully recoverable.

So let's copy the red section and save it to a file named "id_rsa2"; this is probably the SSH key for root.

Don't forget to change the permissions of the id_rsa2 file to 600 using chmod.
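The lesson from this step is that a secret committed by accident is not removed by a revert: it is still sitting in the removed ("red") lines of an earlier diff. A defender wants to find such keys in the history and rotate them. The scanner below is added here and is not the box's own code or the author's; it takes the text of `git log -p` as input, rebuilds the pre-image and post-image of every hunk, and reports every PEM private key visible on either side. The sample log is constructed (placeholder hashes, file path and key bodies, not the real repository), with one commit adding a key and a later commit "reverting" it, which is the shape of what the writeup found.

```python
import re

# Constructed sample of `git log -p` output (hashes, path and key bodies are
# placeholders, not the box's real history).  Commit bbbb... reverts commit
# aaaa..., so the old key appears as removed ('-') lines but is still in the log.
SAMPLE_GIT_LOG = """\
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: dev <dev@example.invalid>
Date:   Mon Mar 19 09:33:06 2018 -0400

    reverted accidental commit with proper key

diff --git a/deploy/placeholder.key b/deploy/placeholder.key
--- a/deploy/placeholder.key
+++ b/deploy/placeholder.key
@@ -1,4 +1,4 @@
 -----BEGIN RSA PRIVATE KEY-----
-OLDKEYLINE1PLACEHOLDER
-OLDKEYLINE2PLACEHOLDER
+NEWKEYLINE1PLACEHOLDER
+NEWKEYLINE2PLACEHOLDER
 -----END RSA PRIVATE KEY-----

commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev <dev@example.invalid>
Date:   Mon Mar 19 09:30:00 2018 -0400

    add deploy key

diff --git a/deploy/placeholder.key b/deploy/placeholder.key
new file mode 100644
--- /dev/null
+++ b/deploy/placeholder.key
@@ -0,0 +1,4 @@
+-----BEGIN RSA PRIVATE KEY-----
+OLDKEYLINE1PLACEHOLDER
+OLDKEYLINE2PLACEHOLDER
+-----END RSA PRIVATE KEY-----
"""

# A PEM private-key block; group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\n(.*?)\n-----END \1-----", re.S)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})", re.M)


def _split_commits(log_text):
    """Return [(hash, body), ...] for each commit in `git log -p` output."""
    parts = COMMIT_RE.split(log_text)  # [preamble, hash1, body1, hash2, body2, ...]
    return list(zip(parts[1::2], parts[2::2]))


def _hunk_sides(body):
    """Yield (old_text, new_text) for every @@ hunk in one commit's diff.

    The old side is context plus '-' lines, the new side context plus '+' lines,
    so a key that was 'reverted' reappears on the old side of the revert."""
    old, new, in_hunk = [], [], False
    for line in body.splitlines():
        if line.startswith("@@"):
            if in_hunk:
                yield "\n".join(old), "\n".join(new)
            old, new, in_hunk = [], [], True
        elif in_hunk and line.startswith("-"):
            old.append(line[1:])
        elif in_hunk and line.startswith("+"):
            new.append(line[1:])
        elif in_hunk and line.startswith(" "):
            old.append(line[1:])
            new.append(line[1:])
        elif in_hunk:  # blank line or next file header ends the hunk
            in_hunk = False
            yield "\n".join(old), "\n".join(new)
            old, new = [], []
    if in_hunk:
        yield "\n".join(old), "\n".join(new)


def find_private_keys(log_text):
    """Return (commit, side, key_body) for every private key visible in history."""
    findings = []
    for commit, body in _split_commits(log_text):
        for old, new in _hunk_sides(body):
            for side, text in (("old", old), ("new", new)):
                for match in PEM_RE.finditer(text):
                    findings.append((commit, side, match.group(2)))
    return findings


def recoverable_key_bodies(log_text):
    """Distinct key bodies anyone with the repository can still extract."""
    return {body for _, _, body in find_private_keys(log_text)}


if __name__ == "__main__":
    for commit, side, body in find_private_keys(SAMPLE_GIT_LOG):
        print(f"{commit[:7]} {side:3} {body.splitlines()[0]}...")
    print("distinct keys recoverable:", len(recoverable_key_bodies(SAMPLE_GIT_LOG)))
```

On a real repository feed it `git log -p --all` (or narrow the search first with `git log -p --all -S'PRIVATE KEY'`). Every key it reports has to be treated as compromised and rotated; rewriting history only matters once the key itself is no longer valid.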

Login To Root Through SSH

SSH to Root

We are now root, bingo!!

Getting The Root Flag


This machine was very cool; getting user was easy but root was very tough for me.

Vulnerabilities used to solve this box:

XXE injection → low privileges (user roosa)

Git history (reverted but still recoverable key) → root privileges


