Hackthebox — Devzat Walkthrough

Atalay Samet Ergen

8 min readMar 12, 2022

We start with nmap scan to find which ports are open and which services running on those ports.

-sC : to run default nmap scripts
-sV: to detect service versions

We get back the following result showing that three ports are open.

Port 22 is for SSH service
Port 80 is for HTTP service
Port 8000 is for SSH service

We add “devzat.htb” into our hosts file.

We visit the HTTP service.

We note that we can connect to the service by using ssh.

There is an user called patrick. We also take a note that.

We check the page source but it does not reveal anything useful.

We run a ffuf scan but do not get any directories.

Let’s perform virtual host scanning. It will show that if there is more than one web site available.

We get “pets” which is subdomain of devzat.htb. Let’s add it into the hosts file.

We visit the page.

And check the page source. Nothing is useful here.

We continue to enumerate this subdomain by using ffuf but one we start to run we see too much gibrish output. Let’s enumerate them by using “-fs” parameter.

-fs: filters out all the responses of a size we specified while fuzzing the host

Afterwards we get “.git” directory which might be useful.

We navigate it. There are many subdirectories and files in the directories.

We will pull all the git source code available recursively. To do this; we use the wget command.

wget -r -np -R “index.html*” http://pets.devzat.htb/.git

We successfully get the git folder.

We check the repo by typing “status” parameter. Some files have been deleted. Let’s roll it back to the last commit by using “git checkout — . “

We examine the main source code and see that “exec” command. This might lead us to the command injection vulnerability.

We prepare the reverse shell payload.

We send the payload by encoding to avoid some conflictions.

netcat is ready for listening on port 7070

We send the reverse shell payload bu using curl command.

We successfully get the reverse shell due to the command injection vulnerability.

We see the ssh directory. SSHing to the box is always preferred. Let’s SSH as user patrick.

We will use the private key of user patrick. We copy it to our machine .

And we login.

During performing enumeration we check the netstat connections and see some services are running on the localhost. In order to access and see what services running on those ports we need to do network pivoting.

We use a tool called chisel to port forward back to our machine.

Firstly, run a HTTP service in order to send chisel to the machine.

We get the tool into the box.

We run the chisel server on our machine.

Afterwards, we run the chisel on the target machine in order to connect back to our chisel server on the machine. We port forward the 8086 to our machine 127.0.0.1:8086

And we get the connection!

Let’s check what service is running on port 8086.

The nmap result reveals that there is a InfluxDB http services running on port 8086.

We ask Google to show if there are vulnerabilities for this database implementation.

Let’s check the first web site.

We clone the exploit code into our machine.

And run the exploit code. We hit enter localhost and port 8086 which are default and add a dictionary that consist of usernames.

It reveals that the host is vulnerable!

We search how to show tables in the database.

Thank you Philb!

We type the command and see a table called “user”.

We query the table and see some credentials. The user “catherine” takes our attention because we have seen it on the box as a user.

We successfully switch the user as catherine and get the user flag!

Time to get root! But how?

After some enumeration and digging in, we see a folder called “backups”. We see dev and main zip files. Let’s download them to our machine and see what are inside these files.