Key Highlights
Here is a quick rundown of what we will cover in this DevHub writeup:
- We begin with a thorough nmap scan to identify open ports and services, which is a crucial first step in penetration testing.
- Next, we will uncover a vulnerability in a web application that leads to our initial access.
- The guide details the exploitation process to gain a reverse shell connection on the server.
- You will learn the steps for privilege escalation to gain higher-level access.
- We will discuss common errors and troubleshooting tips to help you if you get stuck.
- This writeup provides insights into ethical hacking methodologies for the HTB platform.
Introduction
Welcome to this beginner-friendly guide for the DevHub machine on Hack The Box! If you’re looking to sharpen your cybersecurity skills, you’ve come to the right place. This writeup will walk you through the entire process, from initial scanning to gaining root access. DevHub is a fantastic medium-level Linux box that tests your penetration testing abilities. Whether you’re new to the HTB platform or an experienced user, this guide will provide clear, step-by-step instructions to help you conquer this challenge and learn valuable techniques along the way.

Overview of DevHub HTB Writeup and Machine Setup
This HackTheBox DevHub machine writeup offers a detailed, step-by-step walkthrough. We’ll start by setting up our environment and then move into the exciting phases of penetration testing. The guide is designed to be easy to follow, making it perfect for those who want to understand the entire process without getting lost in technical jargon.
Your machine setup for this Linux server challenge is straightforward. You will need a virtual machine with your preferred penetration testing distribution and an active connection to the HTB platform. Let’s get started on the key features and what makes this box a great learning experience.
Key Features and Difficulty Level of DevHub Hack The Box
The DevHub machine on the HTB platform is rated as a medium-difficulty challenge. It’s a great step up for those who have completed beginner-level boxes and want to test their skills further. The hardest part of solving this box often involves correctly identifying the initial vulnerability on the web app and then figuring out the specific path to escalate privileges on the server.
Compared to other Hack The Box machines, DevHub sits comfortably in the middle. It isn’t as straightforward as easy boxes but avoids the complex, multi-layered obscurity of some hard-rated machines. Its difficulty level is perfect for reinforcing core cybersecurity concepts.
Here’s a quick overview of the machine’s details:
| Attribute | Detail |
|---|---|
| Operating System | Linux (Ubuntu) |
| Difficulty | Medium |
| Key Vulnerabilities | Web Application RCE, Misconfigured System Component |
| Main Focus | Web Exploitation, Privilege Escalation |
Preparing Your Environment and Tools for DevHub
Before we start the exploitation process, it’s essential to prepare your environment. A properly configured setup ensures you can follow along without any hitches. You will need a Linux-based operating system, like Kali Linux or Parrot OS, which comes pre-installed with most of the tools we’ll use.
Having the right tools is crucial for successfully pwning this server. While many utilities can be used, a few are particularly useful for the DevHub box. Make sure your virtual machine is connected to the Hack The Box network and you have the target IP address handy.
Here are the most useful tools for solving the DevHub box on HackTheBox:
- Nmap: For initial port scanning and service discovery.
- curl/Burp Suite: To interact with the web server, with Burp acting as an intercepting proxy to inspect and modify requests.
- Python: For scripting and creating payloads.
- Netcat: To set up a listener for our reverse shell.
Reconnaissance Phase on DevHub Hack The Box
The reconnaissance phase is the first and one of the most critical stages of any penetration testing engagement. This is where we gather as much information as possible about our target. For the DevHub machine, our initial recon will focus on identifying open ports, running services, and any potential web applications.
A well-executed nmap scan will provide the foundation for our attack plan. By carefully analyzing the results, we can start to form hypotheses about potential vulnerabilities. Let’s dive into the specifics of our scanning techniques and see what we can uncover.
Scanning Techniques and Nmap Results
To start our initial foothold in the DevHub HTB box, we begin with a comprehensive nmap scan. This scan helps us map out the attack surface by identifying which ports are open and what services are running on them. A simple but effective command will give us the information we need to proceed.
The command nmap -sV -sC [IP address] is a great starting point. The -sV flag probes open ports to determine service and version info, while -sC runs default scripts to gather more data. The output of this scan is our first piece of the puzzle, revealing the entry points into the system.
Our Nmap scan revealed the following key open ports:
- Port 22/tcp (SSH): Running OpenSSH 8.2p1, indicating a potential remote access point if we find credentials.
- Port 80/tcp (HTTP): Hosting an Nginx 1.18.0 web server, which is our most likely initial attack vector.
- The scan also noted a redirect to a specific domain, which we will need to add to our local hosts file before we can reach the web application.
Analyzing Open Ports and Discovered Services
After our Nmap scan, the next logical step is to analyze the open ports and services. The most interesting finding is the HTTP server on port 80. Web applications are often a rich source of vulnerabilities, so this is where we will focus our attention first. The SSH port is also noteworthy, but we’ll need credentials to make use of it.
The main vulnerabilities exploited in the HackTheBox DevHub machine begin with the web server. Upon navigating to the website, we find a tool for building AI models. This kind of custom application can sometimes lack proper security hardening, making it a prime target. We’ll explore its functionality to see if we can find a weakness.
The service running is an Nginx server on a Linux machine. The application itself appears to involve Python and TensorFlow, given its function as a model builder. This technology stack gives us clues about what kind of exploits to look for. Our next goal is to interact with this web app and probe for weaknesses.
Gaining Initial Foothold in DevHub
Now we move to the exciting part: gaining our initial foothold. Based on our reconnaissance, the web application is the most promising vector for initial access. Our goal is to leverage a vulnerability in the application to achieve remote code execution (RCE).
This will allow us to run commands on the server and establish a reverse shell connection. The exploitation process here requires a bit of research and careful payload construction, but it’s a classic example of how a seemingly benign feature can be turned into a critical security flaw. Let’s break down how we find and exploit this vulnerability.
Identifying Vulnerabilities Leading to Access
To start the initial foothold, we need to identify the specific vulnerability. After creating an account on the web application, we discover an upload form that accepts TensorFlow models in the .h5 file format. This is a major clue. A quick search reveals that .h5 model files can carry serialized Python code (for example in Lambda layers) that the framework reconstructs and executes on the server when the model is loaded. This is a classic RCE vulnerability.
The main vulnerability exploited in the HackTheBox DevHub machine is this insecure file upload functionality. The application does not properly sanitize the uploaded model file, allowing an attacker to embed a malicious payload within it. When the application processes the model, our code runs, giving us control.
The key steps to identifying this vulnerability are:
- Registering a user account on the web application.
- Discovering the model upload page and its file requirements.
- Researching the security implications of uploading .h5 files.
- Finding a public proof-of-concept exploit or a GitHub repository detailing the exploitation method.
Exploitation Steps and Payload Execution
With the vulnerability identified, we can proceed with exploitation. A walkthrough of the exploitation techniques starts with creating a malicious .h5 model file. We can use a Python script, like the one found in public exploit repositories, to craft this file. The script will embed a payload that initiates a reverse shell connection back to our machine.
The payload itself is a simple command, but to avoid filters, it’s best to encode it in Base64. This payload will execute a bash command to connect to our IP address on a specific port. Before uploading the file, we need to set up a Netcat listener on our machine to catch the incoming connection. The nc -lnvp [port] command works perfectly for this.
After setting up the listener, we upload the malicious .h5 file through the web interface and trigger the execution by clicking the “View Predictions” button. The server loads the model, runs our embedded Python code, and executes the reverse shell payload. If everything is configured correctly, we will see a connection on our Netcat listener, giving us our initial shell on the server.
Privilege Escalation Paths within DevHub
Gaining a foothold is a great first step, but our access is limited. The next phase in our ethical hacking journey is privilege escalation. Our goal is to move from a low-privilege user to the root user, giving us complete control over the Linux system. This process requires careful enumeration of the target machine to find misconfigurations or weaknesses.
This part of the challenge is often where OSCP-style methodologies shine. We need to be systematic and thorough in our search for escalation vectors. Let’s begin by enumerating the system to uncover any potential weaknesses that we can exploit.
Enumerating System Weaknesses
To escalate privileges on the DevHub machine, we must first enumerate the system for weaknesses. Once we have a shell, the first thing to do is look around the file system. We can start by checking the application’s directory, where we might find configuration files or databases containing sensitive information.
In the application directory, we find a users.db file. This is a significant finding. By examining this database, we can extract user password hashes. Cross-referencing these usernames with the /etc/passwd file helps us identify valid users on the server. We can then attempt to crack these hashes using online tools like CrackStation or a local tool like Hashcat.
This enumeration process reveals the credentials for another user on the system. Successfully cracking the hash gives us a valid username and password. We can then use the su command to switch to this new user account, which may have more privileges than our initial shell, bringing us one step closer to root access.
Techniques to Achieve Root Access
After escalating to the user gael, our next step is to find a path to root access. To escalate privileges further, we run an enumeration script like LinPEAS. This script automates the search for common misconfigurations, vulnerable software versions, and other weaknesses on the Linux server.
LinPEAS reveals an interesting readable file in /var/backups. It’s a compressed tarball named backrest_backup.tar.gz. Analyzing the contents of this backup file is the key to the final stage of exploitation. Inside the backup, we find a configuration file for a service called Backrest. This JSON file contains a username and a bcrypt hash for a user named backrest_root.
Cracking this hash reveals a password. Further enumeration shows that the Backrest service is running locally on port 9898. To achieve root access, we follow these steps:
- Use SSH port forwarding to access the local Backrest web interface from our machine.
- Log in with the cracked credentials.
- Use the backup functionality of the service to read the contents of the /root directory, including the final flag.
Common Pitfalls and Troubleshooting in DevHub HTB Writeup
Even with a detailed guide, you might run into some roadblocks while working on the DevHub machine. It’s common for beginners in penetration testing to encounter frustrating errors or get stuck in a rabbit hole. For instance, a common issue is the reverse shell not connecting or a payload not executing as expected.
This section is dedicated to helping you navigate those challenges. We’ll discuss some typical mistakes and provide solutions to common problems you might face, from environment setup issues to a tricky privilege escalation path.
Avoiding Typical Mistakes as a Beginner
When working on the DevHub HTB machine, there are a few common pitfalls that can cause significant delays. One of the most frequent mistakes is an environment mismatch. The initial RCE requires a specific version of TensorFlow, and if your local environment doesn’t support it, the exploit creation will fail.
Another typical error is related to the reverse shell. A simple typo in the IP address or port number, or a firewall blocking the connection, can prevent your shell from connecting. It’s always a good practice to double-check your payload and listener settings before execution. Rushing through the enumeration phase is another mistake that can cause you to miss the privilege escalation path entirely.
To avoid these challenges, remember these tips:
- Pay attention to version requirements: When an exploit specifies a certain software version, try to match it. Use containers like Docker or cloud environments like Google Colab if your local machine has compatibility issues.
- Be patient with shells: Reverse shell connections can sometimes be unstable or take a few attempts. If it fails, re-upload the payload and try again.
- Enumerate thoroughly: Don’t just look for the obvious. Check file permissions, running processes, and configuration files carefully.
Solutions to Frequent Challenges Faced
If you get stuck during the DevHub HTB writeup, don’t worry. The most common challenge is getting the initial TensorFlow exploit to work. If you’re having trouble with your local machine, the best solution is to use Google Colab or a Docker container to set up the specific Python environment required.
Another frequent issue is the reverse shell connection being unreliable. Sometimes it takes multiple attempts to get a stable shell. If it fails, don’t assume your payload is wrong. Re-upload the file and trigger the exploit again. A good troubleshooting tip is to verify your listener is working by trying to connect to it from another terminal on your own machine.
Here are some solutions to common problems:
- Environment Issues: Use Docker or Google Colab to install the exact versions of TensorFlow and NumPy needed for the exploit.
- Unstable Shell: If the shell doesn’t connect, re-upload the .h5 file and trigger it again. Check for firewalls or typos in your IP/port.
- Stuck on Privesc: If you can’t find the escalation path, take a step back and adopt a structured methodology. Run an enumeration script like LinPEAS and carefully review every finding, especially unusual files or services.
- Hash Cracking: If a hash seems uncrackable, ensure you’ve identified the correct hash type and are using a robust wordlist like rockyou.txt.
Essential Tools and Techniques for DevHub Hack The Box
Success on the DevHub machine hinges on using the right tools and applying a solid methodology. This challenge tests your skills in both web exploitation and Linux privilege escalation, so a versatile toolkit is essential. The techniques you’ll use here are fundamental to many penetration tests.
From initial enumeration with Nmap to gaining root access by abusing a misconfigured service, each step requires a specific tool. We’ll highlight the most effective utilities for this box and explain how to use them efficiently to navigate the challenge.
Recommended Enumeration and Exploitation Utilities
For the DevHub box, a few tools are particularly useful for enumeration and exploitation. Your journey will start with Nmap to discover open ports and services. Once you identify the web server, interacting with it using your browser and tools like Burp Suite or the curl command is essential.
When it comes to exploitation, Python is your best friend. You’ll need it to generate the malicious TensorFlow model file. For the privilege escalation phase, an automated enumeration script like LinPEAS is invaluable. It quickly highlights potential vectors that would be tedious to find manually. Finally, Hashcat or an online service is needed for cracking passwords.
Here are the most useful tools for solving DevHub:
- Nmap: For initial scanning and service discovery.
- Python: To create the .h5 RCE payload.
- Netcat: To catch the reverse shell.
- LinPEAS: For comprehensive Linux enumeration.
Effective Use of Linux Tools for the Challenge
Beyond the specialized tools, your proficiency with standard Linux command-line utilities will make a huge difference on the DevHub server. Once you gain a shell, commands like ls, cat, find, and grep are essential for manual enumeration. For instance, using find to search for files with specific permissions or names can quickly lead you to interesting targets.
The curl command is also incredibly versatile. You can use it not only to interact with web pages but also to download your enumeration scripts (like LinPEAS) onto the target machine from a web server you host locally. Similarly, understanding how to use python -m http.server to quickly set up a web server is a crucial skill.
Finally, SSH port forwarding is the technique that unlocks the final stage of this challenge. Knowing how to bind a port on your own machine and tunnel it to a port that only listens on the target’s loopback interface (ssh -L [local_port]:localhost:[remote_port] [user]@[target_ip]) is a powerful skill that allows you to access services that aren’t exposed to the public network.
Insights and Key Takeaways for Beginners
Conquering the DevHub machine offers more than just flags; it provides valuable insights for anyone starting in penetration testing. This box reinforces the importance of a structured approach, from thorough reconnaissance to methodical privilege escalation. It’s a perfect example of how a misconfiguration in one part of a system can lead to a full compromise.
The experience gained from DevHub is directly applicable to real-world scenarios and other challenges on the HTB platform. Let’s reflect on the lessons learned and how you can apply them to future boxes.
Lessons Learned from the DevHub Box
One of the most important lessons from the DevHub box is to never underestimate file upload functionalities. What seems like a harmless feature can be a gateway for remote code execution if not properly secured. This challenge is a practical lesson in why input validation and file sanitization are critical in web application development.
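The check the upload endpoint was missing, both for the .h5 upload described in the foothold section and for the input-validation lesson above, as an added example that is not the DevHub application’s own code. It assumes the Keras 2 HDF5 layout, where the architecture is a JSON document in the file’s top-level "model_config" attribute and Lambda layers carry marshalled Python bytecode in config["function"]; the allowlist and sample configs are constructed for illustration.

```python
"""Allowlist check for an uploaded Keras/TensorFlow HDF5 model.

Added example for this writeup, not the DevHub application's own code.
Assumed layout: Keras 2 .h5 format, model architecture stored as JSON in
the file's "model_config" attribute, Lambda layers serialized with
marshalled bytecode under config["function"].
"""
import json

# Layer classes the endpoint is willing to load (constructed allowlist; a real
# deployment would derive it from the model types it actually accepts).
SAFE_LAYERS = {
    "InputLayer", "Dense", "Dropout", "Flatten", "Activation",
    "Conv2D", "MaxPooling2D", "BatchNormalization",
}
# Container layers whose config embeds a nested list of layers to recurse into.
CONTAINERS = {"Sequential", "Functional", "Model"}


def find_unsafe_layers(model_config_json):
    """Return (path, class_name, reason) for every layer we refuse to load."""
    config = json.loads(model_config_json)
    findings = []
    _walk(config, "model", findings)
    return findings


def _walk(node, path, findings):
    cls = node.get("class_name")
    cfg = node.get("config", {})
    if cls in CONTAINERS:
        for i, layer in enumerate(cfg.get("layers", [])):
            _walk(layer, f"{path}/{cls}[{i}]", findings)
        return
    if cls == "Lambda":
        fn = cfg.get("function")
        # Keras 2 stores [base64(marshal(code)), defaults, closure] here; any
        # Lambda is executable Python, so reject regardless of payload shape.
        reason = "marshalled bytecode" if isinstance(fn, list) else "callable"
        findings.append((path, cls, f"Lambda layer carries {reason}"))
    elif cls not in SAFE_LAYERS:
        findings.append((path, cls, "layer class not in allowlist"))


def scan_h5(path):
    """Open a real .h5 file (needs h5py, assumed installed) and check it."""
    import h5py  # optional dependency; only needed for on-disk files
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
        if raw is None:
            return [("model", None, "no model_config attribute")]
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8")
        return find_unsafe_layers(raw)


# Constructed samples: a benign Sequential model, and the same model with a
# Lambda layer spliced in (the "function" entry is a placeholder, not real code).
BENIGN = json.dumps({"class_name": "Sequential", "config": {"layers": [
    {"class_name": "InputLayer", "config": {"batch_input_shape": [None, 4]}},
    {"class_name": "Dense", "config": {"units": 2, "activation": "softmax"}},
]}})
SUSPICIOUS = json.dumps({"class_name": "Sequential", "config": {"layers": [
    {"class_name": "InputLayer", "config": {"batch_input_shape": [None, 4]}},
    {"class_name": "Lambda", "config": {"function": ["<marshalled>", None, None],
                                         "function_type": "lambda"}},
    {"class_name": "Dense", "config": {"units": 2}},
]}})

if __name__ == "__main__":
    print(find_unsafe_layers(BENIGN))      # []
    print(find_unsafe_layers(SUSPICIOUS))  # one Lambda finding at model/Sequential[1]
```

Rejecting the file before the framework ever deserializes it is the point: once load_model runs, the embedded code has already executed.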
Another key takeaway is the power of enumeration in privilege escalation. The path to root wasn’t a direct exploit of a kernel vulnerability but rather a chain of discoveries: finding a database, cracking a password, analyzing a backup file, and abusing a legitimate service. This highlights a core principle of ethical hacking: persistence pays off.
Finally, DevHub teaches the value of being adaptable. When one exploit path fails (like a kernel exploit), you must be ready to pivot and look for other weaknesses. This machine rewards a creative and methodical penetration testing mindset, a crucial skill for any cybersecurity professional.
Tips for Success on Similar Hack The Box Machines
If you enjoyed DevHub and want to tackle similar Hack The Box machines, there are a few tips that can help you succeed. First, always follow a consistent methodology. Start with thorough reconnaissance, enumerate services deeply, and don’t rush into exploitation without understanding the target.
Second, get comfortable with scripting and customizing public exploits. Many challenges, like DevHub, require you to modify a proof-of-concept script to fit the specific environment. Understanding the code you’re running is crucial. The difficulty of DevHub is representative of many medium-rated boxes, so the skills you learn here are highly transferable.
Here are some tips for beginners tackling similar HTB boxes:
- Document Everything: Keep detailed notes of your commands and findings. This helps you track what you’ve tried and identify patterns.
- Don’t Forget the Basics: Simple things like checking file permissions, reading configuration files, and analyzing backups can often reveal the path forward.
- Learn to Pivot: If one avenue is a dead end, go back to your enumeration notes and explore another.
- Practice Enumeration: Run scripts like LinPEAS or WinPEAS on every box you root to learn what to look for manually.
Conclusion
In conclusion, conquering DevHub on Hack the Box is a rewarding journey that sharpens your skills and enhances your problem-solving abilities. By following the outlined steps, from meticulous reconnaissance to effective exploitation and privilege escalation, you’ll not only overcome challenges but also deepen your understanding of cybersecurity concepts. Remember, practice makes perfect, and learning from your mistakes is part of the process. As you tackle similar machines, keep these insights in mind to boost your confidence and improve your techniques. If you found this guide helpful, don’t forget to subscribe for more tips and tricks on your hacking journey!
Frequently Asked Questions
What are the main vulnerabilities exploited in DevHub HTB?
The main vulnerabilities in DevHub include an insecure file upload function in a web application, which allows for remote code execution (RCE) via a malicious TensorFlow model file. Privilege escalation is achieved by exploiting information found in a world-readable backup directory, leading to the abuse of a misconfigured local service.
How difficult is DevHub compared to other Hack The Box machines?
DevHub is rated as a medium-difficulty machine on the HTB platform. It is more complex than easy-rated boxes, requiring a multi-step exploitation and privilege escalation path. However, it’s a great stepping stone before tackling hard-rated machines, as it solidifies core penetration testing concepts without being overly obscure.
What should I do if I get stuck during the DevHub HTB writeup?
If you get stuck, first, revisit your enumeration notes. Often, the solution is hidden in a detail you may have missed. Try running automated enumeration scripts again. If you’re still stuck, take a break and return with a fresh perspective. A structured troubleshooting methodology is key to finding the right path.