Key Highlights

Here is a quick rundown of what we will cover in this DevHub writeup:

Introduction

Welcome to this beginner-friendly guide for the DevHub machine on Hack The Box! If you’re looking to sharpen your cybersecurity skills, you’ve come to the right place. This writeup will walk you through the entire process, from initial scanning to gaining root access. DevHub is a fantastic medium-level Linux box that tests your penetration testing abilities. Whether you’re new to the HTB platform or an experienced user, this guide will provide clear, step-by-step instructions to help you conquer this challenge and learn valuable techniques along the way.

Hack The Box DevHub

Overview of DevHub HTB Writeup and Machine Setup

This HackTheBox DevHub machine writeup offers a detailed, step-by-step walkthrough. We’ll start by setting up our environment and then move into the exciting phases of penetration testing. The guide is designed to be easy to follow, making it perfect for those who want to understand the entire process without getting lost in technical jargon.

Your machine setup for this Linux server challenge is straightforward. You will need a virtual machine with your preferred penetration testing distribution and an active connection to the HTB platform. Let’s get started on the key features and what makes this box a great learning experience.


Key Features and Difficulty Level of DevHub Hack The Box

The DevHub machine on the HTB platform is rated as a medium-difficulty challenge. It’s a great step up for those who have completed beginner-level boxes and want to test their skills further. The hardest part of solving this box often involves correctly identifying the initial vulnerability on the web app and then figuring out the specific path to escalate privileges on the server.

Compared to other Hack The Box machines, DevHub sits comfortably in the middle. It isn’t as straightforward as easy boxes but avoids the complex, multi-layered obscurity of some hard-rated machines. Its difficulty level is perfect for reinforcing core cybersecurity concepts.

Here’s a quick overview of the machine’s details:

Attribute            Detail
Operating System     Linux (Ubuntu)
Difficulty           Medium
Key Vulnerabilities  Web Application RCE, Misconfigured System Component
Main Focus           Web Exploitation, Privilege Escalation

Preparing Your Environment and Tools for DevHub

Before we start the exploitation process, it’s essential to prepare your environment. A properly configured setup ensures you can follow along without any hitches. You will need a Linux-based operating system, like Kali Linux or Parrot OS, which comes pre-installed with most of the tools we’ll use.

Having the right tools is crucial for successfully pwning this server. While many utilities can be used, a few are particularly useful for the DevHub box. Make sure your virtual machine is connected to the Hack The Box network and you have the target IP address handy.

Here are the most useful tools for solving the DevHub box on HackTheBox:

Reconnaissance Phase on DevHub Hack The Box

The reconnaissance phase is the first and one of the most critical stages of any penetration testing engagement. This is where we gather as much information as possible about our target. For the DevHub machine, our initial recon will focus on identifying open ports, running services, and any potential web applications.

A well-executed nmap scan will provide the foundation for our attack plan. By carefully analyzing the results, we can start to form hypotheses about potential vulnerabilities. Let’s dive into the specifics of our scanning techniques and see what we can uncover.

Scanning Techniques and Nmap Results

To start our initial foothold in the DevHub HTB box, we begin with a comprehensive nmap scan. This scan helps us map out the attack surface by identifying which ports are open and what services are running on them. A simple but effective command will give us the information we need to proceed.

The command nmap -sV -sC [IP address] is a great starting point. The -sV flag probes open ports to determine service and version info, while -sC runs default scripts to gather more data. The output of this scan is our first piece of the puzzle, revealing the entry points into the system.

Our Nmap scan revealed the following key open ports:

Analyzing Open Ports and Discovered Services

After our Nmap scan, the next logical step is to analyze the open ports and services. The most interesting finding is the HTTP server on port 80. Web applications are often a rich source of vulnerabilities, so this is where we will focus our attention first. The SSH port is also noteworthy, but we’ll need credentials to make use of it.

The main vulnerabilities exploited in the HackTheBox DevHub machine begin with the web server. Upon navigating to the website, we find a tool for building AI models. This kind of custom application can sometimes lack proper security hardening, making it a prime target. We’ll explore its functionality to see if we can find a weakness.

The service running is an Nginx server on a Linux machine. The application itself appears to involve Python and TensorFlow, given its function as a model builder. This technology stack gives us clues about what kind of exploits to look for. Our next goal is to interact with this web app and probe for weaknesses.

Gaining Initial Foothold in DevHub

Now we move to the exciting part: gaining our initial foothold. Based on our reconnaissance, the web application is the most promising vector for initial access. Our goal is to leverage a vulnerability in the application to achieve remote code execution (RCE).

This will allow us to run commands on the server and establish a reverse shell connection. The exploitation process here requires a bit of research and careful payload construction, but it’s a classic example of how a seemingly benign feature can be turned into a critical security flaw. Let’s break down how we find and exploit this vulnerability.

Identifying Vulnerabilities Leading to Access

To start the initial foothold, we need to identify the specific vulnerability. After creating an account on the web application, we discover an upload form that accepts TensorFlow models in the .h5 file format. This is a major clue. A quick search reveals that .h5 files can contain arbitrary Python code that gets executed on the server when the model is loaded. This is a classic RCE vulnerability.

The main vulnerability exploited in the HackTheBox DevHub machine is this insecure file upload functionality. The application does not properly sanitize the uploaded model file, allowing an attacker to embed a malicious payload within it. When the application processes the model, our code runs, giving us control.
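The root cause described above is that the application loads whatever model it is handed. As an added example (not code from the DevHub box or from this writeup), here is the kind of upload-side check a defender can put in front of the loader: Keras writes the model architecture as JSON into the HDF5 root attribute named model_config, and the check walks that JSON and rejects any model whose architecture contains a Lambda layer, the layer type whose config carries serialized Python that runs at load time. The sample configs are constructed for illustration; the h5py dependency and the set of rejected layer types are assumptions you can adjust for your stack.

```python
"""Defensive check for Keras HDF5 (.h5) model uploads (added example).

Inspects the JSON architecture that Keras stores in the HDF5 root attribute
``model_config`` and refuses models containing layer types that embed
serialized Python code (``Lambda``). Nested sub-models and wrapper layers
are walked recursively so the unsafe layer cannot be hidden one level down.
"""
import json

# Layer class names whose config embeds serialized Python functions.
# Lambda is the well-known case; extending this set is an assumption
# you make for your own deployment.
UNSAFE_LAYER_TYPES = frozenset({"Lambda"})


def find_unsafe_layers(config_json):
    """Return dotted paths to every layer of an unsafe type.

    ``config_json`` is the JSON string read from ``model_config`` (or the
    already-parsed dict). Raises ValueError/TypeError on unparsable input.
    """
    node = json.loads(config_json) if isinstance(config_json, str) else config_json
    return _walk(node, "model")


def _walk(node, path):
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") in UNSAFE_LAYER_TYPES:
            cfg = node.get("config")
            name = cfg.get("name", "<unnamed>") if isinstance(cfg, dict) else "<unnamed>"
            hits.append(f"{path}:{node['class_name']}({name})")
        for key, value in node.items():          # descend into every sub-config
            hits.extend(_walk(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(_walk(item, f"{path}[{i}]"))
    return hits


def is_model_safe_to_load(config_json):
    """True only if the config parses and contains no unsafe layer types."""
    try:
        hits = find_unsafe_layers(config_json)
    except (ValueError, TypeError):
        return False  # unparsable architecture: refuse rather than fall through to a loader
    return not hits


def model_config_from_h5(path):
    """Read the ``model_config`` root attribute from an HDF5 file.

    Requires h5py (assumed available where uploads are validated). Returns
    None when the attribute is absent, which should also reject the upload.
    """
    import h5py  # imported here so the pure-JSON checks run without it
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
    if raw is None:
        return None
    return raw.decode("utf-8") if isinstance(raw, bytes) else str(raw)


# Constructed sample configs: a plain Dense model, and one that hides a
# Lambda layer inside a nested Sequential sub-model.
BENIGN_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "clean", "layers": [
        {"class_name": "InputLayer", "config": {"name": "in", "batch_input_shape": [None, 4]}},
        {"class_name": "Dense", "config": {"name": "dense", "units": 2}},
    ]},
})

NESTED_LAMBDA_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "outer", "layers": [
        {"class_name": "Dense", "config": {"name": "dense", "units": 8}},
        {"class_name": "Sequential", "config": {"name": "inner", "layers": [
            {"class_name": "Lambda",
             "config": {"name": "payload", "function": ["<serialized code>", None, None]}},
        ]}},
    ]},
})

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("nested-lambda", NESTED_LAMBDA_CONFIG)):
        verdict = "safe" if is_model_safe_to_load(cfg) else "REJECT"
        print(label, verdict, find_unsafe_layers(cfg))
```

The check runs before any deep-learning library touches the file, so the decision to reject happens in plain Python with no deserialization. It complements, rather than replaces, loading with the safe_mode option that Keras 3's load_model offers: an allow-list on the architecture gives you a verdict you can log and return to the uploader, while safe_mode only fails late inside the loader.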

The key steps to identifying this vulnerability are:

Exploitation Steps and Payload Execution

With the vulnerability identified, we can proceed with exploitation. A walkthrough of the exploitation techniques starts with creating a malicious .h5 model file. We can use a Python script, like the one found in public exploit repositories, to craft this file. The script will embed a payload that initiates a reverse shell connection back to our machine.

The payload itself is a simple command, but to avoid filters, it’s best to encode it in Base64. This payload will execute a bash command to connect to our IP address on a specific port. Before uploading the file, we need to set up a Netcat listener on our machine to catch the incoming connection. The nc -lnvp [port] command works perfectly for this.

After setting up the listener, we upload the malicious .h5 file through the web interface and trigger the execution by clicking the “View Predictions” button. The server loads the model, runs our embedded Python code, and executes the reverse shell payload. If everything is configured correctly, we will see a connection on our Netcat listener, giving us our initial shell on the server.

Privilege Escalation Paths within DevHub

Gaining a foothold is a great first step, but our access is limited. The next phase in our ethical hacking journey is privilege escalation. Our goal is to move from a low-privilege user to the root user, giving us complete control over the Linux system. This process requires careful enumeration of the target machine to find misconfigurations or weaknesses.

This part of the challenge is often where OSCP-style methodologies shine. We need to be systematic and thorough in our search for escalation vectors. Let’s begin by enumerating the system to uncover any potential weaknesses that we can exploit.

Enumerating System Weaknesses

To escalate privileges on the DevHub machine, we must first enumerate the system for weaknesses. Once we have a shell, the first thing to do is look around the file system. We can start by checking the application’s directory, where we might find configuration files or databases containing sensitive information.

In the application directory, we find a users.db file. This is a significant finding. By examining this database, we can extract usernames and password hashes. Cross-referencing those usernames with the /etc/passwd file shows which of them are also valid system users on the server. We can then attempt to crack the hashes using online tools like CrackStation or a local tool like Hashcat.

This enumeration process reveals the credentials for another user on the system. Successfully cracking the hash gives us a valid username and password. We can then use the su command to switch to this new user account, which may have more privileges than our initial shell, bringing us one step closer to root access.

Techniques to Achieve Root Access

After escalating to the user gael, our next step is to find a path to root access. To escalate privileges further, we run an enumeration script like LinPEAS. This script automates the search for common misconfigurations, vulnerable software versions, and other weaknesses on the Linux server.

LinPEAS reveals an interesting readable file in /var/backups. It’s a compressed tarball named backrest_backup.tar.gz. Analyzing the contents of this backup file is the key to the final stage of exploitation. Inside the backup, we find a configuration file for a service called Backrest. This JSON file contains a username and a Bcrypt hash for a user named backrest_root.

Cracking this hash reveals a password. Further enumeration shows that the Backrest service is running locally on port 9898. To achieve root access, we follow these steps:

Common Pitfalls and Troubleshooting in DevHub HTB Writeup

Even with a detailed guide, you might run into some roadblocks while working on the DevHub machine. It’s common for beginners in penetration testing to encounter frustrating errors or get stuck in a rabbit hole. For instance, a common issue is the reverse shell not connecting or a payload not executing as expected.

This section is dedicated to helping you navigate those challenges. We’ll discuss some typical mistakes and provide solutions to common problems you might face, from environment setup issues to a tricky privilege escalation path.

Avoiding Typical Mistakes as a Beginner

When working on the DevHub HTB machine, there are a few common pitfalls that can cause significant delays. One of the most frequent mistakes is an environment mismatch. The initial RCE requires a specific version of TensorFlow, and if your local environment doesn’t support it, the exploit creation will fail.

Another typical error is related to the reverse shell. A simple typo in the IP address or port number, or a firewall blocking the connection, can prevent your shell from connecting. It’s always a good practice to double-check your payload and listener settings before execution. Rushing through the enumeration phase is another mistake that can cause you to miss the privilege escalation path entirely.

To avoid these challenges, remember these tips:

Solutions to Frequent Challenges Faced

If you get stuck during the DevHub HTB writeup, don’t worry. The most common challenge is getting the initial TensorFlow exploit to work. If you’re having trouble with your local machine, the best solution is to use Google Colab or a Docker container to set up the specific Python environment required.

Another frequent issue is the reverse shell connection being unreliable. Sometimes it takes multiple attempts to get a stable shell. If it fails, don’t assume your payload is wrong. Re-upload the file and trigger the exploit again. A good troubleshooting tip is to verify your listener is working by trying to connect to it from another terminal on your own machine.

Here are some solutions to common problems:


WRITEUP COMING SOON!

COMPLETE IN-DEPTH PICTORIAL WRITEUP OF DEVHUB ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!

Essential Tools and Techniques for DevHub Hack The Box

Success on the DevHub machine hinges on using the right tools and applying a solid methodology. This challenge tests your skills in both web exploitation and Linux privilege escalation, so a versatile toolkit is essential. The techniques you’ll use here are fundamental to many penetration tests.

From initial enumeration with Nmap to gaining root access by abusing a misconfigured service, each step requires a specific tool. We’ll highlight the most effective utilities for this box and explain how to use them efficiently to navigate the challenge.

For the DevHub box, a few tools are particularly useful for enumeration and exploitation. Your journey will start with Nmap to discover open ports and services. Once you identify the web server, interacting with it using your browser and tools like Burp Suite or the curl command is essential.

When it comes to exploitation, Python is your best friend. You’ll need it to generate the malicious TensorFlow model file. For the privilege escalation phase, an automated enumeration script like LinPEAS is invaluable. It quickly highlights potential vectors that would be tedious to find manually. Finally, Hashcat or an online service is needed for cracking passwords.

Here are the most useful tools for solving DevHub:

Effective Use of Linux Tools for the Challenge

Beyond the specialized tools, your proficiency with standard Linux command-line utilities will make a huge difference on the DevHub server. Once you gain a shell, commands like ls, cat, find, and grep are essential for manual enumeration. For instance, using find to search for files with specific permissions or names can quickly lead you to interesting targets.

The curl command is also incredibly versatile. You can use it not only to interact with web pages but also to download your enumeration scripts (like LinPEAS) onto the target machine from a web server you host locally. Similarly, understanding how to use python -m http.server to quickly set up a web server is a crucial skill.

Finally, SSH port forwarding is the technique that unlocks the final stage of this challenge. Knowing how to bind a port on your own machine and tunnel it through SSH to a port that is only listening on the target (ssh -L [local_port]:localhost:[remote_port] [user]@[target_ip]) is a powerful skill that allows you to reach services that aren’t exposed to the public network.

Insights and Key Takeaways for Beginners

Conquering the DevHub machine offers more than just flags; it provides valuable insights for anyone starting in penetration testing. This box reinforces the importance of a structured approach, from thorough reconnaissance to methodical privilege escalation. It’s a perfect example of how a misconfiguration in one part of a system can lead to a full compromise.

The experience gained from DevHub is directly applicable to real-world scenarios and other challenges on the HTB platform. Let’s reflect on the lessons learned and how you can apply them to future boxes.

Lessons Learned from the DevHub Box

One of the most important lessons from the DevHub box is to never underestimate file upload functionalities. What seems like a harmless feature can be a gateway for remote code execution if not properly secured. This challenge is a practical lesson in why input validation and file sanitization are critical in web application development.

Another key takeaway is the power of enumeration in privilege escalation. The path to root wasn’t a direct exploit of a kernel vulnerability but rather a chain of discoveries: finding a database, cracking a password, analyzing a backup file, and abusing a legitimate service. This highlights a core principle of ethical hacking: persistence pays off.

Finally, DevHub teaches the value of being adaptable. When one exploit path fails (like a kernel exploit), you must be ready to pivot and look for other weaknesses. This machine rewards a creative and methodical penetration testing mindset, a crucial skill for any cybersecurity professional.

Tips for Success on Similar Hack The Box Machines

If you enjoyed DevHub and want to tackle similar Hack The Box machines, there are a few tips that can help you succeed. First, always follow a consistent methodology. Start with thorough reconnaissance, enumerate services deeply, and don’t rush into exploitation without understanding the target.

Second, get comfortable with scripting and customizing public exploits. Many challenges, like DevHub, require you to modify a proof-of-concept script to fit the specific environment. Understanding the code you’re running is crucial. The difficulty of DevHub is representative of many medium-rated boxes, so the skills you learn here are highly transferable.

Here are some tips for beginners tackling similar HTB boxes:

Conclusion

In conclusion, conquering DevHub on Hack the Box is a rewarding journey that sharpens your skills and enhances your problem-solving abilities. By following the outlined steps, from meticulous reconnaissance to effective exploitation and privilege escalation, you’ll not only overcome challenges but also deepen your understanding of cybersecurity concepts. Remember, practice makes perfect, and learning from your mistakes is part of the process. As you tackle similar machines, keep these insights in mind to boost your confidence and improve your techniques. If you found this guide helpful, don’t forget to subscribe for more tips and tricks on your hacking journey!

Frequently Asked Questions

What are the main vulnerabilities exploited in DevHub HTB?

The main vulnerabilities in DevHub include an insecure file upload function in a web application, which allows for remote code execution (RCE) via a malicious TensorFlow model file. Privilege escalation is achieved by exploiting information found in a world-readable backup directory, leading to the abuse of a misconfigured local service.

How difficult is DevHub compared to other Hack The Box machines?

DevHub is rated as a medium-difficulty machine on the HTB platform. It is more complex than easy-rated boxes, requiring a multi-step exploitation and privilege escalation path. However, it’s a great stepping stone before tackling hard-rated machines, as it solidifies core penetration testing concepts without being overly obscure.

What should I do if I get stuck during the DevHub HTB writeup?

If you get stuck, first, revisit your enumeration notes. Often, the solution is hidden in a detail you may have missed. Try running automated enumeration scripts again. If you’re still stuck, take a break and return with a fresh perspective. A structured troubleshooting methodology is key to finding the right path.

This post first appeared at The CyberSec Guru.