Hack the Box: DevOops Walkthrough

Today we are going to solve another CTF challenge “DevOops”. DevOops is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of DevOops is


Let’s start off with our basic nmap command to find out the open ports and services.

From Nmap scanning, we have enumerated port 22 and 5000 are only open ports on the target’s network, therefore firstly, let’s navigate to port 5000 through a web browser. By exploring given URL, it puts up following web page as shown in the below image.

Since we didn’t get any remarkable clue from the home page, therefore, we have opted DIrb for directory enumeration and execute the following command.

Hmm!! Here I received HTTP response 200 for /feed and /upload directories.

So we explore in the URL and further welcomed by following web Page given below. The following web page lets you upload an XML file, including XML elements Author, Subject and content. For that reason, we have created an XML file with the help of following code and saved as 1.xml.

Then browse the xml file, which you have created and intercept the browser request with the help of breast while uploading.

Now send the intercepted data to the repeater.

Inside XXE file, we have injected malicious code to make call for /etc/passwd file, thus, we need to its analysis its result with the help of repeater.

And as you can observe from given below image, the xml code is working wonderfully and throwing the content of /etc/passwd file to us.

Similar, we extract the SSH RSA key by modifying XXE entry as show in the below image. Now copy the whole key and save in a text file.

Since we have copied RSA Private KEY in a text file named as “key” then set permission 600 and try to login to the help of following command.

Boom!! We have spawn a shell of target machines, let’s go for user.txt file.

Great!!! We have completed the first task but for obtaining root.txt file we need to escalate the root privilege and to do so we traversed so many directories and files to get next clue.


There is a problem with your internet connection, please try again later.

And we obtain so many string as shown in the following image which may perhaps SSH key for root login.