Hackthebox — Doctor

Summary

Today we have another machine is retired with IP 10.10.10.209

Enumeration

Nmap

Web

Open on port 8089

On port 80

Here we have nothing to check so lets go further and add doctors.htb to our hosts file

I register first and login

Login

After enumeration i found new post page, So i think that i can find XSS or SSTI, But i didn’t find XSS, SO i tried SSTI

When i take a look on source page, I found /archive directory

  • Nice it is vulnerable to SSTI
  • I tried to find way to get RCE from SSTI and i found it!
  • While using command for shell we are not allowed to use spaces so to bypass that we have a command $IFS for spaces tabs and all

Listening on port 9000

Let’s run LinEnum.sh to do some enumeration on machine

[+] Finding passwords inside logs (limit 70)Binary file /var/log/apache2/access.log.11.gz matchesBinary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matchesBinary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matchesBinary file /var/log/kern.log.2.gz matchesBinary file /var/log/kern.log.4.gz matchesBinary file /var/log/syslog.3.gz matches/var/log/apache2/access.log:10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed

So in log files we got some password
Found the password of shaun user Guitar123
Let’s login with credentials

Gain user flag!

Privilege Escalation

Now if we use pspy64 we will see that splunk is running by root
We can find exploit here

We need to download it and modify YWRtaW46Y2hhbmdlbWUK= >> admin:changeme with our credentials shaun:Guitar123 >> c2hhdW46R3VpdGFyMTIz Encode it to base64
Upload it

Run It

Gain root flag!

Ref:
https://raw.githubusercontent.com/tevora-threat/splunk_local_privesc/master/spelunker.sh
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Samir

Ahmed Samir

CTFer | Computer Science Student