Hackthebox — Doctor
Summary
Today we have another machine is retired with IP 10.10.10.209
Enumeration
Nmap
Web
Open on port 8089
On port 80
Here we have nothing to check so lets go further and add doctors.htb to our hosts file
I register first and login
Login
After enumeration i found new post page, So i think that i can find XSS or SSTI, But i didn’t find XSS, SO i tried SSTI
When i take a look on source page, I found /archive directory
- Nice it is vulnerable to SSTI
- I tried to find way to get RCE from SSTI and i found it!
- While using command for shell we are not allowed to use spaces so to bypass that we have a command $IFS for spaces tabs and all
Listening on port 9000
Let’s run LinEnum.sh to do some enumeration on machine
[+] Finding passwords inside logs (limit 70)Binary file /var/log/apache2/access.log.11.gz matchesBinary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matchesBinary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matchesBinary file /var/log/kern.log.2.gz matchesBinary file /var/log/kern.log.4.gz matchesBinary file /var/log/syslog.3.gz matches/var/log/apache2/access.log:10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed
So in log files we got some password
Found the password of shaun user Guitar123
Let’s login with credentials
Gain user flag!
Privilege Escalation
Now if we use pspy64 we will see that splunk is running by root
We can find exploit here
We need to download it and modify YWRtaW46Y2hhbmdlbWUK= >> admin:changeme with our credentials shaun:Guitar123 >> c2hhdW46R3VpdGFyMTIz Encode it to base64
Upload it
Run It
Gain root flag!
Ref:
https://raw.githubusercontent.com/tevora-threat/splunk_local_privesc/master/spelunker.sh
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
If u learn any thing useful from write up, Respect me on HackTheBox