Hackthebox — Doctor

Summary

Today we have another retired machine, Doctor, with IP 10.10.10.209.

Enumeration

Nmap

Web

Port 8089 is open

On port 80

Here we have nothing to check, so let's go further and add doctors.htb to our hosts file.

I register first and then log in.

Login

After enumeration I found a new-post page, so I thought I could find XSS or SSTI there. I didn't find XSS, so I tried SSTI.

When I took a look at the page source, I found the /archive directory.

  • Nice, it is vulnerable to SSTI.
  • I tried to find a way to get RCE from the SSTI, and I found it!
  • The command for the shell is not allowed to contain spaces, so to bypass that we use the shell variable $IFS (the internal field separator, whose default value is space, tab and newline) wherever a space is needed.

Listening on port 9000 for the reverse shell.

Let's run LinEnum.sh to do some enumeration on the machine.

[+] Finding passwords inside logs (limit 70)
Binary file /var/log/apache2/access.log.11.gz matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matches
Binary file /var/log/kern.log.2.gz matches
Binary file /var/log/kern.log.4.gz matches
Binary file /var/log/syslog.3.gz matches
/var/log/apache2/access.log:10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed

So in the log files we got a password: the Apache backup log records a POST to /reset_password with email=Guitar123 in the query string, which is the password of the user shaun.
Found the password of the shaun user: Guitar123
Let's log in with these credentials.
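As an added example (not from this write-up), a small Python scanner for the kind of leak found above: parameters sent in the URL of a password-reset or login endpoint are written to access.log in cleartext, so it flags such requests and can mask them before the log is stored or shipped. The endpoint list and the sample lines are constructed for the example; the second line mirrors the backup log entry that exposed shaun's password.

```python
import re
from typing import Optional

# Apache "combined" log format: client ident user [time] "METHOD target HTTP/x" status size ...
# The protocol token is optional because the leaked line in the backup log lacks it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints where a query-string value is likely to be a secret (assumed list for this example).
SENSITIVE_PATHS = ("/reset_password", "/login", "/register")

# Constructed sample lines; the second mirrors the entry that exposed shaun's password.
SAMPLE_LOG = [
    '10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"',
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    '10.10.14.4 - - [05/Sep/2020:11:18:02 +0200] "GET /archive?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None when it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_leaks(lines):
    """Return (client, method, path, query) for every request that carried parameters
    in the URL of a sensitive endpoint; those values land in the log in cleartext."""
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if not rec or "?" not in rec["target"]:
            continue
        path, query = rec["target"].split("?", 1)
        if path in SENSITIVE_PATHS:
            leaks.append((rec["client"], rec["method"], path, query))
    return leaks


def redact_line(line: str) -> str:
    """Mask query-string values on sensitive endpoints before the line is stored or shipped."""
    rec = parse_line(line)
    if not rec or "?" not in rec["target"]:
        return line
    path, query = rec["target"].split("?", 1)
    if path not in SENSITIVE_PATHS:
        return line
    masked = "&".join(p.split("=", 1)[0] + "=[REDACTED]" for p in query.split("&"))
    return line.replace(rec["target"], path + "?" + masked, 1)
```

Running find_leaks over a real access.log (and its rotated backups) is a quicker triage than LinEnum's keyword grep, because it keys on where the value appeared rather than on what it looks like.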

Gain user flag!

Privilege Escalation

Now if we use pspy64 we will see that Splunk is running as root.
We can find an exploit for this in the references below (spelunker.sh).

We need to download it and replace its hard-coded credentials: the script carries admin:changeme as the base64 string YWRtaW46Y2hhbmdlbWUK=, so we swap in our own credentials shaun:Guitar123, base64-encoded as c2hhdW46R3VpdGFyMTIz.
Upload it to the machine.

Run it.

Gain root flag!

Ref:
https://raw.githubusercontent.com/tevora-threat/splunk_local_privesc/master/spelunker.sh
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir
CTFer | Computer Science Student