Doctor is an easy linux box where we need to exploit WebApp using Command Injection, Path Traversal
ENUMERATION
NMAP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Nmap scan report for 10.10.10.209
Host is up (0.040s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-06T15:57:27
| Not valid after: 2023-09-06T15:57:27
| MD5: db23 4e5c 546d 8895 0f5f 8f42 5e90 6787
|_SHA-1: 7ec9 1bb7 343f f7f6 bdd7 d015 d720 6f6f 19e2 098b
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
WebServer/VHOST Port 80 (manual - no tools)
Checking the webserver an Email info@doctors.htb was found therefore the domain doctors.htb was put into /etc/hosts. Nothing else was found.
GOBUSTER
Gobuster was able to find few pages.
.png)
WebServer/VHOST Port 8089 - splunkd (manual - no tools)
It shows splunk tools but they need a login.
EXPLOITATION
Registering on doctors.htb
After putting doctors.htb to /etc/hosts and visiting it, page automatically redirects to login portal where we can login or/and register. So let’s register:
.png)
Path Traversal (no exploitation)
We can view other users posts but it is nothing there
.png)
Command Injection
Apparently creating posts executes command that are inserted into the content - only caveat is that we have to avoid bad characters - spaces and double quotes (“).
.png)
Content can be also viewed in /archive
Shell has been popped
.png)
PRIVILEGE ESCALATION
Member of ADM group
Being member of ADM group makes it possible to read logs. Apparently password was typed into wrong field (email). (Password was found by grepping password in apache2 logs and checking results line by line.
.png)
To find possible usernames to work with the password found, i’ve checked /etc/passwd and the password worked with shaun.
.png)
WebServer#2 - splunkd
There is another vhost running on port 8089. It was found during initial enumeration but now it is apparent that it works as root.
1
root 1141 0.0 0.3 77664 15944 ? Ss 15:25 0:00 [splunkd pid=1139] splunkd -p 8089 start [process-runner]
After searching for a while it became clear that shaun’s credentials work for that service and there was also an exploit found (https://github.com/cnotin/SplunkWhisperer2)
.png)
Running PySplunkWhisperer2_remote.py setting up credentials results in an reverse shell which also proves that that vulnerability can be exploited remotely
.png)