The first thing I did was add the machine IP to the /etc/hosts file.

Then I took a first look at the website.

I saw there was an email address on the home page: ‘info@doctors.htb’.
So I changed the host name in the /etc/hosts file (doctor.htb => doctors.htb).

Enumeration
I started this phase with a port scan. I used Nmap to learn more about the host and the technologies running on its ports.

- -sC: equivalent to --script=default
- -sV: probe open ports to determine service/version info
- -p-: scan all ports
There were 3 open ports:
- SSH on port 22.
- A web server running Apache httpd 2.4.41 (Werkzeug 1.0.1, Python 3.8.2) on port 80.
- Another web server (SSL) running Splunk on port 8089. We can see a robots.txt too.
I took a second look at the website with the new host name, and… I found a login page.

I saw it was possible to create an account. I first tried to create an admin account, without success.
After creating a “test” account, I saw there was a time limit on my account.

A twenty-minute time limit.
Here was the /home page once I was logged in.

Then, I displayed the source code…

Something was interesting here.
“Archive still under beta testing”
So I opened up gobuster to find out whether there were any interesting pages, and at the same time checked this /archive page.

- dir: enumerate directories
- -u: the URL to enumerate
- -w: the word-list to use
- -x: the extensions of the files you want to find
Accessing /archive gave me a blank page…
After being stuck for a few minutes, I tried to send a message with HTML tags in it.

Here was the result… nothing good: a blank page, whose source code was the following:

Server-Side Template Injection
I tried another thing, just by modifying my first attempt.

And then I got a result…

That made me think of a Server-Side Template Injection (SSTI).
According to PortSwigger, here is a short explanation of what it is:
“Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.”
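To make the root cause concrete, here is an added example (my own code, not the box's application) that reproduces the Werkzeug/Flask-style bug with the Jinja2 engine directly: the vulnerable function concatenates the message into the template source, the corrected one passes it as data. The probe string and the `looks_like_template_probe` heuristic are constructed for illustration.

```python
from jinja2 import Environment, BaseLoader

# One engine for both variants; autoescape makes values HTML-escaped when
# they are rendered as data (it does nothing for text parsed as template source).
env = Environment(loader=BaseLoader(), autoescape=True)


def render_vulnerable(message: str) -> str:
    # BUG: user input becomes part of the template SOURCE, so any template
    # syntax inside it is parsed and evaluated server-side (SSTI).
    template = env.from_string("<p>Message: " + message + "</p>")
    return template.render()


def render_safe(message: str) -> str:
    # FIX: the template is a fixed string; user input is supplied as a
    # variable, so it is rendered as an escaped value, never as code.
    template = env.from_string("<p>Message: {{ message }}</p>")
    return template.render(message=message)


def looks_like_template_probe(value: str) -> bool:
    # Defensive heuristic (constructed): flag request parameters that carry
    # template delimiters so they can be logged and alerted on.
    return any(tok in value for tok in ("{{", "}}", "{%", "%}", "${"))


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"  # constructed benign input used to show the difference
    print(render_vulnerable(probe))  # -> <p>Message: 49</p>   (expression evaluated)
    print(render_safe(probe))        # -> <p>Message: {{ 7 * 7 }}</p>  (literal text)
    print(render_safe("<b>hi</b>"))  # -> <p>Message: &lt;b&gt;hi&lt;/b&gt;</p>
```

The same fixed-template rule applies to Flask's render_template_string: never build the first argument from user input.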

After some research on this vulnerability, I learnt how to test whether the app was vulnerable to it.

So, I tried it…

IT WORKED PERFECTLY!

I began to look for an exploit and found this:

For obvious reasons, I will not show you how I exploited it, but I think I have given you all you need to know.
Exploit

After exploiting this vulnerability, I was able to spawn a reverse shell.

I looked for user.txt and found that it was owned by a user named shaun, so I wasn’t able to read it.
The next thing I tried after the initial foothold was to look for an interesting backup file (a lot of these files have passwords stored in them).

- -type: the type of object you are looking for (file, directory…)
- -name: the name of the object

Then, I found an interesting one.

As this file contained a lot of data, I used the grep command to make my reading easier.

And I found shaun’s password…

After logging in as shaun and reading user.txt, I immediately tried LinPEAS for the privilege escalation part.
Privilege Escalation
I started a Python HTTP server on my machine to transfer LinPEAS to the victim machine.

When LinPEAS finished its work, I was not able to find a nice privilege escalation vector, but I found a user named Splunk.
After a bit of research, I found SplunkWhisperer2. It’s a Python script for local/remote privilege escalation.

I downloaded the script with git clone and used it in remote mode.

PWNED!!!
Thank you for reading this write-up, I hope it helped you.