Introduction

Doctor from HTB is an Easy CTF-style box featuring Server-Side Template Injection (SSTI) and privilege escalation via Splunk. I begin every box by scanning with AutoRecon:

After the scans finished I noticed ports 80 and 8089 were open. Visiting the website on port 80 I saw a static HTML site. Requesting a .php page returned a page not found. I browsed around the interface and saw nothing interesting. The email address on the website was info@doctors.htb, so I added doctors.htb to my hosts file and revisited the website.

Static HTML website showing info@doctors.htb

Splunk Atom Feed running on 8089

At doctors.htb I was presented with a Doctors Secure Messaging page. I launched Burp Suite and registered for an account. After logging in I noticed the New Message functionality.

Doctor Secure Messaging Registration

Viewing the page source I found an additional page, Archive, which loaded an empty page when visited.

Archive still under beta testing...

Eventually I found that the New Post area was susceptible to SSTI (server-side template injection). More information regarding it can be found HERE. Submitting a reverse shell payload as the Title and then navigating to the Archive page executes the command and opens a shell.

SSTI in the Header.
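To show the root cause behind the Archive page, here is an added example that is not code from the box or the write-up: it assumes a Jinja2-based application (the write-up does not name the template engine) and places the injectable pattern next to the fixed one, plus a simple check a defender can run over submitted titles.

```python
"""Added example (not from the original write-up): why a post Title rendered
into the template source is injectable, and how the fix looks.
Assumes a Jinja2-based application; the write-up does not name the engine."""
from jinja2 import Environment

# Constructed sample: a Title that is a template expression rather than text.
SAMPLE_TITLE = "{{ 7 * 7 }}"

env = Environment(autoescape=True)


def render_archive_vulnerable(title: str) -> str:
    # Bug pattern: user data is concatenated INTO the template source, so the
    # engine parses and evaluates any expression the title contains.
    template_source = "<h1>" + title + "</h1>"
    return env.from_string(template_source).render()


def render_archive_fixed(title: str) -> str:
    # Fix: the template is a fixed string and the title is passed as a
    # variable, so it is only ever output (autoescaped), never parsed as code.
    template = env.from_string("<h1>{{ title }}</h1>")
    return template.render(title=title)


def looks_like_template_syntax(value: str) -> bool:
    # Detection aid for reviewing submitted titles in application logs:
    # flag values carrying template delimiters.
    return any(tok in value for tok in ("{{", "{%", "}}", "%}"))


if __name__ == "__main__":
    print("vulnerable:", render_archive_vulnerable(SAMPLE_TITLE))
    print("fixed:     ", render_archive_fixed(SAMPLE_TITLE))
    print("flagged:   ", looks_like_template_syntax(SAMPLE_TITLE))
```

The vulnerable version evaluates the expression and renders 49; the fixed version renders the title text verbatim.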

The first thing I check on every box is web configuration files and log files. The web configuration files turned up nothing, but the logs contained a password that let me sign in as shaun.

I logged in as shaun and captured the user flag. Earlier in the scans I had noticed port 8089 open, which is the Splunk management interface. I found two different routes for the final privilege escalation: one can be done remotely from your attacking box and the other from within the previously established web shell.

Privilege Escalation Methods

Method 1

Using shaun's credentials, I used PySplunkWhisperer2 and the guide found HERE to grab the flag directly.

PySplunkWhisperer2 from my Attack machine

Pulling the HTB Doctor root flag.

Method 2

Using shaun's credentials, I used spelunker and wget to run the exploit locally. Before downloading the script to the remote machine, I changed line 46 of the spelunker script to the Base64 encoding of shaun:passwordfoundearlier, because the default credentials will not work.

spelunker.sh running locally.

Rooted

Published On: February 7th, 2020 / Categories: HTB, Technology