As always we start by scanning for open ports using nmap. 3 ports are available 22(ssh), 80(http), 8089(ssl/https).
Once I visit the ip on my browser I get a webpage.
The only information I get from this is a hostname
doctors.htb from the send us a message section. I enter this on my hosts file.
I have a login page, but also I have the functionality to register. After registering:
My app does log me in automatically. Also there is a message which let’s me know that a time limit of twenty minutes for my account is in place. Using the
New Message button we can send a message to something which looks like a board.
After providing a url as the
Content to an url which is mine.
And I got a request back, which means we have something like a command injection. Let’s try to execute a wget command by using
But I get
link posted is not valid.
Let’s try to execute a command using
http://IP/$(id) so we get back the result of id as the requested file.
Now I can execute commands inside
$(). Let’s execute a reverse shell.
Nothing happend. I will try to add $IFS instead of spaces, but again it didn’t work, I had to find the nc binary inside the machine and then use single quote to get it work. This is the complete command:
After the shell I try to look for passwords to escalate to another user, but after a little bit I found inside /var/log/apache2/ there is a backup file. I find a password inside of it.
I use it with shaun which gives me user.txt.
Inside /opt/ folder I find
splunkforwarder. Searching for this I find that this forwarder is used to collect data and then forward it to the splunk software, which seems to be something like a visualization software. Reading
README-splunk.txt I get the version but didn’t manage to find an exploit for the exact version.I also find github repo
https://github.com/cnotin/SplunkWhisperer2 which has a script to exploit this. I get the local exploit and upload it to the target machine. I get an error about not found modules, and I can’t installed them using pip. I try the remote exploit on my local machine.
I create a file inside /tmp/ which includes a reverse shell and then execute the script. Also I listen on the specified port.
And I get root access.