Hack The Box:Doctor(Linux)

 We will start our journey with an nmap scan.

nmap scan

With the nmap scan we can understand there is splunk and the other thing is we have a web page .

web page

When we access the web page it doesn’t have anything special to exploit. But we get to know about doctors.htb which is also a web page tied with this machine. To accesss it we need to modify the /etc/hosts file and add doctors.htb with ip address 10.10.10.209 .

We start with directory busting of this address.

directory busting

There is an interesting directory named login. We see a login page there but nothing works over there.

login page

So we register a user which we can easily do.

register page

Now if we login we get to see the home page with new message option.

home page

If we type a message and see it in the archive page we get something like this.

new message
archive page

So basically if we want we can send a command for reverse shell and using the archive page we can run it.

There are different types of server-side templates available but we need to check which one applies for this because this one has SSTI vulnerability. When we write in the title it gets reflected in the archive page.

We can check for SSTI by writing in the title field {5*5} -> {{5*5}} -> {{5*’5'}} -> Result 55555. This one is Jinja2.

reverse shell

We try to get a reverse shell using the command and that works. We just need to go to the 10.10.10.209/archive page and make sure we have a listener working on our machine.

initial shell

There is a folder named backup which might be interesting for us.

backup file

We try to see if there is any password in this file using grep.

Got another password

There is another user named shaun we can use this password with that user.

user flag

Now there is splunk and we can use tool for splunk to get shell as root.We need a listener on our machine and then we just need to run the tool.

running pysplunk whisper

We got the shell and the root flag.

root flag

Happy Hacking!!!!

Comments

Post a Comment

Popular posts from this blog

HackTheBox:Blunder(Linux)

Image
  Lets hit this off with nmap scan. nmap scan We see that port 80 is open and certainly that’s where we will start but the site doesn’t have much for us. port 80 So we need to explore this a bit and do the directory busting for this target. directory busting We found the admin page , now again we hit a dead end since we don’t have credentials. login page So we do directory busting again. directory busting The other directories are not so interesting but this todo.txt is promising. todo.txt First thing, its written that they need to update the CMS which means that this version is definitely vulnerable and the other thing is that this fergus user needs to do something about uploading images. So we have a username but no password. For password we can brute force our way in but for that we can’t have a random list so we can use  cewl  tool to generate the wordlist. custom wordlist using cewl Now since we know its Bludit ,we should find some  exploit  which can help ...
Read more

HackTheBox:Tabby(Linux)

Image
  This was an amazing box with lots to learn. So lets start this with nmap scan with this machine. nmap scan Now with this we have a website in which we are not able to access news.php. So lets add megahosting.htb to /etc/hosts . After this when we try to access news.php we are able to do it. website Now the interesting part is the url ,it has file parameter. We can check if this has LFI vulnerability. lfi check This certainly has lfi so we need to see what kind of file might have something important for us. Upon researching about tomcat we get to know that tomcat stores users information in /usr/share/tomcat9/etc/tomcat-users.xml tomcat-users.xml So now we have a username and password and the roles of this user are admin-gui and manager-script. admin-gui is accessible to us but it has nothing to take us forward. So we need to work on manager-script which isn’t accessible directly ,we do directory busting of this directory. directory busting We get manager/text and we search about ...
Read more

Legacy:Hack The Box(Windows)

Image
  The nmap scan for this target shows the open ports and if we perform an aggressive scan we get to know that the target is vulnerable to MS17–010 and MS08–067. nmap scans We have a github  exploit  available for MS08–067. In this exploit we just need to change the payload . So we need to first generate the payload using msfvenom. payload generation We just need to copy and paste the payload in the POC. updating the POC Now we need to open the netcat listener on our machine and run the exploit. netcat connection We got a connection on our machine. And we can easily get the user flag and root flag. Flags Happy Hacking!!!!
Read more