Nmap scan:
The website revealed a basic corporate page:
There was nothing interesting until I added doctors.htb to the /etc/hosts file (as per standard HTB practice) and visited that site.
Here, we can create an account and test the service. Once logged in, we can see a few functions.
When examining the page source, we can find an /archive endpoint. Visiting it returns nothing but the posts that we have made.
Initially, I tested other vulnerabilities, like SSTI, on the username and message-posting functions, but they didn't return any positives.
When I visited the /archive endpoint, however, we could actually see that it works!
For SSTI, we can follow the table on HackTricks to determine which template engine is being used.
For this specific box, we can determine that it's Jinja2 or Twig. On PayloadsAllTheThings, there's a payload that spawns a reverse shell.
When we submit this as a message, it spawns a reverse shell.
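As an added, defender-side example (not from the writeup), the check below scans constructed application log lines for the template-syntax markers that the HackTricks table distinguishes, so a stored payload is flagged at write time rather than when /archive renders it. The log format, the field names and the sample lines are all assumptions.

```python
import re

# Constructed sample log lines (hypothetical format:
# "<timestamp> user=<name> field=<field> value=<submitted text>").
# These are not from the original writeup.
SAMPLE_LOG = """\
2021-01-01T10:00:00Z user=alice field=message value=Hello from the clinic
2021-01-01T10:00:05Z user=bob field=username value={{7*7}}
2021-01-01T10:00:09Z user=bob field=message value={{7*'7'}}
2021-01-01T10:00:12Z user=carol field=message value=Price is ${10} per visit
2021-01-01T10:00:20Z user=dave field=message value=Use {% raw %} in docs
2021-01-01T10:00:25Z user=erin field=message value=Normal text with braces { }
"""

# Template syntax markers, tagged with the engine family each hints at.
INDICATORS = [
    (re.compile(r"\{\{.*?\}\}"), "jinja2/twig expression"),
    (re.compile(r"\{%.*?%\}"), "jinja2/twig statement"),
    (re.compile(r"\$\{.*?\}"), "freemarker/velocity/el expression"),
    (re.compile(r"<%.*?%>"), "erb/jsp expression"),
]

LINE_RE = re.compile(r"user=(?P<user>\S+) field=(?P<field>\S+) value=(?P<value>.*)$")


def find_ssti_indicators(log_text):
    """Return (user, field, value, engine_hint) tuples for every log line whose
    submitted value contains template syntax.

    Stored fields matter most: the writeup shows a payload that is inert when
    posted but fires when /archive renders it, so inspecting values as they
    are written is what catches it before any later render."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        for pattern, hint in INDICATORS:
            if pattern.search(value):
                hits.append((m.group("user"), m.group("field"), value, hint))
                break  # one hint per line is enough for triage
    return hits


if __name__ == "__main__":
    for user, field, value, hint in find_ssti_indicators(SAMPLE_LOG):
        print(f"{user}: {field} looks like {hint}: {value!r}")
```

The `${...}` pattern is the noisiest of the four (currency strings match it), so treat those hits as review candidates rather than alerts.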
I ran LinPEAS to enumerate all files for me, and it found a credential.
When checking for other users, there was only the user shaun.
We can try using su with this credential, and it works.
I checked the /opt directory and found some splunkforwarder-related files within it.
Normally, Splunk's management interface listens on port 8089, and we did find that port open on the machine earlier. Furthermore, this version of Splunk is vulnerable to an RCE exploit called SplunkWhisperer.
We can run the exploit to get a reverse shell as root.