Ahmed Samir

Feb 6, 2021

3 min read

Hackthebox — Doctor

Summary

Enumeration

Nmap

Web

  • Nice, it is vulnerable to SSTI (server-side template injection).
  • I tried to find a way to get RCE from the SSTI, and I found it!
  • When sending a command through the shell we are not allowed to use spaces. To bypass that, put ${IFS} wherever a space would go: IFS is the shell's internal field separator, which by default expands to space, tab and newline, so the shell splits the command on it exactly as it would on a literal space.
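How the ${IFS} trick from the last bullet works, as an added example that is not part of the original write-up: a constructed filter rejects any command string containing a literal space (the restriction the write-up describes), and the same command rewritten with ${IFS} passes the filter and still runs, because the shell expands ${IFS} to its whitespace characters and then field-splits on them. The filter, the function names and the sample commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up.

# Constructed filter: rejects any command string that contains a literal
# space, standing in for the space restriction on the target's shell.
reject_spaces() {
    case "$1" in
        *' '*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Pass a command string through the constructed filter, then hand it to a
# shell the way the injected command is executed on the target.
run_filtered() {
    reject_spaces "$1" || { echo "blocked: contains a space" >&2; return 1; }
    sh -c "$1"
}

# Rewrite a normal command so it carries no literal spaces: every space
# becomes ${IFS}, which the receiving shell expands back to whitespace.
spaceless() {
    printf '%s\n' "$1" | sed 's/ /${IFS}/g'
}

# Stand-alone demo: the plain command is blocked, the rewritten one runs.
run_filtered 'echo hello world'               # blocked
run_filtered "$(spaceless 'echo hello world')" # prints: hello world
```

The braces matter: `$IFShello` is read as a variable named `IFShello`, so only `${IFS}` works. The trick also needs the payload to reach a real shell (for example `os.popen(...)` or `subprocess` with `shell=True`); if the injected call executes an argv list directly there is no shell to expand `${IFS}`.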
[+] Finding passwords inside logs (limit 70)
Binary file /var/log/apache2/access.log.11.gz matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matches
Binary file /var/log/kern.log.2.gz matches
Binary file /var/log/kern.log.4.gz matches
Binary file /var/log/syslog.3.gz matches
/var/log/apache2/access.log:10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed
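The LinPEAS result above comes from grepping the log directory for password-related strings; the interesting hit is the reset_password request in the Apache backup log, where a value typed into the form ended up in the query string and was therefore written to the access log. As an added example that is not part of the original write-up, the following shell functions reproduce that search over a constructed sample log (modelled on the quoted lines) and pull out the candidate value so it can be tried as a password. The file name, function names and regular expressions are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up.

# Constructed sample access log, modelled on the lines quoted from the box.
make_sample_log() {
    cat > "$1" <<'EOF'
10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "GET /login HTTP/1.1" 200 512 "-"
EOF
}

# Print every request line whose path hints at a credential (password, pass,
# pwd, login) and that also carries a query string: a query string on such a
# path is where form input lands when the client sends it in the URL.
find_credential_leaks() {
    grep -iE '"(GET|POST) [^" ]*(password|passwd|pass|pwd|login)[^" ]*\?[^" ]+' "$1"
}

# Reduce those lines to the parameter values (text after '?', split on '&'
# and '=') so each one can be tried as a password against the box's users.
extract_candidates() {
    find_credential_leaks "$1" \
        | sed -E 's/.*"(GET|POST) [^?" ]*\?([^" ]*).*/\2/' \
        | tr '&' '\n' \
        | cut -d= -f2
}

# Stand-alone demo over the constructed log.
demo_log=$(mktemp)
make_sample_log "$demo_log"
extract_candidates "$demo_log"   # prints: Guitar123
rm -f "$demo_log"
```

On a real host the same grep is run over /var/log with -r, and compressed rotations (the .gz files LinPEAS reports as binary matches) need zgrep instead of grep.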

Privilege Escalation

THX for ur time!