Hackthebox — Doctor

Ahmed Samir

3 min readFeb 6, 2021

Summary

Today we have another machine is retired with IP 10.10.10.209

Enumeration

Nmap

Web

Open on port 8089

On port 80

Here we have nothing to check so lets go further and add doctors.htb to our hosts file

I register first and login

After enumeration i found new post page, So i think that i can find XSS or SSTI, But i didn’t find XSS, SO i tried SSTI

When i take a look on source page, I found /archive directory

Nice it is vulnerable to SSTI
I tried to find way to get RCE from SSTI and i found it!
While using command for shell we are not allowed to use spaces so to bypass that we have a command $IFS for spaces tabs and all

Listening on port 9000

Let’s run LinEnum.sh to do some enumeration on machine

[+] Finding passwords inside logs (limit 70)Binary file /var/log/apache2/access.log.11.gz matchesBinary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matchesBinary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matchesBinary file /var/log/kern.log.2.gz matchesBinary file /var/log/kern.log.4.gz matchesBinary file /var/log/syslog.3.gz matches/var/log/apache2/access.log:10.10.14.165 - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed

So in log files we got some password
Found the password of shaun user Guitar123
Let’s login with credentials

Gain user flag!

Privilege Escalation

Now if we use pspy64 we will see that splunk is running by root
We can find exploit here

We need to download it and modify YWRtaW46Y2hhbmdlbWUK= >> admin:changeme with our credentials shaun:Guitar123 >> c2hhdW46R3VpdGFyMTIz Encode it to base64
Upload it