Doctor: HackTheBox Walkthrough
Description
Doctor is a nice VM on HackTheBox. I must say the easy boxes on HTB are tougher and more educational than the medium boxes on TryHackMe. Just add doctors.htb to your /etc/hosts file and you are good to go.

Knowledge Gained
- Enumeration
- Server-Side Template Injection
- Gaining a reverse shell in two ways
- Enumerating adm-related files
- Privilege escalation using SplunkWhisperer2
Port Scanning
As usual, start by scanning the target with Nmap for open ports and services.

Web Reconnaissance
So let's first enumerate port 80. I started a gobuster scan and got something useful.

So we have a login portal.

I tried SQL injection first, but nothing happened. Then I registered a new account, and this time I was lucky.

Now, if you remember, we found the URI /archive in the directory scan. I opened it and there was nothing visible, but the page source has something useful: whatever I typed into the "New message" -> title field gets reflected in the /archive page source.
Understanding Server-Side Template Injection
Web applications frequently use template systems such as Twig and FreeMarker to embed dynamic content in web pages and emails. Template Injection occurs when user input is embedded in a template in an unsafe manner. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS) or miss entirely. Template Injection can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as commonly done by wikis, blogs, marketing applications, and content management systems. Some of the server-side template engines that are most frequently used are Smarty, Mako, Twig, and Jinja2.
So far we know the application is vulnerable to SSTI, but we don't know which template engine is in use.
Identifying the template engine - Method 1
This image shows the steps for identifying the template engine.

Enter {5*5}, then {{5*5}}, then {{5*'5'}} in the title field. The last one renders as 55555, which proves that we have Jinja2.
Identifying the template engine - Method 2
This time we have a tool, tplmap (https://github.com/epinna/tplmap), that can do this for us, but we should know the manual process as well.
Just run ./tplmap.py -u 'http://doctors.htb/home\?page\=1' and it will tell you the name of the template engine in use. From here we could also get the reverse shell, but I failed. You can try it.
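From the defender's side, the manual probes above and tplmap's GET-parameter tests both leave a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original walkthrough: it parses a few constructed Apache combined-format lines, percent-decodes each query parameter (twice, to catch double encoding) and flags values that carry template delimiters or the {{N*N}} identification probe. Note that the box's actual vector, the POST title field, never appears in an access log, so catching that needs application-level logging of form input.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in Apache "combined" log format (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [26/Sep/2020:10:01:02 +0000] "GET /home?page=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Sep/2020:10:01:07 +0000] "GET /home?page=%7B%7B5*5%7D%7D HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Sep/2020:10:01:09 +0000] "GET /home?page=%7B%7B5*%275%27%7D%7D HTTP/1.1" 200 1536 "-" "python-requests/2.24"
10.10.14.9 - - [26/Sep/2020:10:02:11 +0000] "GET /archive HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.9 - - [26/Sep/2020:10:02:15 +0000] "GET /search?q=%257B%257B7*7%257D%257D HTTP/1.1" 404 196 "-" "curl/7.72"
"""

# Fields we need from each line: client IP, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Delimiters of the engines named in the post (Jinja2/Twig, Smarty, Mako, FreeMarker).
TEMPLATE_SYNTAX = re.compile(r'\{\{|\{%|\$\{|<%|\{\$')
# The "{{N*N}}" / "{{N*'N'}}" identification probe from the decision tree.
ARITH_PROBE = re.compile(r'\{\{\s*\d+\s*\*\s*[\'"]?\d+[\'"]?\s*\}\}')


def classify(value):
    """Return 'arith-probe', 'template-syntax' or None for one decoded parameter value."""
    if ARITH_PROBE.search(value):
        return "arith-probe"
    if TEMPLATE_SYNTAX.search(value):
        return "template-syntax"
    return None


def scan_access_log(text):
    """One finding per query parameter that carries template syntax after decoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl already percent-decodes once; the second unquote catches
        # double-encoded values such as %257B -> %7B -> {.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote_plus(value)
            kind = classify(decoded)
            if kind:
                findings.append({"ip": m.group("ip"), "path": parts.path, "param": name,
                                 "value": decoded, "kind": kind, "status": int(m.group("status"))})
    return findings
```

Running scan_access_log(SAMPLE_LOG) reports the three probe requests and ignores the benign /home?page=1 and /archive hits.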
Gaining a reverse shell - Method 1
Now we have enough information for the reverse shell. Use the Python payload and modify only the IP address. Post the message…

…then refresh the /archive URI and, in a new terminal, listen for the connection.

Gaining a reverse shell - Method 2
Searching for writeups, I came across a YouTube video that shows exploiting the content field to gain a reverse shell.

I don't know how, but if anyone knows, please explain it to me in the comment section.
Moving on, I enumerated the machine, which shows we have a user named shaun. One thing to notice is that our current user is in the adm group.

I searched the internet and learned that adm is a group on Ubuntu that is only good for viewing all the log files in /var/log (which historically was called /var/adm).
I navigated to /var/log/apache2 and found a file called backup.

Since it's a backup file, I tried to extract credentials for the user shaun with grep.

Privilege Escalation
I switched to the shaun account and checked whether he has any sudo privileges, but found nothing useful. First, grab the user flag from /home/shaun.

Searching the internet for how to abuse Splunk for privilege escalation, I found a nice blog post that pointed me to PySplunkWhisperer2.
Clone the tool, specify the payload as I did, and listen for the incoming connection in a new terminal.

So here we go, we now have root access. Navigate to /root for the final flag.

For more walkthroughs stay tuned…