Doctor: HackTheBox Walkthrough

Doctor is a nice VM on HackTheBox. I must say the easy boxes on HTB are tougher and more instructive than the medium boxes on TryHackMe. Just add doctors.htb to your /etc/hosts file and you are good to go.

  1. Enumeration
  2. Server-Side Template Injection
  3. Gaining reverse shell in two ways
  4. Enumerating adm-related files
  5. Privilege escalation using SplunkWhisperer2

As usual, start by scanning the target with Nmap for open ports and services.


So let’s first enumerate port 80. I started a gobuster scan and got something useful.


So we have a login portal.


I tried SQL injection first but nothing happened. Then I registered a new account and this time I was lucky.


Now, if you remember, we got the URI /archive in the directory scan. I opened it and the page itself was empty, but the page source had something useful: whatever I typed in the “New message” -> title field was reflected in the /archive page source.

Web applications frequently use template systems such as Twig and FreeMarker to embed dynamic content in web pages and emails. Template Injection occurs when user input is embedded in a template in an unsafe manner. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS) or miss entirely. Template Injection can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as commonly done by wikis, blogs, marketing applications, and content management systems. Some of the server-side template engines that are most frequently used are Smarty, Mako, Twig, and Jinja2.

So far we know it is vulnerable to SSTI, but we don’t know which template engine is in use.

The image below shows the steps for identifying the template engine.


Enter {5*5}, then {{5*5}}, then {{5*'5'}} in the title field; the last one renders as 55555, which confirms Jinja2.
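As an added example (not code from the box or from this walkthrough), here is the vulnerable pattern beside the hardened one in Jinja2, using the probes above as constructed input. The function names render_unsafe and render_safe are my own; the only dependency is the jinja2 package.

```python
"""Jinja2 SSTI: the vulnerable pattern beside the hardened one.

Added example, not code from the Doctor box or the original walkthrough.
Assumes only the jinja2 package; the inputs are the probes from the
walkthrough plus a constructed HTML snippet.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment


def render_unsafe(title: str) -> str:
    """Vulnerable: user input is concatenated into the template *source*.

    This is the shape of the bug behind /archive: whatever the user typed in
    the title field is compiled as a template, so {{ ... }} gets evaluated.
    """
    env = Environment()
    return env.from_string("<title>" + title + "</title>").render()


def render_safe(title: str) -> str:
    """Hardened: the template is a fixed string; user input is only a variable.

    Braces in the data are just characters. autoescape handles HTML
    metacharacters, and the sandbox limits what any template expression can
    reach if a template ever has to be user-editable.
    """
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string("<title>{{ title }}</title>").render(title=title)


if __name__ == "__main__":
    for probe in ("{{5*5}}", "{{5*'5'}}", "<b>hello</b>"):
        print(repr(probe))
        print("  unsafe:", render_unsafe(probe))
        print("  safe:  ", render_safe(probe))
```

The fix is not to filter braces out of the title but to stop treating user data as template source: the template is a constant, and the title arrives as a render variable, so the engine never parses it.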

There is also a tool that can do this for us, tplmap (https://github.com/epinna/tplmap), but you should know the manual process too.

Just run ./tplmap.py -u 'http://doctors.htb/home\?page\=1' and it will tell you the template engine in use. From there we can also get a reverse shell, but it failed for me. You can try it.

Now we have enough information for the reverse shell. Use the Python payload and modify only the IP address. Post the message…


…and refresh the URI /archive, then open a new terminal and listen for the connection.


While searching for writeups I came across a YouTube video which exploits the content field instead to gain a reverse shell.


I don’t know how, but if anyone knows this please explain it to me in the comment section.

Moving on, I enumerated the machine, which shows there is a user named shaun. One thing to notice is the (adm) entry in the groups list.


I searched on the internet and learned that adm is a group on Ubuntu whose only purpose is to allow reading all the log files in /var/log (which historically used to be called /var/adm).

Navigating to /var/log/apache2, I found a file called backup.


Since it’s a backup of a log file, I tried to grep it for credentials for the user shaun.
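Two defender-side takeaways from this section: the adm group makes Apache’s access log readable to every member, and Apache’s default combined log format records the full request line, query string included, so a password submitted in a GET parameter is written to disk in clear text. The following is an added example, not part of the walkthrough, that scans access-log lines for exactly those two things: secret-looking query parameters and template-injection probes like the {{5*5}} used earlier. The log lines, hosts, addresses and the password value are all constructed for the example.

```python
"""Scan Apache access-log lines for two things the Doctor box turns on:
secrets that landed in logged URLs, and template-injection probes.

Added example, not part of the original walkthrough. The log lines below are
constructed; the addresses, paths and the password value are invented.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache "combined" format (the default for access.log).
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2021:10:00:01 +0000] "GET /archive HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2021:10:00:05 +0000] "GET /reset_password?email=alice%40example.com&password=Sample-Pass-123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:01:12 +0000] "GET /search?q=%7B%7B5*5%7D%7D HTTP/1.1" 200 98 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2021:10:01:40 +0000] "POST /post/new HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Parameter names that should never travel in a query string (and hence never in a log).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key", "apikey"}

# Opening delimiters of common engines: {{ and {% (Jinja2/Twig), ${ (FreeMarker/Mako),
# <% (Mako/ERB) and #{. Smarty's single brace is too noisy to match on its own.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\$\{|<%|#\{")


def parse_line(line):
    """Return the fields we care about, or None for a line that is not a request record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def credential_leaks(lines):
    """(client ip, path, parameter name) for each request carrying a secret-looking parameter.

    The value itself is deliberately not returned, so the report does not re-leak it.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        parts = urlsplit(rec["target"])
        for name in parse_qs(parts.query, keep_blank_values=True):
            if name.lower() in SECRET_PARAMS:
                hits.append((rec["ip"], parts.path, name))
    return hits


def template_probes(lines):
    """(client ip, decoded target) for requests whose URL contains template delimiters.

    The target is percent-decoded first, since probes usually arrive URL-encoded.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        decoded = unquote(rec["target"])
        if TEMPLATE_DELIMS.search(decoded):
            hits.append((rec["ip"], decoded))
    return hits


def scan_log(lines):
    """Run both checks over an iterable of log lines and return the findings."""
    return {"credential_leaks": credential_leaks(lines), "template_probes": template_probes(lines)}


if __name__ == "__main__":
    for kind, items in scan_log(SAMPLE_LOG.splitlines()).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The credential check reports the parameter name but never its value, so the output can go into a ticket without repeating the leak. The real mitigations are to submit secrets only in POST bodies, to scrub or never log query strings that carry them, and to keep log-reading rights (the adm group here) off accounts that a web application runs as.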


Switched to the shaun account and checked whether he has any sudo privileges, but nothing useful there. First, grab the first flag from /home/shaun.


Searching the internet for how to abuse Splunk for privilege escalation, I found a nice blog which pointed me to PySplunkWhisperer2.

Clone the tool, specify the payload as I did, and listen for the incoming connection in a new terminal.


So here we go, we now have root access. Navigate to the /root directory for the final flag.


For more walkthroughs stay tuned…
