Introduction
Doctor from HTB is an Easy CTF-style box featuring Server-Side Template Injection (SSTI) and some privilege escalation via Splunk. I begin every scan using AutoRecon:
After finishing the scans I noticed ports 80 and 8089 were open. Visiting the website I could see a static HTML site running. Attempting to go to a .PHP page resulted in a page not found. I navigated around the interface and saw nothing interesting. The email address on the website was info@doctors.htb, so I edited my hosts file and re-visited the website.

Static HTML website showing info@doctors.htb

Splunk Atom Feed running on 8089
I was presented with a Doctors Secure Messaging Page. I launched Burp Suite and registered for an account. After logging in I noticed the New Message functionality.

Doctor Secure Messaging Registration
Viewing the source code I was able to see an additional page, Archive, which upon visiting loaded an empty page.

Archive still under beta testing…
Eventually I found out that the New Post area was susceptible to SSTI (server-side template injection). More information regarding it can be found HERE. By submitting a reverse shell as the Title and then navigating to the Archive, the injected command executes and opens a shell.

SSTI in the Header.
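From the defender's side, the injection above leaves a trace: a post title that is really a template expression. The following added example (not part of the original write-up, and not code from the box) scans constructed Apache-style access log lines and flags any query parameter whose decoded value carries template-expression delimiters; the log lines, paths and parameter name `title` are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache-style access log lines (not taken from the box). Two of the
# "title" values carry template-expression syntax of the kind an SSTI probe uses.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2020:10:01:02 +0000] "GET /post/new?title=Hello+world HTTP/1.1" 200 512
10.10.14.5 - - [10/Oct/2020:10:01:40 +0000] "GET /post/new?title=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
10.10.14.5 - - [10/Oct/2020:10:02:15 +0000] "GET /archive HTTP/1.1" 200 1024
10.10.14.5 - - [10/Oct/2020:10:03:01 +0000] "GET /post/new?title=%24%7B7*7%7D HTTP/1.1" 200 512
"""

# Request line inside a common/combined log entry: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Expression delimiters used by common template engines (Jinja2/Twig, Freemarker,
# ERB, Thymeleaf-style). Matching only the delimiters keeps the rule engine-agnostic.
TEMPLATE_EXPR_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>|#\{.*?\}")


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value contains
    template-expression syntax. Each finding carries the line number, parameter
    name, decoded value and the matched fragment so an analyst can triage it."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        # parse_qs percent-decodes values, so %7B%7B becomes {{ before matching
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hit = TEMPLATE_EXPR_RE.search(value)
                if hit:
                    findings.append({"line": lineno, "param": name,
                                     "value": value, "match": hit.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: param {f['param']!r} contains {f['match']!r}")
```

If the title is submitted in a POST body, an access log will not record it; the same check then belongs in application-level input logging.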
The first thing I check on every box is web configuration files and log files. The web configuration files turned up nothing, but the logs provided me a password to sign in as shaun.
I logged in as shaun and captured the user flag. Earlier in the scans I noticed 8089 open, which hosts a Splunk web interface. I found two different routes to take for the final privilege escalation. One can be done remotely from your attacking box and the other can be done within the previously established web shell.
Privilege Escalation Methods
Method 1
Using the credentials I obtained for shaun, I used SplunkWhisperer2 and the guide found HERE to grab the flag directly.

PySplunkWhisperer2 from my Attack machine

Pulling the HTB Doctor root flag.
Method 2
Using the credentials I obtained for shaun, I used spelunker and WGET to run the exploit locally. Before downloading the spelunker script to the remote machine I changed Line 46 to shaun:passwordfoundearlier in Base64, as the default will not work.

spelunker.sh running locally.