Doctor from HTB is an Easy CTF-style box featuring Server-Side Template Injection (SSTI) and privilege escalation via Splunk. I begin every box by running AutoRecon:
After the scans finished I noticed that ports 80 and 8089 were open. Visiting the website I saw a static HTML site. Requesting a .PHP page resulted in a page not found. I navigated around the interface and saw nothing interesting. The email address on the website used the domain doctors.htb, so I added that hostname to my hosts file and revisited the website.
Static HTML website showing the doctors.htb email address
Splunk Atom Feed running on port 8089
I was presented with a Doctors Secure Messaging page. I launched Burp Suite and registered an account. After logging in I noticed the New Message functionality.
Doctor Secure Messaging Registration
Viewing the source code I was able to see an additional page, Archive, which upon visiting loaded an empty page.
Archive still under beta testing…
Eventually I found out that the New Post area was susceptible to SSTI (server-side template injection). More information regarding it can be found HERE. Submitting a reverse shell as the Title and then navigating to the Archive executes the command and opens a shell.
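To show why a post title ends up executing on the Archive page, here is an added example (not the box's code or this writeup's) that builds a feed of titles in Jinja2 the vulnerable way, beside the fixed version, with a harmless `{{ 7 * 7 }}` probe as a detection check. It assumes a Flask/Jinja2-style app; the sample posts are constructed.

```python
"""Added example: how a user-supplied title becomes template code (SSTI),
and how passing it as data instead fixes it.  Assumes Jinja2 (pip install
jinja2); the Doctor box's real application code is not reproduced here."""
from jinja2 import Environment, BaseLoader

env = Environment(loader=BaseLoader(), autoescape=True)

# Constructed sample posts, as a user would submit them via "New Message".
POSTS = [
    {"title": "Appointment reminder"},
    {"title": "{{ 7 * 7 }}"},   # benign probe: evaluated only if titles are template code
]


def archive_vulnerable(posts):
    """Builds the Archive feed by pasting each title into the template
    *source*.  Whatever the user typed is then parsed and evaluated by
    Jinja2, which is exactly the SSTI bug."""
    body = "".join(f"<item><title>{p['title']}</title></item>" for p in posts)
    return env.from_string("<feed>" + body + "</feed>").render()


def archive_fixed(posts):
    """Same feed, but titles are passed to a fixed template as *data*.
    Jinja2 treats them as plain strings, and autoescape also neutralises
    any markup a title might contain."""
    tmpl = env.from_string(
        "<feed>{% for p in posts %}<item><title>{{ p.title }}</title></item>"
        "{% endfor %}</feed>"
    )
    return tmpl.render(posts=posts)


def is_title_evaluated(render, probe="{{ 7 * 7 }}"):
    """Detection check for a renderer: if the probe title comes back as 49
    instead of literally, titles are being evaluated as template code."""
    out = render([{"title": probe}])
    return "49" in out and probe not in out


if __name__ == "__main__":
    print("vulnerable:", is_title_evaluated(archive_vulnerable))  # True
    print("fixed:     ", is_title_evaluated(archive_fixed))       # False
```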
The first thing I check on every box is web configuration files and log files. The web configuration files turned up nothing, but the logs provided me a password to sign in as shaun.
I logged in as shaun and capped the user flag. Earlier in the scans I noticed port 8089 open, which is the Splunk web interface. I found two different routes to take for the final privilege escalation: one can be done remotely from your attacking box, and the other can be done from within the previously established web shell.
Using the credentials I got for shaun, I used SplunkWhisperer2 and the guide found HERE to grab the flag directly.
PySplunkWhisperer2 from my attack machine
Pulling the HTB Doctor root flag.
Using the credentials I got for shaun, I used wget to pull the exploit onto the box and run it locally. I changed line 46 of the spelunker script before downloading it to the remote machine, as the Base64 default will not work.
spelunker.sh running locally.