🟢doctor

Recon & Enum

port scan

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8089/tcp open  unknown

directory scan (http://10.10.10.209)

/.html                (Status: 403) [Size: 277]
/contact.html         (Status: 200) [Size: 19848]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.209/images/]
/blog.html            (Status: 200) [Size: 19848]
/.php                 (Status: 403) [Size: 277]
/about.html           (Status: 200) [Size: 19848]
/services.html        (Status: 200) [Size: 19848]
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.209/js/]
/departments.html     (Status: 200) [Size: 19848]
/fonts                (Status: 301) [Size: 312] [--> http://10.10.10.209/fonts/]
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 19848]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.209/images/]
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/about.html           (Status: 200) [Size: 19848]
/contact.html         (Status: 200) [Size: 19848]

directory scan (http://doctors.htb)

Target: http://doctors.htb/

[14:41:07] Starting:
[14:43:06] 302 -  251B  - /account  ->  http://doctors.htb/login?next=%2Faccount
[14:43:07] 404 -    3KB - /account/login.rb
[14:43:07] 404 -    3KB - /account/login.shtml
[14:44:16] 200 -  101B  - /archive
[14:46:28] 302 -  245B  - /home  ->  http://doctors.htb/login?next=%2Fhome
[14:46:51] 200 -    4KB - /login
[14:46:54] 302 -  217B  - /logout  ->  http://doctors.htb/home
[14:47:54] 200 -    1KB - /register
[14:48:03] 403 -  276B  - /server-status
[14:48:03] 403 -  276B  - /server-status/
[14:48:41] 200 -    1KB - /user/admin

website (http://10.10.10.209)

i found nothing useful here , but i did found mail address - info.doctors.htb , lets add it add it to /etc/hosts and check

website (http://doctors.htb)

we got login page and also a sign up functioality , lets create an account on this After getting in we get message functionality which consist of 2 parameters

after posting message it looks like this :-

shell as web

Both parameters are vulnerable . para 1 is vulnerable to SSTI & XSS , para 2 vulnerable to command injection

SSTI

i injected payload , but none of them is working until i checked the /archive , 9x9 didnt give any result , i don't think its vulnerable to SSTI but 8x8 wworked for me

its working lets take reverse shell

I thought it didn,t work , but no we have to send requestnin archieve as well , after hitting the send from /archive i got this as response and reverse shell as well

command injection

i start testing it by injecting my ip , but it gave an error

trying $IFS payload and it worked :-

after that i just bash /dev/shm/exploit , and i get the reverse shell

privesc web => shaun

grep -r passw . 2>/dev/null

and i found this :-

./apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"

i tried su - with username = shaun & password = Guitar123 , and i got the shell

privesc shaun => root

GitHub - cnotin/SplunkWhisperer2: Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurationsGitHub

Previousblocky Nextmagic

Last updated 2 years ago

hashtagRecon & Enum

hashtagport scan

hashtagdirectory scan (http://10.10.10.209)

hashtagdirectory scan (http://doctors.htb)

hashtagwebsite (http://10.10.10.209)

hashtagwebsite (http://doctors.htb)

hashtagshell as web

hashtagSSTI

hashtagcommand injection

hashtagprivesc web => shaun

hashtagprivesc shaun => root