Hack the Box: Doctor

Samantha
5 min read · Feb 6, 2021


Just looking at the image of the doctor holding that syringe, I’m going to bet it has something to do with injection, lol.

I started out with an initial nmap scan:

Here is that webpage pulled up from port 80. Just looks like a basic medical care site:

Most of the links just take you right back to the homepage. I ran gobuster to see if I could find anything interesting:

And this is where I got stuck for a LONG time, mostly trying to find exploits for that blog hosting site. Eventually though, after looking back at my nmap scan, I noticed that it said:

Requested resource was http://doctors.htb/login?next=%2F

Apparently that is a messaging portal for the doctors, that can be seen connected to the main website here:

If you try to pull that page up it will give you an error message at first, but if you add the hostname to your /etc/hosts file, you will be able to access it from your IP as if you were one of the doctors.

Remember to save it.

Now, just type doctors.htb into your browser bar and you will see a login page.

I registered for an account so I could snoop around:

Um, that’s annoying. So it looks like I have to figure this out in 20 minutes or keep creating new accounts. A weird limitation to add.

When you get into the doctor’s forum, you will see that you are able to create posts:

This might be where injection comes into play?

After looking around a bit more, I saw this in the source code, which seemed to be a hint:

A good resource for stuff like this is HERE. There is a specific section about CSRF with payload examples. Then at the bottom of that CSRF page there are multiple other resources to read.

This took a large amount of time to craft, during which I had to create about 10 new accounts because they kept expiring, but eventually, I came up with this:

Before hitting Post though, I created a listener with netcat:

Now post, then switch back to your listener:

This was quite an obscure foothold (at least to me). Very interesting, and I definitely learned something.

Upgrade your shell:

Looks like a user named Shaun has the user.txt file, but I don’t have the permissions to read it. I need to find Shaun’s password:

So after looking around a bit, I focused on the logs. Specifically the logs for Apache2, since that is the web server.

You can use grep to find info about passwords.

Notice the first entry has a password listed as “Guitar123” where it looks like someone reset their password.
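As an added defensive example (my own code, not part of the original post or the box), here is a small Python scanner that flags Apache access-log lines where a sensitive parameter such as a password or token was submitted in the URL query string, which is exactly how a password reset ends up written into the web server's log. The log lines and the parameter names are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.2 - - [06/Feb/2021:10:01:12 +0000] "GET /blog HTTP/1.1" 200 5231 "-" "Mozilla/5.0"
10.10.14.2 - - [06/Feb/2021:10:02:45 +0000] "GET /reset_password?email=alice@example.com&password=ExamplePass1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.3 - - [06/Feb/2021:10:03:01 +0000] "POST /login HTTP/1.1" 200 1187 "-" "curl/7.68.0"
10.10.14.4 - - [06/Feb/2021:10:04:20 +0000] "GET /api?token=abc123&user=bob HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client, timestamp, method, target, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query-string keys that should never travel in a URL (assumed list; extend for your app).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "new_password", "token", "secret", "api_key"}


def find_credential_leaks(log_text):
    """Return one finding per request whose URL query carries a sensitive key.

    Each finding is (timestamp, client_ip, path, key). The value is deliberately
    left out so the report itself does not re-leak the secret.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                findings.append((m.group("ts"), m.group("ip"), parts.path, key))
    return findings


if __name__ == "__main__":
    for ts, ip, path, key in find_credential_leaks(SAMPLE_LOG):
        print(f"{ts} {ip} {path} leaks parameter '{key}' in the query string")
```

A hit means the application accepts that parameter via GET; the fix is on the application side (send it in a POST body or header), because redacting the log after the fact does not help anyone who already read it.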

This is indeed Shaun’s password:

Now for root. The path to privilege escalation is actually the other port that was open but has been largely ignored until now, port 8089.

I will be using an exploit called PySplunkWhisperer2_remote.py that you can check out HERE.

I started out by cloning it from github and setting up a listener:

Change directories to /SplunkWhisperer2/PySplunkWhisperer2 and run the following:

Check back with your listener, upgrade your shell, and collect your prize!

Happy Hacking! ❤

Written by Samantha

CTF writeups to facilitate cyber education and help me earn CPEs