Official Doctor Discussion

@TazWake said:

@deissh said:

So, I got access to the admin panel at doctor.htb, there is no password for the account. I don't know what to do.

You might be looking in the wrong place. I don’t recall seeing an admin panel.

*admin@doctor.htb account

@deissh said:

*admin@doctor.htb account

Yeah, it kind of depends on where you are logging in with that. If it is a S****** M******** portal, you are on the right track and it is likely you’ve used an account someone else set up.

Finally did it! This is my second box here and I feel like I’m starting to get the hang of it.

Rooted!
The foothold took me hours and hours. The root part comes without much surprise but was very enjoyable nonetheless.
Feel free to reach out while the process is still fresh in my head :wink:
Thanks to @egotisticalSW for the box, and thanks to everyone for nudges, especially to @Harbard

Thanks @ArtemisFY for the nudge

Got root but definitely not an easy box. I think easy ones would be those that a newcomer could do without much effort. I don’t think this is the case. Besides that, nice box.
PM me if you need help.

I really enjoyed the box. Very interesting, nice foothold and more interesting privesc.
DM for hints.
Thanks @egotisticalSW for the cool box!

Got stuck at S**i. I know it's b**** in******* but can't figure out which parameter to try on. Any nudge?

@mandev said:

Got stuck at S**i. I know it's b**** in******* but can't figure out which parameter to try on. Any nudge?

Depends what you mean by parameter in this context. If you mean which field of the form, you can test it. Put One in the first and two in the second. When you look at the right output, there will only be a single response and you know which bit to attack.

If you mean parameter to S**i, then I don’t think I understand.

Finally rooted… This one was tough but definitely learned a lot. Much respect to @TazWake for guiding me down the right path!

Very interesting, this box is learned by solving.

@TazWake said:

@mandev said:

Got stuck at S**i. I know it's b**** in******* but can't figure out which parameter to try on. Any nudge?

Depends what you mean by parameter in this context. If you mean which field of the form, you can test it. Put One in the first and two in the second. When you look at the right output, there will only be a single response and you know which bit to attack.

If you mean parameter to S**i, then I don’t think I understand.

Yes, it was form fields :smile: . I think this one is not easy as given si pa****ds to fm f***ds. I am trying hard. Can I PM you?

If someone needs help, contact me, I’ll try not to spoil you

Rooted. Easy box. If you need some help, DM me.

@mandev said:

Yes, it was form fields :smile: . I think this one is not easy as given si pa****ds to fm f***ds.

You might be using the wrong s**i.

I am trying hard. Can I PM you?

Yes.

Rooted. Initial foothold is the difficult part but root is simple. Thanks to @ArtemisFY for the nudge.

Did anyone try to crack the root hash from shadow file?

Can anyone give me a nudge for USER? I got a low priv shell from the s*** exploit, have run an enum script and found the encrypted PW for the DSM app, which is not proving useful at the moment… I identified a random hash in a file that looks like it is a PW once decrypted, then I attempted to log in to diff services on the box with the found PW and list of valid users but have not been successful. Additionally, I found a key to the DB but the current low priv shell doesn’t have access to the DB directory. Sanity check?

@mf10ck4 said:

Can anyone give me a nudge for USER? I got a low priv shell from the s*** exploit, have run an enum script and found the encrypted PW for the DSM app, which is not proving useful at the moment… I identified a random hash in a file that looks like it is a PW once decrypted, then I attempted to log in to diff services on the box with the found PW and list of valid users but have not been successful. Additionally, I found a key to the DB but the current low priv shell doesn’t have access to the DB directory. Sanity check?

Your enum scripts may have presented you with what you need, but possibly in a format that is difficult to understand.

Think about the application and mistakes people can make. If they make a mistake the data is captured in a file. If you look through that file you might see someone putting the loot you want in the wrong place.

Thanks @TazWake! My initial s*** exploit landed me in a super restrictive shell (w** - **), once I adjusted my payloads I was able to get a shell as w and able to access the file you mentioned. Thanks for your help!