Doctor
RETIRED MACHINE

OS: Linux
Difficulty: Easy

MACHINE RATING: 4
USER OWNS: 11481
SYSTEM OWNS: 10736
RELEASED: 26/09/2020
Created by egotisticalSW

Machine Synopsis

Doctor is an easy machine that features an Apache server running on port 80. Users can identify a virtual host on the main webpage and, after adding it to their hosts file, gain access to the `Doctor Messaging System`. The system is vulnerable to Server-Side Template Injection, and successful exploitation of the vulnerability results in a shell as the user `web`. This user belongs to the `adm` group and can therefore read various system logs. Enumeration of the logs reveals a misplaced password that can be used to log in as the user `shaun`. Enumeration of system services reveals that a Splunk Universal Forwarder is running on port 8089 in the context of `root`. Research reveals an exploit that can be used with valid credentials to execute code remotely and escalate privileges.
