13 Apr, 2024
Hack The Box: Hospital Machine Walkthrough – Medium Difficulty
Medium Machine , , , , , , , , , ,
Reading Time: 7 minutes

In this post, I would like to share a walkthrough of the Hospital Machine from Hack the Box

This room will be considered a medium machine on Hack the Box

What will you gain from the Hospital machine?

For the user flag, you must circumvent upload filters and deactivate functions to obtain a PHP webshell in the virtual machine and execute commands. I will elevate privileges using kernel exploits, demonstrating both CVE-2023-35001 and GameOver(lay). With root access on the web server, I’ll decrypt the password hashes for a user, acquiring credentials that are also effective on the Windows host and the RoundCube webmail. Within the email system, I’ll respond to another user anticipating an EPS file, exploiting a vulnerability in Ghostscript to achieve execution.

As for the root flag, you need to Automate processes designed for the Ghostscript phishing stage.

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv

Information Gathering on Hospital Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/hospital]
└──╼ $ nmap -sC -sV 10.10.11.241 -oA intial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-19 06:28 EST
Nmap scan report for 10.10.11.241
Host is up (0.30s latency).
Not shown: 979 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
22/tcp   open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e14b4b3a6d18666939f7aa74b3160aaa (ECDSA)
|_  256 96c1dcd8972095e7015f20a24361cbca (ED25519)
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2023-11-19 18:28:31Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp  open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
1801/tcp open  msmq?
2103/tcp open  msrpc             Microsoft Windows RPC
2105/tcp open  msrpc             Microsoft Windows RPC
2107/tcp open  msrpc             Microsoft Windows RPC
2179/tcp open  vmrdp?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2023-09-05T18:39:34
|_Not valid after:  2024-03-06T18:39:34
| rdp-ntlm-info: 
|   Target_Name: HOSPITAL
|   NetBIOS_Domain_Name: HOSPITAL
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: hospital.htb
|   DNS_Computer_Name: DC.hospital.htb
|   DNS_Tree_Name: hospital.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2023-11-19T18:29:30+00:00
6646/tcp open  msrpc             Microsoft Windows RPC
8080/tcp open  http              Apache httpd 2.4.55 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.55 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-11-19T18:29:30
|_  start_date: N/A
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.04 seconds
┌─[darknite@parrot]─[~/Documents/htb/hospital]
└──╼ $

Let’s access the website interface

It has redirected to a login page

Therefore, let’s register the new account on the website

It required us to upload some files into the website interface

Let’s upload a random file to the website interface

However, it shows that the upload of a random file is a successful

The file I upload to the website can be readable to the public.

Firstly, we can upload a file that contains the content above on the website interface

Finally, we managed to retrieve the phpinfo

As a result, we can put a single-line

At last, we managed to obtain a command injection

As a result, we should inject the reverse shell on the website to retrieve the reverse shell connection

It will look something as shown above via Burp Suite

Successfully access the www-data on shared domain

Finally, we have successfully obtained the shell connection on our attacker’s machine

We should execute the command above.

We notice that there’s a hash on drwilliams

Let’s start cracking the hashes

After a while, we have successfully obtained the password for drwilliams

We can change from root to drwilliams by using the credentials that we found earlier

Sadly, there is no user flag on the drwilliams home directory

After a while of thinking, I remembered that there’s another website where we are required to enter the credentials for the website. Surprisingly, it works as a charm

There’s one unread email that shows some vulnerability on GhostScript

Let’s download the script on our attacker’s machine

We should execute the Python script as shown above.

Let’s start our listener

Let’s replied the email with an attachment that will give us a connection back

After a while, we have obtained the shell as drbrown as shown above

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access

Inside the xampp directory, we notice the permission as shown above

The file shown above lists the htaccess on the machine

As a result, we should upload the online line file to the machine

We can use the command above to see the privileges access. We can use the same file to execute the reverse shell connection back to us

Finally, we can successfully connect the reverse shell back to us.

We can read the root flag by typing the “type root.txt” command

Extra Information