[HTB] Hospital

CH@3M 2024. 4. 11. 17:02
└╼$ nmap -A -T5
Starting Nmap 7.93 ( ) at 2024-04-16 06:00 BST
Nmap scan report for
Host is up (0.093s latency).
Not shown: 980 filtered tcp ports (no-response)
22/tcp   open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e14b4b3a6d18666939f7aa74b3160aaa (ECDSA)
|_  256 96c1dcd8972095e7015f20a24361cbca (ED25519)
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-04-16 12:00:22Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC,
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp  open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC,
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
1801/tcp open  msmq?
2103/tcp open  msrpc             Microsoft Windows RPC
2105/tcp open  msrpc             Microsoft Windows RPC
2107/tcp open  msrpc             Microsoft Windows RPC
2179/tcp open  vmrdp?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC,
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC,
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HOSPITAL
|   NetBIOS_Domain_Name: HOSPITAL
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: hospital.htb
|   DNS_Computer_Name:
|   DNS_Tree_Name: hospital.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-04-16T12:01:12+00:00
| ssl-cert: Subject:
| Not valid before: 2024-04-15T11:57:03
|_Not valid after:  2024-10-15T11:57:03
8080/tcp open  http              Apache httpd 2.4.55 ((Ubuntu))
|_http-server-header: Apache/2.4.55 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-16T12:01:12
|_  start_date: N/A
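As an added triage helper (not part of the original post), the script below parses `nmap -A` text output of the kind shown above into port records, attaches each port's `ssl-cert` validity window, and flags certificates that were already expired on the scan date. The embedded sample is an excerpt of the scan above; the function names and the report wording are my own.

```python
"""Triage helper for `nmap -A` text output (added example, not from the original post)."""
import re
from datetime import datetime

# Excerpt of the scan output above, trimmed to the lines this parser needs.
SAMPLE = """\
Starting Nmap 7.93 ( ) at 2024-04-16 06:00 BST
22/tcp   open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp  open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject:
| Not valid before: 2024-04-15T11:57:03
|_Not valid after:  2024-10-15T11:57:03
8080/tcp open  http              Apache httpd 2.4.55 ((Ubuntu))
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SUBJECT_RE = re.compile(r"^\|\s*ssl-cert: Subject:\s*(.*)$")
DATE_RE = re.compile(r"^\|_?\s*Not valid (before|after):\s+(\S+)")


def parse_nmap(text):
    """Return (scan_date, records). Each record is one port line plus the
    certificate subject and validity window reported under it, if any."""
    scan_date = None
    records = []
    current = None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(),
                "subject": None, "not_before": None, "not_after": None,
            }
            records.append(current)
            continue
        if current is None:
            continue  # script output before the first port line
        m = SUBJECT_RE.match(line)
        if m:
            current["subject"] = m.group(1).strip()
            continue
        m = DATE_RE.match(line)
        if m:
            key = "not_before" if m.group(1) == "before" else "not_after"
            current[key] = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S")
    return scan_date, records


def expired_certs(scan_date, records):
    """Ports whose presented certificate had already expired on the scan date."""
    return [r["port"] for r in records
            if r["not_after"] is not None and r["not_after"] < scan_date]


def triage(text):
    """Human-readable observations worth raising with the service owner."""
    scan_date, records = parse_nmap(text)
    notes = []
    for r in records:
        if r["port"] in expired_certs(scan_date, records):
            notes.append("%d/%s: certificate (%s) expired on %s" % (
                r["port"], r["proto"], r["subject"] or "no subject",
                r["not_after"].strftime("%Y-%m-%d")))
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE):
        print(note)
```

On the scan above this reports only the webmail listener on 443, whose self-signed `localhost` certificate lapsed in 2019; the DC and RDP certificates are within their windows. Feeding the full output (rather than the excerpt) works the same way, since lines that are not port lines or `ssl-cert` fields are skipped.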

└╼$ ldapsearch -H ldap:// -x -s base namingcontexts
# extended LDIF
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 

namingcontexts: DC=hospital,DC=htb
namingcontexts: CN=Configuration,DC=hospital,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=hospital,DC=htb
namingcontexts: DC=DomainDnsZones,DC=hospital,DC=htb
namingcontexts: DC=ForestDnsZones,DC=hospital,DC=htb

Confirmed that an account named admin exists
A file upload feature exists
PHP webshell upload succeeded

Upload phpinfo() and check the disable_functions list to see which functions are blocked!

<?php phpinfo(); ?>

Directory search to find the path where uploaded files are stored

└──╼ #gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 150
[+] Url:           
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2024/04/16 16:57:25 Starting gobuster in directory enumeration mode
/images               (Status: 301) [Size: 322] [-->]
/uploads              (Status: 301) [Size: 323] [-->]
/css                  (Status: 301) [Size: 319] [-->]
/js                   (Status: 301) [Size: 318] [-->]
/vendor               (Status: 301) [Size: 322] [-->]
/fonts                (Status: 301) [Size: 321] [-->]
/server-status        (Status: 403) [Size: 280]
2024/04/16 16:59:20 Finished

The PHP webshell doesn't work...
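The weakness used above is an upload handler that accepts a PHP file and stores it under a web-served `/uploads` path; the only thing that blunted it was the `disable_functions` list that the phpinfo() probe revealed. The following is an added example (my code, not the box's application or the post's), showing the two defender-side checks that close that gap: an allowlist-based validator to run before writing anything to the upload directory, and an audit that walks an existing upload directory and reports files carrying PHP code regardless of their declared type. The file names, directory and sample contents are constructed; the PHP payload in the samples is the same `<?php phpinfo(); ?>` probe quoted above.

```python
"""Upload validation and upload-directory audit (added example, not the box's code)."""
import os
import re
import tempfile

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Leading magic bytes for each allowed type, checked against the actual content.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF-",
}
# PHP open tags, including the short and echo forms.
PHP_TAG = re.compile(rb"<\?(php|=)|<\?\s", re.IGNORECASE)
# Server-side extensions anywhere in the name, so "shell.php.jpg" is also caught.
SERVER_SIDE_EXT = re.compile(r"\.(php\d?|phtml|phar|inc)(\.|$)", re.IGNORECASE)


def validate_upload(filename, content):
    """Return (accepted, reason) for an upload, using an extension allowlist,
    a double-extension check, a magic-byte check and a scan for PHP tags."""
    base = os.path.basename(filename)
    if SERVER_SIDE_EXT.search(base):
        return False, "server-side script extension"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not in allowlist"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"


def audit_upload_dir(root):
    """Walk an upload directory and return relative paths that carry a
    server-side extension or contain a PHP open tag in their first 64 KiB."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if SERVER_SIDE_EXT.search(name) or PHP_TAG.search(head):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def demo():
    """Build a constructed upload directory in a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {  # constructed sample files
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "info.phtml": b"<?php phpinfo(); ?>",
        "avatar.jpg": b"\xff\xd8\xff\xe0" + b"<?php phpinfo(); ?>",  # image header with PHP appended
        "notes.pdf": b"%PDF-1.4 constructed sample",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return audit_upload_dir(root)


if __name__ == "__main__":
    print(demo())
```

The validator is the control that should have run before the write; the audit is what you run after the fact on a directory that already exists. Both are independent of the web server's own protection, and in practice they sit alongside two server-side settings: turning PHP execution off for the upload directory (for Apache with mod_php, `php_admin_flag engine Off` inside a `<Directory>` block for `/uploads`) and keeping a strict `disable_functions` list, which is the layer that stopped the webshell on this box.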


Online - Reverse Shell Generator (online reverse shell generator with local storage functionality, URI & Base64 encoding, MSFVenom generator, and raw mode; great for CTFs)

Used a reverse shell

Reverse shell connection established

Escalated to root using the overlay vulnerability matching the web server's version

Gave the file execute permission and ran it

Became root and checked the shadow file. Attempted to crack the passwords.

Obtained the password

Logged in to the webmail on port 443 and checked the mail


Googled the contents of the mail

Attempted an exploit using the CVE

Sent the file created this way by mail

root.txt not obtained yet

No permission on the admin path
