Lecture Summary: Hack the Box - Hospital
This lecture covers the Hack the Box 'Hospital' challenge, which involves exploiting a file upload vulnerability on a Linux system, leading to various privilege escalations and attack vectors on both Linux and Windows systems.
Key Steps & Techniques
Initial Reconnaissance and File Upload Vulnerability
- Scan the Network: Use nmap with default scripts, version enumeration, and output to identify open ports and services on the target network.
- Example: SSH, DNS, SMB, Apache with PHP enabled, RDP, etc.
- Identify the Target System: Examine TTL values in responses to determine the operating system (OS) of the host machine (Windows vs. Ubuntu).
- File Upload: Initial uploading of image files and analysis of responses through tools like Burp Suite.
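The upload handler on the target rejected a blacklist of extensions, which is the weakness the later bypass step relies on. As an added example (not code from the lecture or from the Hack the Box machine), the Python below contrasts a blacklist check with an allowlist check that also verifies the file's magic bytes and discards the client-supplied name; the extension lists and sample uploads are constructed for illustration:

```python
import os
import secrets

# Blacklist of the kind the target relied on: only a few "known bad"
# extensions are rejected (constructed example list, not the target's).
BLACKLIST = {".php", ".phtml", ".phar"}

# Allowlist for the hardened check: permitted extension -> magic bytes
# the uploaded content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_check(filename):
    """Blacklist check: anything not explicitly banned is accepted, so an
    extension variant that the web server still maps to PHP slips through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def hardened_check(filename, data):
    """Allowlist check: the extension must be a known image type AND the
    file content must begin with that type's magic bytes."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return False
    return data.startswith(magic)


def stored_name(filename):
    """Never keep the client-supplied name: store under a random name with
    only the allowlisted extension, which also neutralises double extensions."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not in allowlist")
    return secrets.token_hex(16) + ext


# Constructed sample uploads.
PNG_DATA = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # minimal PNG header
PHP_DATA = b"<?php echo 'constructed sample'; ?>"  # script disguised as an image


if __name__ == "__main__":
    for name, data in [("avatar.png", PNG_DATA),
                       ("avatar.php3", PHP_DATA),
                       ("avatar.png", PHP_DATA)]:
        print(name, "weak:", weak_check(name),
              "hardened:", hardened_check(name, data))
```

The third sample (a PHP script named `avatar.png`) passes the weak check and the extension part of the hardened check, and is only caught by the magic-byte comparison; serving uploads from a directory where script execution is disabled is the complementary server-side control.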
Code Execution and Enumeration Phase
- Bypass File Type Restrictions: Use different file extensions and strategies to bypass upload blacklists for PHP code execution (e.g., .php3, .phtm).
- Exploiting PHP Functions: Identify which PHP functions are disabled/enabled via phpinfo(), and find ones that remain callable (e.g., popen for command execution).
- Reverse Shell: Execute commands on the target system using vulnerable PHP functions to establish a reverse shell.
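The code-execution step worked because the server's `disable_functions` list left at least one process-spawning function callable. As an added example (not from the lecture or the machine), the Python below reads `disable_functions` from a php.ini fragment and reports which of PHP's documented command-execution functions are still enabled; the two ini fragments are constructed, and the function set is PHP's standard one rather than a list taken from the target:

```python
# Built-in PHP functions that launch OS commands or processes. This is the
# standard set from the PHP documentation, not a list taken from the target.
COMMAND_EXEC = {"system", "exec", "shell_exec", "passthru",
                "popen", "proc_open", "pcntl_exec"}


def ini_value(ini_text, key):
    """Return the value of `key = value` from php.ini text, ignoring
    ';' comment lines. Returns "" if the key is absent."""
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip().strip('"')
    return ""


def parse_disable_functions(value):
    """Split the comma-separated disable_functions value into a set
    (the same form phpinfo() shows under 'disable_functions')."""
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def exec_gaps(disable_value):
    """Command-execution functions that remain callable."""
    return COMMAND_EXEC - parse_disable_functions(disable_value)


def audit(ini_text):
    """Return the set of still-callable execution functions for an ini file."""
    return exec_gaps(ini_value(ini_text, "disable_functions"))


# Constructed php.ini fragments.
WEAK_INI = """
; constructed example: popen is missing from the list
disable_functions = system,exec,shell_exec,passthru,proc_open,pcntl_exec
"""

HARDENED_INI = """
; constructed example: every command-execution function is disabled
disable_functions = "system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec"
"""


if __name__ == "__main__":
    for label, text in [("weak", WEAK_INI), ("hardened", HARDENED_INI)]:
        print(label, "remaining:", sorted(audit(text)) or "none")
```

Run the audit against the value shown by `phpinfo()` or `php -i` on a server you administer; any function it reports is one an uploaded script could use, and the fix is to add it to `disable_functions` (or, better, to prevent uploads from executing at all).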
Privilege Escalation on Linux
- Database and Hash Cracking: Extract and crack database user hashes to gain further access credentials.
- Kernel Exploits: Use recent kernel exploits (e.g., CVE-2023 and CVE-2024 ones) to gain root access on the Linux container.
- Reading Sensitive Files: Utilize root privileges to obtain sensitive information like the /etc/shadow file for additional hashes.
Windows Exploitation
- Network Recon and Enumeration: Identify and explore Active Directory and additional Windows services (e.g., SMB, LDAP).
- Email Exploitation: Gain access to a doctor’s email and exploit vulnerabilities within file-processing scripts (e.g., Ghostscript EPS vulnerability) to gain shell access on Windows.
- Privilege Escalation on Windows: Utilize techniques such as injecting a keylogger to capture credentials or using process migration to monitor interactive sessions via VNC and keystroke logging.
- Final Privilege Escalation: Gain SYSTEM privileges by leveraging write access to web directories, uploading a malicious PHP script, or observing active user sessions to capture administrator credentials.
Tools Used
- Nmap: For network scanning and service enumeration.
- Burp Suite: For intercepting and modifying HTTP requests during exploit attempts.
- Hashcat: For cracking hashed passwords from extracted databases.
- Powershell & Python: For script execution and disabling/bypassing restricted PHP functionality.
- Metasploit: For process injection, setting up a VNC session, and capturing keystrokes.
Conclusion
- The Hospital challenge demonstrates multiple attack vectors, including file upload vulnerabilities, PHP function exploitation, kernel vulnerabilities, and privilege escalation techniques in both Linux and Windows environments. Successful exploitation requires thorough reconnaissance, creative payload delivery, and efficient use of tools.