HackTheBox - Hospital
00:00 - Introduction
01:00 - Start of nmap
03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented
07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files
13:48 - Uploading a php shell, discovering there are disabled functions blocking system
17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution
23:00 - Reverse shell returned on the linux host
26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password
29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt
33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit
36:00 - Building a malicious EPS File with a powershell reverse shell
43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system
52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password
1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen
1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
Watch video HackTheBox - Hospital online without registration, duration hours minute second in high quality. This video was added by user IppSec 13 April 2024, don't forget to share it with your friends and acquaintances, it has been viewed on our site 24,175 once and liked it 616 people.