Official Hospital Discussion

Rooted, that was very interesting and some bits were quite tough. I think Foothold is the challenging bit, once you’re done root is just mostly enumeration and looking around.
PM for help

Time for some nudges since it’s been 24h.

User: By far, by FAR, the hardest part of this machine. Foothold is all about uploading and then can be rootable quite easily but it’s not the end of the path. Keep looking. Hash cracking will be part of your journey and the second phase before user is harder than the foothold.

Root: Don’t overthink. That is all there is to it. If it’s a way that takes too long, it’s wrong.


Can anyone tell which dictionary to use for user part? ext-most-co… doesn’t work

Not sure of what you’re asking… but if it’s regarding hash cracking… for most of HTB machines, I have found that you just need to keep rocking.

to identify extension for uploading. which dictionary have u used?

Not really a dictionary… It’s a pretty common situation (at least in CTF-like exercises): whenever you have a file upload feature using this technology. If the standard extension is blocked, this other extension tends to be allowed.

Just finished rooting this one…Super fun machine and many thanks to ruycr4ft!!!

So many small steps, and none of them crazy complicated. Too much in there to give specific hints, but I would say that other than the very first and the very last step, pretty much everything is related to stuff being out of date and vulnerable. The first and last steps are also very straight forward though.

Oh, and I did find myself going down a rabbit hole at the very start. the version of the app has a fix with the release notes relating to a vulnerability - seemed like a follow on from the CVE. Got caught trying to figure out if it was still vulnerable despite being fixed for the CVE. I think it just was the devs adding the application content-disposition header to help remediate?

Feel free to HMU for specific hints, enjoy!

Rooted in 2 different ways both not as box author intended. I guess I’ll just wait ippsec video and see how it was supposed to be rooted the box

1 Like

Can not get shell. rebooted. Im pretty sure im doing right?

Rooted!! there’s more than one way to get the root

I have a problem when i try to upload rev shell. I get this error every time :
WARNING: Failed to daemonise. This is quite common and not fatal.
ERROR: Can’t spawn shell

I don’t really understand how root works in this one, if someone could explain it to me I’d appreciate (I eventually got it, but it was kind of an accident, I want to learn how I could do it in a deterministic way)

Alright, someone left something behind that makes it easy for anyone to get the root flag with basically little to no work. Please remove.

Hi !
i’m stuck with my shell :frowning: i’m close to be inside but i have no return.
someone can pm me :slight_smile: ?

EDIT : i did it ^^ maybe the machine just needed a reset

I managed to get a reverse shell but I can’t seem to make it interactive. I also found some *** creds, but with this shell I can connect to the db. Any ideas on what I can do to continue on the path to get user?

Just rooted :slight_smile: a fun machine

Are you at a web shell? If yes, then you need to use it to get a reverse shell.

1 Like

I have a reverse shell

Well, I must be looking in the wrong spot. Made it to where I’m looking for the root flag. Have user.

Thought I was supposed to be looking in the x****\h***** folder but everytime I get a file in there when I go to access it it’s displaying the content, not executing the file.

Maybe I’m down a rabbit hole. Anyone want to push me one way or another?