HTB: hospital Writeup

Machine Banner

Machine Information

Name: hospital
OS: Windows (with Linux VM)
Difficulty: Medium
Points: N/A
Release Date: N/A
IP Address: 10.129.229.189
Hostname: hospital.htb
Author: D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

hospital is a Medium-difficulty Windows machine running an Active Directory domain controller with a Linux VM alongside it. The scenario covers reconnaissance of a broad Windows service footprint, analysis of a PHP web application on port 8080 that exposes a file upload feature, and privilege escalation paths that depend on credential extraction. The intended initial foothold is that PHP application's upload functionality; the exploitation, user and root sections of this writeup are still in progress.

TL;DR: AD Enumeration → Web App Reconnaissance → File Upload Exploitation → User Access → Privilege Escalation → Administrator.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.229.189

Results:

The target has the extensive port footprint characteristic of an Active Directory domain controller. Two caveats when reading the table: the SERVICE column is nmap's name guess from its nmap-services file (names such as zephyr-clt, eklogin and boe-* on 2103/2105/6404-6410 are port-number lookups where no version probe matched, not identified services), so the -sV output, omitted here, is what actually identifies them; and SSH on 22/tcp is unusual for a Windows DC and is consistent with the Linux VM noted in the machine information.

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
6404/tcp open boe-filesvr
6406/tcp open boe-processsvr
6407/tcp open boe-resssvr1
6410/tcp open boe-resssvr4
6615/tcp open unknown
6639/tcp open unknown
8080/tcp open http-proxy
9389/tcp open adws
9593/tcp open cba8

Service Enumeration

Hostname: hospital.htb

Add the machine to /etc/hosts:

# /etc/hosts is root-owned, so a plain >> redirect fails for a normal user
echo "10.129.229.189 hospital.htb" | sudo tee -a /etc/hosts

Key Services Identified:

Active Directory Infrastructure:

  • Kerberos (88/tcp): Primary authentication service
  • LDAP (389/tcp, 636/tcp SSL, 3268/tcp, 3269/tcp SSL): Directory services
  • DNS (53/tcp): Domain name resolution
  • SMB (445/tcp, 139/tcp): File sharing and authentication
  • RDP (3389/tcp): Remote desktop access
  • WinRM (5985/tcp): Windows remote management
  • ADWS (9389/tcp): Active Directory Web Services

Web Services:

  • HTTP (8080/tcp): Web server hosting the PHP application; nmap labels port 8080 "http-proxy" by default, but nothing observed indicates an actual proxy
  • HTTPS (443/tcp): Encrypted web service, to be enumerated separately from 8080
  • RPC over HTTP (593/tcp): The Windows RPC endpoint mapper over HTTP, part of the RPC stack rather than a web application, so not a target for directory brute-forcing

Web Application Discovery (Port 8080):

Directory enumeration reveals the following endpoints:

/register.php - User registration endpoint
/upload.php - File upload functionality
/success.php - Success confirmation page

File Upload Configuration:

  • Allowed file type: .png (images only), as presented by the form
  • Potential vulnerability: the server-side check has not yet been characterised; whether it is a client-side restriction, an extension blocklist, a Content-Type check or a magic-byte sniff determines which bypass (alternate PHP extensions, double extensions, forged Content-Type, PNG/PHP polyglot) applies

HTTP Ports Identified:

  • 8080 (Primary web application, PHP)
  • 443 (HTTPS)
  • 593 (RPC over HTTP endpoint mapper, listed for completeness; not a web application)

Technology Stack:

  • Backend: PHP
  • Authentication: Active Directory (Kerberos, LDAP)
  • Infrastructure: Windows Server with Linux VM integration

Initial Foothold

Exploitation Path

STATUS: IN PROGRESS - Reconnaissance Complete

The reconnaissance phase has identified a PHP-based web application on port 8080 with file upload functionality. This represents the primary attack surface for gaining initial access. Further analysis and exploitation of the upload.php endpoint is required to achieve code execution.

Key Attack Surface:

  1. File Upload Vulnerability (Primary Target)

    • Endpoint: http://hospital.htb:8080/upload.php
    • Current restriction: .png files only
    • Potential bypass: File type validation evasion techniques
    • Objective: Upload malicious PHP file for remote code execution
  2. Application Logic Review

    • Analyze registration and upload workflows
    • Identify potential business logic flaws
    • Test for improper file validation/sanitization
  3. Active Directory Attack Vectors

    • Assess LDAP enumeration possibilities
    • Evaluate Kerberos-based attacks (if applicable)
    • Identify credential harvesting opportunities from web application
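The upload restriction and bypass ideas above are worth seeing as code. The block below is an added example written for this writeup, not code from the hospital box or from its author: the page only tells us the form accepts .png, so the two validators are hypothetical models of a weak and a hardened server-side check, and the PHP marker, filenames and PNG bytes are constructed test inputs.

```python
"""Why a ".png only" rule on an upload form needs testing, not trust.

Added example, not code from the hospital box or the writeup: the page only
tells us the form accepts .png, so the two validators below are hypothetical
models of a weak and a hardened server-side check, and the PHP marker and
filenames are constructed test inputs.
"""
from __future__ import annotations

import os
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Harmless PHP marker: if the stored file is ever run through the PHP handler,
# the response carries this string instead of the PNG bytes.
PHP_MARKER = b"<?php echo 'upload-check:' . php_uname(); ?>"
# Extensions that PHP-enabled web servers commonly route to the interpreter
# (Apache AddHandler/AddType patterns vary by distribution).
PHP_LIKE_EXTENSIONS = ("php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps")


def polyglot_png(payload: bytes = PHP_MARKER) -> bytes:
    """PNG signature followed by PHP source. A magic-byte sniff sees a PNG;
    the PHP interpreter emits the leading bytes verbatim and executes the
    <?php ... ?> block when the file is served through a PHP handler."""
    return PNG_MAGIC + payload


def minimal_png() -> bytes:
    """Smallest structure the hardened check accepts: signature plus an IHDR
    chunk (length 13, type, 13 data bytes, 4 CRC bytes; CRC is not verified)."""
    return PNG_MAGIC + (13).to_bytes(4, "big") + b"IHDR" + b"\x00" * 13 + b"\x00" * 4


def candidate_filenames(stem: str = "avatar") -> list[str]:
    """Names an upload tester tries against a '.png only' rule."""
    names = [f"{stem}.png"]  # baseline that must be accepted
    names += [f"{stem}.{ext}" for ext in PHP_LIKE_EXTENSIONS]
    names += [f"{stem}.PHP", f"{stem}.php.png", f"{stem}.png.php"]
    return names


def vulnerable_validate(filename: str, content: bytes) -> bool:
    """Weak check (hypothetical): blocklist on the last extension, lower-cased,
    plus a magic-byte sniff. Case tricks and the listed extensions are caught,
    but .php7/.phtml/.phar are not on the list and the polyglot passes the sniff."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in ("php", "php3", "php4", "php5"):
        return False
    return content.startswith(PNG_MAGIC)


def hardened_validate(filename: str, content: bytes) -> tuple[bool, str]:
    """Hardened check (hypothetical): allowlist exactly one .png extension,
    require PNG structure (signature and IHDR chunk), and return a server-chosen
    random storage name so the client-supplied name never reaches disk. Serving
    the upload directory with script execution disabled is the second layer."""
    base = os.path.basename(filename)
    if base.count(".") != 1 or not base.lower().endswith(".png"):
        return False, ""
    if not content.startswith(PNG_MAGIC) or content[12:16] != b"IHDR":
        return False, ""
    return True, f"{secrets.token_hex(16)}.png"


def audit(validator, content: bytes) -> dict[str, bool]:
    """Run every candidate name through a validator; True means accepted."""
    results = {}
    for name in candidate_filenames():
        verdict = validator(name, content)
        results[name] = verdict[0] if isinstance(verdict, tuple) else verdict
    return results


if __name__ == "__main__":
    weak = audit(vulnerable_validate, polyglot_png())
    strong = audit(hardened_validate, polyglot_png())
    print("accepted by weak check:", [n for n, ok in weak.items() if ok])
    print("accepted by hardened check:", [n for n, ok in strong.items() if ok])
```

The weak validator accepts avatar.phtml, avatar.phar and avatar.php7 with the polyglot, and also avatar.php.png, which is only safe if the web server never applies multi-extension handler rules; the hardened validator rejects every candidate except a structurally valid .png, and even that is stored under a random name. When testing the real endpoint, send each candidate with a browser-like multipart request and check whether the stored file is served with the PHP marker output or the raw bytes.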

Enumeration Commands

# Full TCP port sweep first, then version-probe only the open ports
nmap -p- -Pn hospital.htb -oA all_ports
# UDP: a full -p- UDP scan takes hours; probe the AD-relevant ports instead (needs root)
sudo nmap -sU -Pn -p 53,88,123,137,389,464 hospital.htb -oA udp_ports
# Default scripts and service versions on the discovered TCP ports
sudo nmap -Pn -sC -sV hospital.htb -oA default_scan
# Web directory enumeration on 8080 and 443 (593 is RPC over HTTP, not a web app); -x php finds PHP endpoints
gobuster dir -u http://hospital.htb:8080 -w /usr/share/wordlists/dirb/common.txt -x php
feroxbuster -u http://hospital.htb:8080 -w /usr/share/wordlists/dirb/common.txt -x php -r
# LDAP: anonymous bind, base DN discovery (-H replaces the deprecated -h)
ldapsearch -H ldap://hospital.htb -x -s base namingcontexts
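The sweep-then-target workflow in the commands above can be automated from nmap's grepable output. The following is an added example, not from the writeup: the gnmap text is constructed to resemble the hospital scan (IP from the page, only a handful of its ports, no real version strings), and the follow-up commands it builds are the ones a tester would type next.

```python
"""From a full-port sweep to targeted follow-up: parse nmap's grepable output.

Added example, not from the writeup: the gnmap text below is constructed to
resemble the hospital scan (IP from the page; only a handful of its ports),
and the follow-up commands are the ones a tester would type next.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class PortEntry(NamedTuple):
    port: int
    state: str
    proto: str
    service: str  # nmap's name guess (nmap-services), not a fingerprint


# gnmap port tokens: port/state/proto/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Constructed sample in the format of `nmap -p- -Pn -oG all_ports`.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p- -Pn -oG all_ports.gnmap 10.129.229.189
Host: 10.129.229.189 ()\tStatus: Up
Host: 10.129.229.189 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, \
88/open/tcp//kerberos-sec///, 443/open/tcp//https///, 593/open/tcp//http-rpc-epmap///, \
8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (65528)
# Nmap done -- 1 IP address (1 host up) scanned in 120.00 seconds
"""


def parse_gnmap(text: str) -> dict[str, list[PortEntry]]:
    """Return {host: [PortEntry, ...]}, skipping comment and status-only lines."""
    hosts: dict[str, list[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = hosts.setdefault(host, [])
        for m in _PORT_RE.finditer(ports_field):
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(5)))
    return hosts


def open_ports(entries: list[PortEntry], proto: str = "tcp") -> list[int]:
    return sorted(e.port for e in entries if e.state == "open" and e.proto == proto)


# Service guesses worth spidering. 593 (http-rpc-epmap) is deliberately absent:
# it is the RPC endpoint mapper over HTTP, not a web application.
WEB_SERVICE_GUESSES = {"http", "https", "http-alt", "https-alt", "http-proxy", "ssl/http"}


def web_ports(entries: list[PortEntry]) -> list[tuple[int, str]]:
    """(port, scheme) for open TCP ports whose service guess looks like a web server."""
    return sorted(
        (e.port, "https" if "https" in e.service or e.service.startswith("ssl/") else "http")
        for e in entries
        if e.state == "open" and e.proto == "tcp" and e.service in WEB_SERVICE_GUESSES
    )


def followup_commands(host: str, entries: list[PortEntry],
                      wordlist: str = "/usr/share/wordlists/dirb/common.txt") -> list[str]:
    """Version/script scan limited to the open ports, then one directory
    brute-force per web port (-x php because the app on 8080 is PHP)."""
    ports = ",".join(str(p) for p in open_ports(entries))
    cmds = [f"sudo nmap -Pn -sC -sV -p{ports} {host} -oA targeted"]
    for port, scheme in web_ports(entries):
        tls = " -k" if scheme == "https" else ""  # -k: skip TLS validation on self-signed certs
        cmds.append(f"gobuster dir -u {scheme}://{host}:{port} -w {wordlist} -x php{tls}")
    return cmds


if __name__ == "__main__":
    for host, entries in parse_gnmap(SAMPLE_GNMAP).items():
        print("\n".join(followup_commands(host, entries)))
```

Pipe the real `all_ports.gnmap` into `parse_gnmap` and the script emits one targeted `-sC -sV` line covering only the open ports plus a gobuster line per web port, which keeps 593 and the filtered ports out of the web enumeration.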

Next Steps (Exploitation - Incomplete)

Refer to the original engagement notes for detailed exploitation steps, specific payloads, and attack chain to compromise the system through the identified PHP upload vulnerability or alternative attack vectors.


User Compromise

Credential Discovery

STATUS: INCOMPLETE - Awaiting Exploitation Details

Credentials are expected to be discovered through one or more of the following methods:

  1. File Upload RCE: Execution of PHP code on the web server to extract credentials from the system or Active Directory
  2. Cleartext Credential Storage: Configuration files or application databases containing plaintext credentials
  3. LDAP Enumeration: Harvesting user information from Active Directory LDAP services
  4. Application Logic Flaws: Bypass of authentication mechanisms in register.php or other endpoints

User Flag

STATUS: NOT YET CAPTURED

# After obtaining user credentials
cat ~/user.txt
# or
type C:\Users\[username]\Desktop\user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Post-Compromise Enumeration

Once user-level access is obtained, the following enumeration steps apply:

# Run from a PowerShell session: the first three are classic cmd tools that also work there,
# the last two are PowerShell cmdlets
whoami /all
net user
systeminfo
Get-LocalGroupMember "Administrators"
Get-Service | Where-Object {$_.Status -eq "Running"}

Privilege Escalation Path

STATUS: INCOMPLETE - Awaiting User-Level Access

Potential privilege escalation vectors on Windows/AD environment:

  1. Service Account Exploitation: Identify and exploit misconfigured services
  2. Token Impersonation: Leverage user tokens for privilege escalation
  3. AD Lateral Movement: Use compromised credentials to access higher-privileged accounts
  4. Kernel/Application Exploits: Known, unpatched vulnerabilities identified from systeminfo and installed software versions
  5. Credential Dumping: Extract credentials from memory/LSA secrets

Root Flag

STATUS: NOT YET CAPTURED

# On the Windows domain controller, after escalating to Administrator
type C:\Users\Administrator\Desktop\root.txt
# On the Linux VM, if root is obtained there
cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

Reconnaissance (Port/Service Enumeration)
Web Application Analysis (Port 8080 PHP App)
File Upload Vulnerability Exploitation
Remote Code Execution (RCE)
User-Level Access (Credential Extraction)
Privilege Escalation (Administrator)
Full System Compromise

Current Progress: Reconnaissance phase complete. Attack surface identified.


Tools Used

Tool          Purpose
nmap          Port scanning and service fingerprinting
gobuster      Directory and subdomain enumeration
feroxbuster   Recursive directory brute-forcing
ldapsearch    LDAP directory enumeration
curl          Web request testing and file upload
Burp Suite    Web application analysis and request manipulation
ssh           Secure shell access
nc / ncat     Reverse shell listener

Key Learnings

  • Comprehensive Enumeration: The extensive port footprint of Active Directory environments provides multiple reconnaissance opportunities and attack surfaces.
  • Web Application Security: File upload functionality is a critical attack vector; input validation and file type restrictions must be thoroughly tested.
  • Defense-in-Depth: Hardening the upload form alone is not enough; exposed LDAP, Kerberos and RPC services remain independent attack surfaces that each need their own controls.
  • Active Directory Exploitation: Understanding AD services, authentication mechanisms, and lateral movement is essential for Windows penetration testing.
  • Reconnaissance is Critical: Detailed service enumeration reveals the target’s architecture and enables targeted exploitation.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #ActiveDirectory #Medium #FileUpload #PHP