Hospital
Description
Automated Scanning
NMap Scan
# Nmap 7.94SVN scan initiated Fri Mar 1 15:35:21 2024 as: nmap -sC -sV -vvv -T4 -oN Data/Machines/hospital/nmap.txt 10.10.11.241
Nmap scan report for hospital.htb (10.10.11.241)
Host is up, received syn-ack (0.096s latency).
Scanned at 2024-03-01 15:35:22 EST for 120s
Not shown: 983 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e1:4b:4b:3a:6d:18:66:69:39:f7:aa:74:b3:16:0a:aa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEOWkMB0YsRlK8hP9kX0zXBlQ6XzkYCcTXABmN/HBNeupDztdxbCEjbAULKam7TMUf0410Sid7Kw9ofShv0gdQM=
| 256 96:c1:dc:d8:97:20:95:e7:01:5f:20:a2:43:61:cb:ca (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGH/I0Ybp33ljRcWU66wO+gP/WSw8P6qamet4bjvS10R
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-03-02 03:35:39Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.0.28)
| tls-alpn:
|_ http/1.1
|_http-title: Hospital Webmail :: Welcome to Hospital Webmail
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
| http-methods:
|_ Supported Methods: GET POST
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack
| ssl-cert: Subject: commonName=DC
| Subject Alternative Name: DNS:DC, DNS:DC.hospital.htb
| Issuer: commonName=DC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-06T10:49:03
| Not valid after: 2028-09-06T10:49:03
| MD5: 04b1:adfe:746a:788e:36c0:802a:bdf3:3119
| SHA-1: 17e5:8592:278f:4e8f:8ce1:554c:3550:9c02:2825:91e3
1801/tcp open msmq? syn-ack
2103/tcp open msrpc syn-ack Microsoft Windows RPC
2105/tcp open msrpc syn-ack Microsoft Windows RPC
2107/tcp open msrpc syn-ack Microsoft Windows RPC
2179/tcp open vmrdp? syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.hospital.htb
| Issuer: commonName=DC.hospital.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-29T20:59:54
| Not valid after: 2024-08-30T20:59:54
| MD5: 5134:6d4c:0c3f:7e7f:5fec:f377:9883:0f76
| SHA-1: 7259:2818:3743:1540:9be3:5506:111c:bd65:2537:b455
| rdp-ntlm-info:
| Target_Name: HOSPITAL
| NetBIOS_Domain_Name: HOSPITAL
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hospital.htb
| DNS_Computer_Name: DC.hospital.htb
| DNS_Tree_Name: hospital.htb
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-02T03:36:44+00:00
8080/tcp open http syn-ack Apache httpd 2.4.55 ((Ubuntu))
| http-title: Login
|_Requested resource was login.php
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Apache/2.4.55 (Ubuntu)
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 23222/tcp): CLEAN (Timeout)
| Check 2 (port 42595/tcp): CLEAN (Timeout)
| Check 3 (port 23197/udp): CLEAN (Timeout)
| Check 4 (port 14932/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-02T03:36:43
|_ start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 1 15:37:22 2024 -- 1 IP address (1 host up) scanned in 120.52 seconds
Gobuster (DNS) Scan
DirBuster Scan
No Results
Nuclei Scan
[caa-fingerprint] [dns] [info] hospital.htb
[apache-detect] [http] [info] https://hospital.htb ["Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28"]
[openssl-detect] [http] [info] https://hospital.htb ["OpenSSL/1.1.1t"]
[php-detect] [http] [info] https://hospital.htb ["8.0.28"]
[tech-detect:php] [http] [info] https://hospital.htb
[tech-detect:bootstrap] [http] [info] https://hospital.htb
[http-missing-security-headers:content-security-policy] [http] [info] https://hospital.htb
[http-missing-security-headers:x-content-type-options] [http] [info] https://hospital.htb
[http-missing-security-headers:clear-site-data] [http] [info] https://hospital.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] https://hospital.htb
[http-missing-security-headers:strict-transport-security] [http] [info] https://hospital.htb
[http-missing-security-headers:permissions-policy] [http] [info] https://hospital.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://hospital.htb
[http-missing-security-headers:referrer-policy] [http] [info] https://hospital.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] https://hospital.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] https://hospital.htb
[http-trace:trace-request] [http] [info] https://hospital.htb
[waf-detect:apachegeneric] [http] [info] https://hospital.htb/
[smb-enum] [javascript] [info] hospital.htb:445 ["NetBIOSDomainName: HOSPITAL","DNSComputerNamen: DC.hospital.htb","DNSComputerName: DC.hospital.htb","ForestName: hospital.htb","OSVersion: 10.0.17763","NetBIOSComputerName: DC"]
[smb2-capabilities] [javascript] [info] hospital.htb:445 ["[\"DFSSupport\",\"LargeMTU\",\"Leasing\"]"]
[ssh-auth-methods] [javascript] [info] hospital.htb:22 ["[\"publickey\",\"password\"]"]
[ssh-sha1-hmac-algo] [javascript] [info] hospital.htb:22
[ssh-password-auth] [javascript] [info] hospital.htb:22
[ssh-server-enumeration] [javascript] [info] hospital.htb:22 ["SSH-2.0-OpenSSH_9.0p1 Ubuntu-1ubuntu8.5"]
[openssh-detect] [tcp] [info] hospital.htb:22 ["SSH-2.0-OpenSSH_9.0p1 Ubuntu-1ubuntu8.5"]
[msmq-detect] [tcp] [info] hospital.htb:1801
[rdp-detect:win2016] [tcp] [info] hospital.htb:3389
[expired-ssl] [ssl] [low] hospital.htb:443 ["2019-11-08 23:48:47 +0000 UTC"]
[mismatched-ssl-certificate] [ssl] [low] hospital.htb:443 ["CN: localhost"]
[revoked-ssl-certificate] [ssl] [low] hospital.htb:443
[self-signed-ssl] [ssl] [low] hospital.htb:443
[deprecated-tls] [ssl] [info] hospital.htb:443 ["tls10"]
[deprecated-tls] [ssl] [info] hospital.htb:443 ["tls11"]
[tls-version] [ssl] [info] hospital.htb:443 ["tls10"]
[weak-cipher-suites:tls-1.0] [ssl] [low] hospital.htb:443 ["[tls10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]"]
[tls-version] [ssl] [info] hospital.htb:443 ["tls11"]
[weak-cipher-suites:tls-1.1] [ssl] [low] hospital.htb:443 ["[tls11 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]"]
[tls-version] [ssl] [info] hospital.htb:443 ["tls12"]
[tls-version] [ssl] [info] hospital.htb:443 ["tls13"]
Automation Summary
Summary of Scan Results:
NMap Scan:
- Open Ports: The scan revealed several open ports including SSH (22), DNS (53), HTTPS (443), SMB (445), RDP (3389), and HTTP (8080).
- Services: Detected services include OpenSSH, Apache HTTP server, Microsoft Windows services like Kerberos, RPC, NetBIOS, and Terminal Services.
- Web Services: Apache HTTP server is running on port 443, with a webmail service accessible. Another instance of Apache is running on port 8080, requiring login.
- Security Findings: Multiple security headers are missing from the Apache server running on port 443 (reported by the Nuclei http-missing-security-headers checks), indicating potential security weaknesses.
- Certificates: The certificate served by Apache on port 443 is flagged as expired, mismatched, revoked, and self-signed, raising concerns about security practices.
- Software Versions: Versions of software components like Apache, OpenSSL, and PHP are disclosed, potentially aiding in vulnerability assessment.
Nuclei Scan:
- Web Technologies: Detected PHP, Bootstrap, and Apache web technologies.
- Security Issues: Various security issues were identified including missing security headers, trace request enabled, and deprecated TLS versions.
- Service Detection: Identified services such as SMB, SSH, RDP, MSMQ, and their respective configurations.
Insights:
- The target appears to be a mixed environment with both Linux and Windows services running.
- The web services may have security vulnerabilities due to missing security headers and outdated SSL configurations.
- Further enumeration and analysis are required to exploit potential vulnerabilities and gain access to the system.
AI Generated
User Own
Root Own
Summary
AI Generated