HEALTHCARE
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Healthcare, from the VulnHub pentesting platform.
- Healthcare can be downloaded from here:
https://www.vulnhub.com/entry/healthcare-1,522/
- Once the virtual machine has been downloaded and imported into VirtualBox:
2 - ENUMERATION
- Discovering IP 192.168.1.46:
- Scanning with Nmap:
- Scanning port 21 in more depth:
- Scanning port 80 in more depth:
- Browsing the web server:
- Viewing the page source, there is some misleading information:
- For instance, the folder /admin leads nowhere:
- Dirbusting with rockyou.txt:
- There is a hidden folder called openemr:
- OpenEMR is a medical practice management application:
3 - EXPLOITATION
- Looking for exploits for OpenEMR version 4.1.0:
- Reading 49742.py, there is an injection point that can be used with sqlmap:
- Looking for databases with sqlmap:
- Looking for tables inside the database openemr:
- Dumping the table users, we find cleartext passwords for two users:
- So finally we have credentials admin:ackbar and medical:medical.
- Logging into OpenEMR as user admin:
- There is a management interface for user admin:
- Files for the website are stored under /var/www/html/openemr/sites/default:
- Let's create an exploit named myshell.php:
- Uploading myshell.php to /var/www/html/openemr/sites/default is not allowed:
- However, it is feasible to upload myshell.php to /openemr:
- Setting up a listener on port 3333:
- Now, simply requesting myshell.php with curl gives us a remote shell:
4 - CAPTURING THE 1st FLAG
- Browsing the /home folder, we find an additional user called almirant:
- Inside almirant's home folder we find user.txt and the 1st flag:
5 - PRIVILEGE ESCALATION
- Looking for files with setuid bit:
- For instance, the file healthcheck, owned by root, can be run as root by user medical because of the setuid bit:
- Running strings on healthcheck, we discover that it calls commands such as fdisk, ifconfig, du, ... without their full path (/bin, /sbin):
- So, moving to /tmp, let's write a new script named fdisk containing /bin/bash, and then update the environment variable PATH so that it points to /tmp first:
- Now, when healthcheck (owned by root) calls fdisk, it will execute /bin/bash as root.
- Running healthcheck again, we finally have a root shell:
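The weakness above is that a setuid-root binary shells out to utilities by bare name and trusts whatever PATH the caller supplies. The following audit script is an added example, not part of the original walkthrough and not the healthcheck binary itself: it walks a directory tree, picks out SUID-root files, pulls printable strings from them the way `strings` does, and flags embedded command lines whose program name is not an absolute path. The KNOWN_UTILITIES set and the SAMPLE_STRINGS_OUTPUT bytes are constructed for illustration.

```python
"""Audit SUID-root binaries for commands invoked without an absolute path.

Added example (not from the original walkthrough). It looks for embedded
strings such as "fdisk -l" or "du -sh /var" where the program name is bare,
which is exactly the pattern that makes a setuid helper hijackable via PATH.
"""
import os
import re
import stat
import sys

# Constructed set of utilities that setuid helpers commonly shell out to.
# This list is an assumption for the example; extend it for your own audits.
KNOWN_UTILITIES = {
    "fdisk", "ifconfig", "du", "df", "ls", "cat", "ps", "netstat",
    "free", "uptime", "mount", "id", "whoami", "sh", "bash",
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_unqualified_commands(lines):
    """Return (command, line) pairs where a known utility is invoked by bare name.

    A segment counts as an invocation when its first token is a bare utility
    name; segments are split on ; & | so "ifconfig ; du -sh /" yields both.
    Absolute invocations such as /sbin/fdisk are deliberately not flagged.
    """
    findings = []
    for line in lines:
        for segment in re.split(r"[;&|]+", line):
            tokens = segment.strip().split()
            if tokens and tokens[0] in KNOWN_UTILITIES:
                findings.append((tokens[0], line))
    return findings


def is_suid_root(path: str) -> bool:
    """True for a regular file owned by uid 0 with the setuid bit set."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == 0)


def audit_file(path: str):
    """Strings-scan one file and return its bare-command findings."""
    with open(path, "rb") as fh:
        return find_unqualified_commands(extract_strings(fh.read()))


def audit_tree(root: str):
    """Map each SUID-root file under root that embeds bare commands to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_suid_root(path):
                    hits = audit_file(path)
                    if hits:
                        report[path] = hits
            except OSError:
                continue  # unreadable or vanished file; skip it
    return report


# Constructed sample of what `strings` might print for a small setuid helper.
# Illustrative data only, not the contents of the real healthcheck binary.
SAMPLE_STRINGS_OUTPUT = (
    b"/lib64/ld-linux-x86-64.so.2\x00fdisk -l\x00ifconfig\x00"
    b"du -sh /var/www\x00/sbin/blkid\x00exit\x00"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real audit: python3 audit_suid.py /usr
        for path, hits in audit_tree(sys.argv[1]).items():
            for cmd, line in hits:
                print(f"{path}: {cmd!r} invoked by bare name in {line!r}")
    else:
        # Offline demo against the constructed sample strings.
        for cmd, line in find_unqualified_commands(extract_strings(SAMPLE_STRINGS_OUTPUT)):
            print(f"{cmd:10s} <- {line!r}")
```

Run without arguments to see the sample flag fdisk, ifconfig and du while leaving /sbin/blkid alone; run with a directory argument as root to audit a real system. The fix on the binary side is the mirror image of the finding: invoke helpers by absolute path, or reset PATH to a fixed trusted value inside the program before any system() or exec call, so the caller's environment cannot decide which fdisk gets run as root.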
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: