Today we are going to solve another boot2root challenge called "HEALTHCARE 1". It is developed to train students in the art of penetration testing. The credit for making this lab goes to v1n1v131r4, and the lab is available for download here: healthcare-1. This is an intermediate-level machine that hosts two flags: user.txt and root.txt.
Penetration Testing Methodology

Reconnaissance
- netdiscover
- nmap

Enumeration
- Browsing the HTTP service
- Directory brute force using 'gobuster'

Exploitation
- OpenEMR 4.1.0 vulnerable to critical SQL injection

Privilege Escalation
- Privilege escalation using the PATH variable with a SUID binary
Reconnaissance

Let's begin by scanning the network with "netdiscover" to identify the host IP address, as shown below:

netdiscover

Our target VM is identified with the IP address 192.168.0.158. So, it's time to grab more information about the target by running an 'nmap' port enumeration scan:

nmap -A 192.168.0.158
Enumeration

The initial scan shows that ports 21 (FTP) and 80 (HTTP) are open. The web server usually has the largest attack surface, so let's explore the web server running on port 80 first.

As we see below, the browser presents us the page at http://192.168.0.158. However, we do not get any clue as we explore in and around the page (including its sub-links and the page source).

To enumerate further, let's launch 'gobuster', the directory enumeration tool, to look for other directories or hidden content this web application may have.

gobuster dir -u http://192.168.0.158/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 100 -e

The tool "gobuster" presents us some directories such as favicon, robots, openemr, fonts, images, etc. The "openemr" directory contains a login page and reveals the OpenEMR software version v4.1.0. A quick Google search presents us with a critical SQL injection exploit here: sql-injection-vulnerability-in-openemr
Let's use 'sqlmap' to further enumerate the database names:

sqlmap -u http://192.168.0.158/openemr/interface/login/validateUser.php?u= --dbs --batch

....and we get the list of database names as below:

The database named 'openemr' looks associated with the web application we are exploring, so we further enumerate that database:

sqlmap -u http://192.168.0.158/openemr/interface/login/validateUser.php?u= -D openemr -T users --dump --batch

We get two users and their respective passwords as shown here:
Exploitation

Now, let's navigate to the 'openemr' web application login page and use the 'ackbar' credentials to log in as admin:

As we explore the application, we find that we can edit config.php, which is under the 'Administrative' tab shown below:

We overwrite the content of config.php with the PHP reverse shell php-reverse-shell.php and replace the IP with our Kali Linux IP as highlighted below:

Save the above changes, start a netcat listener on Kali, refresh the web application, and we get a reverse shell:
Privilege Escalation

Now that we have a reverse shell, let's upgrade it to a fully interactive shell using python -c 'import pty; pty.spawn("/bin/bash")' and explore the system. We noted above that we got the shell as the 'apache' user, and we had also found another user's credentials. We can switch to that user and investigate the system further. We run the command below to find SUID binaries on the target, and we find an interesting binary, healthcheck, as highlighted below:

python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null

We explore 'healthcheck' further using the strings command and find that it scans the system by running commands like 'ifconfig' and 'fdisk':

Because healthcheck resolves these commands through PATH rather than by absolute path, we can use the privilege escalation technique using the PATH variable to exploit the system:

cd /tmp
echo "/bin/bash" > fdisk
chmod 777 fdisk
export PATH=/tmp:$PATH
/usr/bin/healthcheck
cd /root
ls

....and we have the root flag: cat root.txt
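As an added defender-side check (not part of the original walkthrough or of the lab's own files), here is a small audit script that does what the strings step above did by hand: it finds setuid binaries and flags any whose embedded strings invoke tools such as fdisk or ifconfig by bare name, which is exactly the weakness healthcheck has. The function names and the AUDIT_COMMANDS list are my own choices, and the script uses tr/grep instead of binutils' strings so it runs on a minimal host.

```shell
#!/bin/sh
# Audit setuid binaries for tools they invoke by bare name (PATH-resolved).
# Added defender-side check; not part of the original walkthrough.
# Usage: audit_suid_binary /usr/bin/healthcheck   (returns 1 on findings)

# Tools a setuid "health check" wrapper typically shells out to.
# Constructed list; extend it for your environment.
AUDIT_COMMANDS="ifconfig fdisk df free uptime netstat ps"

# Pull printable strings (4+ chars) from a file without needing binutils.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' || true
}

# Report every listed tool the file references by bare name (no leading
# slash), optionally followed by arguments, as a system("fdisk -l") style
# call would embed it. Returns 1 if anything was found, 0 otherwise.
scan_bare_commands() {
    strs=$(extract_strings "$1")
    found=0
    for cmd in $AUDIT_COMMANDS; do
        if printf '%s\n' "$strs" | grep -qE "^$cmd( |$)"; then
            echo "$1: invokes '$cmd' without an absolute path"
            found=1
        fi
    done
    return $found
}

# Only a setuid file turns a PATH hijack into a privilege change, so
# non-setuid files are reported as harmless and skipped.
audit_suid_binary() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    if ! [ -u "$1" ]; then
        echo "$1: not setuid, skipping"
        return 0
    fi
    scan_bare_commands "$1"
}

# Walk every setuid file on the host (same find as the walkthrough uses).
audit_all_suid() {
    find / -perm -u=s -type f 2>/dev/null | while read -r f; do
        audit_suid_binary "$f"
    done
}
```

Run audit_all_suid as root on the host; any "invokes ... without an absolute path" line is a binary to rebuild with absolute paths (or a sanitised PATH) before it is trusted with the setuid bit.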
Cheers!! - We nailed it, hope you enjoyed. - Happy hacking!