APEX

Index
1-Nmap
Scan with nmap
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: APEX Hospital
http-enum:
| /filemanager/: Potentially interesting folder
|_ /source/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| Thread ID: 33
| Capabilities flags: 63487
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, FoundRows, ConnectWithDatabase, Speaks41ProtocolOld, SupportsCompression, LongPassword, DontAllowDatabaseTableColumn, IgnoreSigpipes, InteractiveClient, SupportsLoadDataLocal, LongColumnFlag, ODBCClient, Speaks41ProtocolNew, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: z+e=@hlg=<Vz$AXyyqLh
|_ Auth Plugin Name: mysql_native_password
Service Info: Host: APEX
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: apex
| NetBIOS computer name: APEX\x00
| Domain name: \x00
| FQDN: apex
|_ System time: 2021-08-28T13:15:02-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-08-28T17:15:01
|_ start_date: N/
2-Filemanager
The Nmap scan shows that port 80 serves a directory called /filemanager, which could be an attack vector.
Browsing to that path, we find Responsive FileManager v9.13.4.

This version is vulnerable to path traversal: the exploit (EDB-ID: 49359) copies a file of our choosing and pastes it into the source folder of the web page. Looking through the directories in the openemr folder, we also find the path /openemr/sites/default/sqlconf.php, which most likely contains MySQL credentials we can use to connect. The problem is that the web server does not display the contents of .php files, so we will use SMB for this.
We can modify the exploit so that, instead of copying the file into source, it pastes it into /source/Documents, which lets us view it over SMB:

If we run the exploit, we will be able to view the file over SMB:

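As an added detection example (not part of the original writeup), the following Python scans Apache access-log lines for traversal sequences aimed at the /filemanager/ path, including URL-encoded and double-encoded forms; the log lines, request paths and parameter names are constructed for this example and are not the real file manager's endpoints.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines for this example (not taken from the page).
# Request paths and parameter names are hypothetical, not the real file manager's.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2021:13:20:01 -0400] "GET /filemanager/dialog.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Aug/2021:13:20:09 -0400] "GET /filemanager/op.php?path=../../../openemr/sites/default/sqlconf.php HTTP/1.1" 200 312 "-" "python-requests/2.25"
10.0.0.5 - - [28/Aug/2021:13:20:12 -0400] "GET /filemanager/op.php?path=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 300 "-" "python-requests/2.25"
10.0.0.5 - - [28/Aug/2021:13:20:15 -0400] "GET /filemanager/op.php?path=%252e%252e%252fconfig HTTP/1.1" 200 300 "-" "python-requests/2.25"
10.0.0.9 - - [28/Aug/2021:13:21:40 -0400] "GET /openemr/interface/login/login.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Traversal sequence in either slash direction, matched after full decoding.
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\)')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text, prefix="/filemanager/"):
    """Return one record per request under `prefix` whose decoded target contains a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, target, status = m.groups()
        decoded = decode_fully(target)
        if not decoded.startswith(prefix):
            continue
        if TRAVERSAL_RE.search(decoded):
            hits.append({"client": client, "time": ts, "method": method,
                         "raw": target, "decoded": decoded, "status": int(status)})
    return hits


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["method"]} {h["decoded"]} -> {h["status"]}')
```

Decoded targets are reported alongside the raw request so an analyst can see what file the attempt was reaching for, and a 200 status on such a request is the signal that the traversal was not blocked.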
3-SMB
We get an error because this type of file cannot be displayed, so we connect over SMB anonymously, which the Nmap scan at the beginning showed is allowed:

To display it we use the command more sqlconf.php, since we do not have permission to download the file:

4-MySQL
We connect to MySQL with the following credentials:

After searching through different tables in the database, we find the following hashed credentials for the admin user:

5-Hashcat
To identify the hash type before cracking it we use the web page https://hashes.com/en/tools/hash_identifier, which reports that the hash is bcrypt $2*$, Blowfish (Unix).
Let's crack it:

Within a minute we manage to crack it, and the credentials are thedoctor:

6-OpenEMR
We can now log in to openEMR:

Next we upload a reverse shell via http://192.168.214.145/openemr/controller.php?document&upload&patient_id=00&parent_id=4&, but we will not be able to access it because of the permissions, so we reuse the previous file-copy exploit to execute it while listening with netcat:

Execute the exploit:

And we get the reverse shell:

7-Privilege Escalation
Looking for different ways to escalate privileges, we did not find any based on misconfigured files; after a while of testing we see that we can log in as root by reusing the admin password, and the pwnkit exploit can also be used to get the shell:
