VulnHub: Healthcare
Today we will be looking at Healthcare, which is a VulnHub box. As usual we start off with an Nmap scan and see that both port 21 and 80 are open.
We see both port 80 and 21; let's enumerate those some more:
We can look up the versions for both, but that won't help much in Searchsploit. Let's look a little deeper into port 80:
We can see that Nikto shows it is vulnerable to Shellshock. This kind of threw me for a loop since I tried to exploit that a number of different ways. However, after about 30 to 40 minutes I decided that it may not be as vulnerable as Nikto is telling me. I then spent some time doing some different directory busters and found something very useful:
Notice the wordlist I am using for the directory buster, since this is not the norm for boot-to-root style boxes. After we find openemr it is "easy sailing" from here. Let's go to the site first and see what it is.
Notice above that we get a version number, 4.1.0; we can look that up in Searchsploit and see if we find anything:
It is vulnerable to SQL injection. We can use the Python script against it; however, we first need to change the URL as shown:
We can now run the exploit. This is going to take a minute to pull the users and the password hashes for those users:
Now that we have the password hashes, we can throw those into John the Ripper and see if we can crack them:
Now that we have a password we can log in to OpenEMR and see if we can get some type of reverse shell. For this next part I went to administrator and then to Files and uploaded a web reverse shell:
The next part is a little tricky: we need to find out where our reverse shell was uploaded. However, we do see an uploaded image in openemr/sites/default/images, so let's go there and call our shell.php:
Now for the priv esc. Let's see what SUID binaries we have first:
Notice we have a lot of SUID bits set; however, healthcheck is not a standard binary. Let's look deeper into that.
Notice how it calls ifconfig without using the full path. This means that we can create our own ifconfig in /tmp and prepend that directory to PATH. When we then run healthcheck it should escalate our privileges:
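The root cause here is a SUID root program that lets the caller's environment decide which file runs. As an added example (not code from the box or from the original post), the C below shows what healthcheck would have needed to do instead: the PATH-dependent call appears only as a comment, while the hardened wrapper searches a fixed, root-controlled path, discards the inherited environment and executes the resolved absolute path with no shell in between. The function names and the SAFE_PATH value are my own choices, and the `system("ifconfig")` line is an assumption about how the original binary was written; the walkthrough only shows that it invokes ifconfig by bare name.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed, root-owned search path: the privileged program decides where its
 * tools live, never the caller's environment. (Value chosen for this example.) */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Vulnerable pattern, assumed to be roughly what healthcheck does:
 *     system("ifconfig");
 * system() runs the command through /bin/sh, which resolves "ifconfig" using
 * the caller's PATH, so whoever runs the SUID binary chooses which file runs. */

/* Accept only a bare tool name: no empty string, no path components. */
int is_plain_tool_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    return strchr(name, '/') == NULL;
}

/* Replace the inherited environment with a minimal one. A caller-supplied PATH,
 * IFS, LD_PRELOAD and everything else are discarded; only SAFE_PATH survives. */
int reset_privileged_env(void)
{
    if (clearenv() != 0)
        return -1;
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return -1;
    return 0;
}

/* Search SAFE_PATH (never the caller's PATH) for an executable named `tool`.
 * On success writes the absolute path into `out` and returns 1; otherwise 0. */
int resolve_trusted(const char *tool, char *out, size_t outlen)
{
    char dirs[] = SAFE_PATH;   /* writable copy for strtok_r */
    char *save = NULL;

    if (!is_plain_tool_name(tool))
        return 0;

    for (char *dir = strtok_r(dirs, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        int n = snprintf(out, outlen, "%s/%s", dir, tool);
        if (n < 0 || (size_t)n >= outlen)
            continue;
        if (access(out, X_OK) == 0)
            return 1;
    }
    out[0] = '\0';
    return 0;
}

/* Hardened replacement for the bare-name call: resolve the tool against
 * SAFE_PATH, reset the environment in the child, then execv the absolute path
 * directly. Returns the child's exit status, or -1 if it could not be run. */
int run_trusted_tool(const char *tool, char *const argv_tail[])
{
    char path[4096];
    if (!resolve_trusted(tool, path, sizeof path))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (reset_privileged_env() != 0)
            _exit(127);
        execv(path, argv_tail);   /* absolute path, no shell, clean env */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Stand-alone demo: run "true" through the wrapper. argv[0] is the tool
     * name and the list is NULL-terminated, as execv requires. */
    char *const args[] = { "true", NULL };
    int rc = run_trusted_tool("true", args);
    printf("true exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With this structure a writable directory placed first in PATH, as in the walkthrough, has no effect: the lookup never consults the caller's PATH, and the child has no environment left to influence the tool once it runs. The same audit that found healthcheck (listing SUID files and checking whether any of them invoke commands by bare name) is the check to run on any custom SUID binary before it ships.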
And we are now root. I would list this box as a medium box. Going through it the first couple of times was, I think, pretty good; it made you look at different wordlists and think more outside the box.