{THM} Plotted EMR
Last updated
This was my first hard box. To be honest, it was quite hard at first since I didn't have any idea how to open this portal. At first glance, this machine is quite similar to one box prepared by the MCC crew, but it uses a different foothold. In the past, I did a lot of study and research on vulnerabilities in the OpenEMR CMS. So here is my writeup for this machine. Enjoy!
As usual, I will scan for open ports and directories.
From the above result, I know that 4 ports are open.
Port 21 - FTP
Managed to log in as anonymous.
Going deeper into the directories, found one txt file. Download it.
Argghh!! First rabbit hole. But we manage to get a hint from it.
Move to port 80
Just a landing page.
And the gobuster result found 3 directories. Unfortunately, only 1 comes with useful information, and it carries the same hint as the file found on the FTP server. The other 2 are rabbit holes. Hurmm
Port 5900 (vnc)
This port is usually used for remote desktop connections using the Remote Frame Buffer (RFB) protocol.
Port 8890
Another landing page. But gobuster shows an interesting result.
We manage to find a login page. But we don't have any credentials.
Found good documentation (link). It lists all the possible vulnerabilities that can occur; after testing each of them, found that admin.php and setup.php can be accessed.
From the documentation, we can add our own site with our own credentials. Let's create a new site.
We now create a new database with a new value (openemruser). Before that, we need to check whether the database has already been created for the default site.
sqlmap -u admin -h <ipmachine> -P 5900
Next, we set it up as below;
Wait a while for the database to be created.
And just click next until it finishes.
We managed to create a new site with our chosen username and password.
We manage to get the admin page after some sweat and tears. Let's check which version this portal runs.
We know that this version has multiple vulnerabilities. According to the documentation, we can achieve remote code injection through manage_site_file.php.
Use this script. But before that, always read it to understand how the script works.
This is the command to run the script. But something weird happened, so I needed to use python2 instead of python or python3. Another thing: a small change is needed in the script so it points where we want.
Since we are not using the default site, change it to the name of the site we created. Just follow the PoC given. And we manage to gain access by listening on our port.
We manage to gain access. As usual, we need to make this raw shell stable.
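From the defender's side, the chain above leaves a clear trail in the web server logs: the installer (setup.php) and multi-site admin page (admin.php) being served, followed by a request to the site file manager. The following is an added example, not code from the writeup or from the OpenEMR project: it parses constructed Common Log Format lines and flags the endpoints this writeup names. The endpoint names are taken from the text; the request paths, IP addresses and timestamps in the sample log are assumptions made up for the example. In production, neither setup.php nor admin.php should be reachable once installation is complete.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format). Not taken from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /setup.php HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "POST /setup.php?site=openemruser HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:01:30 +0000] "GET /admin.php HTTP/1.1" 200 800
10.0.0.9 - - [01/Jan/2024:10:02:15 +0000] "POST /interface/super/manage_site_files.php HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2024:10:03:00 +0000] "GET /interface/login/login.php?site=default HTTP/1.1" 200 1500
"""

# Endpoints named in the writeup and why a hit on them matters. The substring
# "manage_site_file" matches both the spelling used in the writeup and the
# plural form, so either is caught.
SENSITIVE = {
    "setup.php": "installer reachable (can register a new site with attacker-chosen admin)",
    "admin.php": "multi-site admin page reachable",
    "manage_site_file": "site file manager reachable (file write leads to code execution)",
}

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def endpoint_tag(path):
    """Return the SENSITIVE key matching the request path's basename, or None."""
    basename = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    for key in SENSITIVE:
        if key in basename:
            return key
    return None


def find_sensitive_requests(log_text):
    """Parse each log line and return a finding for every hit on a sensitive endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF
        tag = endpoint_tag(m["path"])
        if tag is None:
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "tag": tag,
            "reason": SENSITIVE[tag],
        })
    return findings


def summarize_by_ip(findings):
    """Group the flagged endpoint tags per source IP."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["tag"])
    return dict(by_ip)


def likely_takeover_chain(by_ip):
    """IPs that touched both the installer and the file manager: the full chain
    from this writeup (new site -> admin -> file write), not just a scanner probe."""
    required = {"setup.php", "manage_site_file"}
    return sorted(ip for ip, tags in by_ip.items() if required <= tags)


if __name__ == "__main__":
    hits = find_sensitive_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['method']} {h['path']} -> {h['status']}: {h['reason']}")
    chain = likely_takeover_chain(summarize_by_ip(hits))
    print("possible site-takeover chain from:", chain or "none")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 200 on setup.php after go-live is a finding on its own, and one source hitting setup.php and the file manager in the same session is the exact sequence this writeup walks through.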
(To be continue)