Today we are going to solve another boot2root challenge called “HEALTHCARE 1”. It is developed to train student the art of penetration testing . The credit of making this lab goes to v1n1v131r4 and lab is available for download here healthcare-1 .This is an Intermediate level machine that hosts two flags: user.txt and root.txt .
Penetration Testing Methodology
Reconnaissance
· netdiscover
· nmap
Enumeration
· Browsing HTTP Service
- Directory Brute force using ‘ gobuster ‘
Exploitation
- OpenEMR 4.1.0 Vulnerable to Critical SQL Injection
Privilege Escalation
- Privilege Escalation Using PATH Variable with SUID bin
Reconnaissance
Let’s begin scanning the network using "netdiscover" to identify the host IP address as shown below:
netdiscover
Our target on VM is identified to acquire IP address of 192.168.0.158. So, it's time to grab more information about the target by executing 'nmap' port enumeration command:
nmap -A 192.168.0.158
Enumeration
The initial scan shows that we have port 21(ftp) and 80(HTTP) open .The web server usually have the largest attack surface ,so let's explore the web server running on port 80 first .
As we see below the browser presents us the below page at http://192.168.0.158 . However, we do not get any clue as we explore in and around the page (including its sub links and source code view)
To further enumerate, let's launch 'gobuster ' -the directory enumeration tool to look for other directory or hidden content which this web application may have.
gobuster dir -u http://192.168.0.158/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -t 100 –e ![]()
The tool “ gobuster ” presents us some directories like favicon, robots, openemr, fonts, images etc. The "openemr" directory seems to contain a login page and revels the OpenEMR software version V4.1.0 . A quick google search presents us with a critical SQL injection exploit here : sql-injection-vulnerability-in-openemr
Let’s use 'sqlmap' to further enumerate the database names :
sqlmap -u http://192.168.0.158/openemr/interface/login/validateUser.php?u= --dbs –batch 
....and we get the list of database names as below:
The database named ' openemr ' looks associated with the web-application we are exploring and hence we further enumerate the database :
sqlmap -u http://192.168.0.158/openemr/interface/login/validateUser.php?u= -D openemr -T users --dump –batch
We get two users and their respective passwords as shown here:
Exploitation
Now , let’s navigate to 'openemr ' web application login page and use 'ackbar' credentials to login as admin :
As we explore the application, we find that we can edit the config.php which is under 'Administrative' tab shown below:
We overwrite the content of config.php with php reverse shell php-reverse-shell.php and replace the IP with our kali linux IP as highlighted below :
Save the above changes, start a netcat listener on kali , refresh the web application and we get a reverse shell :
Privilege Escalation
Now, that we have a revere shell lets upgrade it to a fully interactive shell using python -c 'import pty; pty.spawn("/bin/bash")' and explore the system . We noted above, that we got the shell as 'apache ' user and we also had found another user credential. We can switch to that user and further investigate the system. We run below command to find SUID binaries on target and we find an interesting binary healthcheck as highlighted below:
python -c 'import pty; pty.spawn("/bin/bash")' find / -perm -u=s -type f 2>/dev/null
We explore ' healthcheck ' further using strings command and we find that it scans the system by running commands like ' ifconfig ' and ' fdisk ' :
We can use Privilege Escalation Technique Using PATH Variable to exploit the system :
cd /tmpecho "bin/bash"> fdiskchmod 777 fdiskexport PATH=/tmp:$PATH/usr/bin/healthcheckcd /rootls
....and we have the root flag : cat root.txt
Cheers!! - We nailed it, hope you enjoyed. - Happy hacking!
