Plotted-EMR
端口扫描
root@ip-10-10-141-243:~/plottedemr# nmap -sTCV -p- --min-rate 1000 10.10.241.189
Starting Nmap 7.60 ( https://nmap.org ) at 2023-12-03 11:38 GMT
Nmap scan report for ip-10-10-241-189.eu-west-1.compute.internal (10.10.241.189)
Host is up (0.00050s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.141.243
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
5900/tcp open mysql MySQL 5.5.5-10.3.31-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.31-MariaDB-0+deb10u1
| Thread ID: 43
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsCompression, FoundRows, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsTransactions, Speaks41ProtocolNew, InteractiveClient, ODBCClient, IgnoreSigpipes, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: pC?OP$a=LG^&>E"xW,ps
|_ Auth Plugin Name: 104
8890/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:76:C2:49:91:0F (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.22 seconds
21
root@ip-10-10-141-243:~/plottedemr# ftp 10.10.214.64
Connected to 10.10.214.64.
220 (vsFTPd 3.0.3)
Name (10.10.214.64:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x 3 ftp ftp 4096 Oct 17 2021 .
drwxr-xr-x 3 ftp ftp 4096 Oct 17 2021 .-
dr-xr-xr-x 3 ftp ftp 4096 Oct 17 2021 ..
226 Directory send OK.
从其中我得到了一个文件, 指向一个视频以及一个账户的名称
root@ip-10-10-141-243:~/plottedemr# cat you_are_determined.txt
Sorry, but you wasted your time!
Here is something for you :D
https://www.youtube.com/watch?v=dQw4w9WgXcQ
Wait..I'll give you a hint: see if you can access the `admin` account
80
root@ip-10-10-141-243:~/plottedemr# gobuster dir -u http://10.10.214.64/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.214.64/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/12/03 13:56:28 Starting gobuster
===============================================================
/index.html (Status: 200)
/admin (Status: 200)
/shadow (Status: 200)
/passwd (Status: 200)
/server-status (Status: 403)
===============================================================
2023/12/03 13:59:33 Finished
===============================================================
之后进行访问发现是一些 base64 加密的信息
root@ip-10-10-141-243:~/plottedemr# curl http://10.10.214.64/admin
dGhpcyBtaWdodCBiZSBhIHVzZXJuYW1l
root@ip-10-10-141-243:~/plottedemr# curl http://10.10.214.64/shadow
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==
root@ip-10-10-141-243:~/plottedemr# curl http://10.10.214.64/passwd
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==
root@ip-10-10-141-243:~/plottedemr# echo 'dGhpcyBtaWdodCBiZSBhIHVzZXJuYW1l' | base64 -d
this might be a username
root@ip-10-10-141-243:~/plottedemr# echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQ==' | base64 -d
https://www.youtube.com/watch?v=dQw4w9WgXcQ
8890
root@ip-10-10-141-243:~/plottedemr# gobuster dir -u http://10.10.214.64:8890/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.214.64:8890/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/12/03 13:56:55 Starting gobuster
===============================================================
/index.html (Status: 200)
/portal (Status: 301)
/80 (Status: 301)
/server-status (Status: 403)
===============================================================
2023/12/03 14:00:15 Finished
===============================================================
访问 /portal 发现其指向 openemr 网站
再次进行枚举, 从中我发现一个 sql 目录
root@ip-10-10-141-243:~/plottedemr# gobuster dir -u http://10.10.214.64:8890/portal/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.214.64:8890/portal/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/12/03 14:31:26 Starting gobuster
===============================================================
/index.php (Status: 302)
/images (Status: 301)
/services (Status: 301)
/templates (Status: 301)
/modules (Status: 301)
/common (Status: 301)
/library (Status: 301)
/public (Status: 301)
/version.php (Status: 200)
/admin.php (Status: 200)
/portal (Status: 403)
/tests (Status: 301)
/sites (Status: 301)
/custom (Status: 301)
/contrib (Status: 301)
/interface (Status: 301)
/vendor (Status: 301)
/config (Status: 301)
/setup.php (Status: 200)
/Documentation (Status: 301)
/sql (Status: 301)
/controller.php (Status: 403)
/LICENSE (Status: 200)
/ci (Status: 301)
/cloud (Status: 301)
/ccr (Status: 301)
/patients (Status: 301)
/repositories (Status: 301)
/myportal (Status: 301)
/entities (Status: 301)
/controllers (Status: 301)
===============================================================
2023/12/03 14:33:49 Finished
===============================================================
当创建完成之后我们就可以邓丽 openemr 程序了, 经过查找我发现了对应的 RCE 漏洞OpenEMR_Vulnerabilities
5900
root@ip-10-10-141-243:~/plottedemr# mysql -h 10.10.214.64 -P 5900 -u admin
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.5.5-10.3.31-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
mysql>
后渗透
www-data
www-data —>
(remote) www-data@plotted:/$ cat /etc/crontab
* * * * * plot_admin cd /var/www/html/portal/config && rsync -t * [email protected]:~/backup
17 * * * * root cd / && run-parts --report /etc/cron.hourly