Healthcare: 1 Walkthrough
| reference | Healthcare: 1 |
| target IP | 192.168.1.26 |
Scan with nmap:
Enumerate HTTP with gobuster:
Combine these two exploits together:
- CVE-2015-4453 - Authentication bypass in OpenEMR
- CVE-2014-5462 - Multiple Authenticated SQL Injections In OpenEMR
Save the request:
SQLi with sqlmap to extract table openemr.users:
Crack with john:
Log in to FTP to upload a reverse shell to /var/www/html/openemr:
Reverse shell:
Escalate from user apache to user medical:
Escalate from user medical to user almirant.
Download /var/backups/shadow:
Crack with john:
/home/almirant/user.txt:
Escalate from user almirant (or medical) to user root.
/usr/bin/healthcheck:
Privilege escalation:
/root/root.txt: