
Apex 🔸

Enumeration

The web server shows a page of medical stuff

Let's add apex.offsec to hosts

We have four potential users

And a scheduler app

We find documents in an SMB share that can be accessed without a username or password

With feroxbuster we find a filemanager path, serving the same files as the smb share in a documents folder

We can upload php files and the app won't show them.

Searching with searchsploit

We can search GitHub to find where sqlconf is located, but we need to edit the script and put Documents in the path where the file is being copied to. This way we can see it in the SMB share; here we can't see PHP files.

Initial Access

We can access the DB with the credentials and get users

Using searchsploit to get an OpenEMR exploit

Privilege Escalation

The password is the same as before

Post Exploitation

Get the flag