Apex 🔸

Enumeration

The web server serves a page with medical content.

Let's add apex.offsec to /etc/hosts.

We have four potential users:

And a scheduler app:

We find documents in the SMB share, which can be accessed without a username or password.

With feroxbuster, we find a filemanager path that serves the same files as the SMB share, in a Documents folder.

We can upload PHP files, but the app won't show them.

Searching with searchsploit:

We can search GitHub to find where sqlconf is located, but we need to edit the script so that the path the file is copied to is under Documents. This way, we can read the copied file from the SMB share, since the app won't show PHP files.

Initial Access

We can access the database with the credentials and get users.

Using searchsploit to find an OpenEMR exploit:

Privilege Escalation

The password is the same as before.

Post Exploitation

Get the flag: