Introduction

I begin every box by running AutoRecon:

Copy

I noticed Port 80 come up into the initial scan so I went to the website.

The two things I noticed was Author/Login as author mentioned a HMS.

The two things I noticed were Author/Login as the author mentioned an HMS.

Clicking on Login takes you to an HTML based login page. Viewing the source showed me src=jquery/functionality.js as an active script.

Copy

Pulling the important lines it essentially means if the username and password are not equal != to above put up an error. A picture of Luffy is shown.

OnePiece nostalgia eh…

OnePiece nostalgia eh…

The next part took me a while and there is probably a much better approach. On the Contact Page you will see ASH mention HMS (Hospital Management System). I added cache.htb to my hosts file and decided to try HMS.htb which thankfully lead me to a new site.

Copy
OpenEMR login page was displayed at HMS.htb

OpenEMR login page was displayed at HMS.htb

A short Google later found this PDF which I suggest everyone read:

Download

Essentially if you go to hms.htb/portal you will see the Patient Portal Login. If you go through the registration process by clicking Register.

From Register you can navigate to bunch of other pages (Page 4)
From Register you can navigate to bunch of other pages (Page 4)

you can actually access other pages. I used the add_edit_event_user.php from the list (top one) to perform a SQL Injection. I’m terrible at doing it manually (RIP OSCP training) so I used SQLMap. To do this I went to the Register Page (picture above) and navigated to hms.htb/portal/add_edit_event_user.php?eid=1 and loaded up Burp Suite. I turned Intercept On and navigated to the page.

On Burp I was able to see my PHP Session Cookie and OpenEMR cookie which is needed for SQLMap. I copied the information into a file called req.

Running SQLMap with the req.

Running SQLMap with the req.

Next, I dumped the users_secure table from openemr. I found the table structure well looking for exploits here.

Copy

The dump should be an Excel file. Using hashid I was able to see it was a Blowfish/bcrypt hash. I copied the hash into a file called hash. I used John to decrypt the hash:

Copy
Using John to crack the password.

Using John to crack the password.

Next, I logged into the hms.htb primary (admin) login (3rd photo). Once inside the Administration Panel select Administration/Files. Inside here scroll to the bottom and upload your favorite web shell. In my Tabby guide I touch on tennc and I use the WSO/PHP shell.

After logging in at hms.htb/sites/default/images/shell.php I began to poke around.

After logging in at hms.htb/sites/default/images/shell.php I began to poke around.

I noticed inside the web shell that a user on the box was Ash who a password I got from earlier. I used the Network tab to create a reverse shell onto the box.

Copy

Once on the box I upgraded my shell and tried the Ash user:

Copy

Nice! user flag! Next, I put LinPEAS onto the box. I struggled for a bit until I noticed:

The local host had traffic listening on 11211 which definitely wasn’t normal.

The local host had traffic listening on 11211 which definitely wasn’t normal.

Google eventually led me to this Memcached Cheat Sheet.

Copy
Luffy (should have known from the one piece background earlier).

Luffy (should have known from the one piece background earlier).

Next I started an SSH session with my new user:

Copy

Congrats, your essentially done as the next part was incredibly easy. I ran LinPEAS again which showed me:

Luffy (should have known from the one piece background earlier).

I’ve used Docker extensively but for reference: GTFOBINS

Luffy (should have known from the one piece background earlier).

Docker privileged escalation.

Rooted

Published On: October 10th, 2020 / Categories: HTB, Technology / Tags: , , , , , /

Leave A Comment