Introduction
I begin every box by running AutoRecon:
I noticed Port 80
come up into the initial scan so I went to the website.
The two things I noticed were Author/Login as the author mentioned an HMS.
Clicking on Login takes you to an HTML based login page. Viewing the source showed me src=jquery/functionality.js
as an active script.
Pulling the important lines it essentially means if the username and password are not equal !=
to above put up an error. A picture of Luffy is shown.
OnePiece nostalgia eh…
The next part took me a while and there is probably a much better approach. On the Contact Page you will see ASH mention HMS (Hospital Management System). I added cache.htb to my hosts file and decided to try HMS.htb which thankfully lead me to a new site.
OpenEMR login page was displayed at HMS.htb
A short Google later found this PDF which I suggest everyone read:
Essentially if you go to hms.htb/portal you will see the Patient Portal Login. If you go through the registration process by clicking Register.
From Register you can navigate to bunch of other pages (Page 4)
you can actually access other pages. I used the add_edit_event_user.php from the list (top one) to perform a SQL Injection. I’m terrible at doing it manually (RIP OSCP training) so I used SQLMap. To do this I went to the Register Page (picture above) and navigated to hms.htb/portal/add_edit_event_user.php?eid=1 and loaded up Burp Suite. I turned Intercept On and navigated to the page.
On Burp I was able to see my PHP Session Cookie and OpenEMR cookie which is needed for SQLMap. I copied the information into a file called req.
Running SQLMap with the req.
Next, I dumped the users_secure table from openemr. I found the table structure well looking for exploits here.
The dump should be an Excel file. Using hashid I was able to see it was a Blowfish/bcrypt hash. I copied the hash into a file called hash. I used John to decrypt the hash:
Using John to crack the password.
Next, I logged into the hms.htb primary (admin) login (3rd photo). Once inside the Administration Panel select Administration/Files. Inside here scroll to the bottom and upload your favorite web shell. In my Tabby guide I touch on tennc and I use the WSO/PHP shell.
After logging in at hms.htb/sites/default/images/shell.php I began to poke around.
I noticed inside the web shell that a user on the box was Ash who a password I got from earlier. I used the Network tab to create a reverse shell onto the box.
Once on the box I upgraded my shell and tried the Ash user:
Nice! user flag! Next, I put LinPEAS onto the box. I struggled for a bit until I noticed:
The local host had traffic listening on 11211 which definitely wasn’t normal.
Google eventually led me to this Memcached Cheat Sheet.
Luffy (should have known from the one piece background earlier).
Next I started an SSH session with my new user:
Congrats, your essentially done as the next part was incredibly easy. I ran LinPEAS again which showed me:
I’ve used Docker extensively but for reference: GTFOBINS
Docker privileged escalation.