Result of nmap scan:
Heading to the IP address in the browser reveals a website that looks static and old. The login page, however, references an unusually named script, /jquery/functionality.js. Opening it reveals that the only working credentials for the login form are ash:H@v3_fun, hardcoded in the client-side check. The page behind it is under construction, with a nice picture of Ace from One Piece.
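Credentials that live in a front-end script are visible to anyone who can fetch the file, which is the weakness the login page above has. As an added example (not code from the write-up or from the site), here is a small scanner for that pattern: it flags credential-like identifiers that are assigned to or compared with a non-empty string literal. The sample script is constructed to stand in for /jquery/functionality.js, whose contents are not reproduced here; the pattern and function names are my own.

```python
import re

# Constructed sample: a front-end script that performs the login check on the
# client side with literal credentials. It stands in for the page's
# /jquery/functionality.js (contents not reproduced); the pair ash:H@v3_fun is
# the one the write-up reports.
SAMPLE_JS = """\
$(function () {
  $("#loginform").submit(function (e) {
    var username = $("#username").val();
    var password = $("#password").val();
    if (username === "ash" && password === "H@v3_fun") {
      showUnderConstruction();
    } else {
      showError();
    }
  });
});
var apiToken = "";  // empty literal: not a finding
"""

# A credential-like identifier assigned to, or compared with, a non-empty
# string literal: `password = "x"`, `password: 'x'`, `password === "x"`, ...
CRED_PATTERN = re.compile(
    r"""\b(?P<name>user(?:name)?|pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b
        \s*(?:===?|:|=)\s*
        (?P<quote>["'])(?P<value>[^"'\n]+)(?P=quote)""",
    re.IGNORECASE | re.VERBOSE,
)


def find_hardcoded_credentials(js_source):
    """Return (line, identifier, literal) for every credential-like literal."""
    findings = []
    for m in CRED_PATTERN.finditer(js_source):
        # 1-based line number of the match start
        line = js_source.count("\n", 0, m.start()) + 1
        findings.append((line, m.group("name").lower(), m.group("value")))
    return findings


if __name__ == "__main__":
    for line, name, value in find_hardcoded_credentials(SAMPLE_JS):
        print(f"line {line}: {name} = {value!r}")
```

Run it over every script a site serves (a build step or a CI check works well); anything it reports should be moved to a server-side check, since a client-side comparison can never protect a page.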
Further exploration of the Author page shows:
ASH is a Security Researcher (Threat Research Labs), Security Engineer. Hacker, Penetration Tester and Security blogger. He is Editor-in-Chief, Author & Creator of Cache. Check out his other projects like Cache:
HMS (Hospital Management System)
So we are exploring cache.htb, and the Author page says there is an HMS that is like Cache, so could it be a virtual host as well? Add hms.htb to the /etc/hosts file and we get a login page. It turns out to be a CMS called OpenEMR. When facing a CMS, I don't directly go for gobuster, since its structure can be found directly where the CMS is available, like GitHub, and you can even find listed vulnerabilities.
Found OpenEMR on GitHub, but the robots.txt does not mention the version. There is an admin.php in the root folder, and http://hms.htb/admin.php reveals the version in use is 5.0.1 (3). Still on GitHub, switch to the tag matching that version in order to see the source code that is deployed at HMS.
Now for vulnerability hunting: searchsploit reveals an RCE for our version, but we need to be authenticated. A Google search ended with a PDF containing a ton of vulnerabilities. Follow the instructions necessary to perform a SQL injection with the catid GET parameter of /portal/find_appt_popup_user.php. To speed up the exfiltration of the users, you will find the database schema in the repo, and the target table is called
Successful SQLMap exploitation gives the credentials openemr_admin:$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. This being a bcrypt hash, pass it to john or hashcat and it will come out as xxxxxx (what a dumb password for an admin, lol).
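The hash above carries a bcrypt cost factor of 05, which is 2^5 = 32 key-expansion rounds per guess; a weak password combined with a low cost is exactly what makes offline cracking quick. As an added example (not code from the write-up or from OpenEMR), here is an audit that parses the modular-crypt bcrypt layout and flags user rows whose cost is below a minimum, or whose stored value is not bcrypt at all. The sample rows are constructed (the salt and digest characters are filler, not real hashes); only the cost factor 05 and the username openemr_admin come from the page, and the function names are my own.

```python
import re
from typing import NamedTuple

# Modular-crypt bcrypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


class BcryptInfo(NamedTuple):
    version: str
    cost: int      # log2 of the number of key-expansion rounds
    rounds: int    # 2 ** cost


def parse_bcrypt(stored_hash):
    """Split a bcrypt string into its parts; raise ValueError if it is not one."""
    m = BCRYPT_RE.match(stored_hash)
    if m is None:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group("cost"))
    return BcryptInfo(m.group("version"), cost, 2 ** cost)


def audit_hashes(rows, min_cost=10):
    """Flag rows whose hash is not bcrypt or whose cost is below min_cost."""
    findings = []
    for user, stored in rows.items():
        try:
            info = parse_bcrypt(stored)
        except ValueError:
            findings.append((user, "not a bcrypt hash"))
            continue
        if info.cost < min_cost:
            findings.append((user, f"bcrypt cost {info.cost} below minimum {min_cost}"))
    return findings


def speedup_factor(low_cost, high_cost):
    """How many times cheaper each guess is at low_cost than at high_cost."""
    return 2 ** (high_cost - low_cost)


# Constructed sample rows (salt/digest characters are filler, not real hashes):
# the first mirrors the cost factor 05 seen on the page, the second uses a
# sane cost of 12, the third is an unsalted hex digest left over from a migration.
SAMPLE_ROWS = {
    "openemr_admin": "$2a$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "ops_admin": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "legacy_user": "0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for user, reason in audit_hashes(SAMPLE_ROWS):
        print(f"{user}: {reason}")
    print(f"cost 5 -> 12 makes each guess {speedup_factor(5, 12)}x more expensive")
```

Raising the cost from 5 to 12 makes every guess 128 times more expensive for a cracker while adding only a fraction of a second to a legitimate login, so a periodic audit like this one (re-hashing flagged users on their next login) is a cheap defence.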
Now that we are authenticated, time to use the exploit we found with searchsploit.
And you have a shell!
The user flag is owned by ash and readable only by him, but we do have a password for ash from the Cache JS script. Let's try that:
Ash can't sudo on the box, so we used the famous linpeas script to check for things we could exploit.
In the process list, I spotted that Memcached is running on port 11211, so let's see what information it can give us.
And we got 0n3_p1ec3! That is surely the password of user luffy (I'm a BIG fan of One Piece, by the way).
Now that lateral movement is done and luffy can't sudo either, let's use linpeas again. The first outputs reveal that luffy is a member of the docker group.
This means we can run docker commands, such as deploying containers, and the privilege escalation becomes clear. We need to deploy an interactive container and mount the host filesystem as a volume in it; since we will be root inside the container, we will also be root over the mounted volume, which is the current box. Let's first check whether there is any image on the box we can use for that, because if not, we will have to set up a Docker registry on our machine, host a useful image in it and make the box pull it.
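Membership in the docker group is effectively root, for exactly the reason the paragraph above gives: the daemon runs as root and will happily mount the host filesystem into a container. Defensively, that makes docker (and similar groups such as lxd and disk) something to audit like sudo rights. As an added example (not code from the write-up), here is an audit that parses /etc/group and /etc/passwd and reports every member of a root-equivalent group, counting both supplementary membership and a primary GID. The file excerpts are constructed (only the user names ash and luffy come from the page), and the group list and function names are my own.

```python
# Constructed /etc/group and /etc/passwd excerpts (not taken from the box).
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
docker:x:999:luffy
ash:x:1000:
luffy:x:1001:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ash:x:1000:1000::/home/ash:/bin/bash
luffy:x:1001:1001::/home/luffy:/bin/bash
ci:x:1002:999::/home/ci:/bin/bash
"""

# Groups whose members can reach root without sudo or a password prompt.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can mount the host filesystem into a container running as root",
    "lxd": "can launch privileged containers with host mounts",
    "disk": "can read and write raw block devices",
}


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> primary gid."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def members_of(group_name, group_text, passwd_text):
    """All users in a group: supplementary members plus users whose primary GID is the group's."""
    groups = parse_group(group_text)
    if group_name not in groups:
        return []
    gid, supplementary = groups[group_name]
    primary = {u for u, g in parse_passwd(passwd_text).items() if g == gid}
    return sorted(supplementary | primary)


def audit_root_equivalent_groups(group_text, passwd_text):
    """Return {group: [users]} for every root-equivalent group that has members."""
    report = {}
    for group_name in ROOT_EQUIVALENT_GROUPS:
        members = members_of(group_name, group_text, passwd_text)
        if members:
            report[group_name] = members
    return report


if __name__ == "__main__":
    for group, users in audit_root_equivalent_groups(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{group} ({ROOT_EQUIVALENT_GROUPS[group]}): {', '.join(users)}")
```

Note the user ci, who never appears on the docker line of /etc/group but still has docker as a primary GID; an audit that only greps /etc/group misses that case. Anyone the report lists should be treated as a root account in reviews, and on a server the docker socket is better exposed through a rootless daemon or an access-controlled proxy than through group membership.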
Congratulations, you just rooted the box.