HackTheBox Writeup — Cache

Hello guys, I am Faisal Husaini. My username on HTB is “MrSatan”. Also join me on Discord.

The IP of this box is 10.10.10.188

Port Scan

We have only two open ports, one for SSH and one for web, so we move directly to the web.

Web

Clicking on the Login option, we get redirected to the login page.

Trying incorrect credentials gives us separate alerts for the username and for the password.

There was also an Author option, which redirects us to the author.html page.

Here we see the creator's name, Ash; this might be the username we want.

Trying the username ash on the login shows it is a valid username, as we no longer get the incorrect-username alert we saw before.

Running Gobuster against the target gives us a few results.

We also see a /jquery directory, which looks interesting.

Inside the directory there is a functionality.js file.

Here we see two functions validating the username and the password in the browser. This confirms that the user ash is correct, gives us a password as well, and explains the separate alerts we got for an incorrect user/pass: the check is done client-side, in JavaScript anyone can read.
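Credentials compared against string literals inside client-side JavaScript are the root cause here, and this pattern is easy to catch before deployment. The following is an added example (not code from the box or from the author) of a small static check that flags a credential-named variable compared against a literal; the JavaScript it scans is a constructed sample modelled on the pattern described above, not the real functionality.js, and the variable names are assumptions.

```python
import re

# Constructed sample JS that mirrors the client-side check pattern described in
# the writeup. It is NOT the real functionality.js from the box.
SAMPLE_JS = """
function checkUser(username) {
    if (username === "demo_user") { return true; }
    alert("Wrong username");
    return false;
}
function checkPass(password) {
    if (password === "Demo_Pass_123") { return true; }
    alert("Wrong password");
    return false;
}
function checkLength(x) { return x.length > 8; }
"""

# Identifier fragments that suggest a credential is being handled.
CRED_NAMES = r"(?:user(?:name)?|pass(?:word|wd)?|pwd|secret|token|api_?key)"

# <credential-looking identifier> <==, ===, != or !==> <string literal>
PATTERN = re.compile(
    rf"\b(?P<var>\w*{CRED_NAMES}\w*)\s*[=!]==?\s*(?P<q>['\"])(?P<lit>.*?)(?P=q)",
    re.IGNORECASE,
)


def find_hardcoded_credential_checks(source):
    """Return one finding per line where a credential-like variable is compared
    against a string literal. The literal itself is not echoed back, only its
    length, so the scanner's own output does not leak the secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in PATTERN.finditer(line):
            findings.append({
                "line": lineno,
                "variable": m.group("var"),
                "literal_length": len(m.group("lit")),
            })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credential_checks(SAMPLE_JS):
        print(f"line {f['line']}: {f['variable']} compared to a "
              f"{f['literal_length']}-char literal (move this check server-side)")
```

The check deliberately reports only where a comparison happens, not what the secret is. It only sees literals on the right-hand side of the comparison and only variables whose names look like credentials, so it is a cheap pre-commit or CI gate rather than a substitute for reviewing how authentication is actually performed; the fix in every case is the same: authenticate on the server and ship nothing the browser can use to decide the outcome.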

Logging in with the correct credentials redirects to net.html, which was already accessible without logging in, so this login page was a rabbit hole.

We keep the credentials for later anyway, although we weren't able to log in through SSH with them.

Since the author page said he has created a Hospital Management System (HMS), I fuzzed for vhosts with no luck, then guessed another domain name, hms.htb, which leads us to a different place.

We tried the credentials we got before, but no luck, so we run gobuster against this domain.

We got a lot of results from it; one of them, /portal, looks interesting.

We got another login page, this time for OpenEMR, and sadly those credentials didn't work here either. Clicking on the Register option redirects to the registration page.

From the reported vulnerability in OpenEMR, we see that we can bypass the login authentication from the registration page; the details are in the link at the end of this writeup.

add_edit_event_user.php

The above page is vulnerable to SQLi, so we use SQLMap against it to dump useful data.
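The injection works because user input is spliced into the SQL text, so quotes in the input change the query's meaning. The following is an added example (not the OpenEMR code and not the author's) that puts a vulnerable lookup next to its parameterized form on a constructed in-memory SQLite table; the table, the column names and the lookup functions are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample table; not OpenEMR's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, active) VALUES (?, ?)",
        [("alice", 1), ("bob", 1), ("carol", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the value is formatted straight into the SQL string, so a
    # quote in the input terminates the literal and the rest becomes SQL.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND active = 1 ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Hardened: the driver binds the value as data; it can never be parsed as
    # SQL no matter which characters it contains.
    query = (
        "SELECT username FROM users "
        "WHERE username = ? AND active = 1 ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username,))]


# Classic textbook tautology input used only to show the difference in behaviour.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "safe": lookup_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    result = demo()
    print("string concatenation returned:", result["vulnerable"])
    print("parameterized query returned:  ", result["safe"])
```

With the concatenated query the condition becomes `username = 'x' OR '1'='1' AND active = 1`, which, because `AND` binds tighter than `OR`, returns every active user; the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. Detecting this class of bug in review means looking for any SQL string built with formatting or concatenation rather than bound parameters.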

We got a username and a bcrypt password hash.

I used hashcat to crack the hash with mode 3200 (bcrypt) and the rockyou.txt wordlist.

We got the password cracked; it was lame: ‘justxxxxxx’.

We used the credentials on the main OpenEMR login page and got access.

/super/manage_site_files.php

Now we have an unrestricted file upload vulnerability, through which we upload a PHP web shell without any issues.
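An upload endpoint that accepts any file name and content, and stores it somewhere the web server will execute, is what turns a file upload into code execution. The following is an added example (not OpenEMR's code and not the author's) of the checks a hardened upload handler applies: strip directory components, allowlist the final extension, require the content to carry the matching magic bytes, refuse embedded script markers, and let the server pick the stored name. The allowlist, the size limit and the sample inputs are constructed for the demonstration.

```python
import os
import secrets

# Allowed extensions and the magic bytes each one must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers that have no business inside an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, content, max_bytes=2_000_000):
    """Return (accepted, reason, stored_name).

    stored_name is a server-generated random name; the client-supplied name
    is never used on disk."""
    # Drop any directory component (handles both / and \ separators).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return (False, "bad filename", None)
    if len(content) > max_bytes:
        return (False, "too large", None)

    # Allowlist on the final extension only. A double extension such as
    # x.php.png is judged as png and therefore must also carry PNG magic bytes.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return (False, f"extension not allowed: {ext or '(none)'}", None)
    if not content.startswith(ALLOWED[ext]):
        return (False, "content does not match extension", None)

    # A valid image header with script text appended is still rejected.
    lowered = content.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return (False, "embedded script markers", None)

    stored = f"{secrets.token_hex(16)}.{ext}"
    return (True, "ok", stored)


if __name__ == "__main__":
    png = ALLOWED["png"] + b"\x00" * 16          # constructed minimal PNG-like body
    php = b"<?php echo 1; ?>"                    # harmless constructed PHP text
    for name, data in [
        ("photo.png", png),
        ("shell.php", php),
        ("shell.php.png", php),
        ("shell.png", png + php),
        ("../../escape.png", png),
    ]:
        ok, reason, stored = validate_upload(name, data)
        print(f"{name!r:22} -> {'accepted' if ok else 'rejected'} ({reason})")
```

Two further controls belong outside this function: the upload directory should be served with script execution disabled (or from a separate, non-executing host), and the handler should run with a user that cannot write anywhere the application code lives. The extension allowlist and magic-byte check stop the direct case; the no-execute storage location is what limits the damage if a check is ever bypassed.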

We got our shell working, and now move on to getting a reverse shell on netcat.

We got a shell as www-data; now we use the creds for user ash that we got before and get the user flag.

Privilege Escalation

We use telnet to connect to the port locally and retrieve the important dumps.

We got credentials for user luffy and log in as that user.

Checking the groups of the current user, we see that luffy is a member of the docker group.

We see that an ubuntu docker image is installed, and we can mount the /root directory to /mnt inside a container and get the root flag.
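Membership in the docker group is root-equivalent: whoever can talk to the Docker daemon can start a container with the host filesystem bind-mounted, exactly as done above. From the defender's side the check is to audit who holds such group memberships. The following is an added example (not from the box or the author) that parses /etc/group-format text and reports members of root-equivalent groups; it goes slightly beyond the page by also covering lxd and disk, which grant comparable access, and the sample group file is constructed, with user and group names taken from the writeup.

```python
# Groups whose membership is effectively root on a typical Linux host.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk"}

# Constructed /etc/group excerpt for the demonstration (not the box's real file).
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,ash
disk:x:6:
docker:x:999:luffy
lxd:x:998:
ash:x:1000:
luffy:x:1001:
"""


def parse_group_file(text):
    """Parse /etc/group content into {name: {"gid": int|None, "members": [..]}}.

    Only supplementary members are listed in /etc/group; a user whose PRIMARY
    group (from /etc/passwd) is docker would not appear here, so a full audit
    also has to cross-check /etc/passwd."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = (line.split(":") + [""] * 4)[:4]
        name, _password, gid, members = fields
        groups[name] = {
            "gid": int(gid) if gid.isdigit() else None,
            "members": [m for m in members.split(",") if m],
        }
    return groups


def root_equivalent_members(group_text, allowed=frozenset()):
    """Return (user, group) pairs for every member of a root-equivalent group
    that is not on the explicit allowlist."""
    groups = parse_group_file(group_text)
    findings = []
    for gname in sorted(ROOT_EQUIVALENT_GROUPS):
        for member in groups.get(gname, {}).get("members", []):
            if member not in allowed:
                findings.append((member, gname))
    return findings


if __name__ == "__main__":
    for user, group in root_equivalent_members(SAMPLE_GROUP):
        print(f"{user} is in group '{group}': treat this account as root-equivalent")
```

To run it against a live system, read `/etc/group` and pass the text in; anyone reported who is not a deliberate administrator should be removed from the group, and where a service account genuinely needs to build or run containers, rootless Docker or a dedicated host is the safer arrangement.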

References

https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover