Cache, a Linux box created by HackTheBox user ASHacker, was an overall medium-difficulty box. Initial enumeration finds a domain, hms.htb, running OpenEMR, which has a SQLi that gives us a hash to crack, and an RCE that gives us a shell. We also had a cred from cache.htb; using that, we can su to get user. Enumerating in the shell, we see memcached is running, from which we can grab the password for the second user, luffy. After su to luffy, we see that luffy is a member of the docker group, and using that we can get root.
```
# Nmap 7.80 scan initiated Sun May 10 00:49:45 2020 as: nmap -sC -sV -oN nmap/cache 10.10.10.188
Increasing send delay for 10.10.10.188 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Nmap scan report for 10.10.10.188
Host is up (0.26s latency).
Scanned at 2020-05-10 00:49:46 IST for 111s
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb3lyySrN6q6RWe0mdRQOvx8TgDiFAVhicR1h3UlBANr7ElILe7ex89jpzZSkhrYgCF7iArq7PFSX+VY52jRupsYJp7V2XLY9TZOq6F7u6eqsRA60UVeqkh+WnTE1D1GtQSDM2693/1AAFcEMhcwp/Z7nscp+PY1npxEEP6HoCHnf4h4p8RccQuk4AdUDWZo7WlT4fpW1oJCDbt+AOU5ylGUW56n4uSUG8YQVP5WqSspr6IY/GssEw3pGvRLnoJfHjARoT93Fr0u+eSs8zWhpHRWkTEWGhWIt9pPI/pAx2eAeeS0L5knZrHppoOjhR/Io+m0i1kF1MthV+qYjDjscf
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAHWTqc7a2Az0RjFRBeGhfQkpQrBmEcMntikVFn2frnNPZklPdV7RCy2VW7Ae+LnyJU4Nq2LYqp2zfps+BZ3H4=
|   256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnbsx7/pCTUKU7WwHrL/d0YS9c99tRraIPvg5zrRpiF
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 10 00:51:37 2020 -- 1 IP address (1 host up) scanned in 111.55 seconds
```
auxiliary/sqli/openemr/openemr_sqli_dump which was also for OpenEMR 5.0.1
so I tried that, but that also resulted in nothing and we get 0 tables.
reveal the username as openemr for database
```
Configuration:
driver = mysqli_mod,
host = localhost,
user = openemr,
database = openemr,
table prefix = gacl_
Testing database connection...
Failed!
ERROR connecting to database, are you sure you specified the proper host, user name, password, and database in admin/gacl_admin.inc.php? Did you create the database, and give read/write permissions to "openemr" already?
```