🩹Heal

Start with some recon

Follow up with some fuzzing

Let's have a look

Good, something useful, the backend is using ruby on rails 7.1.4 and ruby 3.3.4

Now let's hop on the main site, create login and try to generate a resume to http://heal.htb/resume

There is quite something going on here, let's fire up burp and take a look at the requests

We can see that the data flow is pretty much the following:

generating a resume in a html template

do an OPTIONS request with a filename

do a GET request to get the generated file.

We can try abuse the filename parameter of the latest request to exfiltrate some data

the pdf viewer will be stuck on trying to load the non-pdf file, just save it into a txt format

there we go.

we have 3 users other than root

let’s take a look at the host file

That url was already discoverable by fiddling around with the application, so there's nothing new

Do a bit of fuzzing on take-survey.heal.htb

those are typically files found on apache web servers, we know from the nmap scan that we’re on nginx here, it seems odd.

let’s get back to api.heal.htb

We saw that it uses ruby on rails 7.1.4, and the default config file is located to config/application.rb

so we try to evaluate where we are and the final relative path of the file is ../../config/application.rb

nothing interesting, let’s check database.yml file

There are 2 sqlite databases, let’s download both files

the test db has almost nothing in it, but the development one…

the cypher is bcrypt, check the code on hashcat and let’s crack it

create an hash file and then pass the hash for ralph to hashcat

hashcat -m 3200 ralph.hash /usr/share/wordlists/rockyou.txt --user

we got the password but we can’t do much with it right now.

So let’s get back to take-survey.heal.htb

googling around it seems to be LimeSurvey and in the documentation we can find some mentions about an admin panel.

we got access and saw the version, 6.6.4

look on the internet for exploits and there it is

GitHub - Y1LD1R1M-1337/Limesurvey-RCE: LimeSurvey Authenticated RCEGitHub

So we need to create a malicious plugin and use it to gain access.

Let's use the github one, change the config to update the version and the rev-shell to set your IP and Port for the listener

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>HexaRed</name>
        <type>plugin</type>
        <creationDate>2024-02-28</creationDate>
        <lastUpdate>2024-02-28</lastUpdate>
        <author>HexaRed</author>
        <authorUrl>https://github.com/hexared</authorUrl>
        <supportUrl>https://github.com/hexared</supportUrl>
        <version>6.6.4</version>
        <license>GNU General Public License version 2 or later</license>
        <description>
		<![CDATA[Author : HexaRed]]></description>
    </metadata>

    <compatibility>
        <version>3.0</version>
        <version>4.0</version>
        <version>5.0</version>
        <version>6.0</version>
    </compatibility>
    <updaters disabled="disabled"></updaters>
</config>

zip it, upload it and activate the plugin, then start the listener on the configured port and go to:

http://take-survey.heal.htb/upload/plugins/<name>/php-rev.php

(change the and the filename of the php shell accordingly)

a service user, but that's enough.

at first sight the only one significant seems to be the 5432 that is the default for postgresql, but googling what the other ports are usually used for, it pops up hashicorp consul quite a lot.

let’s focus on postgres;

Since the only other thing that stores information other than ruby for the users is limesurvey, we check in the doc if there’s something interesting about postgresql and there should be a config file for the database