[rebelhex2]

Happy Hacking! 

Let's discuss this new Medium Linux box!
**HTB Heal**

Good Luck !!!!

[maggi]

subs

api.heal.htb
take-survey.heal.htb

"Please contact Administrator ( ralph@heal.htb ) for further assistance."

[peRd1]

LFI at the export pdf function.
GET /download?filename=/../../
ruby 3.3.5 + Rails 7.1.4

[ritualist]

GET /download?filename=../../config/database.yml
GET /download?filename=../../storage/development.sqlite3

Crackable hash for ralph. Only works for heal.htb though and not for limesurvey or ssh.

[nomx1337]

How long did you crack? mode is 28400 right?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[maggi]

How long did you crack? mode is 28400 right?

3200

hashcat --identify

[peRd1]

Once logged in, use the LimeSurvey RCE malicious plugin, grab RCE, look further, dig more, find the postgresql connection string which contains a password, use that for user.

[StingEm]

The sql database shows

ralph | 147258369

http://heal.htb/profile shows he is the Administrator

============

He can log into here also:

http://take-survey.heal.htb/index.php/admin/index

[peRd1]

Yes, that's where you upload the malicious plugin to get RCE. Once there, look further and user is just a step away.

Privesc is not too shabby, quite easy after all, just look what else is running. What service. Access it then exploit it to gain shell thru it.

[ritualist]

Yes, that's where you upload the malicious plugin to get RCE. Once there, look further and user is just a step away.

Privesc is not too shabby, quite easy after all, just look what else is running. What service. Access it then exploit it to gain shell thru it.

Thanks for the hints.
Stupidly only tried admin at first on limesurvey, doh.

For root have a look at port 8500. Quite straight-forward.