Official Heal Discussion

Official discussion thread for Heal. Please do not post any spoilers or big hints.

Nobody wants to discuss???


Hmu if you have problems


Can somebody give a hint on the location to look for interesting files for foothold?


Think about the application that you are exploiting. Where can you usually find interesting information? (Maybe some research on the framework being used is helpful.)

That said: this is a medium machine (not an easy one). So, expect a few steps to get to user. It’s not DIFFICULT, but not really trivial and requires some steps until you get there.

Can someone PM me for nudges?

This machine really should be marked as EASY in my opinion. It is possible to get root within 10 minutes and skip the user completely.

Oh? Elaborate, sounds like you found an unintended path.

I think I solved it this way also. I’ll DM you how I did it, to see if indeed this is how you did it.

Thanks!
It was interesting!

P.S. Can anyone tell me a way to get a shell from root? Or any kind of Persistence method?

UPD: via SUID


GG

Rooted.

For user there is a service that is misconfigured to allow you to view files. Think about the service that is running the framework it runs on and the configuration files that it may have. Google is your friend. Worst case use chat jippity. From there you will gain a foothold and can enumerate as usual and find goodies.

For root, there is an internal service. Just look up the documentation and read. View the configuration files, see what permissions you have, and use them. The documentation literally tells you how to do everything from the manufacturer. You can seriously copy and paste from the documentation. Remember this is an easy (I know it says medium) box, don’t complicate, and a public exploit exists in a database somewhere on the internet that has an automatic script that does it for you, if you are allergic to reading documentation.


I’m sure it is unintended, but not really much can be done to correct it. Once you get RCE and a pseudo shell as www-data, then you can attack the internal application with an exploit to set up a health-check. If you use the known exploit for this, it will give you a root shell before accessing user.

I have a write-up in progress for this, but I would love to find out if this is intended and see if we can patch it if not.

That seems intended to me.

Is it normal to only have 1 port (ssh) opened?

Same question here, I reset the machine and only discovered one open port (22).

I found something in a*****.heal.htb. I guess I can read some files there. Hopefully. But I need a token. Is this a rabbit hole or am I on the right track? Searching for a token or any other clue for hours…

EDIT: It is the right path, but I should’ve used my brain hours ago… Layer 8

Can someone help with which file to look up with LFI?