🩹Heal
Welcome to another fun-filled journey into the world of insecure enterprise apps. Today’s patient is “Heal” — a misconfigured resume builder. So, scrub in — we’re operating without anesthesia.
👋 Hi, I’m Shivam (taauxick)
A curious mind with a keyboard, currently diving deep into the world of ethical hacking and CTFs. I enjoy poking around where I shouldn’t (legally, of course), and turning misconfigurations into opportunities. This writeup walks through my process of breaking into the “Heal” lab — from login to root — with some sarcasm, a bit of bash, and a whole lot of fun.
Check out my portfolio showcasing projects, write-ups, and my journey in cybersecurity:
2. RustScan — Opening the Case
rustscan -a heal.htb -r 1-65535 -- -sV -sT -A
🩻 Output:
22/tcp — SSH
80/tcp — HTTP
Port 80 is always where dreams begin. And where misconfigurations live rent-free.

3. Port 80 — Yet Another Login Page
A resume-builder-themed web app, with a login form on the main page.
"Security starts with a login box," they said. "We don’t need brute-force protection," they probably also said.
We respectfully ignored it and moved to something juicier.

4. Subdomain Enumeration — DNS: The Gift That Keeps Giving
Fuzzed some subdomains and struck gold:
api.heal.thm

5. Rails + Ruby Version Disclosure — Thanks for the Patch Notes
api.heal.thm was leaking:
X-Rails-Version: 7.1.4
X-Powered-By: Ruby 3.3.5
That’s not a header. That’s an exploit invitation.

6. Survey Time!

takesurvey.heal.thm had a friendly UI, and a not-so-friendly Export as PDF button.
Clicked it → captured request in Burp Suite → found file path usage.
One thing led to another, and boom...

7. Local File Inclusion (LFI) — Cut Deeper
Tried:
GET /download?filename=../../../../../../etc/passwd

✅ Success.
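As an added example (not code from the writeup or from the Heal app itself), here is the download-handler pattern that produces this kind of LFI in a Rails-style Ruby app, beside a hardened resolver and a log-side check for the traversal pattern; the export directory, file names and helper names are assumptions for illustration.

```ruby
require "cgi"
require "tmpdir"

# Unsafe pattern behind the LFI above: the filename parameter is joined onto the
# export directory unchanged, so "../" segments walk out of it.
def unsafe_resolve(base_dir, requested)
  File.join(base_dir, requested.to_s)
end

# Hardened: anchor the name to base_dir (absolute_path does not expand "~"),
# require the result to stay inside base_dir, then repeat the check after
# realpath so a symlink inside base_dir that points outside is also refused.
# Returns the resolved path, or nil for anything that should be answered 404.
def safe_resolve(base_dir, requested)
  base = File.realpath(base_dir)
  prefix = base + File::SEPARATOR
  candidate = File.absolute_path(requested.to_s, base)
  return nil unless candidate.start_with?(prefix)
  resolved = (File.realpath(candidate) rescue nil)  # nil if missing or invalid
  resolved if resolved && resolved.start_with?(prefix)
end

# Detection side: flag a filename parameter carrying plain or URL-encoded
# traversal, or an absolute path, as a log search or WAF rule would.
TRAVERSAL = %r{\.\.[/\\]|\A[/\\]}
def traversal_attempt?(param_value)
  TRAVERSAL.match?(CGI.unescape(param_value.to_s))
end

# Constructed scenario: one legitimate export, one traversal attempt, and one
# symlink planted inside the export directory that points to its parent.
def demo
  Dir.mktmpdir("exports") do |dir|
    File.write(File.join(dir, "resume.pdf"), "%PDF-1.4 constructed sample")
    File.symlink(File.dirname(dir), File.join(dir, "link.pdf"))
    {
      unsafe_escapes: !File.absolute_path(unsafe_resolve(dir, "../../../../../../etc/passwd")).start_with?(dir + File::SEPARATOR),
      safe_ok: safe_resolve(dir, "resume.pdf") == File.realpath(File.join(dir, "resume.pdf")),
      safe_traversal: safe_resolve(dir, "../../../../../../etc/passwd"),
      safe_symlink: safe_resolve(dir, "link.pdf"),
      flagged: traversal_attempt?("..%2F..%2Fetc%2Fpasswd"),
      clean: traversal_attempt?("resume.pdf"),
    }
  end
end

puts demo.inspect if __FILE__ == $0
```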
Digging Rails File Structure

Then found a SQLite database file exposed — possibly
If you listen closely, you can hear the Rails server cry.

Got:
Username: ralph
Hash: stored in bcrypt
Dumped the hash into a .hash file, ran:
hashcat -m 3200 ralph.hash /usr/share/wordlists/rockyou.txt --force
⛏️ Result:
ralph:147258369
They say users are the weakest link. Turns out, so are their passwords.

🧑💼 8. Admin Panel Access
Logged in as ralph — now suddenly we’re in the Admin Panel.
Oh, the power. Oh, the exposed forms.


9. LimeSurvey RCE — GitHub Magic
Found this little gem:
Ran the exploit with our creds

💥 Shell as www-data achieved. Patient’s heart rate dropping.

10. Looting Files & SSH Login to ron
Started poking around the web directory like a nosey intern.

A plain text password, just lying there. No encryption, no secrets manager, not even a .bak extension to pretend like it was protected.
Only One Patient Left — Ron
There was just one user we hadn’t poked yet. The mysterious, the quiet, the final boss of bad practices...
🧔 ron
So naturally, I did what anyone would do:
ssh ron@heal.thm
🩺 Using the password I found discarded like last week's prescription.
✅ Logged in.


Captured user.txt.
11. Internal Service Hunting with netstat
netstat -tulnp
Too many services to count. But one stood out like a tumor:

So we did what any ethical hacker would do — tunneled it through SSH.
ssh -L 8500:127.0.0.1:8500 ron@heal.thm
Visited: http://localhost:8500
Saw the Consul dashboard.

12. Consul Exploitation for Root — Straight from ExploitDB
Found the perfect exploit:

🐚 Got root shell.
Mission: successfully violated HIPAA, metaphorically speaking.
13. Final Thoughts — Heal Thyself
This box had more vulnerabilities than a reality TV show contestant.
From LFI to hash leaks, from lazy admin panels to Consul misconfigurations — this was a CTF pentester’s Disneyland.