In this post, I would like to share a walkthrough of the Appsanity Machine from Hack the Box


This room will be considered a Hard machine on Hack the Box

What will you gain from the Appsanity machine?


For the user flag, you must create an account and exploit a concealed input vulnerability to gain elevated privileges, assuming the role of a doctor. Subsequently, I will leverage the obtained cookie on another platform to gain access, where I discover a server-side request forgery (SSRF) vulnerability and an opportunity to upload PDF files. By circumventing a filter, I will upload a webshell and utilize the SSRF vulnerability to access the internal management page, thereby initiating a reverse shell.


As for the root flag, you need to create a DLL and initiate its loading process, thereby gaining shell access as an administrator

For those who want to learn or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

Information Gathering on Coder Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start.

┌─[darknite@parrot]─[~/Documents/htb/appsanity]
└──╼ $nmap -sC -sV 10.10.11.238 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-09 08:44 EST
Nmap scan report for meddigi.htb (10.10.11.238)
Host is up (0.18s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
|_http-server-header: Microsoft-IIS/10.0
443/tcp open  https?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.36 seconds
┌─[darknite@parrot]─[~/Documents/htb/appsanity]
└──╼ $

Let’s access the website interface


Nothing that stood up within the website interface.


Let’s enumerate using the gobuster but sadly nothing that looks interesting at all


After roaming the website, i noticed there was a signup button which led to a login page. However, we don’t have any credentials to login in.


Let’s register a new account on the website interface.


We can access the dashboard as patient with the original packet


We can see one column we didn’t enter during the registration, but it appears via the burpsuite request. As a result, we can change the Acctype from “1” to “2”


Once we manage to complete the registration, we should be able to sign-in to the application with the credentials that we created earlier.


While the application redirected to the profile page, I noticed there was one cookie that stood out very clearly to me which was the “access_token”


We have managed to access the dashboard as doctor privileges where we can assign any patient to us.


It will look something as shown in the screenshot above.


Let’s enumerate the subdomain with gobuster


When trying to access the portal.meddigi.htb it redirected us to a login page. However, we don’t have any clue about the Doctor Ref.Number at this point. Therefore, let’s replace the current cookie with the cookie that we sighted earlier such as access_token


It looks like we can access the subdomain with the cookie that we found earlier.

Access the portal.meddigi.htb using the access_token on appsanity machine


At last, we managed to access the subdomain panel which looks something like in the screenshot above. However, we must key-in the access_token when accessing all the functions or links within the subdomain.


On the Issue Prescriptions tab, there’s a scheduler for the Prescription that we can take advantage of here.


Therefore, let’s enter the information I put inside the email address and prescription link and try to inspect with burpsuite


The request and response will look something as shown in the burpsuite. By default, there should be more information on the Response tab. After a while, I did notice that I forgot to insert the access_token on the Request tab.


The response looks as expected after entering the access_token on the request tab.


While trying to scroll further below, there’s a PDF file that we can View the report on the browser.


On the browser interface, it will look something like the above.


Let’s try to upload a malicious file for Doctor Review.


As usual, let’s start our listener on our attacker’s machine.


I’m not familiar with the Windows Reverse Shell so let’s download aspx-reverse-shell on the internet.


Let’s upload the shell aspx file on the website interface.


The file will appear like the above, and we need to add a few things to the packet such as the filename, which will need to add %00 and add %PDF-1.7 on the top of the shell code.

A screenshot of a computer

Description automatically generated

Finally, we managed to obtain the report that was assigned to us.

A screenshot of a medical form

Description automatically generated

The output will show that our file has been uploaded into the application.

A close-up of a number

Description automatically generated
A screenshot of a computer program

Description automatically generated

The outcome will look something as shown above.

A computer screen with green text

Description automatically generated

At last, we managed to retrieve the reverse shell connection back to us.

A screenshot of a computer

Description automatically generated

A screenshot of a computer screen

Description automatically generated

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access


We are required to find some ports open on the app sanity machine which will help us proceed with the next step.

A screen shot of a computer

Description automatically generated

Therefore, let’s start our port-forwarding with port 100


From the file like ExaminationManagement.dll, I notice there’s a Key that can be found in Software\\Medigi on the appsanity machine

A screen shot of a computer

Description automatically generated

I also managed to obtain the potential password for devdoc access



We need to find the user that can be access using the password that we found earlier

A computer screen with text on it

Description automatically generated

At last, we managed to access it with those credentials


We found the exploitation location in C:\Program Files\ReportManagement\Libraries when we tried to analyze the ReportManagement.exe


Let’s create a DLL malicious file by using msfvenom tool


The screenshot above shows all the permissions on the directory

A screen shot of a computer

Description automatically generated

The requirement to retrieve the root is to upload the file on the ReportManagement\Libraries as shown above.


We also need to upload the externalupload using nc localhost 100 on appsanity machine

A screenshot of a computer screen

Description automatically generated

A computer screen with green text

Description automatically generated

A computer code on a black background

Description automatically generated

We can read the root flag by typing the “type root.txt” command