In this post, I would like to share a walkthrough of the Appsanity machine from Hack the Box.
This machine is rated Hard on Hack the Box.
What will you gain from the Appsanity machine?
For the user flag, you must register an account and tamper with a hidden request parameter (the account type) to obtain elevated privileges, assuming the role of a doctor. Next, I reuse the access_token cookie obtained there on the portal subdomain to gain access, where I discover a server-side request forgery (SSRF) vulnerability and a PDF upload feature. By circumventing the upload filter, I upload a webshell and use the SSRF vulnerability to access the internal management page, which triggers the webshell and gives us a reverse shell.
For the root flag, you need to create a malicious DLL and get a privileged application to load it (DLL hijacking), thereby gaining a shell as administrator.
For those who want to learn or improve their cybersecurity skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on the Appsanity Machine
Once we have started the VPN connection (the VPN configuration file is downloaded from Hack the Box), we can begin.
┌─[darknite@parrot]─[~/Documents/htb/appsanity]
└──╼ $nmap -sC -sV 10.10.11.238 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-09 08:44 EST
Nmap scan report for meddigi.htb (10.10.11.238)
Host is up (0.18s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
|_http-server-header: Microsoft-IIS/10.0
443/tcp open https?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.36 seconds
┌─[darknite@parrot]─[~/Documents/htb/appsanity]
└──╼ $
The scan shows only ports 80 and 443 open, and port 80 redirects to https://meddigi.htb/, so add meddigi.htb to /etc/hosts before browsing to the site.
Nothing stood out on the website's landing page.
Directory enumeration with gobuster sadly turned up nothing interesting either.
While roaming the website, I noticed a signup button that led to a login page. However, we don't have any credentials to log in with.
Let’s register a new account on the website interface.
Submitting the registration request unmodified gives us a dashboard with patient privileges.
Looking at the same request in Burp Suite, there is one field we never entered on the registration form: Acctype, sent with the value "1". The server trusts this client-controlled field to decide the account role, so we can change Acctype from "1" to "2" before forwarding the request.
Once the registration completes, we can sign in to the application with the credentials we created.
When the application redirected to the profile page, I noticed one cookie that stood out very clearly: access_token.
We now have the dashboard with doctor privileges, where we can assign any patient to ourselves.
It will look something as shown in the screenshot above.
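The role escalation above is a mass assignment (hidden parameter) bug: the server binds the client-supplied Acctype field straight onto the new account. The Python below is an added example, not code from this walkthrough or from the MedDigi application; the form body, the field names other than Acctype, and the 1 = patient / 2 = doctor mapping are assumptions modelled on the request described above. It shows how to rewrite the intercepted body the way Burp Suite does, a vulnerable handler that honours Acctype, and a hardened handler that ignores it.

```python
from urllib.parse import parse_qs, urlencode

# Constructed registration body as it would appear in Burp Suite. Only Name,
# Email and Password are visible on the signup form; Acctype is the hidden
# field the page sends with the value "1" (patient). Values are assumptions.
RAW_BODY = "Name=dark&Email=dark%40example.com&Password=Passw0rd%21&Acctype=1"

# Assumed mapping: the walkthrough only shows that 1 = patient and 2 = doctor.
ROLE_BY_ACCTYPE = {"1": "patient", "2": "doctor"}

# Fields a self-service registration may set (hardened handler). Password
# handling is omitted: a real handler hashes it and stores the hash separately.
ALLOWED_FIELDS = ("Name", "Email")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def tamper(body: str, field: str, value: str) -> str:
    """Rewrite one field of an intercepted body, keeping the other fields intact."""
    form = parse_form(body)
    form[field] = value
    return urlencode(form)


def register_vulnerable(body: str) -> dict:
    """Mass assignment: every posted field becomes an attribute of the account,
    so the client decides its own role through Acctype."""
    form = parse_form(body)
    account = dict(form)  # Name, Email, Password and Acctype all land on the model
    account["role"] = ROLE_BY_ACCTYPE.get(account.get("Acctype", "1"), "patient")
    return account


def register_hardened(body: str) -> dict:
    """Allow-list the fields a user may set and fix the role server-side.
    Doctor accounts would be created only through a separate, verified flow
    (for instance one that checks a doctor reference number out of band)."""
    form = parse_form(body)
    account = {k: form[k] for k in ALLOWED_FIELDS if k in form}
    account["role"] = "patient"  # never derived from client input
    return account


if __name__ == "__main__":
    evil = tamper(RAW_BODY, "Acctype", "2")
    print("tampered body:", evil)
    print("vulnerable handler role:", register_vulnerable(evil)["role"])
    print("hardened handler role:  ", register_hardened(evil)["role"])
```

The hardened handler does not try to validate Acctype; it simply never reads it, which is the general fix for this bug class: bind an explicit allow-list of fields, and set anything that grants privilege from server-side state only.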
Let's enumerate subdomains with gobuster.
Accessing portal.meddigi.htb redirects us to a login page that asks for a Doctor Ref. Number, which we don't have at this point. Instead, let's replace the portal's cookie with the access_token value we noted earlier.
The portal lets us in with the cookie we found earlier, which means it accepts tokens issued by the main site.
Accessing portal.meddigi.htb using the access_token on the Appsanity machine
At last, we have the subdomain's panel, which looks like the screenshot above. Note that we must supply the access_token on every request to the subdomain's functions and links.
On the Issue Prescriptions tab, there is a prescription scheduler that we can take advantage of.
Let's fill in an email address and a prescription link, then inspect the request in Burp Suite; the prescription link is the input where the SSRF mentioned in the summary lives.
The request and response look like the Burp Suite screenshot. The response initially had less information than expected, and after a while I noticed I had forgotten to add the access_token to the request.
With the access_token added to the request, the response looks as expected.
Scrolling further down, there is a PDF report that we can view in the browser.
On the browser interface, it will look something like the above.
Let's try to upload a malicious file for Doctor Review.
As usual, start a listener on the attacker machine first.
I'm not familiar with Windows reverse shells, so let's download an ASPX reverse shell from the internet (the target runs IIS, so ASPX is what it will execute).
Let's upload the ASPX shell through the website's upload form.
The request looks like the screenshot above, and we need to change two things in it before forwarding: add %00 (a URL-encoded null byte) to the filename, and add %PDF-1.7 (the PDF magic bytes a content check looks for) as the first line of the shell code.
We then obtain the report that was assigned to us.
The output shows that our file has been uploaded to the application.
The outcome looks like the screenshot above.
Using the SSRF in the prescription link to reach the internal management page triggers our uploaded shell, and at last we receive the reverse shell connection.
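The two changes to the upload request (a null byte in the filename and a %PDF-1.7 header on the shell) target a filter that checks the file name's extension and the file's magic bytes separately. The Python below is an added example, not the walkthrough's or the application's code: naive_check is an assumed model of that filter, including the null-byte truncation the bypass relies on; SHELL is a constructed stand-in for the ASPX reverse shell; and hardened_check shows the same validation written so that neither trick works.

```python
import os
import re
import secrets

# Constructed stand-in for the ASPX reverse shell downloaded in the walkthrough.
SHELL = b'<%@ Page Language="C#" %>\n<% /* reverse shell body omitted */ %>\n'

PDF_HEADER = b"%PDF-1.7\n"


def craft_payload(shell: bytes) -> bytes:
    """Prepend the PDF header so a magic-byte check passes. ASP.NET still
    compiles the .aspx file and treats the leading line as literal output."""
    return PDF_HEADER + shell


def craft_filename(real_name: str) -> str:
    """Turn 'shell.aspx' into 'shell.aspx' + NUL + '.pdf' (sent as shell.aspx%00.pdf
    in the multipart request): a suffix check sees .pdf, while a C-string-style
    save stops at the NUL and writes shell.aspx."""
    return real_name + "\x00.pdf"


def naive_check(filename: str, data: bytes):
    """Assumed model of the vulnerable filter: suffix check plus magic bytes,
    then the file is stored under the client-supplied name truncated at NUL.
    Returns the stored name, or None if the upload is rejected."""
    if not filename.lower().endswith(".pdf"):
        return None
    if not data.startswith(b"%PDF-"):
        return None
    return filename.split("\x00", 1)[0]


def hardened_check(filename: str, data: bytes):
    """Reject control characters and path separators, validate the extension on
    the basename, require the magic bytes, refuse content that carries an
    ASP.NET page directive, and never reuse the client's name: the stored name
    is random with a fixed .pdf extension, so IIS can never execute it as ASPX."""
    if re.search(r"[\x00-\x1f/\\]", filename):
        return None
    base = os.path.basename(filename)
    if not base.lower().endswith(".pdf"):
        return None
    if not data.startswith(b"%PDF-"):
        return None
    # Defence in depth: PDF bytes followed by server-side script is not a report.
    if re.search(rb"<%@|<script\s+runat", data, re.IGNORECASE):
        return None
    return f"{secrets.token_hex(16)}.pdf"


if __name__ == "__main__":
    name, data = craft_filename("shell.aspx"), craft_payload(SHELL)
    print("naive filter stores as:", naive_check(name, data))
    print("hardened filter result:", hardened_check(name, data))
```

The decisive change is the last line of hardened_check: once the server picks the stored name and extension itself, the filename is no longer an attack surface, and the magic-byte check only decides whether a report is well-formed, not whether it is safe.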
We can read the user flag by typing the “type user.txt” command
Escalate to Root Privileges
Next, we need to find which ports are listening internally on the Appsanity machine, as that is what lets us proceed to the next step.
Let's set up port forwarding for port 100.
While analysing ExaminationManagement.dll, I noticed it reads a key from Software\\Medigi on the Appsanity machine.
From there I also obtained a potential password for devdoc access.
We need to find which user accepts the password we found.
At last, we get access with those credentials.
Analysing ReportManagement.exe, we find the DLL hijacking location: it loads libraries from C:\Program Files\ReportManagement\Libraries.
Let's create a malicious DLL with msfvenom.
The screenshot above shows the permissions on the directory; confirm that our current user can write to it before continuing, since that is what makes the hijack possible.
To get root, upload the DLL into ReportManagement\Libraries as shown above.
We also need to trigger the externalupload function via nc localhost 100 on the Appsanity machine, which makes the service load our DLL.
We can read the root flag by typing the “type root.txt” command