[HTB] Help — Writeup (OSWE-Prep)

Help was an easy difficulty Linux box. Good learning path for:

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.121
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-13 00:14 EDT
Nmap scan report for 10.10.10.121
Host is up (0.081s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Directory Enumeration (Gobuster)

As usual, I ran a quick gobuster to see if I could discover any interesting files/folders on the web server.

# gobuster dir -u http://10.10.10.121/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Initial Foothold

GraphQL Query (Getting Credentials)

First, I wanted to dig deeper into the http://10.10.10.121:3000 page. After some looking around, I found another endpoint, /graphql. It was waiting for a “query”.

It was actually GraphQL and I was able to enumerate some data out of it.

After some more digging, I was able to find a set of credentials: helpme@helpme.com : 5d3c93182bb20f07b994a7f617e99cff

The password was actually an MD5 hash. Using an online tool, I recovered the password: godhelpmeplz

HelpDeskZ File Upload Exploit

Using the found credentials, I was able to login to the HelpDeskZ application (http://10.10.10.121/support).

But I also found a public exploit for unauthenticated HelpDeskZ 1.0.2 — Arbitrary File Upload. The author mentioned that the file upload functionality of the ticket controller script obfuscates the uploaded file name using time() and MD5.

He also had a PoC script. The exploit seemed pretty straightforward, so I decided to use the PoC script to exploit it.

According to the reproduction guide, I used the “Submit a Ticket” function while unauthenticated and uploaded info.php (<?php phpinfo(); ?>) as an attachment.

It complained that the “File is not allowed”, but the file was uploaded anyway and its filename was obfuscated. (I later confirmed during the source code review that although the script checks the extension against a list of disallowed ones, the file still gets uploaded.)

But the exploit attempt was unsuccessful.

HelpDeskZ Source Code Review

I suspected that the baseURL for the uploaded file could be something else. Since HelpDeskZ is an open-source project, I was able to download the source code from GitHub.

I searched for “md5” and found the submit_ticket_controller.php file.

# grep -ir "md5" . --color

When I inspected the script, I could see the $uploaddir = UPLOAD_DIR.'tickets/'; variable. So the uploaded file would be stored in baseURL + <UPLOAD_DIR> + tickets/.

Time to find out what UPLOAD_DIR is.

# grep -ir "UPLOAD_DIR" . --color

It found the /uploads folder in the ./includes/global.php script.

Cool, I think we have the necessary items to try our exploit again.

Reverse Shell

I updated the baseURL and got a successful file upload this time.

One caveat was that the Help server's clock was in GMT, so you have to account for the time difference on your local Kali box in order to match the time() portion of the exploit. Alternatively, you can retrieve the server time via curl right after uploading the file and hardcode that date in the exploit.

### Getting Server Time (the Date response header is in GMT)
# curl -v http://10.10.10.121/support
### Hardcoding the Server Time in exploit.py
# (no leading zeros in the month/day: a literal like 04 is a syntax error in Python 3)
from datetime import datetime
currentTime = int(datetime(2021, 4, 13, 17, 43).strftime('%s'))

Modified Exploit Script
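Why the time()-based name is guessable, and what a fixed naming scheme looks like, as an added Python example (not the page's, HelpDeskZ's or the PoC's own code). It assumes the scheme the post describes, md5(original name + epoch) with the extension kept, and reads the server clock from the HTTP Date header that curl -v shows, which avoids the local-timezone mismatch above.

```python
import hashlib
import secrets
from email.utils import parsedate_to_datetime
from pathlib import PurePosixPath


# Server time from the HTTP "Date" response header (what `curl -v` prints).
# The header is always GMT, so converting it this way does not depend on the
# local timezone of the box running the script.
def server_epoch_from_date_header(date_header: str) -> int:
    return int(parsedate_to_datetime(date_header).timestamp())


# The naming scheme the post describes for HelpDeskZ 1.0.2 attachments:
# md5(original name + time()) with the original extension kept.
# Assumption: concatenation order is name followed by the epoch seconds.
def obfuscated_name(original_name: str, epoch: int) -> str:
    ext = PurePosixPath(original_name).suffix  # ".php" for info.php
    digest = hashlib.md5(f"{original_name}{epoch}".encode()).hexdigest()
    return digest + ext


# Every name the file could have received if the upload happened within
# +/- window seconds of the epoch read from the Date header. This is the
# entire search space, which is why time() is not a secret: a few hundred
# candidates instead of the 2**128 a random 16-byte name would give.
def candidate_names(original_name: str, epoch: int, window: int) -> list[str]:
    return [obfuscated_name(original_name, epoch + delta)
            for delta in range(-window, window + 1)]


# Hardened alternative: a name from the OS CSPRNG, independent of the clock
# and of the user-supplied name, so knowing the upload time reveals nothing.
# Rejecting disallowed extensions *before* moving the file and storing
# attachments outside the web root are the other two fixes; this function
# covers only the predictable-name part.
def random_name(original_name: str) -> str:
    return secrets.token_hex(16) + PurePosixPath(original_name).suffix


if __name__ == "__main__":
    # Constructed header value, matching the time hard-coded in the post.
    epoch = server_epoch_from_date_header("Tue, 13 Apr 2021 17:43:00 GMT")
    print(epoch, len(candidate_names("info.php", epoch, 300)))
```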

And visiting the URL, I got the reverse shell.

user.txt

Privilege Escalation

help → root (Kernel Exploit)

The box ran an older version of Ubuntu that was vulnerable to several kernel exploits for local privilege escalation.

root.txt

I used this public exploit code, 44298.c (Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) — Local Privilege Escalation), to gain root access.

Conclusion

It was a good box for doing PHP code review and seeing what could be bypassed/abused to gain arbitrary code execution. It was a pretty fun and quick box for OSWE learning. Thanks for reading!

Thanks to TJ_NULL for providing the list of OSWE-like VMs.

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
