# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.121Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-13 00:14 EDT
Nmap scan report for 10.10.10.121
Host is up (0.081s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- HTTP (80/TCP) — Apache2 default page
- HTTP (3000/TCP) — NodeJS page. JSON message was giving some hint about finding credentials with given query.
Web Directory Enumeration (Gobuster)
As usual, I ran a quick
gobuster to see if I could discover more of the interesting files/folders on the web server.
# gobuster dir -u http://10.10.10.121/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/support— It found a login page for HelpDeskZ application
GraphQL Query (Getting Credentials)
First, I wanted to dig in more deeper into the
http://10.10.10.121:3000 page. After some looking around, I found another endpoint
/graphql. It was waiting for a “query”
It was actually GraphQL and I was able to enumerate some data out of it.
After some more digging, I was able to find a set of credentials:
email@example.com : 5d3c93182bb20f07b994a7f617e99cff
Password was actually a MD5 hashed password. Using an online tool, I recovered the password:
HelpDeskZ File Upload Exploit
Using the found credentials, I was able to login to the HelpDeskZ application (
But I also found the public exploit about unauthenticated HelpDeskZ 1.0.2 — Arbitrary File Upload. The author mentioned that the file upload functionality of the ticket controller script obfuscates the uploaded file name with
time() and MD5 it.
And he also had a PoC script. The exploit seemed pretty straight-forward so I decided to use the PoC script to exploit it.
According the reproduction guide, I used the “Submit a Ticket” function while unauthenticated and uploaded
<?php phpinfo(); ?>) as an attachment.
It complained the “File is not allowed” but it was uploaded and the filename would be obfuscated. (I later confirmed this while doing the source code review that although it does check the file extension to check not allowed ones; the file actually gets upload. )
But the exploit attempt was unsuccessful…-_-
HelpDeskZ Source Code Review
I was suspecting that the baseURL when the file was uploaded could be something else. Since HelpDeskZ was an open-source project, I was able to download the source code from the Github.
I searched for “md5” and found
# grep -ir "md5" . --color
When I inspect the script, I could see the
$uploaddir = UPLOAD_DIR.'tickets/'; variable. So I found the uploaded file will be stored in
baseURL + <UPLOAD_DIR> + tickets/.
Time to fine what is
# grep -ir "UPLOAD_DIR" . --color
And it found the
/uploads folder in the
Cool I think we have necessary items to try our exploit again.
Updated the baseURL and I got successful file upload this time.
One caveat was that the Help server time was
GMT so you have to change/calculate the time difference in your local Kali box in order to match the
time() portion of the exploit. Additionally, you can just hardcode the date right after you upload a file and retrieving a server time via
### Getting Server Time
# curl -v http://10.10.10.121/support### Hardcoding the Server Time in exploit.py
currentTime = int(datetime(2021,04,13,17,43).strftime('%s'))
And visiting the URL, I got the reverse shell.
help → root (Kernel Exploit)
The box was a bit older version of Ubuntu and it was vulnerable to several Kernel exploits for local privilege escalation.
I used this (Linux Kernel < 4.4.0–116 (Ubuntu 16.04.4) — Local Privilege Escalation) 44298.c public exploit code to gain
It was good box to do PHP code review and see what could be bypassed/abused to gain arbitrary code execution. It was pretty fun and quick box for OSWE learning. Thanks for reading!