sudo nmap -p- -sS -sV   

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18
3000/tcp open  http    Node.js Express framework
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Note: Add help.htb to /etc/hosts.

Web Server

Viewing the web server running on port 80 we are greeted with the Apache2 default page.

Directory Brute Force

With nothing of interest left in the page source we change over to directory brute forcing with feroxbuster.

feroxbuster -u http://help.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt


feroxbuster discovers the /support/ directory. Navigating to the directory we are directed to a login page for "HelpDeskZ".

A quick search with searchsploit shows that HelpDeskZ may be vulnerable to arbitrary file upload attack.

Further enumeration with feroxbuster on the /support/ directory picks up /readme.html.

Viewing this we see the version of HelpDeskZ running is v1.0.2 which should be vulnerable to the arbitrary file upload.

The basis of this exploit can be found here: I was not able to get the included exploit to work however, used an alternative script linked further below to complete the exploit.

File Upload

Firstly, navigate to the "Submit a Ticket" page. Fill in information as required and attach a PHP reverse shell.

Reverse Shell

On upload the web page gives a "disallowed file" type error when uploaded PHP. This error can be disregarded. I then used the script linked below to complete the exploit and receive a shell on my netcat listener.


User Flag

After connecting the reverse shell we can navigate to /home/help to grab the user.txt flag

Privilege Escalation

After grabbing the flag we upload a copy of and let the script run. After a short while we see the binary s-mail-privep has the SUID bit set.

Looking for way to exploit the binary I came across the following bash exploit script in order to escalate privileges.


Root Shell

After uploading the script I ran it a few times before it worked correctly and gave a root shell.

Last updated