Help
https://app.hackthebox.com/machines/Help
Note: Add 10.10.10.121 help.htb to /etc/hosts.
Viewing the web server running on port 80 we are greeted with the Apache2 default page.
With nothing of interest in the page source, we switch to directory brute forcing with feroxbuster.
feroxbuster discovers the /support/ directory. Navigating to the directory, we are directed to a login page for "HelpDeskZ".
A quick search with searchsploit shows that HelpDeskZ may be vulnerable to an arbitrary file upload attack.
Further enumeration with feroxbuster on the /support/ directory picks up /readme.html.
Viewing this, we see the version of HelpDeskZ running is v1.0.2, which should be vulnerable to the arbitrary file upload.
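A defender's view of the enumeration above, as an added example that is not part of the original write-up: directory brute forcing appears in the web server's access log as a burst of 404s on distinct paths from one client, and the non-404 answers to that client show what the scan found (here /support/ and the readme.html that discloses the version). The log lines, IP addresses, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample (not from a real host): one scanning client, one visitor.
def _line(ip, sec, path, status):
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

SAMPLE = (
    [_line("10.10.14.5", i, p, 404) for i, p in enumerate(
        ["/admin", "/backup", "/login", "/test", "/uploads", "/old"])]
    + [_line("10.10.14.5", 6, "/support/", 200),
       _line("10.10.14.5", 7, "/support/readme.html", 200),
       _line("192.0.2.10", 3, "/", 200),
       _line("192.0.2.10", 4, "/favicon.ico", 404)])

def find_scanners(lines, window=timedelta(seconds=10), min_404=5):
    """Map each client with >= min_404 distinct 404 paths inside `window`
    to the sorted paths that did NOT return 404 (what its scan found)."""
    misses, hits = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "404":
            misses[m["ip"]].append((ts, m["path"]))
        else:
            hits[m["ip"]].add(m["path"])
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({p for _, p in events[start:end + 1]}) >= min_404:
                flagged[ip] = sorted(hits[ip])
                break
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

The paths reported for a flagged client are a quick inventory of what should be removed or restricted, such as a readme that reveals the installed version.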
The basis of this exploit can be found here: https://www.exploit-db.com/exploits/40300. I was not able to get the included exploit to work; however, I used an alternative script linked further below to complete the exploit.
Firstly, navigate to the "Submit a Ticket" page. Fill in the information as required and attach a PHP reverse shell.
On upload, the web page gives a "disallowed file" type error when a PHP file is uploaded. This error can be disregarded. I then used the script linked below to complete the exploit and receive a shell on my netcat listener.
Exploit: https://cxsecurity.com/issue/WLB-2017080112
After connecting the reverse shell, we can navigate to /home/help to grab the user.txt flag.
After grabbing the flag, we upload a copy of linpeas.sh and let the script run. After a short while we see that the binary s-nail-privsep has the SUID bit set.
Looking for a way to exploit the binary, I came across the following bash exploit script in order to escalate privileges.
ExploitDB: https://www.exploit-db.com/exploits/47172
After uploading the script, I ran it a few times before it worked correctly and gave a root shell.