Help
https://app.hackthebox.com/machines/Help
Nmap
Note: Add 10.10.10.121 help.htb
to /etc/hosts
.
Web Server
Viewing the web server running on port 80 we are greeted with the Apache2 default page.
Directory Brute Force
With nothing of interest left in the page source we change over to directory brute forcing with feroxbuster
.
HelpDeskZ
feroxbuster
discovers the /support/ directory. Navigating to the directory we are directed to a login page for "HelpDeskZ".
A quick search with searchsploit
shows that HelpDeskZ may be vulnerable to arbitrary file upload attack.
Further enumeration with feroxbuster
on the /support/ directory picks up /readme.html
.
Viewing this we see the version of HelpDeskZ
running is v1.0.2 which should be vulnerable to the arbitrary file upload.
The basis of this exploit can be found here: https://www.exploit-db.com/exploits/40300. I was not able to get the included exploit to work however, used an alternative script linked further below to complete the exploit.
File Upload
Firstly, navigate to the "Submit a Ticket" page. Fill in information as required and attach a PHP reverse shell.
Reverse Shell
On upload the web page gives a "disallowed file" type error when uploaded PHP. This error can be disregarded. I then used the script linked below to complete the exploit and receive a shell on my netcat
listener.
Exploit: https://cxsecurity.com/issue/WLB-2017080112
User Flag
After connecting the reverse shell we can navigate to /home/help to grab the user.txt
flag
Privilege Escalation
After grabbing the flag we upload a copy of linpeas.sh
and let the script run. After a short while we see the binary s-mail-privep
has the SUID bit set.
Looking for way to exploit the binary I came across the following bash exploit script in order to escalate privileges.
ExploitDB: https://www.exploit-db.com/exploits/47172
Root Shell
After uploading the script I ran it a few times before it worked correctly and gave a root shell.
Last updated