# Help

## Nmap

```
sudo nmap 10.10.10.121 -p- -sS -sV

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18
3000/tcp open  http    Node.js Express framework
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

**Note:** Add `10.10.10.121 help.htb` to `/etc/hosts`.

### Web Server

Viewing the web server running on port 80 we are greeted with the Apache2 default page.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FvC3NSQdW9QsjIlxjKguc%2Fimage.png?alt=media&#x26;token=eccaa09f-a536-42f6-ad9b-39960dd6c032" alt=""><figcaption></figcaption></figure>

### Directory Brute Force

With nothing of interest left in the page source we change over to directory brute forcing with `feroxbuster`.

```
feroxbuster -u http://help.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
```

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FihYWR7BrXvOvmL8L34yj%2Fimage.png?alt=media&#x26;token=35c21820-0034-43ff-98b5-ed8a6c7187dd" alt=""><figcaption></figcaption></figure>

### HelpDeskZ

`feroxbuster` discovers the /support/ directory. Navigating to it, we are redirected to a login page for "HelpDeskZ".

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FnzpzBPbWXLPxB3r5enQX%2Fimage.png?alt=media&#x26;token=761f5276-d0bb-4c3e-9b05-aeceed8c22b9" alt=""><figcaption></figcaption></figure>

A quick search with `searchsploit` shows that HelpDeskZ may be vulnerable to an arbitrary file upload attack.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F4jEcoRaZmu1UDFxd6WIT%2Fimage.png?alt=media&#x26;token=25a30545-d57a-4ebc-a23f-2da6b3fb35d6" alt=""><figcaption></figcaption></figure>

Further enumeration with `feroxbuster` on the /support/ directory picks up `/readme.html`.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FpBKrMeeE26zJ0gQOT57Q%2Fimage.png?alt=media&#x26;token=963e9bf7-b6b5-4ba8-beb6-40d12dcb7fbb" alt=""><figcaption></figcaption></figure>

Viewing this we see the version of `HelpDeskZ` running is v1.0.2, which should be vulnerable to the arbitrary file upload.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fk7p99nsuk6o9ts2mUihl%2Fimage.png?alt=media&#x26;token=d3453d11-ce6f-44a7-974d-b0f7f786d89d" alt=""><figcaption></figcaption></figure>

The basis of this exploit can be found here: <https://www.exploit-db.com/exploits/40300>. I was not able to get the included exploit to work, however, and used an alternative script linked further below to complete the exploit.

### File Upload

Firstly, navigate to the "Submit a Ticket" page. Fill in information as required and attach a PHP reverse shell.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FWhed4BnJpVQA5LU7Iomd%2Fimage.png?alt=media&#x26;token=13aef3f3-d0c2-4bb3-8f3e-f932e25c975a" alt=""><figcaption></figcaption></figure>

### Reverse Shell

On upload the web page gives a "disallowed file type" error when a PHP file is submitted. This error can be disregarded. I then used the script linked below to complete the exploit and receive a shell on my `netcat` listener.

**Exploit:** <https://cxsecurity.com/issue/WLB-2017080112>

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNVSJZhXQspjMlJKAjh1p%2Fimage.png?alt=media&#x26;token=d07644bd-9dd0-4e33-a618-8b91296fc9aa" alt=""><figcaption></figcaption></figure>
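The behaviour above, an error that says the file type is disallowed while the upload nonetheless goes through, is the characteristic shape of an arbitrary file upload bug: the check runs, but nothing acts on its result. The block below is an added example written for this page, not HelpDeskZ's own code. It contrasts a constructed handler with that failure mode against a hardened one; the extension allowlist, the directory layout and the `demo()` helper are all assumptions.

```python
import os
import secrets
import tempfile

# Extensions the helpdesk is willing to store as ticket attachments (constructed allowlist).
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension of a filename, or '' when there is none."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def vulnerable_save(filename: str, content: bytes, upload_dir: str):
    """Failure mode the writeup observes: the type check fails and an error is
    reported, but nothing stops the write. Constructed illustration, not
    HelpDeskZ source. Returns (stored_path, error_message_or_None)."""
    error = None
    if extension_of(filename) not in ALLOWED_EXTENSIONS:
        error = "File is not allowed."
    # Bug: no early return. The attachment is written into a directory the
    # web server serves, under a name derived from the client's filename.
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(content)
    return path, error


def hardened_save(filename: str, content: bytes, upload_dir: str) -> str:
    """Reject before writing, choose the stored name server-side, and keep the
    file non-executable. upload_dir is assumed to live outside the web root
    and to be served, if at all, through a download handler that sets
    Content-Disposition rather than by the web server directly."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"file type '{ext or '(none)'}' not allowed")
    stored = f"{secrets.token_hex(16)}.{ext}"  # unguessable; client name discarded
    path = os.path.join(upload_dir, stored)
    # O_CREAT|O_EXCL never overwrites an existing file; 0o600 is readable by the
    # application only and carries no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return stored


def demo() -> dict:
    """Run both handlers against a constructed PHP upload and a benign text file."""
    payload = b"<?php echo 'placeholder'; ?>"  # constructed stand-in; nothing executes it
    results = {}
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as private:
        path, error = vulnerable_save("ticket.php", payload, webroot)
        results["vulnerable_reported_error"] = error is not None
        results["vulnerable_file_exists"] = os.path.exists(path)
        try:
            hardened_save("ticket.php", payload, private)
            results["hardened_rejected_php"] = False
        except ValueError:
            results["hardened_rejected_php"] = True
        stored = hardened_save("notes.txt", b"ticket details", private)
        results["hardened_stored_ext"] = extension_of(stored)
        results["hardened_name_is_random"] = stored != "notes.txt" and len(stored) == 36
        results["hardened_mode"] = oct(os.stat(os.path.join(private, stored)).st_mode & 0o777)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version fails closed: the allowlist check happens before any write, the stored name is chosen by the server (so double extensions and path characters in the client's name never reach the filesystem), the file is created with `O_EXCL` and mode 0600 in a directory assumed to be outside the web root, and the extension of the stored name matches the allowlist by construction. The constructed handler shows why the error message in the writeup could be disregarded: reporting a failed check is not the same as acting on it.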

### User Flag

After connecting the reverse shell we can navigate to /home/help to grab the `user.txt` flag.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fx5a88PwfKtYW9fFjf1PT%2Fimage.png?alt=media&#x26;token=5976d6ec-ed59-4545-a77d-15991943afa7" alt=""><figcaption></figcaption></figure>

### Privilege Escalation

After grabbing the flag we upload a copy of `linpeas.sh` and let the script run. After a short while we see the binary `s-mail-privep` has the SUID bit set.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FfrL79kfqaj3kePiZhOLW%2Fimage.png?alt=media&#x26;token=c41b8db8-5d57-4ed3-b186-931667fa67c7" alt=""><figcaption></figcaption></figure>
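linpeas flags setuid binaries because each one is a candidate for privilege escalation. From the defender's side the same enumeration, compared against a known-good baseline, is a cheap detection for a binary like `s-mail-privep` appearing where it does not belong. The block below is an added example for this page, not part of linpeas or the original writeup; the baseline set and the temporary tree built by `demo()` are constructed.

```python
import os
import stat
import tempfile

# Constructed baseline: setuid/setgid paths an administrator has reviewed on
# a known-good image. A real baseline is generated from that image and kept
# under change control, not typed by hand.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/bin/newgrp"}


def find_setuid(root: str) -> set:
    """Return every regular file under root with the setuid or setgid bit set.
    Symlinks are never followed and other filesystems (proc, sys, mounts)
    are not crossed, so the scan stays on the root volume."""
    root_dev = os.lstat(root).st_dev
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        kept = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                pass
        dirnames[:] = kept  # os.walk honours in-place pruning of dirnames
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def unexpected_setuid(found: set, baseline: set) -> list:
    """Paths carrying elevated bits that the baseline does not account for."""
    return sorted(found - baseline)


def demo() -> dict:
    """Build a throwaway tree with one expected and one unexpected setuid file
    and run the audit against a constructed baseline."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "bin")
        os.makedirs(bin_dir)
        expected = os.path.join(bin_dir, "passwd")
        rogue = os.path.join(bin_dir, "s-mail-privep")  # name taken from the writeup
        plain = os.path.join(bin_dir, "ls")
        for path in (expected, rogue, plain):
            with open(path, "wb") as fh:
                fh.write(b"placeholder\n")  # constructed stand-in, never executed
        os.chmod(expected, 0o4755)  # setuid, known and baselined
        os.chmod(rogue, 0o4755)     # setuid, absent from the baseline
        os.chmod(plain, 0o755)      # ordinary executable, must not be reported
        found = find_setuid(root)
        rel = lambda p: os.path.relpath(p, root)
        return {
            "found": sorted(rel(p) for p in found),
            "unexpected": [rel(p) for p in unexpected_setuid(found, {expected})],
        }


if __name__ == "__main__":
    # Real use: scan the live filesystem and report anything outside the baseline.
    for path in unexpected_setuid(find_setuid("/"), BASELINE):
        print("unexpected setuid/setgid:", path)
```

Run from cron or a configuration-management check, the `__main__` path produces one line per unreviewed setuid or setgid file; an empty result is the expected state. The walk uses `lstat` throughout so a symlink planted in a scanned directory cannot redirect it, and pruning on device number keeps it off `/proc` and network mounts.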

Looking for a way to exploit the binary, I came across the following bash exploit script to escalate privileges.

**ExploitDB:** <https://www.exploit-db.com/exploits/47172>

### Root Shell

After uploading the script I ran it a few times before it worked correctly and gave a **root** shell.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FjhvsanpVJ4EAPu6jFNvp%2Fimage.png?alt=media&#x26;token=4d7719d1-93c7-4966-bb11-9abd37f67ddd" alt=""><figcaption></figcaption></figure>
