# Help ## Nmap ``` sudo nmap 10.10.10.121 -p- -sS -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 3000/tcp open http Node.js Express framework Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` **Note:** Add `10.10.10.121 help.htb` to `/etc/hosts`. ### Web Server Viewing the web server running on port 80 we are greeted with the Apache2 default page.

### Directory Brute Force With nothing of interest left in the page source we change over to directory brute forcing with `feroxbuster`. ``` feroxbuster -u http://help.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt ```

### HelpDeskZ `feroxbuster` discovers the /support/ directory. Navigating to the directory we are directed to a login page for "HelpDeskZ".

A quick search with `searchsploit` shows that HelpDeskZ may be vulnerable to arbitrary file upload attack.

Further enumeration with `feroxbuster` on the /support/ directory picks up `/readme.html`.

Viewing this we see the version of `HelpDeskZ` running is v1.0.2 which should be vulnerable to the arbitrary file upload.

The basis of this exploit can be found here: . I was not able to get the included exploit to work however, used an alternative script linked further below to complete the exploit. ### File Upload Firstly, navigate to the "Submit a Ticket" page. Fill in information as required and attach a PHP reverse shell.

### Reverse Shell On upload the web page gives a "disallowed file" type error when uploaded PHP. This error can be disregarded. I then used the script linked below to complete the exploit and receive a shell on my `netcat` listener. **Exploit:**

### User Flag After connecting the reverse shell we can navigate to /home/help to grab the `user.txt` flag

### Privilege Escalation After grabbing the flag we upload a copy of `linpeas.sh` and let the script run. After a short while we see the binary `s-mail-privep` has the SUID bit set.

Looking for way to exploit the binary I came across the following bash exploit script in order to escalate privileges. **ExploitDB:** ### Root Shell After uploading the script I ran it a few times before it worked correctly and gave a **root** shell.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/hackthebox/linux/help.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.