OSCP PREP BOX 2: HtB Help

Written By Ryan Daly

Key takeaways:

·         Don’t always be trusting of file upload success from on screen prompts (test with burp)

·         Compiling exploits is easier done on the target system to ensure compatibility.

 

Alright, this machine really wasn’t too bad in principle. I ended up spending way too much time on the file upload portion of this box, but what’s cracking boxes without spending hours going down a rabbit hole..

 

So, to start, I ran the usual nmap scan and noticed we had three open ports, 22, 80, and 3000.

 I tested a little bit with the port 3000 HTTP API which was a GraphQL endpoint, but I ended up sticking with the port 80 HTTP server.

Upon initial navigation to the page, it’s the default Apache2 landing page, so we’re going to have to do some directory enumeration.

I ran gobuster and located a /support page.

When navigating there, we can see a few navigation pages, one that is of interest which is a help desk ticket submission. We can also see that it’s hosting a web app called Helpdeskz.

Running searchsploit for helpdeskz, we can see there’s an arbitrary file upload vulnerability.

Now, I ran this lab first on PwnBox but went through hell with getting the exploit to work since it’s written in Python2 and for some reason none of the Python3 exploits were coming together for me.

Because of this, I got massively side tracked with chasing down and trying to bypass what I thought were web filters.

In short, the site actually does allow you to upload .php scripts even though it throws you an error message saying they’re not allowed.. literally spent so long throwing .php.jpegs and more trying to get this to work..

So, even though it gives you that error, the file did upload! So, I uploaded pentest monkey’s php reverse shell script. Make sure to edit the listening port and IP before you upload it. I just used vim and edited it.

Now, the way that this service is vulnerable is that the devs figured they didn’t need to write filters, and instead just obfuscate the way that the php files were being stored on the server.. didn’t work out well for them.

So the way the exploit works is by taking the name of the .php file you uploaded, adding that with the time it was uploaded (time on the server which is important (or was at the initial time the exploit came out..)), and then encoding that in md5.

Then set up a netcat listener: nc -lvnp 1234

After the file is uploaded, we can just copy the searchsploit script to our working directory and use the following format:

python2 exploit.py http://help.htb/support/uploads/tickets/ <name of php file>

What this does is it takes the php file and puts it through the encoding process, then sends requests to the URL looking for 200 response codes.

The script running should be enough to give you your user shell, but if not, just copy the URL it gives you and paste it into the browser.

From here, I went down a HUGE rabbit hole in mysql.. I found the root password for mysql in one of the /var/www/html/ log files and enumerated the hell out of mysql to no avail..

I then ran uname -a to start some host enumeration since I had hit such a glorious dead end and learned that the Linux kernel was

Now from here, I took to searchsploit again and found a privilege escalation script. What luck!

The only trick I ran into here was that in exploitdb, the script is written in C. So in order to execute it you have to compile it. I was running into such issues trying to compile it on my kali machine, but I ended up transferring the C code to the target machine, compiled it there, gave it execute permission, and got root!





Ryan Daly
Previous

OSCP PREP BOX 3: HtB Broker
Next

OSCP PREP BOX 1: HtB Sau