4 min read
June 9, 2019

Hack the Box Writeup: Help

This was a pretty straightforward machine that required minimal alterations to the exploits - once you found them anyway :)

Nmap scan shows only a few ports open:

22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxDPln3rCQj04xFAKyecXJaANrW3MBZJmbhtL4SuDYX
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    syn-ack ttl 63 Node.js Express framework
| http-methods:
|  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=utf-8).

I tried port 3000 first and was greeted with this:

I don't know anything about JSON so skipped this.

Port 80 just gave me a default Apache screen so I ran dirb:

START_TIME: Tue Jan 22 11:38:26 2019
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
---- Scanning URL: ---- (CODE:200|SIZE:11321)
==> DIRECTORY: (CODE:403|SIZE:300)
---- Entering directory: ----
---- Entering directory: ----
==> DIRECTORY: (CODE:200|SIZE:1150)
==> DIRECTORY: (CODE:200|SIZE:4453)

Going to shows a HelpdeskZ application:

Clicking around found a potential entry at a file upload page:

First thing I tried was uploading a PHP reverse shell but got a big fat NO:

Searchsploit shows a couple of exploits but one needs credentials:

Looking at the arbitrary file upload exploit shows this:

Looking at the code for the upload page shows where the upload dir is:

I'm no PHP coder but it seems the potential exploit is correct and that files are uploaded even though you may get an error message:

After some experimentation, I figured out the upload directory by appending 'tickets/' to the 'support/uploads' directory that dirb found. Running the exploit with a PHP reverse shell and that directory yielded a limited shell:

With a netcat listener ready, simply running the exploit yielded the shell since it will hit the PHP page. Otherwise, opening the URL the exploit gives will do it:

User flag:

Searching for SUID files shows s-nail-privesp:

Googling 's-nail-privesp' found an exploit for it. I could not get that initial exploit working but found a wrapper for it that did the trick quite nicely:

A few seconds later:

Root flag: