HackTheBox – “Help” Write-Up

help.png

1. Kicking the tires

I started looking into this machine by running a typical nmap scan and saving the output for later review. I ran the command “nmap -A help.htb -oA help.htb”. This command does the following:

  • -A = enables additional advanced and aggressive options. Enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
  • help.htb = I edit my hosts file so that I don’t have to remember the IP. This just resolves to the IP of the server.
  • -oA help.htb = this saves the scan to all three output types (Greppable nmap, XML, and nmap)

This scan gave me the following results.

help - nmap scan (edit).png

  • 22/tcp (ssh)
  • 80/tcp (http)
  • 3000/tcp (http Node.js Express Framework)

One thing to keep in mind is that nmap can be wrong. For instance, the “Node.js” service above may not actually be that service.
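The -oA flag above writes the scan to three files, and the .gnmap (greppable) one is the easiest to consume from a script. The following parser is an added example, not the author's code or output: the address, hostname and version strings in the sample line are constructed, and only the three open ports from the write-up are reproduced. It reads one "Host:" line of a .gnmap file and lists the open ports with whatever service guess nmap recorded, which is exactly the claim the paragraph says you should treat with suspicion.

```python
import sys

# Constructed sample of one "Host:" line from an nmap -oA .gnmap file.
# The address and the version strings are made up for this example; they
# are not the author's real scan results.
SAMPLE_GNMAP_LINE = (
    "Host: 192.0.2.10 (help.htb)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.2p2 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.18/, "
    "3000/open/tcp//http//Node.js Express framework/, "
    "443/filtered/tcp//https///"
    "\tIgnored State: closed (996)"
)


def parse_gnmap_line(line):
    """Parse one 'Host:' line of greppable nmap output.

    Returns (host, records); each record describes one port entry.
    A port entry has seven slash-separated fields:
        port/state/protocol/owner/service/rpc-info/version/
    Entries are separated by ', ', and the Host:, Ports: and
    Ignored State: fields are separated from each other by tabs.
    Header lines ('# Nmap ...') yield (None, []).
    """
    line = line.rstrip("\n")
    if not line.startswith("Host:"):
        return None, []
    fields = line.split("\t")
    host = fields[0].split()[1]
    ports_field = next((f for f in fields if f.startswith("Ports:")), None)
    if ports_field is None:          # e.g. a 'Status: Up' line with no ports
        return host, []
    records = []
    for entry in ports_field[len("Ports:"):].strip().split(", "):
        parts = entry.split("/")
        if len(parts) < 7:           # malformed or truncated entry: skip it
            continue
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        records.append({
            "port": int(port),
            "state": state,
            "proto": proto,
            "service": service,
            "version": version,
        })
    return host, records


def open_ports(line):
    """Only the entries nmap reported as open, in ascending port order."""
    _host, records = parse_gnmap_line(line)
    return sorted((r for r in records if r["state"] == "open"),
                  key=lambda r: r["port"])


def summarize(line):
    """(host, ['22/tcp ssh (version)', ...]) for the open ports on one line."""
    host, _records = parse_gnmap_line(line)
    labels = []
    for r in open_ports(line):
        label = f"{r['port']}/{r['proto']} {r['service']}"
        if r["version"]:
            label += f" ({r['version']})"
        labels.append(label)
    return host, labels


if __name__ == "__main__":
    # Usage: python gnmap_ports.py scan.gnmap  (falls back to the sample line)
    if len(sys.argv) > 1:
        lines = open(sys.argv[1]).read().splitlines()
    else:
        lines = [SAMPLE_GNMAP_LINE]
    for entry_line in lines:
        host, labels = summarize(entry_line)
        if host:
            print(host)
            for label in labels:
                print("  " + label)
```

The version field is a fingerprint guess, so the summary is a starting point for manual verification rather than a fact about the target; nmap also reports only the ports it was asked to probe, so a port missing from this list is not necessarily closed.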

2. HTTP Enumeration

I wanted to see what subfolders were running on the web service on the machine. I ran “dirbuster” for enumeration. I received the results below.

help - dirbuster (edit)

I decided to start checking out the /support/ folder. This folder hosted a webapp titled “HelpDeskZ”.

help - Support Page

3. Getting access to the Webapp

I searched the application using searchsploit and found an unauthenticated vulnerability that I decided to try.

help - searchsploit results.png

I copied the 40300.py file to my /htb/help/ directory so that I could take a look at the code to see what I needed to change or remove from the exploit. I also generally make an additional copy of the exploit so that I can view the original wording while making changes to the script. In this case, I named the other file “readme-40300”.  The exploit had fairly simple instructions:

help - 40300 script wording.png

The writer of the exploit did a good job to state how to perform the exploit, but I kept running into an issue when attempting to upload the PHP page to the HelpDeskZ web app. The app said that the PHP file type was not allowed.

help - php Upload.png

I was at a loss, so I hit up the HackTheBox forums for some hints. One of the hints said to read the code on GitHub, so I attempted to do this and got nowhere. Another user had stated to check to see if the file was actually uploaded anyway, which brings up another hint that keeps popping up time and time again… DON’T TRUST ERRORS!

I still couldn’t get the script to work. I tried many different directories in the arguments for the 40300.py script. After several hours, I finally entered the correct command and the script was a success!

help - Python Script (40300).png
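The “file type not allowed” message that turned out not to mean anything is worth seeing from the server side. The code below is an added example written for this write-up, not HelpDeskZ's code and not the author's: it is a generic Python stand-in for an attachment handler that contrasts the pattern implied by the forum hint (write the file, then report an error) with a handler that validates before it touches disk. The allow-list of extensions is an assumption for the example.

```python
import os
import tempfile

# Extensions a help desk might accept as ticket attachments. This allow-list
# is an assumption for the example, not HelpDeskZ's own configuration.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg"}


def extension_of(filename):
    """Lower-cased extension after the last dot of the basename; '' if none."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def save_upload_check_after_write(filename, data, upload_dir):
    """Flawed pattern: write first, validate second.

    The caller is told 'File type not allowed', but the file is already
    sitting in the upload directory under its original name. If that
    directory is served by the web server, the error is meaningless.
    """
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    if extension_of(filename) not in ALLOWED_EXTENSIONS:
        return False, "File type not allowed"
    return True, path


def save_upload_validate_first(filename, data, upload_dir):
    """Hardened pattern: reject before any side effect.

    - allow-list the extension instead of deny-listing a few bad ones
    - discard the client-supplied name and store under a random one, so
      '../../x.png' or 'a.php.png' cannot influence the stored path
    - do not touch the filesystem until validation has passed
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "File type not allowed"
    fd, path = tempfile.mkstemp(suffix="." + ext, dir=upload_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True, path


def stored_files(upload_dir):
    """Names left behind in the upload directory, sorted for comparison."""
    return sorted(os.listdir(upload_dir))


def demo():
    """Feed a disallowed name to both handlers; report what each left on disk."""
    results = {}
    handlers = (("check_after_write", save_upload_check_after_write),
                ("validate_first", save_upload_validate_first))
    for label, handler in handlers:
        with tempfile.TemporaryDirectory() as upload_dir:
            ok, msg = handler("notes.php", b"constructed sample bytes", upload_dir)
            results[label] = (ok, msg, stored_files(upload_dir))
    return results


def demo_allowed():
    """An allowed type with a hostile name: stored, renamed, inside upload_dir."""
    with tempfile.TemporaryDirectory() as upload_dir:
        ok, path = save_upload_validate_first("../../report.png",
                                              b"constructed png bytes", upload_dir)
        return ok, extension_of(path), os.path.dirname(path) == upload_dir


if __name__ == "__main__":
    for label, (ok, msg, left) in demo().items():
        print(f"{label}: accepted={ok} message={msg!r} files_on_disk={left}")
    print("allowed upload:", demo_allowed())
```

Running the block shows the flawed handler returning the same error string as the hardened one while leaving notes.php in the directory, which is the situation the forum hint describes. When reviewing an upload feature, the check to make is therefore not “does the app say no?” but “does anything exist on disk after it says no?”.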

Before attempting to load the PHP reverse shell that I had uploaded previously, I needed to set up a listener on my host. I did this by typing in “nc -lnvp 1234”.

  • -l = sets the NC session to listen
  • -n = do not do DNS or service lookups
  • -v = has NC give verbose output
  • -p 1234 = sets the port to 1234.

The “phpshell.php” file that I had uploaded was from PentestMonkey (http://pentestmonkey.net/tools/web-shells/php-reverse-shell). I only edited the PHP file to point back to my IP and the port that my NC listener was running on, which was port 1234 in this case.

I clicked the link and quickly switched to my NC terminal….SUCCESS!

4. Pwning User

The webapp connected back to my nc listener and I quickly raced to the /home directory to pull down the user.txt file.

help - User Shell.png

5. Pwning Root

Now that I had user access, I attempted to go through the Basic Linux Privilege Escalation guide from g0tmi1k (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/). I started at the top of the list by pulling kernel and OS version information. I worked through this list and didn’t find anything glaring until the middle of the page. I checked the .bash_history file that contains previously typed commands. (This is located in the user directory, so in this case it was located at /home/help/.bash_history).

I catted the file and found a very unfortunate typo.

help - bash_history.png

I then attempted to simply perform a su command to quickly capture root, but no dice… I was hit with an error message, “su: must be run from a terminal”. That sucks. A quick Google search got me to where I needed to be. I was able to run the following command that allows a python script to be created into a file using “echo”. Running this python script gives a more traditional shell that will work with “su -

help - User shell terminal.png

Now that I had a shell, I attempted to use su - and type in the credentials from the .bash_history file…

help - rootmeordie 1.png

NOOOOO! I felt like my whole life was a lie at this point. After staring at my screen for what seemed like an eternity I decided to go back to the forums for a hint. A user had suggested that sometimes tYpoS hAPPen. This led me to attempt a different version of the credentials, which were successful.

help - rootmeordie 2.png
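The root path here came from a password that was typed at a shell prompt instead of at a password prompt and so ended up in .bash_history. The audit below is an added example, not the author's code: it flags history entries whose first word is neither a shell builtin, an executable name, nor a path, which is the shape a stray password takes in a history file. The sample history and the known-command set are constructed for the example; the password in it is made up.

```python
import os
import re

# First tokens that are legitimate even though they never appear on PATH.
SHELL_BUILTINS = {
    "cd", "export", "alias", "unalias", "source", ".", "exit", "logout",
    "set", "unset", "echo", "pwd", "history", "if", "for", "while", "then",
    "do", "done", "fi", "case", "esac", "function", "return", "read", "eval",
}

# Constructed sample history (not the machine's real file). Line 5 is a
# made-up password typed after 'su' had already failed and returned.
SAMPLE_HISTORY = [
    "ls -la",
    "cd /var/www/html",
    "sudo -l",
    "su",
    "Winter2019!",
    "PATH=/opt/bin:$PATH ./run.sh",
    "exit",
]

# Constructed stand-in for the set of executables found on PATH, so the
# example behaves the same on any machine.
SAMPLE_KNOWN = {"ls", "sudo", "su"}

_ENV_ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")


def first_token(line):
    """The command word of a history line, skipping leading VAR=value prefixes.

    Returns '' for blank lines and comments.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    for tok in stripped.split():
        if _ENV_ASSIGNMENT.fullmatch(tok):
            continue
        return tok
    return ""


def is_known_command(token, known_commands):
    """True if the token is a builtin, a known executable name, or a path."""
    if token in SHELL_BUILTINS or token in known_commands:
        return True
    if "/" in token:            # ./script.sh, /usr/bin/foo, ~/bin/tool
        return True
    return False


def audit_history(lines, known_commands):
    """Return [(line_number, line)] for entries that do not look like commands."""
    findings = []
    for number, line in enumerate(lines, 1):
        tok = first_token(line)
        if tok and not is_known_command(tok, known_commands):
            findings.append((number, line.rstrip("\n")))
    return findings


def commands_on_path():
    """Names of every file in the directories listed in PATH."""
    names = set()
    for directory in os.environ.get("PATH", "").split(os.pathsep):
        try:
            names.update(os.listdir(directory))
        except OSError:
            pass
    return names


def audit_file(path):
    """Audit a real history file against the executables on this host's PATH."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_history(fh.readlines(), commands_on_path())


if __name__ == "__main__":
    # Usage: python history_audit.py ~/.bash_history  (defaults to the sample)
    import sys
    if len(sys.argv) > 1:
        findings = audit_file(sys.argv[1])
    else:
        findings = audit_history(SAMPLE_HISTORY, SAMPLE_KNOWN)
    for number, line in findings:
        print(f"line {number}: {line!r} does not look like a command")
```

The heuristic will also flag typos of real commands, which is acceptable for a review pass over a handful of history files. For a shared or production host the better fix is upstream: keep credentials out of interactive sessions (for example by running `HISTCONTROL=ignorespace` and clearing a line that was mistyped), and rotate any password that is found this way rather than just deleting the line.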

I quickly accessed the root.txt file to root the box.


Lessons Learned

This box was my second box to fully root on HackTheBox. I’ve already felt like I’ve learned a lot on these boxes that are rated “easier”. If you are also new to red teaming or pentesting, try not to get too discouraged if you have trouble on the “easy” boxes. Each person starts off at a different place with a different skill set. I also wouldn’t be afraid to look up hints when you are really stuck, but do whatever you want. Thanks for checking this out!
