Help was an ‘Easy’ box worth 20 points and retired 08/06/2019. It was one of the first boxes I did and, looking at it now, it was a learning experience and indeed rather easy. I did struggle quite a lot because of the instability of the box and some subtle things, typical of CTFs, that cost me some time.
A traditional nmap to kick things off.
At first sight nothing out of the ordinary. Every time I see that port 80 or 443 is open I visit the web page, which in this case was the Apache2 default page. So I turned to a Dirb scan to see whether there was anything interesting to be found. I quickly found a support page, which led me to a HelpdeskZ installation. I looked around and found that you could submit tickets and attach a file to them.
Every time I see an upload possibility, a flag goes up in my head, so it was only logical to explore this further. I googled something like “HelpdeskZ file upload exploit” and immediately found an arbitrary file upload exploit: https://www.exploit-db.com/exploits/40300 . I invite you to read the exploit yourself for all the details, but it comes down to the following. HelpdeskZ allows .php files to be uploaded because it renames the uploaded file to an obfuscated name, which is supposed to eliminate the risk of allowing PHP files. However, that new name is derived from the current time, so by guessing the upload time we can find the file under its new name and get RCE.
I decided to upload a PHP reverse shell and use the above exploit. I thought about which problems I would have to overcome for it to work and came up with three:
- Every file I tried to upload so far showed the error message ‘File not allowed’, so there could be a rule on file extensions or something similar
- I need to know the location where the file is uploaded, so I can execute it
- I need to guess the time at which the file was uploaded (required by the exploit)
Since I knew we could upload PHP files but that they get renamed, I wanted to check the source code of the submit ticket page of HelpdeskZ. I found it on their GitHub page: https://github.com/evolutionscript/HelpDeskZ-1.0/blob/master/controllers/submit_ticket_controller.php
This is an extract from the submit ticket controller. If you analyse the code, which I invite you to do for yourself, you see that a successful file upload still generates the message ‘File not allowed’: the file is written to disk and the error message is shown afterwards, so the message does not mean the upload failed. So problem 1 is solved. For problem 2 I just used Google and found that the files end up at the following location: http://10.10.10.121/support/uploads/tickets/
Since problem 3, guessing the time, still needed to be solved, I just tried uploading the file and running the exploit. I used the PHP reverse shell from pentestmonkey, adjusted to my host IP and to port 5555.
I used the following command to run the arbitrary file upload exploit:
# python exploit.py http://10.10.10.121/support/uploads/tickets/ php-reverse-shell.php
After multiple guesses I eventually found that I needed to use London time (GMT+1) for the upload. I hated this part of the box, since it was a bit random in my opinion. I also had to adjust a for loop in the exploit code: my exploit always finished before my reverse shell was caught by my listener. When I used a large value (> 10,000), my shell was caught and I had RCE.
User: check! Let’s go for root now. I did some basic enumeration and one of the first things I found was the following:
# uname -a
# Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
I googled “Linux 4.4.0-116” and the first result was a local privilege escalation (https://www.exploit-db.com/exploits/44298). Bingo! All I had to do now was get the exploit onto the machine, run it, and I should have root.
Since I couldn’t upload anything to the machine directly, I had to find another way. So I started an Apache web server on my Linux machine and downloaded the exploit from there with wget.
The exploit (44298.c) has to be in the /var/www/html folder, Apache’s default document root. I started the web server with the above command. All I had to do then was a simple wget on the target machine.
Note: I changed directories to /tmp, which is writable in almost every case. I tried to download the file into other directories but didn’t have write permissions there.
As you can see, there are two versions of the 44298 exploit; that is because I had downloaded it once before. We use gcc to compile the source into a binary called ‘exploit’. We then run exploit and check our privileges: ROOT.