HackTheBox : Help
Help is a Linux box which has a GraphQL endpoint that can be enumerated to get a set of credentials for a HelpDesk software called HelpDeskZ. The software is vulnerable to blind SQL injection which can be exploited to get a password for SSH Login. Alternatively an unauthenticated arbitrary file upload can be exploited to get RCE. Then the kernel is found to be vulnerable and can be exploited to get a root shell.
Reconnaissance
Nmap
Here, we have three tcp open ports :
Furthermore, based on OpenSSH and Apache’s banner, we can guess that the system is running Ubuntu as a distribution.
Well, let’s start our enumeration with the Apache web server. Shall we 😉 ?
HTTP — TCP/80
In this section, we will enumerate the Apache web server by performing a file and directory fuzzing, vhosts fuzzing and looking for exploits if the server is using vulnerable and outdated components.
Here we have the Apache default page.
Technology Profiling
Let’s now check the technologies used by the web server :
Based on the output above, we can see that we got interesting information regarding the OS being used (Ubuntu), the web server type and its version (Apache 2.4.18). Furthermore, we also got earlier the backend programming language (Node.js and PHP) as well as the web framework (Express) using wappalyzer. All these gathered information will be useful in the next stages of our assessment.
Well, after a quick Google search, I found out that the latest version of Apache was 2.4.62. However, as previously mentioned, our target is using version 2.4.18 of Apache. Therefore, we will first check if this outdated version has some known public exploits in the wild :
As you can notice, I did not find any exploit that could help me get an initial access to the target machine.
That said, let’s now perform some directory and file fuzzing.
File and Directory Fuzzing
Before performing a file and directory fuzzing, I always check for /robots.txt
file. Indeed, this allows me to have a quick view of the webpages that the web admin does not want me to see :
As you can see, there is no /robots.txt
on the web server. Let’s continue with our file and directory fuzzing :
Vhosts Fuzzing
Great ! Let’s now browse the directories and files we found during the previous steps :
Here we have a login page and the name of the technology being used : HeplDeskZ. After some research, I found out that HelpDeskZ was a web-based support ticket system that allowed someone to manage its site’s support. With that information in mind, I naturally tried to find the version of this technology. To do that, I inspected the source looking for comments and strings like version or powered by :
As you can see, I found nothing unfortunately.
However, let’s check if HelpDeskZ has some known public exploits :
Well, we found 2 exploits namely :
- An Arbitray File Upload : This could allow us to upload a webshell or reverse shell on the web server, then execute it to get a remote code execution. Furthermore this does not require us to be authenticated.
- A SQL injection : To use this exploit, we first need to be authenticated. Knowing that I am quite lazy I will start with the first exploit see that it requires less efforts than the second one.
Note : Make sure to modify the php reverse shell with your ip address and desired port number. In my case, I used tcp port 4443.
That said, to use the exploit, we will first need to send our reverse shell to the web server using the “submit a ticket” feature :
Let’s now run the exploit :
Unlikely for us, the exploit did not work.
Knowing that to use the second exploit, I need to be authenticated, I have tried to look for HelpDeskZ’s default credentials but found nothing :
You may ask yourself, what about brute forcing the login page ?
Well, brute forcing the login page would be time consuming and might not work properly because I did not have a valid email address.
That being said, let’s take a look at the Node.js web server. This may lead us to better results.
Node.js Express — TCP/3000
In this section, we will enumerate Express which is a Node.js web application framework.
Haha, sounds interesting ! It seems that we have to find credentials. Let’s keep on our enumeration by gathering as much as information until we find the credentials :
As you can see, there is no robots.txt file.
Directory/Page Fuzzing
When taking a look at the previous error message, we can see that the server returned a message different from web servers’ generic error message like 404 Not Found or 403 Forbidden. Therefore, I searched for the error message on Google to know if I can find more information :
As you can see, this seems to be an API. Frankly speaking, I did not think of that. Therefore, let’s try to enumerate the endpoints using this wordlist :
As you can see, we found nothing again. This was really strange to me. Therefore I decided to change my ffuf request by making it match all the http status code except the 404 status code. To do that, I use -mc all -fs 404
:
Guess what ? This time, we got an endpoint : graphql.
GraphQL is a data query and manipulation language for APIs that allows a client to specify what data it needs (source : Wikipedia).
Well, here we go again :-)
Nevertheless, I kept on and searched “Graphql API pentesting” on Google :
This is where I discovered this wordlist from seclists. Let’s use that to perform our endpoints fuzzing :
Unfortunately, this led me nowhere as I still got the same error message :
However, I didn’t give up. I then searched for “graphql API pentesting hacktricks” :
This time, it seems that we are going to get something. Let’s take a look at this article :
As you can see, we got new endpoints like graphql/graphql
and graphql/api
.
Well, let’s now perform some basic enumeration :
For instance, to discover the schema information, we can query the __schema
field. This field is available on the root type of all queries. Here is the query to use : query={__schema{types{name,fields{name}}}}
Let’s query the username and password using the following query : query={user{username,password}} :
Awesome ! We found a username and a hashed password. Looking at the hash, it seems to be an MD5. Before cracking the hash with tools like hashcat, let’s check if we cannot find it in rainbow tables. Let’s explore that in the next step : Initial Access.
Initial Access
In this section, we will try to perform a rainbow table attack to retrieve helpme’s plaintext password from its hash. If the attack works, we will then try to authenticate to helpme’s account and find a way to get a remote shell.
That said, I will use a tool called search-that-hash that will try to retrieve the plaintext password from a hash using different well-known hash cracking sites. Indeed these websites store huge databases of hashes with their respective plaintext passwords. These are call rainbow tables. Now, let’s walk the talk :
You could also use crackstation.net but I personally find search-that-hash pretty straightforward :
Well, let’s try to authenticate to helpme@helpme.com’ s account :
Here I will try to use the authenticated SQLi exploit that I previously found out during the enumeration phase to get the administrator’s password hash :
The exploit did not work properly for me. Nevertheless, I understood how the script works and what parameter was vulnerable to SQLi. As you can see below, the param[]
parameter is the vulnerable one :
Here is what I got when I visit the link to the attachment : http://help.htb/support?v=view_tickets&action=ticket¶m[]=4¶m[]=attachment¶m[]=1¶m[]=6 :
This request was intercepted in Burp, therefore let’s copy it to a file, then perform an SQLi using sqlmap :
Database enumeration
sqlmap -r attachment.req --dbs
Enumerating support database’s tables
sqlmap -r attachment.req -D support --tables
Dumping users’ information
sqlmap -r attachment.req -D support -T users --dump
Dumping staff’s information
Let’s retrieve the user flag :
Privilege Escalation
In this section, I started with some basic enumeration :
Sudo privileges Enumeration
No privilege escalation vector found !
Crontab Enumeration
No privilege escalation vector found !
SUID/SGID Enumeration
As you can see, these seem to be the default SUID/SGID binaries. Therefore, we can continue our local enumeration.
Kernel Enumeration
This seems to be an old kernel. It might potentially be vulnerable. Let’s see if we can find some exploits :
Great ! We found an exploit. Let’s download it, then transfer it to the target machine. Once transferred, we will compile and execute it as follows :
Hoorah \0/ the exploit was successfully executed and we got a root shell.
Note : In a real engagement, it is recommended to communicate with your client prior executing a kernel exploit as it could crash the system that you’re assessing.
That said, let’s now retrieve the root flag :
Key Techniques Used
Here are the main techniques that we cover in this box :
- GraphQL API pentesting
- Detection and exploitation of a blind SQLi using sqlmap
- Rainbow table attacks to crack hashes using search-that-hash
- Exploit research and fixing using searchsploit
- Kernel exploit to escalate our privileges
Wrap Up
That’s it guys. Congrats on having made it so far 👏
I hope you enjoyed the writeup.
If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles !
Resources
https://blog.securelayer7.net/helpdeskz-v2-0-2-stored-xss-vulnerability-explained/
https://www.exploit-db.com/exploits/40300
https://www.exploit-db.com/exploits/41200
https://stackoverflow.com/questions/13339695/nodejs-w-express-error-cannot-get
https://graphql.org/learn/introspection/
https://portswigger.net/web-security/graphql/what-is-graphql
https://portswigger.net/web-security/graphql
https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql
https://www.exploit-db.com/exploits/44298
Contact
GitHub : https://github.com/0liverFlow