HackTheBox : Help

0liverFlow
11 min readDec 15, 2024

--

Help is a Linux box which has a GraphQL endpoint that can be enumerated to get a set of credentials for a HelpDesk software called HelpDeskZ. The software is vulnerable to blind SQL injection which can be exploited to get a password for SSH Login. Alternatively an unauthenticated arbitrary file upload can be exploited to get RCE. Then the kernel is found to be vulnerable and can be exploited to get a root shell.

Reconnaissance

Nmap

Here, we have three tcp open ports :

TCP open ports

Furthermore, based on OpenSSH and Apache’s banner, we can guess that the system is running Ubuntu as a distribution.

Well, let’s start our enumeration with the Apache web server. Shall we 😉 ?

HTTP — TCP/80

In this section, we will enumerate the Apache web server by performing a file and directory fuzzing, vhosts fuzzing and looking for exploits if the server is using vulnerable and outdated components.

Main web page

Here we have the Apache default page.

Technology Profiling

Let’s now check the technologies used by the web server :

Technology profiling

Based on the output above, we can see that we got interesting information regarding the OS being used (Ubuntu), the web server type and its version (Apache 2.4.18). Furthermore, we also got earlier the backend programming language (Node.js and PHP) as well as the web framework (Express) using wappalyzer. All these gathered information will be useful in the next stages of our assessment.

Well, after a quick Google search, I found out that the latest version of Apache was 2.4.62. However, as previously mentioned, our target is using version 2.4.18 of Apache. Therefore, we will first check if this outdated version has some known public exploits in the wild :

Exploit research with searchsploit
Exploit research with Google

As you can notice, I did not find any exploit that could help me get an initial access to the target machine.

That said, let’s now perform some directory and file fuzzing.

File and Directory Fuzzing

Before performing a file and directory fuzzing, I always check for /robots.txt file. Indeed, this allows me to have a quick view of the webpages that the web admin does not want me to see :

Searching for /robots.txt

As you can see, there is no /robots.txton the web server. Let’s continue with our file and directory fuzzing :

File and directory fuzzing

Vhosts Fuzzing

Vhosts fuzzing

Great ! Let’s now browse the directories and files we found during the previous steps :

/support

Here we have a login page and the name of the technology being used : HeplDeskZ. After some research, I found out that HelpDeskZ was a web-based support ticket system that allowed someone to manage its site’s support. With that information in mind, I naturally tried to find the version of this technology. To do that, I inspected the source looking for comments and strings like version or powered by :

Searching for comments and version in the HTML source code

As you can see, I found nothing unfortunately.

However, let’s check if HelpDeskZ has some known public exploits :

Exploits Research

Well, we found 2 exploits namely :

  • An Arbitray File Upload : This could allow us to upload a webshell or reverse shell on the web server, then execute it to get a remote code execution. Furthermore this does not require us to be authenticated.
  • A SQL injection : To use this exploit, we first need to be authenticated. Knowing that I am quite lazy I will start with the first exploit see that it requires less efforts than the second one.
Downloading the exploit

Note : Make sure to modify the php reverse shell with your ip address and desired port number. In my case, I used tcp port 4443.

That said, to use the exploit, we will first need to send our reverse shell to the web server using the “submit a ticket” feature :

Submitting a ticket with our malicious php reverse shell as an attachment

Let’s now run the exploit :

Exploit failed

Unlikely for us, the exploit did not work.

Knowing that to use the second exploit, I need to be authenticated, I have tried to look for HelpDeskZ’s default credentials but found nothing :

Searching for helpdeskz default credentials

You may ask yourself, what about brute forcing the login page ?

Well, brute forcing the login page would be time consuming and might not work properly because I did not have a valid email address.

That being said, let’s take a look at the Node.js web server. This may lead us to better results.

Node.js Express — TCP/3000

In this section, we will enumerate Express which is a Node.js web application framework.

Main web page

Haha, sounds interesting ! It seems that we have to find credentials. Let’s keep on our enumeration by gathering as much as information until we find the credentials :

Technology Profiling
Checking the presence of /robots.txt

As you can see, there is no robots.txt file.

Directory/Page Fuzzing

When taking a look at the previous error message, we can see that the server returned a message different from web servers’ generic error message like 404 Not Found or 403 Forbidden. Therefore, I searched for the error message on Google to know if I can find more information :

As you can see, this seems to be an API. Frankly speaking, I did not think of that. Therefore, let’s try to enumerate the endpoints using this wordlist :

API endpoints enumeration

As you can see, we found nothing again. This was really strange to me. Therefore I decided to change my ffuf request by making it match all the http status code except the 404 status code. To do that, I use -mc all -fs 404 :

Guess what ? This time, we got an endpoint : graphql.

GraphQL is a data query and manipulation language for APIs that allows a client to specify what data it needs (source : Wikipedia).

Well, here we go again :-)

Nevertheless, I kept on and searched “Graphql API pentesting” on Google :

GraphQL API Pentesting

This is where I discovered this wordlist from seclists. Let’s use that to perform our endpoints fuzzing :

GraphQL API endpoints fuzzing

Unfortunately, this led me nowhere as I still got the same error message :

However, I didn’t give up. I then searched for “graphql API pentesting hacktricks” :

GraphQL API Pentesting with HackTricks

This time, it seems that we are going to get something. Let’s take a look at this article :

Common GraphQL endpoints
GraphQL API endpoints fuzzing

As you can see, we got new endpoints like graphql/graphql and graphql/api .

Well, let’s now perform some basic enumeration :

For instance, to discover the schema information, we can query the __schema field. This field is available on the root type of all queries. Here is the query to use : query={__schema{types{name,fields{name}}}}

Let’s query the username and password using the following query : query={user{username,password}} :

Querying username and password from graphQL API

Awesome ! We found a username and a hashed password. Looking at the hash, it seems to be an MD5. Before cracking the hash with tools like hashcat, let’s check if we cannot find it in rainbow tables. Let’s explore that in the next step : Initial Access.

Initial Access

In this section, we will try to perform a rainbow table attack to retrieve helpme’s plaintext password from its hash. If the attack works, we will then try to authenticate to helpme’s account and find a way to get a remote shell.

That said, I will use a tool called search-that-hash that will try to retrieve the plaintext password from a hash using different well-known hash cracking sites. Indeed these websites store huge databases of hashes with their respective plaintext passwords. These are call rainbow tables. Now, let’s walk the talk :

Rainbow table attack against helpme’s password hash

You could also use crackstation.net but I personally find search-that-hash pretty straightforward :

Cracking the hash with Crackstation

Well, let’s try to authenticate to helpme@helpme.com’ s account :

Authenticating to helpme@helpme.com

Here I will try to use the authenticated SQLi exploit that I previously found out during the enumeration phase to get the administrator’s password hash :

Created ticket

The exploit did not work properly for me. Nevertheless, I understood how the script works and what parameter was vulnerable to SQLi. As you can see below, the param[] parameter is the vulnerable one :

Here is what I got when I visit the link to the attachment : http://help.htb/support?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 :

This request was intercepted in Burp, therefore let’s copy it to a file, then perform an SQLi using sqlmap :

Copy intercepted request into a local file
SQLi using sqlmap
GET parameter param[] is vulnerable to boolean-based blind

Database enumeration

sqlmap -r attachment.req --dbs

Databases enumeration

Enumerating support database’s tables

sqlmap -r attachment.req -D support --tables

Tables enumeration

Dumping users’ information

sqlmap -r attachment.req -D support -T users --dump

users table’s entries
Performing a rainbow table attack against xcvxv’s password hash

Dumping staff’s information

Performing a rainbow table attack against Administrator’s password hash
SSH authentication succeeded

Let’s retrieve the user flag :

User.txt flag

Privilege Escalation

In this section, I started with some basic enumeration :

Sudo privileges Enumeration

No privilege escalation vector found !

Crontab Enumeration

No privilege escalation vector found !

SUID/SGID Enumeration

As you can see, these seem to be the default SUID/SGID binaries. Therefore, we can continue our local enumeration.

Kernel Enumeration

This seems to be an old kernel. It might potentially be vulnerable. Let’s see if we can find some exploits :

Great ! We found an exploit. Let’s download it, then transfer it to the target machine. Once transferred, we will compile and execute it as follows :

Kernel exploit successfully executed

Hoorah \0/ the exploit was successfully executed and we got a root shell.

Note : In a real engagement, it is recommended to communicate with your client prior executing a kernel exploit as it could crash the system that you’re assessing.

That said, let’s now retrieve the root flag :

Root.txt flag
Cheers

Key Techniques Used

Here are the main techniques that we cover in this box :

  • GraphQL API pentesting
  • Detection and exploitation of a blind SQLi using sqlmap
  • Rainbow table attacks to crack hashes using search-that-hash
  • Exploit research and fixing using searchsploit
  • Kernel exploit to escalate our privileges

Wrap Up

That’s it guys. Congrats on having made it so far 👏

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles !

--

--

0liverFlow
0liverFlow

Written by 0liverFlow

Pentester | Enjoy breaking and building stuffs

No responses yet