What is going on everybody, my name is John Hammond and this is the very first Hack The Box machine video that I'd like to showcase on my channel. I would like to start doing these just before these machines are retired, so when they are retired I can upload them, and I'd like to hopefully produce and showcase how I solve some of these. I don't think they'll be the same quality as IppSec. Shout out to you my friend; if you haven't seen his channel please go check it out, he does some phenomenal stuff. I'd like to try my hand at some of these, so I wanted to showcase Help, this machine from Hack The Box. Help showcases the HelpDeskZ software, which is some open source code to actually submit tickets and kind of manage some tech support, a web portal front end that has an older vulnerability, and then we can do a kind of simple, cool, at least accessible, easily accessible kernel exploit to privesc to root. So this machine's IP address is 10.10.10.121. I'm going to go ahead and connect to my OpenVPN; I have the certificate downloaded and ready so I can just roll. I'll go ahead and create a little directory to work with this, and you may certainly do the same. I'm going to call this just YouTube Help and then we'll move into that directory. I like to personally take note of the IP address as its own file, because I hate when I come back to this machine later and totally forget what the IP address is. I'm honestly too lazy just to go to the website, so that's me. The first thing we should do is nmap the box; you want to get an idea of what services are running on that machine. So I like to just simply use -sC, -sV, and I use -oN just to get the nmap output, and I'll note that as like "initial", and then I'll paste in the IP address of the box that I'm working on, which in this case is 10.10.10.121.
So we'll wait for nmap to return its results to us. In the meantime we can start to poke around at some of the services that we would kind of already expect to be accessible. In that case I can assume HTTP will be accessible for us, and it is; it's just the Apache2 Ubuntu default page, so there's nothing particularly worthwhile and visible there. We can kind of traverse to some of those other low-hanging-fruit spots like robots.txt, but it doesn't look like there are any results there. But okay, nmap came back for us. Looks like we have port 22 open, which is SSH; we can review these version numbers if we'd like to. We know that okay, port 80 has this Apache default page, and it actually has a service on port 3000 open and accessible, and it looks to be Node. We can take a look at that. Looks like "hi shiv, to get access please find the credentials with given query"; that might be a single-page application, it looks like it's working with JSON, that JavaScript Object Notation. So we can put that away for the time being and let's start to look at that actual port 80. What I'm going to end up doing is actually running a full port scan in the background. I'll use -p- and then I'll call that output "allports". And I'm going to end up going to run DirBuster, which I tend to like, so I'll go ahead and use /opt. Let's fire up Nautilus there, "nautilus /opt", just so I can open the file manager. DirBuster is what I want to end up using to enumerate the web pages on this website. So that is HTTP and the IP address. I'll browse to that list that I want to use; I like to just use the medium one, and I'll drag it out, directory-list-2.3-medium. File extensions, I'll pump in like html, sh in case I get some Shellshock stuff, txt, js if we wanted, css, etc. And then the default kind of options seemed to work just fine for me. And I see "support", and I hadn't seen that before; that doesn't look like a default Apache thing.
So I figure let's go ahead and take a peek at support. If I go back to port 80, that original HTTP server, we can move to the support directory and we have HelpDeskZ. HelpDeskZ looks like a web interface that doesn't really have anything to scroll on. This is the about page; we can Ctrl+U to check out the source for the web page. I see some leftover PHP code, "if client status is not equal to one". No comments or kind of hidden information inside of this text here. But let's poke around. Oh, it looks like more random PHP strings just kind of left floating around. Let's poke around the web page to see what we can do. Can we search in the knowledge base? Do like an attempt for SQL injection if we'd like. "We're unable to find anything relevant to your search." Let's try double quotes, still nothing. Login. Lost password. An email. We could create like a fake email if you wanted to, like a 10 Minute Mail or a real mail, stuff like that. "I won." Is that an I or a one? I mean, that's a one in the middle, so those clearly have to be I's. "That's a valid email address." Don't believe me. Submit a ticket. Knowledge base is where you just were, news, there's nothing there. There doesn't seem to be a means to register. Okay, HelpDeskZ software. I just moused over the disclaimer here: "HelpDeskZ, a free helpdesk software that works." "HelpDeskZ is a free PHP-based software. It allows you to manage your site support with a web-based support ticket system." 2015-2016. Doesn't look like that copyright has been updated. But that's the real website. This is the actual official thing. So I wish it would tell me some version information. We can go check out HelpDeskZ on the interwebs. Google that here. Looks like there are some exploits and some information already being told to us here. What does Wikipedia tell me about this? Is there a stable version that's up and available? Is there even a Wikipedia page? I can't track one down for the specific software.
That's totally fine. Let's see if we can submit a ticket. "If you can't find a solution to your problem, you can submit a ticket by selecting the appropriate department below." General is the only option we have. What's my name? "Please subscribe", a@a.com. Priority: critical. Absolutely. This is extremely important. Subject can be anything, message can be anything. Oh, it lets me upload something. Okay, so attachments. Well, I guess we could just add like a PHP shell or something. Let's go ahead and create one. I'm going to... Oh, that nmap scan finished. Looks like there was nothing new. We can probably go aggressive on this if we wanted to, -A, and keep these things running in the background. Let's create just some "shells" directory. And let's create a basic php_shell.php. So that will have our PHP opening and ending tags, and let's just use system($_GET) with "c" as our variable. So that will just run the system function with an HTTP parameter, the GET variable that we pass along to it, and that's going to be the "c" variable. So super simple. That would just print it out, right? Let's see if we can actually upload that. That's in CTF, Hack The Box, YouTube Help. And that php_shell uploaded. We have to fill out a CAPTCHA; that's kind of annoying each time, but I guess I understand. Submit this, please. "Is that not a valid email address?" anything@anything.com. ZQIWV. "File is not allowed." Okay, we can do some tweaks on that. We can actually modify it with GIF89a, and then add a semicolon in there to help it kind of look like a GIF file, right? If I were to run file on that, it would tell me, hey, that's a GIF image, because that magic file header there, the magic number at the very, very start of the file, looks like a GIF file. We can go ahead and try and upload that, still keeping the extension there. RJ, you... this CAPTCHA sucks, man. Submit. "File is not allowed." Okay, whatever. Let's, let's see.
When we googled HelpDeskZ, it looks like it already showed us some exploits that might be an option. Let's check on the nmap scan. Okay, the aggressive stuff already finished. Running through it, nothing extremely helpful. That's totally fine. All right. I have SearchSploit installed and accessible on my Ubuntu machine. If you want to get SearchSploit and you aren't running Kali, you can go ahead and get the Exploit Database, excuse me, the Exploit Database SearchSploit from the GitHub repository. They have it accessible, and it's in their Offensive Security page here. You can git clone this and then totally run it and work with it. searchsploit is the script that you want to end up running; I have that stored in /opt. But all that really is, is a command-line avenue to access exploit-db.com, right, and search for things as you would in the web page. So I'll use /opt/exploitdb/searchsploit, and it's totally showcasing stuff that I had done earlier to prep. So searchsploit HelpDeskZ: if we search for just a string of what we're really looking for, we can give it a service name, and if you wanted to, a version number, if we had that information; I wasn't able to track that down in the source code. But let's just search for HelpDeskZ and see if we have anything. We have an arbitrary file upload, which looks like what we were just trying to do, "less than 1.0.2", and an authenticated one. So we aren't authenticated; we don't have an account or any credentials or users we can log in as. But this arbitrary file upload might be promising. We can go ahead and copy that and mirror it right to our current location. So let's mirror that here. And now we have this 4030.py. Let's take a look at what that is. I'm going to move it to something that's like a better name, file_upload.py. And let's see what that'll actually tell us. Okay, 2016 date.
So kind of around that, when we saw those copyright messages on the official website. HelpDeskZ less than version 1.0.2 suffers from an unauthenticated shell upload vulnerability. "The software in the default configuration allows upload for .php files." I think, oh, it does allow for .php files. So when we tried to upload it and it told me that file is not allowed, maybe it was lying to me. "I think the developer thought it was no risk because the file names get obfuscated when they're uploaded. However, there's a weakness in the rename functionality of the uploaded file." controllers, GitHub, Evolution Script. Oh, they actually showcased some of the source code here for that submit_ticket_controller.php, in the line. Looks like it's available on GitHub, so we could totally track it down. "By guessing the time the file is uploaded, we can get remote code execution." The file name that's stored on the server is set to an md5 hash of the attachment's name with the time appended to it, and then ".php" is appended. And so it's kind of time based, right? It just adds it in with a period added in there and the file extension. So by guessing the time this file is uploaded, we can get RCE. Steps to reproduce: go to, that's the same form we were just at, right? Submit a ticket, "submit_ticket" and "action=displayForm". Okay. That's it. action=displayForm. Once we've actually selected a department and/or anything in the mandatory fields, attach your php_shell.php and solve the CAPTCHA, submit your ticket, call this script with the base URL of the installation and the name of the file you uploaded. So it looks like that's the md5 hash of the current time minus, so they're actually trying to figure out an offset or like a jitter, right? Of when, what was the correct second that that was uploaded? Let's take a look at that source code, because if we're able to track that down... GitHub HelpDeskZ. Looks like evolutionscript. When was this last updated, man?
How old is this? January 5, 2016? Okay. So this looks like the real thing, version 1.0.2, and that's what's referenced in that exploit script. Where did they go? They went to controllers and submit_ticket_controller, which is the one we're looking for. So let's Ctrl+F for "upload". Upload. Okay. Upload directory. Where is this? Let me just kind of get our bearings first. displayForm, which is where we were at in our URL. If it's a confirmation, blah, blah, blah, blah, we're uploading. If we don't have any errors, so if error message is not set, and settings ticket_attachment is equal to one, so if we supply the ticket attachment, the upload directory is equal to UPLOAD_DIR . 'tickets/' with a forward slash. That's good to know. What is UPLOAD_DIR? What is that being set to? Is that anywhere? Try to track down where that might be. There's a way to find inside of the repository, right? There's a way to search inside the repository. I should know these things. "In this repository." Okay, cool. UPLOAD_DIR. "In this repository." Save directory goes UPLOAD_DIR. UPLOAD_DIR. define UPLOAD_DIR is equal to ROOTPATH 'uploads'. And we know it's going to go to tickets. So that's in globals. So let's make sure our script is right. I don't think it is. helpdeskz_baseurl, which will be the forward slash md5. So they're not even including it. They're not even including uploads/tickets. So upload_dir, let's say, equals uploads/tickets/ plus our md5 hash. So we need to include that in. We'll concatenate in upload_dir. Good. And let's look at that code one more time. Let's see what that says. I think we were in submit_ticket_controller and "upload". Remove that. If we attach stuff, filename . time is in there. file_uploaded is equal to an array that's saved with the file name. That carves out the extension, grabs the file type and everything. upload_file is equal to the upload directory and that file name. So that upload_dir is critical. That is where it needs to go.
And if move_uploaded_file, if not move_uploaded_file the attachment, show_step_2 is equal to true, error message equals "Error uploading file". If it did not have an error, then it tries to verify the file, verifyAttachment. What does that do? The attachment that we supplied, message code one "invalid file extension" or two "file not allowed". That's what we saw. We saw that "file not allowed". So maybe that verifyAttachment is doing something odd. Let's check. verifyAttachment is the name of that function. They call it every now and again. Okay, this is in includes/functions. It says function verifyAttachment. verifyAttachment. Good. So it's getting the parts of the file and the file extension. And okay, that must be testing from a database. If the file type is in the database's list, message code two was when it was not allowed. So there must be some file types that they're keeping track of in their database that they don't trust. But if we go back to where we were, that move_uploaded_file in PHP, that function already does it: "Moves an uploaded file to a new location." It's already uploaded before it even checks or tries to verify if it's a valid and trusted extension. So it's already going to be present on the server, right? We can try and find out. Yeah. Okay. So let's, we don't need these arguments. Let's try and hard-code what we would expect the stuff to be. We're going to end up having http://10.10.10.121, and then support is the name of it. It is 121, right? cat ip-address: 121. And then the file name, I'm going to keep mine as php_shell.php. And then the upload directory we're adding in, the current time it tries to calculate, and then it tries to guess stuff within a current range. I think we have everything we need. Hopefully we'll be able to find something. It's helpdeskz_baseurl plus a forward slash and then add upload_dir, uploads/tickets/, and the md5 hash that we calculate based off the current time minus a few seconds.
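As an added illustration, not HelpDeskZ's own code and not from the video, here is the weak upload pattern described above next to a hardened handler; all function and variable names (handle_attachment_weak, handle_attachment_safe, $denied_types, $allowed_types) are hypothetical and the flow is modelled only on what the walkthrough describes.

```php
<?php
// Added illustration, not HelpDeskZ's code: a minimal ticket-attachment handler
// in the weak form described above and in a hardened form. Names are hypothetical.

// Weak form: the file is moved into the web-accessible upload directory BEFORE
// the extension is verified, under a name derived from md5(name . time()), so a
// rejected .php attachment still lands on disk with a name guessable to the second.
function handle_attachment_weak(array $file, string $upload_dir, array $denied_types): array
{
    $ext      = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $new_name = md5($file['name'] . time()) . '.' . $ext;   // predictable, keeps user extension
    $dest     = rtrim($upload_dir, '/') . '/tickets/' . $new_name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'msg' => 'Error uploading file'];
    }
    // Verification happens after the move, and on failure the file is left in place.
    if (in_array($ext, $denied_types, true)) {
        return ['ok' => false, 'msg' => 'File is not allowed'];
    }
    return ['ok' => true, 'path' => $dest];
}

// Hardened form: allowlist checked before anything touches disk, the stored name
// is unguessable and carries no user-controlled extension, the directory sits
// outside the web root, and a failed check leaves nothing behind.
function handle_attachment_safe(array $file, string $store_dir, array $allowed_types): array
{
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'msg' => 'Invalid upload'];
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_types, true)) {
        return ['ok' => false, 'msg' => 'File is not allowed'];   // nothing was written
    }
    // Check the real content type as well, not just the extension. A GIF89a prefix
    // like the one tried above would pass this for image/gif, which is why the
    // storage location and the opaque name below, not this check, remove execution.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed_mimes = ['image/png', 'image/jpeg', 'image/gif', 'text/plain', 'application/pdf'];
    if (!in_array($mime, $allowed_mimes, true)) {
        return ['ok' => false, 'msg' => 'File is not allowed'];
    }
    $new_name = bin2hex(random_bytes(16)) . '.bin';         // 128 bits of randomness, no .php
    $dest     = rtrim($store_dir, '/') . '/' . $new_name;   // $store_dir must be outside DocumentRoot
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'msg' => 'Error uploading file'];
    }
    chmod($dest, 0640);                                     // no execute bit
    // The original name and MIME type belong in the database; downloads are then
    // served through a controller with Content-Disposition: attachment, never by URL.
    return ['ok' => true, 'path' => $dest, 'orig' => basename($file['name']), 'mime' => $mime];
}
```

The weak handler returns "File is not allowed" after the file is already on disk, which is exactly the behaviour the walkthrough observes; the safe handler can only return that message before any write happens.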
It's trying to track it down, and then it'll determine whether or not we found something. "Sorry, I did not find anything." Okay. Let's try this. We can submit a ticket. Good old "please sub", pleasesub@pleasesub.com, please sub, please sub. And let's add php_shell. HBOHL. Submit. Oh, okay, whatever. Let me, let me start again. If you didn't like my cross-site request forgery token, let's do these. Oh, I need an actual email address. I started to do that in the message. U E O R B, and we'll attach our php_shell. "File is not allowed." Okay, it should still be uploaded, because we just figured that out. Let's run file_upload. I did not have a shebang line on that, so let's add one, #!/usr/bin/env python, and then we should be able to run that. And it needs to be converted, because we downloaded it. And it still needs arguments; it was testing for those. So we don't need to test for arguments anymore, because we're hard-coding them in for our sake. And let's run this. It takes a little bit of time, right? Because it's going through those 300 seconds, so a couple minutes where it has a window that it could have been uploaded in. And we don't know whether our time, our local time, is the same as the server-side time. So it has to guess a little bit. But maybe it'll be able to track something down. Okay, it tells me "sorry, I did not find anything." Okay, so let's go back to the drawing board. Everything looks right. The only thing I'm worried about is that time offset, that time jitter. So if we really wanted to, we could try and add time by going with it starting with like a negative number. Or let's amp it up, let's go like to 500 or something, and see if it'll be able to track something down. So let's go through that process one more time. Please sub, please sub, please sub. Or5gz, and let's upload our php_shell.php, submit, it's going, and we have 500 seconds in there now. So when we crank on this, maybe it'll be able to find something. And there it goes.
Okay, it found something. We have a link and we can go to this. And it has our GIF89a. Can we run commands? So I'm going to change my percent sign, I'm sorry, question mark, to say these are some variables that I want to pass in, and c=id. And we get help, help, help, help as the user. Cool. So we have code execution. Now let's see if we can get a reverse shell, right? We can go get some of those Pentest Monkey reverse shell cheat sheets, because that is just going to quickly give us a reverse shell one-liner that we want. We can actually create one in PHP. We don't need to try and include some of this code in there; we have that larger PHP reverse shell. So that's what's going to end up being called if we are to create this. So let's go ahead and download this and work with this. If you guys haven't seen this before, this is a more formal and clean PHP shell that you can use if you actually have PHP being interpreted and run. Where am I going? I'm going to Hack The Box. It was going into Pico for a second, sorry. YouTube Help. So let's get this in php-reverse-shell.tar or whatever. Go ahead and save it. Because this will allow us to have a reverse shell that calls back to us, and it's a little bit more stable than any of those kind of quick one-liner cookbook reverse shells like Pentest Monkey will give us. Let's modify that though. We've got to go ahead and extract it, so I'm just going to use the GUI to get that done real quick. And this is really the only thing that we need here. Let's rename this. Actually, yeah, let's put it in the shells directory and rename it to php_shell. So now I want to modify that and actually work with it, because we've got to give it our IP address, right? The reverse shell needs to know how it can reverse and call back to us, the attacker machine. So this IP and port we need to modify. Let's figure out our IP address. So ifconfig, and I'm on tun0, that's my interface right now. I'm 10.10.14.2.
Yours may very likely be different. But let's use that as our IP address and let's change the port to 9001. So if we listen on 9001 and we upload that script, once our other script, our exploiter attack script, finds it, it has already made a request and it should already be invoked. And that way that PHP code will activate and we'll get our shell. So let's upload that and then use the correct CAPTCHA. Submit. "File is not allowed." We are listening up there. Now let's go ahead and run our file_upload script, see if we can track it down, see if we get a catch, and if our reverse shell is activated once we find a correct time match for that file. Okay, we found the page. We don't have a callback yet. Let's open up that page and see if we get anything. No, we don't. Okay, what's the matter? I must have done something wrong. Did I upload the right script? No, I did not. Because that's still... let's give it a new file name. Maybe I need to be cautious with that. Let's call it better_php_shell, right? And I actually want to modify that in our script. If you were using the command-line arguments, you could just change that while you run it. But better_php_shell is kind of what we need for that. So now let's start over: anything.com. And our attachment will now be better_php_shell. LZ1HS. Submit those. It is uploaded even though it tells me file is not allowed. Let's go back to listening, and let's try and run our script again to track down our better_php_shell. Maybe that file name didn't want to create it because it was already existing, or whatever the case may be. We figured, you know what? Let's play it safe. Let's give a new file name and see what we get. So once we find it, given the time skew, will we get a reverse shell? Okay, that didn't find anything for me. So I must have missed something yet again. better_php_shell is what we're looking for. better_php_shell is the correct name. I assess you why, we'll submit again. Try that one more time.
Okay, so that one got it. Maybe it was a little finicky. Maybe I failed the first time. But you can see up top, I now have a reverse shell. So because I am in zsh, if I try and use some of those techniques to get a bash shell going and the stty raw -echo, it tends to trip up. So let's go ahead and use bash on this. I'll have bash run, and then I'll use my netcat -lvnp to start my reverse shell listener within bash. We'll check the file_upload script to see if we can actually get the callback. It should still be able to reach it; I think it's in that time skew. Okay, now we have a connection. So now I can use the regular Python syntax just as we did before. Now we can background this and use stty raw -echo, foreground that, and let's export TERM equal to something like xterm. So now I can hit Ctrl+L and do whatever I need to do. We have /home. We can move into help, and let's use wc to actually see if we can read that user.txt file, which we can; it has 33 characters in it. So we know that is the hash that you could submit and get four points here. But now what do we do? Now that we are on the box, we kind of want to enumerate and figure out what more we can find out and how we can progress and escalate our privileges. Looks like we have the source code for help, or really that node_modules thing that we were looking at. Before I dive into that, I kind of want to run through our LinEnum script, the enumeration script we can run on Linux. I'll move into the /tmp directory and I'll make kind of a home for myself. You can also move into /dev/shm, or shared memory, which is a cool, good place to hide if you wanted to make a directory like ".sub" or whatever, for subscribe. You can do that. So if you wanted to drag over LinEnum, a cool technique is to use wget, or just host it on your machine temporarily. So I created a www directory so that I can host files, and then I'll use like Python SimpleHTTPServer so I can pull them down.
What I'll do is I'll copy /opt/LinEnum, which I have. Again, LinEnum is downloadable and accessible; you can get it off GitHub if you'd like it. Put it in here. And if we need to modify that, we can; we can specify set thorough to true, or search for passwords or keywords if you'd like to. That's a good idea to do. If you set thorough equal to one, and then keywords equal to something, you can certainly do that. Let me actually go modify that at the very, very top of the script. Let's say thorough equals one. And then I think it's keywords, keyword, you can say like "password" or something, whatever you'd like here. So now we can go ahead and download that if we start to host it. Let's do python -m SimpleHTTPServer. So it's hosting on port 8000. If I were to go to my IP address, which you know is 10.10.14.2. Was that right? Let's find out. ifconfig tun0. Yes, 10.10.14.2, port 8000, which is apparently also being redirected on port 80 for some reason on my box. You can see LinEnum.sh is something that we will show and it can be made available. So that means that on the other remote machine, we can totally wget 10.10.14.2, let's go to port 8000, LinEnum.sh. So we'll download it. You can see I got it over on the other side here, and now it's present in this current directory. So what we can do is mark that as executable if we'd like to run it. Go ahead and run it. I like to pipe it to tee just to get a log for it, log.txt. And then it will go ahead and run through this enumeration script. There's a lot of information that this will dig out, and that will normally help you track down where should I go, what should I look at next? Are there setuid binaries? Are there some odd permissions on some of these directories? Are there other user accounts that are superuser enabled, or things that I can run with sudo that I wouldn't normally be able to do? And that takes some time.
So given that these are thorough checks, it will go through everything and take a little bit more time. I don't know if I just lost display here or it's trying pretty hard to do something. Looks like it's trying hard to do stuff. But I'll let this run and we'll pull it out and examine it after I pause the recording. Okay, now that that's done, we have that log that's saved thanks to tee. If we wanted to cat that out and view it, we absolutely could. That's still a little bit messy, especially because we won't be able to fit all of that in our buffer. And did I lose some of it? I might have. No, it looks good. But as you can see, viewing it in nano kind of sucks because of all those control characters. So if we were to pull this down, and we absolutely could, if we wanted to pull up our own Python SimpleHTTPServer on here, can we do that? Will it let us? Let's find out. It will. Okay. So we could very well just wget http://10.10.10.121, let's get log, remember port 8000, right? log.txt. We'll pull it here. There's a lot of files. There's not a lot of files, it's only one file, but there's a lot of stuff in that file. So we can open that up in Sublime Text, but that also sucks to look at. So something that I found, at least it sucks because of these color codes, right? Because of those escape sequences, something that I ended up finding was "remove", or I told it, like "strip colors". I saved it. I know I saved it, but there's a way, I promise I saved it. Perl, remove colors, escape sequence, and Linux. "Removing ANSI color codes." I saw this, and I had to do it earlier in some other thing that we were exploring and poking at. But there's a Perl command to straight up rip it out, and there's also, I saw someone post like a little script to do it. I think this one-liner should do it just fine. But clear, reset, sed will kill it too. So if we were to sed on log.txt, that should be perfectly fine now.
We can just go ahead and say clean log.txt. My face is in the way. I realize, I'm sorry. And now we can access that clean log that no longer has those codes in there. We can totally save that as an alias, and I think that's what I had done. Alias, somewhere among these apparently many aliases that zsh prepared for me. Thank you. I appreciate that. So if you want to review that in Sublime Text, where we have a little bit more scroll and Ctrl+F functionality, you certainly could. Again, just trying to showcase some options. If you want to scroll through this, we could. But something that I noted, that I picked up on kind of right as I started to peruse through this, is the kernel information, 4.4.0-116. It's always a good idea just to check if that kernel version is older, outdated, or actually has maybe some vulnerabilities that might let you do some dangerous stuff. So in this case, it's worth passing it to Exploit-DB, right? So we had /opt/exploitdb/searchsploit, and if we just pass that in itself, we got a couple of these Linux kernel entries noted here, and "less than 4.4.0-116" might still be worthwhile. So let's mirror this and take a look at it, see what it can do. Maybe that's going to be a kernel exploit that is a privesc. I'll actually run that again so we can see the rest of the description from that page. It says local privilege escalation. So okay, if we have a kernel exploit that works like that, let's take a look at this and see what we have. subl this guy. Oh, sorry, we should have the Exploit-DB one copied over. Let's /opt/exploitdb/searchsploit and let's mirror that. So now we have this, and let's move that 4.442 to privesc-kernel-exploit. Sure, this is from zsh again auto-suggesting from some previous stuff. privesc-kernel-exploit.c, 16.04 kernel privesc. Looks like a lot of worthy bytes and not a whole lot of comments as to what it does.
So okay, we'll determine whether or not we can, whether it is vulnerable, or whether it didn't get a root shell. So let's try it. You can copy and paste this and slip it in the box that way if you want to. Or again, you can just kind of bring this to your www directory, so you can share that and make it accessible from maybe your Python SimpleHTTPServer that you're pulling stuff down from. So now back on the box, I'm in that help account, right? We can go ahead and wget just as we had done before with LinEnum.sh. Let's get that, what is it called, privesc-kernel-exploit. And now we have that in our current directory and we can play with it. So hopefully we can run gcc. Thankfully we can. So gcc will allow us to compile this C source code. Let's call it privesc or something as an output file. And there weren't any errors. So fingers crossed. Let's try and run privesc. And there we go. Spawning a root shell. Now we are root. A bit of a hack. I'm sure there are plenty of other methods and procedures to go about and solve this; I know that's what I dug out and found. So very, very cool. If you wanted to at this point, you can cd /root, and you'll see that you have the root.txt, which you can go ahead and grab the hash for if you'd like to, but I will not show it to you, so you can snag it on your own. And that's that. That is the box. HelpDeskZ, the support service, looks like it had a little bit of a bug. Worthwhile and cool that we could dig through the source code, and worthwhile that we had to kind of tweak and change that number range in finding the time offset. But we were able to track it down, able to get a reverse shell, and then do a little bit of enumeration that normally, in practice, among other machines and some other scenarios, we would travel down further. We could dig through that LinEnum.sh output more, but you could totally have just found that kernel version with uname -a, and you would see that.
And if you wanted to give that to searchsploit, you certainly could. That would bring you down the same path we did just now. So, well, I hope you guys enjoyed this. Hope you guys liked this. This was kind of fun, kind of cool. Very, very first time I've been able to share a Hack The Box box on the channel. Hopefully I'll be able to get it in time before it retires, and we'll keep doing some more of these. So thank you guys for watching. Thank you for listening. If you did like this video, please do like, comment and subscribe. There's a link in the description to join our Discord server; I'd be loving to see you. I'm running out of words. I'm bad at these. I'm bad at the outros. If you'd like to support the channel, I'd love to see you on Patreon. I'd love to see you on PayPal. Thanks so much. Until next time.