HacktheBox Help: Walkthrough

HacktheBox Chaos Walkthrough
May 24, 2019
Share This:

HacktheBox Help: Walkthrough

Lets Start With Nmap Scan:

GoBuster

Go Buster Revel dir named support

Checking Directory

Uploading Shell

Under Submit a Ticket Section we can upload a file

Now Here attach a phpshell

Dont Mind the error File not Allowed

Help Desk is vulnerable of https://www.exploit-db.com/exploits/40300

Exploiting

Now We can upload our php shell and we also have the exploit

After Reading Script, Helpdeskz rename every file we upload to:

MD5HASH+timezone.php = md5hash.php

We Need To Modify Our Python Exploit

Modified Expolit

import hashlib
import time
import sys
import requests

helpdeskzBaseUrl = "http://10.10.10.121/support/uploads/tickets/"
fileName = "thehackingtutorials.php"

currentTime = int(time.time())

for x in range(0, 1000):
    plaintext = fileName + str(currentTime - x) 
    md5hash = hashlib.md5(plaintext).hexdigest()
    url = helpdeskzBaseUrl+md5hash+'.php'

    print md5hash+'.php'

Now our modified exploit will show lots of filename save them all in a file and run gobuster against it this will show your uploded file

Now our go buster will find our shell and we’ll visit the link to have our shell

READING USER FLAG

Privilege Escalation

Help Box is vulnerable of kernel exploit

Exploit link : https://www.exploit-db.com/exploits/44298

Steps to exploit:

  • Download the exploit
  • transfer exploit to victim box
  • compile the exploit (because its “c” exploit)
  • Run the exploit

I downloaded this exploit to help machine

Now lets compile the exploit

Command : gcc 44298.c -o exploit

Becoming root

We successfully compiled the exploit now lets run the exploit

Reading root flag

Share This:

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: