Help #23 SQL injection, eBPF priv esc (Linux)


Nmap Result:

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

52838/tcp open  unknown

port 80:

dirsearch result


Links Took me to help.htb so I registered them on /etc/hosts file.

Port 3000:

Node.js Express framework

got a hash: 5d3c93182bb20f07b994a7f617e99cff

Cracked the MD5


Now I'm authenticated, so we can try using the exploit:

The exploit suggests if we submit a ticket with a random file, and click it, we can proceed.

We need to copy the request we make when we click the attachment.

dumping databases with sqlmap -r request.req --batch --dbs

found some database names:

support looks interesting.

❯ sqlmap -r request.req -D support --tables ─

-D database

--dump table names

sqlmap -r request.req -D support -T staff --dump

dumping all the info from the table.

it automatically cracked password that it found.

Administrator : Welcome1

This was the password for the user help


I was also able to get a shell with the following exploit

HelpDeskZ 1.0.2 - Arbitrary File Upload

I uploaded a reverse shell via submitting a ticket and called it

Exploit suggester showing so many options:


dirty cow didn't work for some reason:

Instead, I tried the exploit and it worked.

Last updated