Help #23 SQL injection, eBPF priv esc (Linux)
Help:
Nmap Result:
Port 80:
dirsearch result:
/support
The links took me to help.htb, so I registered it in the /etc/hosts file.
Port 3000:
helpme@helpme.com
Got a hash: 5d3c93182bb20f07b994a7f617e99cff
Cracked the MD5
godhelpmeplz
Now I'm authenticated, so we can try using the exploit:
The exploit suggests that if we submit a ticket with a random file attached and then click the attachment, we can proceed.
We need to copy the request we make when we click the attachment.
Dumping the database names with `sqlmap -r request.req --batch --dbs`
found some database names:
support looks interesting.
`sqlmap -r request.req -D support --tables`
`-D` selects the database
`--tables` dumps its table names
sqlmap -r request.req -D support -T staff --dump
Dumping all the info from the table.
It automatically cracked the password hash that it found.
Administrator : Welcome1
This was the password for the user help
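The whole chain above works because a request parameter is pasted into SQL text, so sqlmap can rewrite the query. The following is an added example (not HelpDeskZ code and not part of the original writeup) that puts the vulnerable pattern beside the fix, using an in-memory SQLite database with a constructed `attachments` table; the table and column names are assumptions, not HelpDeskZ's schema.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for a helpdesk attachment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attachments (id INTEGER PRIMARY KEY, ticket_id INTEGER, filename TEXT)"
    )
    conn.executemany(
        "INSERT INTO attachments VALUES (?, ?, ?)",
        [(1, 10, "screenshot.png"), (2, 11, "log.txt")],
    )
    return conn

def get_attachment_vulnerable(conn, attachment_id):
    """String concatenation: the request parameter becomes part of the SQL text,
    so input such as '1 OR 1=1' changes the WHERE clause and returns every row."""
    sql = "SELECT filename FROM attachments WHERE id = " + attachment_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def get_attachment_safe(conn, attachment_id):
    """Type-check the id, then bind it as a parameter. The driver sends the value
    separately from the statement, so it can never alter the query structure."""
    try:
        id_value = int(attachment_id)
    except (TypeError, ValueError):
        return []  # not an integer id: reject rather than guess
    sql = "SELECT filename FROM attachments WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (id_value,))]

def demo():
    """Compare both variants on a benign id and on a classic tautology payload."""
    conn = make_db()
    return {
        "vulnerable_benign": get_attachment_vulnerable(conn, "1"),
        "vulnerable_payload": get_attachment_vulnerable(conn, "1 OR 1=1"),
        "safe_benign": get_attachment_safe(conn, "1"),
        "safe_payload": get_attachment_safe(conn, "1 OR 1=1"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameter binding is the fix; the integer check on top of it is cheap defence in depth and also gives a clean 4xx path for a web application. On the detection side, sqlmap's default User-Agent string and bursts of 500 responses on a single endpoint are the usual signs of this activity in access logs.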
---
I was also able to get a shell with the following exploit
HelpDeskZ 1.0.2 - Arbitrary File Upload
I uploaded a reverse shell by submitting a ticket and called it
Exploit suggester showed so many options:
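The upload path works because the ticket form accepts any attachment and stores it where the web server will execute it. As an added example (mine, not HelpDeskZ code and not from the writeup), here is the validation a ticket-attachment handler should apply: an extension allow-list, a magic-byte check for binary types, rejection of double extensions and path components, and a server-chosen random filename. The allowed extensions are an assumption for the example, not the application's configuration.

```python
import os
import secrets

# Assumed allow-list for a helpdesk; adjust to what the business actually needs.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt", ".log"}

# Leading bytes that each binary type must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

def validate_attachment(filename, data):
    """Return the extension to store under, or None if the upload is rejected."""
    base = os.path.basename(filename)
    # Reject anything with path components or a leading dot (hidden files).
    if base != filename or base.startswith("."):
        return None
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    # Single extension only: 'shell.php.png' has a dot left in the stem and is refused.
    if ext not in ALLOWED_EXTENSIONS or "." in stem or not stem:
        return None
    # Binary types must carry the expected header, so a script renamed to .png fails.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return None
    # Plain-text types must not contain a PHP open tag.
    if ext in {".txt", ".log"} and b"<?" in data:
        return None
    return ext

def stored_name(filename, data):
    """Name the file on disk ourselves; the client-supplied name is never reused."""
    ext = validate_attachment(filename, data)
    if ext is None:
        return None
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    # Constructed inputs for a quick run.
    print(stored_name("screenshot.png", MAGIC[".png"] + b"\x00" * 16))
    print(stored_name("shell.php", b"<?php echo 'x'; ?>"))
```

The random name also removes any predictability in where an upload lands. Independently of this code, the upload directory should be served without script execution (no PHP handler for that location), which is the control that makes a stored script harmless even if validation is bypassed.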
dirtycow:
dirty cow didn't work for some reason:
Instead, I tried the exploit and it worked.
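The privilege escalation relied on an unprivileged user being able to reach the bpf() syscall. As an added example (not from the writeup), this checks the `kernel.unprivileged_bpf_disabled` sysctl, which is the standard mitigation for that exposure: `1` disables unprivileged BPF until reboot, `2` disables it but lets root turn it back on, and `0` leaves it open. The path is the real procfs location; the status labels are my own.

```python
from pathlib import Path

SYSCTL_PATH = Path("/proc/sys/kernel/unprivileged_bpf_disabled")

# Meaning of each sysctl value as documented by the kernel.
STATUS_BY_VALUE = {
    "0": "unprivileged-bpf-allowed",   # any user may load BPF programs
    "1": "disabled",                   # locked until reboot
    "2": "disabled-toggleable",        # disabled, but root may set it back to 0
}

def status_from_value(value):
    """Map the raw sysctl text to a status label ('unknown' for anything unexpected)."""
    return STATUS_BY_VALUE.get(value.strip(), "unknown")

def bpf_hardening_status(path=SYSCTL_PATH):
    """Read the sysctl and classify it; 'unavailable' means the kernel lacks the knob
    or the file could not be read, which should be treated as a finding, not a pass."""
    try:
        return status_from_value(path.read_text())
    except (FileNotFoundError, PermissionError, OSError):
        return "unavailable"

def is_hardened(path=SYSCTL_PATH):
    """True only when unprivileged BPF is currently disabled."""
    return bpf_hardening_status(path) in {"disabled", "disabled-toggleable"}

if __name__ == "__main__":
    print(f"unprivileged_bpf_disabled: {bpf_hardening_status()} (hardened={is_hardened()})")
```

Setting `kernel.unprivileged_bpf_disabled = 1` in a sysctl.d fragment is the persistent form of the control. It is a mitigation, not a patch: the kernel bug itself is fixed only by updating, and the check above is best run as part of a baseline audit alongside the kernel version.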