OSCP Notes
Help #23 SQL injection, eBPF priv esc (Linux)
Nmap Result:
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp  open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
52838/tcp open  unknown
Port 80:
dirsearch result
Links took me to help.htb, so I registered it in /etc/hosts.
Port 3000:
Node.js Express framework
got a hash: 5d3c93182bb20f07b994a7f617e99cff
Cracked the MD5
Now that I'm authenticated, we can try the exploit:
The exploit says that if we submit a ticket with any file attached and then click the attachment, we can proceed.
We need to capture the request made when we click the attachment and save it (here as request.req) so sqlmap can replay it.
Enumerating the databases with sqlmap -r request.req --batch --dbs
found some database names:
support looks interesting.
sqlmap -r request.req -D support --tables
-D selects the database
--tables lists the tables in that database
sqlmap -r request.req -D support -T staff --dump
Dumping all the rows from the staff table.
It automatically cracked the password hash it found:
Administrator : Welcome1
This was the password for the user help.
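Both the MD5 from port 3000 and the staff hash sqlmap cracked are unsalted 32-hex-char hashes, so the same wordlist attack covers them. The script below is an added example (not from these notes, sqlmap, or HelpDeskZ): it identifies a 32-hex-char hash, runs a small wordlist through a few mangling rules of the kind sqlmap's dictionary attack and hashcat rules apply, and cracks rows shaped like a sqlmap --dump. The wordlist and the staff rows are constructed for the demo; the sample hash is computed from "Welcome1" in the script itself, not copied from the box.

```python
import hashlib
import re

# Constructed mini wordlist standing in for rockyou.txt or sqlmap's bundled
# dictionary; the real runs use a far larger list.
WORDLIST = ["password", "admin", "welcome", "helpdesk", "letmein"]

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(text):
    """MD5 of a str as lowercase hex (unsalted, as the dumped hashes were)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def looks_like_md5(h):
    """32 hex chars: MD5 (NTLM and MD4 share the length, so this is a hint,
    not proof; MD5 is just the cheapest thing to try first)."""
    return bool(HEX32.match(h))


def mangle(word):
    """Cheap rule set: case variants plus common suffixes, the kind of
    transformations sqlmap's dictionary attack and hashcat rules apply."""
    bases = [word, word.lower(), word.capitalize(), word.upper()]
    for base in bases:
        yield base
    for suffix in ("1", "123", "!", "2019"):
        for base in bases:
            yield base + suffix


def crack_md5(target, wordlist=WORDLIST, use_rules=True):
    """Return the plaintext whose MD5 matches target, or None."""
    if not looks_like_md5(target):
        raise ValueError("not a 32-hex-char hash: %r" % (target,))
    target = target.lower()
    seen = set()
    for word in wordlist:
        for cand in (mangle(word) if use_rules else (word,)):
            if cand in seen:
                continue
            seen.add(cand)
            if md5_hex(cand) == target:
                return cand
    return None


# Constructed rows in the shape of a sqlmap --dump of a staff table:
# (id, username, password_hash). The first hash is computed here from
# "Welcome1" so the sample is self-consistent; it is not the box's real hash.
SAMPLE_STAFF_ROWS = [
    (1, "Administrator", md5_hex("Welcome1")),
    (2, "support", "0" * 32),  # no wordlist hit expected
]


def crack_dump(rows, wordlist=WORDLIST):
    """Map username -> recovered plaintext for every row we can crack."""
    found = {}
    for _id, user, pw_hash in rows:
        plain = crack_md5(pw_hash, wordlist)
        if plain is not None:
            found[user] = plain
    return found


if __name__ == "__main__":
    for user, plain in crack_dump(SAMPLE_STAFF_ROWS).items():
        print("%s : %s" % (user, plain))
```

Note that "Welcome1" is not in the wordlist; it is recovered only because the rules turn "welcome" into "Welcome1". Without rules the same hash is a miss, which is why a plain wordlist run that fails is not the end of the road.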
I was also able to get a shell with the following exploit:
HelpDeskZ 1.0.2 - Arbitrary File Upload
I uploaded a reverse shell by submitting a ticket and called it
Exploit suggester showed many options:
Dirty COW didn't work for some reason:
Instead, I tried the eBPF exploit below and it worked.
eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995
grlh/get-rekt-linux-hardened.c at master · brl/grlh
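Before running an eBPF verifier exploit like the one linked above, it is worth checking two things that decide whether it can work at all: the kernel version, and whether unprivileged processes may call bpf() at all (kernel.unprivileged_bpf_disabled, which is the standard mitigation). The script below is an added example, not part of these notes or of the grlh exploit. The 4.4 to 4.13 window it uses for CVE-2017-16995 is the commonly cited affected range and is treated here as an assumption: distributions backported the fix inside that window, so "try" means worth attempting, not confirmed exploitable.

```python
import os
import re

# Heuristic version window for CVE-2017-16995 (BPF verifier sign-extension
# bug): 4.4 <= major.minor < 4.14. Assumed from the commonly cited affected
# range; patched distro kernels inside the window are not distinguished.
AFFECTED_MIN = (4, 4)
AFFECTED_MAX = (4, 14)

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"


def parse_release(release):
    """'4.4.0-116-generic' -> (4, 4); raises on junk."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % (release,))
    return int(m.group(1)), int(m.group(2))


def read_sysctl(path=SYSCTL_PATH):
    """Raw sysctl value, or None when the file is absent (the knob exists only
    with CONFIG_BPF_SYSCALL, so absence means no bpf() syscall at all)."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def assess(release, unprivileged_bpf_disabled):
    """Decide whether the eBPF LPE is worth attempting.

    release: the uname -r string.
    unprivileged_bpf_disabled: contents of SYSCTL_PATH ('0' allows
    unprivileged bpf(); '1' or '2' block it) or None if the file is missing.
    Returns (verdict, reason) with verdict 'try' or 'skip'.
    """
    ver = parse_release(release)
    if not (AFFECTED_MIN <= ver < AFFECTED_MAX):
        return "skip", "kernel %d.%d outside the 4.4-4.13 window" % ver
    if unprivileged_bpf_disabled is None:
        return "skip", "bpf() syscall not built in (no %s)" % SYSCTL_PATH
    value = unprivileged_bpf_disabled.strip()
    if value != "0":
        return "skip", "unprivileged bpf() disabled (sysctl=%s)" % value
    return "try", "kernel %d.%d in window and unprivileged bpf() allowed" % ver


if __name__ == "__main__":
    # Live check on the current host; the functions above are pure so the
    # same logic can be run against strings gathered from a target.
    verdict, reason = assess(os.uname().release, read_sysctl())
    print("%s: %s" % (verdict, reason))
```

On a box where Dirty COW fails but this reports "try", the eBPF route is the better bet; where it reports "skip" because the sysctl is 1 or 2, no amount of fiddling with the exploit will get bpf() past the permission check, so move on to other suggester hits.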