Find the /support page for a service called HelpDeskZ
FFUF bruteforce
/support page
Port 3000
Find a GraphQL instance running at /graphql
At first I requested the landing page to receive this message:
I tried to enumerate other pages but didn’t get anywhere. I also tried parameter fuzzing with no success.
After doing some research, I found that port 3000 with a node.js instance can be related to GraphQL. HackTricks suggested trying /graphql, which I did with success. It turns out this key term isn't included in common wordlists, like common.txt or directory-list-2.3-medium.txt etc.
Enumerate /graphql for a schema
From the last command we got:
It says there's a missing GET parameter, so I add one:
It says to provide a query string, so I try to add one, using an example query from HackTricks to enumerate the schema and escaping the curly brackets to avoid Bash errors:
After a few unsuccessful tries, I remove the get parameter and replace it with query, which works:
Find user credentials
Enumerate /graphql to discover user credentials (email:hash)
From the output in the browser, we can more clearly see the schema. It shows a User object with the values Username and Password.
HackTricks shows how we can enumerate an object's values:
This exploit suggests we can upload a PHP reverse shell via the Submit Ticket page, and then execute that shell by brute forcing the possible file names. The exploit suggests the uploaded file's name will be derived from an MD5 hash of the current time combined with the original file name:
Create a PHP reverse shell (Ivan Sincek variant) using revshells.com:
Upload the shell when submitting a support ticket on HelpDeskZ:
I get a File is not allowed error:
I uploaded the file by changing its name from shell.php to shell.txt using Burp, but then could not identify the file afterwards.
I found this exploit, which suggests the files are uploaded to /support/uploads/tickets/:
I run the exploit (having set up a listener) and catch the reverse shell:
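As an added defender-side example (not part of the original writeup), the Python below scans constructed web-server access-log lines for the two request patterns this walkthrough relies on: GraphQL introspection and password selection sent through the query GET parameter, and a burst of 404s for hash-named files under /support/uploads/tickets/ followed by a served .php. The IPs, timestamps and hash names are constructed for the sample, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical client IPs, timestamps and
# MD5-looking names) imitating GraphQL enumeration via ?query= and guessing of
# HelpDeskZ upload names (32 hex chars) under /support/uploads/tickets/.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /graphql?query=%7B__schema%7Btypes%7Bname%7D%7D%7D HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /graphql?query=%7Buser%7Busername%2Cpassword%7D%7D HTTP/1.1" 200 140
10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "POST /support/?v=submit_ticket&action=submit HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:05:01 +0000] "GET /support/uploads/tickets/0cc175b9c0f1b6a831c399e269772661.php HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:10:05:01 +0000] "GET /support/uploads/tickets/92eb5ffee6ae2fec3ad71c777531578f.php HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:10:05:01 +0000] "GET /support/uploads/tickets/4a8a08f09d37b73795649038408b5f33.php HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:10:05:02 +0000] "GET /support/uploads/tickets/8277e0910d750195b448797616e091ad.php HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:06:00 +0000] "GET /support/?v=view_tickets HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
HASH_UPLOAD_RE = re.compile(r'^/support/uploads/tickets/[0-9a-f]{32}\.\w+$')
INTROSPECTION_RE = re.compile(r'__schema|__type', re.IGNORECASE)
PASSWORD_RE = re.compile(r'\bpassword\b', re.IGNORECASE)

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, guess_threshold=3):
    """Return (indicator, client_ip) pairs in the order they are first seen."""
    hits = []
    guesses = defaultdict(int)  # client -> count of 404s on hash-named uploads
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = unquote(rec["path"])  # decode %7B etc. so the GraphQL text is visible
        if path.startswith("/graphql"):
            if INTROSPECTION_RE.search(path):
                hits.append(("graphql_introspection", rec["ip"]))
            if PASSWORD_RE.search(path):
                hits.append(("graphql_password_query", rec["ip"]))
        if HASH_UPLOAD_RE.match(path.split("?")[0]):
            if rec["status"] == "404":
                guesses[rec["ip"]] += 1
                if guesses[rec["ip"]] == guess_threshold:  # report once per client
                    hits.append(("upload_name_guessing", rec["ip"]))
            elif rec["status"] == "200" and path.endswith(".php"):
                hits.append(("executable_upload_served", rec["ip"]))
    return hits
```

The last indicator is the one worth alerting on by itself: a PHP file being served from the ticket upload directory means the upload filter and the directory's execution settings both failed.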
There is also an SQLi vulnerability - but not needed
This exploit suggests one of the param[] parameters at
Submit a support ticket and include an attachment (as per the exploit, which says the attachments table needs to be populated for the exploit to work):
I got access to the MySQL DBMS using sqlmap -r request, having captured the GET request that is made when clicking the attachment within the ticket (after viewing the tickets at My Tickets). I won't detail this path any further because, whilst it did reveal a password for root, I could not use it to SSH into the machine.
Shell access
Obtain user.txt
Root user
Enumeration
The Linux kernel is potentially vulnerable (4.4.0-116)
Enumerate the system information:
Find a possible exploit on searchsploit (bottom result):
Kernel exploit
Attempt to transfer a pre-compiled version of the exploit
Having compiled the C code on my attacking machine, I transferred it to the victim and attempted to execute it, but I received an error relating to a missing package of some sort:
This prompted me to see whether I could compile the file on the victim machine instead. Fortunately the victim machine had gcc installed, so I could:
Compile and execute the exploit on the victim to obtain root permissions
Compile the exploit C code and assign the compiled copy executable permissions: