<!DOCTYPE html>
<html lang="en">
<head>
<!-- Hexo (NexT theme) generated head: charset first, then viewport/theme metadata, icons, stylesheets, the theme's JSON config, SEO/Open Graph metadata and deferred scripts. -->
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<!-- Third-party stylesheets from cdnjs are pinned with integrity (SRI) + crossorigin, so a modified CDN copy is refused by the browser. -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css" integrity="sha256-dABdfBfUoC8vJUBOwGVdm8L9qlMWaHTIfXt+7GnZCIo=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.css" integrity="sha256-zM8WXtG4eUn7dKKNMTuoWZub++VnSfaOpA/8PJfvTBo=" crossorigin="anonymous">
<!-- Theme settings embedded as inert JSON (type="application/json" is data, not executed); presumably read by the deferred theme scripts below — confirm in /js/config.js. -->
<script class="next-config" data-name="main" type="application/json">{"hostname":"owefsad.github.io","root":"/","images":"/images","scheme":"Mist","darkmode":false,"version":"8.23.1","exturl":false,"sidebar":{"position":"right","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"i18n":{"placeholder":"Searching...","empty":"We didn't find any results for the search: ${query}","hits_time":"${hits} results found in ${time} ms","hits":"${hits} results found"}}</script><script src="/js/config.js" defer></script>
<!-- Page metadata: description, Open Graph, article dates/tags, Twitter card and canonical URL. -->
<meta name="description" content="简介help官方评分为4.2, 第一步常规思路扫目录发现helpdeskz, 查找CVE后通过文件上传漏洞+文件名爆破获取webshell获取user.txt, 但是获取root.txt时遇到了问题, suid发现了几个从未遇到的程序, 暂时未利用成功; 文件、配置、服务暂未发现问题. 靶机状态: 已完成">
<meta property="og:type" content="article">
<meta property="og:title" content="HTB_linux_Help">
<meta property="og:url" content="https://owefsad.github.io/HTB-linux-Help.html">
<meta property="og:site_name" content="owefsad">
<meta property="og:description" content="简介help官方评分为4.2, 第一步常规思路扫目录发现helpdeskz, 查找CVE后通过文件上传漏洞+文件名爆破获取webshell获取user.txt, 但是获取root.txt时遇到了问题, suid发现了几个从未遇到的程序, 暂时未利用成功; 文件、配置、服务暂未发现问题. 靶机状态: 已完成">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://owefsad.github.io/HTB-linux-Help/HTB_linux_Help_masscan_nmap.png">
<meta property="og:image" content="https://owefsad.github.io/HTB-linux-Help/HTB_linux_help_webshell.png">
<meta property="og:image" content="https://owefsad.github.io/HTB-linux-Help/HTB_linux_help_userflag.png">
<meta property="og:image" content="https://owefsad.github.io/HTB-linux-Help/HTB_linux_help_suid.png">
<meta property="og:image" content="https://owefsad.github.io/HTB-linux-Help/HTB_linux_help_rootflag.png">
<meta property="article:published_time" content="2019-04-15T15:42:57.000Z">
<meta property="article:modified_time" content="2025-06-21T08:45:38.086Z">
<meta property="article:author" content="owefsad">
<meta property="article:tag" content="privilege_escalation">
<meta property="article:tag" content="cve">
<meta property="article:tag" content="任意文件上传">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://owefsad.github.io/HTB-linux-Help/HTB_linux_Help_masscan_nmap.png">
<link rel="canonical" href="https://owefsad.github.io/HTB-linux-Help.html">
<!-- Per-page theme config, again as inert JSON. -->
<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"en","comments":true,"permalink":"https://owefsad.github.io/HTB-linux-Help.html","path":"HTB-linux-Help.html","title":"HTB_linux_Help"}</script>
<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>HTB_linux_Help | owefsad</title>
<!-- NOTE(review): the Baidu analytics loader is the only remote script without an integrity attribute; SRI cannot pin a script whose content changes, so this is a deliberate trust in that origin and it runs with full page privileges. -->
<script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
<script async src="https://hm.baidu.com/hm.js?2a72b138b6ef81ae123fcd18e91fa843"></script>
<!-- Remaining scripts: SRI-pinned CDN libraries plus same-origin theme scripts, all loaded with defer. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fancyapps-ui/5.0.36/fancybox/fancybox.umd.js" integrity="sha256-hiUEBwFEpLF6DlB8sGXlKo4kPZ46Ui4qGpd0vrVkOm4=" crossorigin="anonymous" defer></script>
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script>
<script src="/js/third-party/fancybox.js" defer></script>
<noscript>
<link rel="stylesheet" href="/css/noscript.css">
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
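<div class="column">
<!-- Site header: brand, mobile navigation toggle, search trigger and the primary menu. -->
<header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
<div class="site-nav-toggle">
<!-- NOTE(review): a <div role="button"> with no tabindex is not keyboard reachable unless the theme's JS adds focus and key handling; a native <button type="button"> would give that for free. -->
<div class="toggle" aria-label="Toggle navigation bar" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<!-- Decorative rule icons: hidden from assistive technology so the link name is just the title text. -->
<i class="logo-line" aria-hidden="true"></i>
<p class="site-title">owefsad</p>
<i class="logo-line" aria-hidden="true"></i>
</a>
<p class="site-subtitle" itemprop="description">owefsad page</p>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger" aria-label="Search" role="button">
</div>
</div>
</div>
<!-- Labelled because the page has more than one <nav> landmark. Icon glyphs are decorative; the text after each one is the link name. -->
<nav class="site-nav" aria-label="Primary">
<ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw" aria-hidden="true"></i>Home</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw" aria-hidden="true"></i>Archives</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw" aria-hidden="true"></i>Categories</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw" aria-hidden="true"></i>Tags</a></li><li class="menu-item menu-item-resume"><a href="/resume/" rel="section"><i class="fa fa-user fa-fw" aria-hidden="true"></i>resume</a></li>
</ul>
</nav>
</header>
<!-- Sidebar: post table of contents (wrapped in noindex markers) and the site overview panel. -->
<aside class="sidebar">
<div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
Table of Contents
</li>
<li class="sidebar-nav-overview">
Overview
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
<div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%96%87%E7%AB%A0%E7%9B%AE%E5%BD%95"><span class="nav-number">1.</span> <span class="nav-text">文章目录</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#helpdeskz"><span class="nav-number">2.</span> <span class="nav-text">helpdeskz</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%8F%90%E6%9D%83"><span class="nav-number">3.</span> <span class="nav-text">提权</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Kernel"><span class="nav-number">4.</span> <span class="nav-text">Kernel</span></a></li></ol></div>
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">owefsad</p>
<div class="site-description" itemprop="description">分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具</div>
</div>
<div class="site-state-wrap animated">
<nav class="site-state" aria-label="Site statistics">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">93</span>
<span class="site-state-item-name">posts</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">6</span>
<span class="site-state-item-name">categories</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">173</span>
<span class="site-state-item-name">tags</span></a>
</div>
</nav>
</div>
<!-- Profile links open in a new tab; rel="noopener" denies the opened page a window.opener handle back to this one. -->
<div class="links-of-author animated">
<span class="links-of-author-item">
<a href="https://github.com/exexute" title="GitHub → https://github.com/exexute" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw" aria-hidden="true"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:1547147759@gmail.com" title="E-Mail → mailto:1547147759@gmail.com" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw" aria-hidden="true"></i>E-Mail</a>
</span>
</div>
</div>
</div>
</div>
</aside>
</div>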
<div class="main-inner post posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="en">
<link itemprop="mainEntityOfPage" href="https://owefsad.github.io/HTB-linux-Help.html">
<!-- Hidden schema.org microdata (author, publisher, post) for crawlers; the hidden attribute keeps it out of the rendered page. -->
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="owefsad">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="owefsad">
<meta itemprop="description" content="分享安全、AI漏洞分析、漏洞研究、技术分享、开源工具">
</span>
<span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
<meta itemprop="name" content="HTB_linux_Help | owefsad">
<meta itemprop="description" content="">
</span>
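<header class="post-header">
<h1 class="post-title" itemprop="name headline">
<!-- The edit link is icon-only, so it carries an aria-label (title alone is not reliably announced); rel="noopener" goes with target="_blank". -->
HTB_linux_Help<a href="https://github.com/owefsad/blog/tree/main/source/_posts/HTB-linux-Help.md" class="post-edit-link" title="Edit this post" aria-label="Edit this post" rel="noopener" target="_blank"><i class="fa fa-pen-nib" aria-hidden="true"></i></a>
</h1>
<!-- Post metadata: publication date (machine-readable via datetime) and category; icons are decorative. -->
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar" aria-hidden="true"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2019-04-15 23:42:57" itemprop="dateCreated datePublished" datetime="2019-04-15T23:42:57+08:00">2019-04-15</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-folder" aria-hidden="true"></i>
</span>
<span class="post-meta-item-text">In</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
</span>
</span>
</div>
</div>
</header>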
<div class="post-body" itemprop="articleBody"><p>简介<br>help官方评分为4.2, 第一步常规思路扫目录发现helpdeskz, 查找CVE后通过文件上传漏洞+文件名爆破获取webshell获取user.txt, 但是获取root.txt时遇到了问题, suid发现了几个从未遇到的程序, 暂时未利用成功; 文件、配置、服务暂未发现问题.</p>
<p>靶机状态: 已完成</p>
<span id="more"></span>
<h2 id="文章目录"><a href="#文章目录" class="headerlink" title="文章目录"></a>文章目录</h2><ul>
<li>helpdeskz</li>
<li>Kernel</li>
</ul>
<p>端口扫描之后发现开放22、80、3000三个端口, 80和3000分别是apache和nodejs, 均有利用价值.<br><img src="/HTB-linux-Help/HTB_linux_Help_masscan_nmap.png" alt="masscan_nmap"></p>
<h2 id="helpdeskz"><a href="#helpdeskz" class="headerlink" title="helpdeskz"></a>helpdeskz</h2><p>访问80端口发现是一个<code>helpdeskz</code>的开源程序, 查exploit-db后发现, 2016和2017年分别公开了任意文件上传、sql注入和文件下载漏洞, 根据任意文件上传poc中的提示上传文件后提示<strong>文件不被允许</strong>. 此时已经<strong>想放弃</strong>了, 然后在官网论坛中得到一个提示: 不要用exploit-db中公开的poc脚本, 仔细阅读源码. 于是下载对应版本的helpdeskz程序, 开始查看提交tickets处的代码, 发现虽然提示文件不被允许但是文件已经被上传到服务器中, 可通过exploit-db中提供的poc脚本爆破文件名. 然后得到webshell.<br><img src="/HTB-linux-Help/HTB_linux_help_webshell.png" alt="web_shell"></p>
<p>然后获得<code>user.txt</code>, 拿到用户flag.<br><img src="/HTB-linux-Help/HTB_linux_help_userflag.png" alt="user.txt"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>这个靶机中上传的webshell会被定期清理掉, 因此很难维持访问.<br>提权思路:</p>
<ul>
<li>文件(硬编码、suid)</li>
<li>计划任务</li>
<li>配置(sudoers)</li>
<li>服务(mysql、redis等)</li>
<li>进程</li>
</ul>
<p>提权的时候可以说是绞尽脑汁, 获取webshell后先查suid文件, 发现几个可疑的suid文件<br><img src="/HTB-linux-Help/HTB_linux_help_suid.png" alt="suid_file"></p>
<p>然后线索断掉了, 始终未找到提权的方法.</p>
<h2 id="Kernel"><a href="#Kernel" class="headerlink" title="Kernel"></a>Kernel</h2><p>仔细看一下上面的提权步骤就可以发现, 本渣忘记做内核提权的检查了.<br><strong>方法</strong> 进入靶机, 通过<code>uname -a</code>查看内核信息, 然后把这段信息丢到google上搜索, 直接看到<code>CVE-2017-16995</code>, 在靶机上编译exp即可实现提权.<br><strong>tips</strong> exp原意是产生一个root shell的, 但是运行之后发现并没有shell产生, 于是修改exp将运行bash的命令改为读取root.txt的命令, 成功拿到flag.<br><img src="/HTB-linux-Help/HTB_linux_help_rootflag.png" alt="root_flag"></p>
</div>
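<footer class="post-footer">
<!-- Post footer: other channels (WeChat QR, QQ), tags and previous/next navigation. -->
<div class="followme">
<span>Welcome to my other publishing channels</span>
<div class="social-list">
<div class="social-item">
<span class="social-link">
<span class="icon">
<i class="fab fa-weixin" aria-hidden="true"></i>
</span>
<span class="label">WeChat</span>
</span>
<!-- The QR image is the channel itself, so it needs a descriptive alt rather than none. -->
<img class="social-item-img" src="/uploads/wechat-qcode.jpg" alt="WeChat QR code">
</div>
<div class="social-item">
<!-- target="_blank" is paired with rel="noopener" so the opened document gets no window.opener handle, matching the other new-tab links on the page. -->
<a class="social-link" href="/uploads/avatar.gif" rel="noopener" target="_blank">
<span class="icon">
<i class="fab fa-qq" aria-hidden="true"></i>
</span>
<span class="label">QQ</span>
</a>
</div>
</div>
</div>
<div class="post-tags">
<a href="/tags/privilege-escalation/" rel="tag"># privilege_escalation</a>
<a href="/tags/cve/" rel="tag"># cve</a>
<a href="/tags/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/" rel="tag"># 任意文件上传</a>
</div>
<!-- Previous/next post links; rel="prev"/"next" expose the sequence to browsers and crawlers, arrow icons are decorative. -->
<div class="post-nav">
<div class="post-nav-item">
<a href="/Malware-analysis-php.html" rel="prev" title="Malware_analysis_php">
<i class="fa fa-angle-left" aria-hidden="true"></i> Malware_analysis_php
</a>
</div>
<div class="post-nav-item">
<a href="/HTB-linux-chaos.html" rel="next" title="HTB-Linux-Chaos">
HTB-Linux-Chaos <i class="fa fa-angle-right" aria-hidden="true"></i>
</a>
</div>
</div>
</footer>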
</article>
</div>
</div>
</main>
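<footer class="footer">
<!-- Site footer: copyright range and author; the heart glyph is decorative. -->
<div class="footer-inner">
<div class="copyright">
© 2017 –
<span itemprop="copyrightYear">2025</span>
<span class="with-love">
<i class="fa fa-heart" aria-hidden="true"></i>
</span>
<span class="author" itemprop="copyrightHolder">owefsad</span>
</div>
</div>
</footer>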
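<!-- Floating controls. NOTE(review): both role="button" <div>s lack tabindex, so they are mouse-only unless the theme's JS adds focus and key handling; the sidebar toggle had no accessible name at all, so one is added here. -->
<div class="toggle sidebar-toggle" role="button" aria-label="Toggle sidebar">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
<div class="sidebar-dimmer"></div>
<div class="back-to-top" role="button" aria-label="Back to top">
<i class="fa fa-arrow-up fa-lg" aria-hidden="true"></i>
<!-- Presumably overwritten with the scroll percentage by the theme script — confirm. -->
<span>0%</span>
</div>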
<!-- GitHub corner ribbon: named via aria-label, opens in a new tab with rel="noopener"; the SVG is decorative (aria-hidden) and inline, so it needs no extra request. -->
<a href="https://github.com/exexute" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>
<!-- Shown only when JavaScript is disabled; the theme's interactive parts (sidebar, search, lightbox) depend on it. -->
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
</body>
</html>