# Hack The Box - Helpline

## Quick Summary

Hey guys, today Helpline retired and here’s my write-up about it. I really liked this box because it taught me some interesting stuff about Windows internals. The first shell I got on this box was as nt authority\system, which means that I technically rooted the box. But the flags were EFS encrypted, so I had to find a way to read them. It’s a Windows box and its IP is 10.10.10.152; I added it to /etc/hosts as helpline.htb. Let’s jump right in!

## Nmap

As always, we will start with nmap to scan for open ports and services:

We got HTTP on port 8080 and SMB. I tried to list SMB shares, but I couldn’t authenticate anonymously:

## HTTP Initial Enumeration, Administrative Access

On the http port there was an application called ManageEngine ServiceDesk Plus.

I tried some common credentials like admin:admin and guest:guest, which actually worked:

But as guest my capabilities were limited, so I had to elevate to an administrative user. I searched for known vulnerabilities in this application and found this authentication bypass vulnerability. However, to exploit it I needed a valid username:

Luckily, there was another vulnerability, a user enumeration one, which I could exploit as guest.

Before using wfuzz with a long wordlist I tried some common usernames first; administrator was an existing user:

To exploit the authentication bypass vulnerability we have to log in as guest, then navigate to /mc and log out. After that we log in as administrator, using administrator as both username and password, then return to the index page again, and we will be redirected to the dashboard as administrator.

There is also a published exploit that does the same thing automatically:

## RCE

I checked the Admin section and Custom Triggers under Helpdesk Customizer caught my attention.

The description says: “You can define rules to automatically invoke any custom class or script file. The action rules can be applied to a request when it is created, (or received) or edited or both”

I ran a Python HTTP server to host nc.exe, then I created a trigger that executes:

when a request is created (the subject must contain the word test).

The last thing to do is to create a request that runs the trigger:

I edited the trigger and made it execute:

Then I created another request and got a reverse shell as nt authority\system:

## Encrypted Flags

Although I was SYSTEM, I couldn’t read the flags:

That’s because the flags are EFS encrypted:

To decrypt them we need Administrator’s password for root.txt and tolu’s password for user.txt. The first time I solved this box I got the root flag first, as it was easier, but for the write-up I’ll do the user flag first.

## user.txt

Since we need passwords, the first thing I did was to put mimikatz on the box and dump the password hashes.
But before that I had to disable:

The only crackable hash was zachary’s:

But what can we do with zachary?

zachary is a member of a local group called Event Log Readers, so maybe there is something in the event log. I queried the event log with wevtutil and saved the output to a file:

The output was very long, so I searched it for interesting things like usernames; by searching for tolu I got this net use command, which had tolu’s password:

tolu : !zaq1234567890pl!99
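
The credential above was found by grepping a wevtutil export of process-creation events, and that same data is something a defender should be sweeping on a schedule: any password passed on a command line (net use, cmdkey, ConvertTo-SecureString -AsPlainText and friends) ends up in event 4688 and is readable by anyone in Event Log Readers. The script below is an added example, not part of the original write-up or of any tool it uses; it parses a text export in the style of `wevtutil qe Security /f:text`, applies a few detection rules I wrote for this example, and reports each hit with the secret redacted so the report itself can be shared while the exposed account gets rotated. The sample export, the event contents and the rule names are all constructed for the example.

```python
"""Sweep exported Windows process-creation events for command lines that carry
plaintext credentials and report them with the secret redacted.

Added example; the sample export below is constructed, not output from the box."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the style of `wevtutil qe Security /f:text`. Event 4688 is
# the process-creation event; with command-line auditing enabled its description
# carries the full command line, which is where passwords leak.
SAMPLE_EXPORT = r"""Event[0]:
  Log Name: Security
  Event ID: 4688
  Description:
A new process has been created.
Process Command Line: C:\Windows\system32\svchost.exe -k netsvcs

Event[1]:
  Log Name: Security
  Event ID: 4688
  Description:
A new process has been created.
Process Command Line: net use \\fileserver\backup /user:HELPLINE\tolu Hunter2Hunter2

Event[2]:
  Log Name: Security
  Event ID: 4688
  Description:
A new process has been created.
Process Command Line: powershell -c "$p = ConvertTo-SecureString 'S3cret!' -AsPlainText -Force"

Event[3]:
  Log Name: Security
  Event ID: 4688
  Description:
A new process has been created.
Process Command Line: runas /user:HELPLINE\administrator cmd.exe

Event[4]:
  Log Name: Security
  Event ID: 4688
  Description:
A new process has been created.
Process Command Line: cmdkey /add:srv01 /user:svc_backup /pass:BackupPw!
"""

EVENT_HEADER = re.compile(r"^Event\[(?P<idx>\d+)\]:", re.M)
EVENT_ID = re.compile(r"^\s*Event ID:\s*(?P<id>\d+)", re.M)
CMDLINE = re.compile(r"^\s*Process Command Line:\s*(?P<cmd>.+?)\s*$", re.M)
ACCOUNT = re.compile(r"/user:(?P<account>\S+)", re.I)

# Detection rules written for this example. Each regex captures the leaked token in
# the group "secret"; the first rule that matches a command line wins.
RULES = [
    ("net use, password after /user:",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>[^/\s]\S*)", re.I)),
    ("net use, password before /user:",
     re.compile(r"\bnet\s+use\s+(?:[a-z]:\s+)?\\\\\S+\s+(?P<secret>[^/\s]\S*)\s+/user:", re.I)),
    ("cmdkey /pass:",
     re.compile(r"\bcmdkey\b.*?/pass:(?P<secret>\S+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)\s+-AsPlainText", re.I)),
    ("generic password switch",
     re.compile(r"(?:password|passwd|pwd|pass)\s*[:=]\s*(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)", re.I)),
]


@dataclass
class Finding:
    event_index: int
    event_id: Optional[int]
    rule: str
    account: Optional[str]      # principal whose password was exposed, when the line names one
    redacted_command: str       # safe to paste into a ticket


def parse_events(export: str) -> List[Tuple[int, Optional[int], str]]:
    """Split a text export into (index, event id, command line); events without a
    'Process Command Line' field are skipped."""
    events = []
    headers = list(EVENT_HEADER.finditer(export))
    for n, head in enumerate(headers):
        end = headers[n + 1].start() if n + 1 < len(headers) else len(export)
        body = export[head.end():end]
        cmd = CMDLINE.search(body)
        if not cmd:
            continue
        eid = EVENT_ID.search(body)
        events.append((int(head.group("idx")), int(eid.group("id")) if eid else None, cmd.group("cmd")))
    return events


def scan(export: str) -> List[Finding]:
    """Apply the rules to every command line and return redacted findings."""
    findings = []
    for idx, eid, cmd in parse_events(export):
        for name, rx in RULES:
            m = rx.search(cmd)
            if not m or m.group("secret") == "*":   # '*' means "prompt for it": nothing leaked
                continue
            acct = ACCOUNT.search(cmd)
            redacted = cmd[:m.start("secret")] + "<REDACTED>" + cmd[m.end("secret"):]
            findings.append(Finding(idx, eid, name, acct.group("account") if acct else None, redacted))
            break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORT):
        print(f"Event[{f.event_index}] id={f.event_id} rule={f.rule!r} account={f.account}")
        print(f"    {f.redacted_command}")
```

Run against a real export (`wevtutil qe Security /f:text > security.txt`, then `scan(open("security.txt").read())`), every finding is an account whose password must be rotated, and the redacted command line tells you which script or habit put it there. The runas event is deliberately in the sample: it names an account but never carries the password, so it must not be flagged.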
tolu is in the Remote Management Users local group:

And WinRM’s port is open:

So I thought of authenticating as tolu to read the flag (I used evil-winrm):

But I still couldn’t read the flag…

I found this guide to decrypting EFS files with mimikatz; by following it I was able to decrypt the user flag.
We need to get the certificate and decrypt the master/private keys (details in the guide mentioned above):

I used nc to transfer the .der and .pvk files to my box:

Then I created the .pfx with openssl:

And finally I imported it and was able to read the flag:

I found later that I could also use Invoke-Command as tolu and would be able to read the flag; I still don’t know why I couldn’t read it from a WinRM session.

We got user.

## root.txt

There was a file called admin-pass.xml in C:\Users\leo\Desktop.

Only leo can read it. leo’s hash was uncrackable, so I looked for other ways to become leo. I wanted to see if I could impersonate leo’s token, so I created a metasploit payload and got a meterpreter session.

And yes, I could impersonate leo’s token:

Now we can read admin-pass.xml:

I used Invoke-Command again and used Get-Content to read admin-pass.xml instead of putting the password in a variable.

We owned root!
That’s it, feedback is appreciated!