<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Helpdeskz on appl3b0y</title>
    <link>https://appl3b0y.com/tags/helpdeskz/</link>
    <description>Recent content in Helpdeskz on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 04 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/helpdeskz/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Help</title>
      <link>https://appl3b0y.com/writeups/help/</link>
      <pubDate>Thu, 04 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/help/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Help&lt;/strong&gt; is an easy Linux box, but it packs in more real-world lessons than most: a &lt;strong&gt;GraphQL&lt;/strong&gt; endpoint that leaks credentials through introspection, a &lt;strong&gt;HelpDeskZ 1.0.2&lt;/strong&gt; install with two known bugs whose public exploits are both broken (so you fix them yourself), a bit of &lt;strong&gt;password reuse&lt;/strong&gt;, and an old &lt;strong&gt;kernel&lt;/strong&gt; that falls to a public CVE.&lt;/p&gt;&#xA;&lt;p&gt;The path: port 3000 runs a Node/Express GraphQL API that all but invites you to query it, and doing so leaks an MD5 hash we crack. Those credentials log us into the HelpDeskZ ticketing app on port 80. HelpDeskZ 1.0.2 has both an authenticated &lt;strong&gt;SQL injection&lt;/strong&gt; and an &lt;strong&gt;arbitrary file upload&lt;/strong&gt;; the Exploit-DB PoCs for both fail on modern Python, so the real work is reading them and reproducing them manually. The SQLi dumps an admin password that is &lt;strong&gt;reused&lt;/strong&gt; for SSH as &lt;code&gt;help&lt;/code&gt;, and the file upload gives a shell directly. Either way we land as &lt;code&gt;help&lt;/code&gt;, and the ancient &lt;strong&gt;4.4.0-116&lt;/strong&gt; kernel gives up root to &lt;strong&gt;CVE-2017-16995&lt;/strong&gt;.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
