TheNotebook - HackTheBox


I started by doing a scan with Nmap to detect open ports.

┌──(root💀kali)-[/home/wackyh4cker/HTB/TheNotebook]
└─# nmap -sS --min-rate=5000 --open -v -n 10.10.10.230 -oN targeted
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-31 19:12 CEST
Initiating Ping Scan at 19:12
Scanning 10.10.10.230 [4 ports]
Completed Ping Scan at 19:12, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:12
Scanning 10.10.10.230 [1000 ports]
Discovered open port 80/tcp on 10.10.10.230
Discovered open port 22/tcp on 10.10.10.230
Completed SYN Stealth Scan at 19:12, 0.47s elapsed (1000 total ports)
Nmap scan report for 10.10.10.230
Host is up (0.15s latency).
Not shown: 997 closed ports, 1 filtered port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds
       	Raw packets sent: 1014 (44.592KB) | Rcvd: 1009 (40.356KB)

I ran another scan to detect the service version on each open port.

┌──(root💀kali)-[/home/wackyh4cker/HTB/TheNotebook]
└─# nmap -sC -sV -p22,80 10.10.10.230 -oN webscan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-31 19:12 CEST
Nmap scan report for 10.10.10.230
Host is up (0.069s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh 	OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
|   256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open  http	nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.04 seconds

With two ports open, I started by looking at the web server; this is what I found.

[Screenshot: main page]

I signed up and was redirected to this dashboard.

[Screenshot: dashboard after signing up]

I created a note and tried various HTML and JavaScript injections, but it was not vulnerable to XSS or HTML injection. I then intercepted the request to see what was going on behind the scenes and found a cookie that caught my attention.

[Screenshot: JWT cookie in the intercepted request]

It appeared to be a JWT (JSON Web Token). I copied the cookie and pasted it into jwt.io to see the decoded JSON, and found the following.

[Screenshot: decoded token in jwt.io]

The token's header pointed to a private key on localhost, which I had no way of accessing, so I thought about creating my own key with OpenSSL and serving it from my machine with a Python web server. I started by creating the private key with the following command.

openssl genrsa -out privKey.key 2048

I started a Python web server on port 7070, the port the victim's private key was served from, changed the key URL in the token to my own IP address, set admin_cap to 1, and pasted my private key into the box on the left.

[Screenshot: modified token in jwt.io]

I copied the encoded token and used it to replace the cookie the page had given me.

[Screenshot: admin panel obtained]
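The weakness behind the token forgery above is that the server loads its verification key from whatever location the token's own header names. As an added example, not code from this writeup or from the application on the box, the following Python shows how a server should resolve the key instead: the kid is treated as an opaque name looked up in a server-side table, anything that looks like a URL or a path is refused before any lookup, and the algorithm is pinned. The key ids and secrets are constructed, and the signature step uses HMAC-SHA256 from the standard library rather than the RSA key used on the machine; the key-resolution rule is the same for either.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; not the application's real key ids or keys.
ALLOWED_ALGS = {"HS256"}
LOCAL_KEYS = {"notebook-key-1": b"constructed-demo-secret-not-for-reuse"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token(header: dict, payload: dict, key: bytes) -> str:
    """Encode and HMAC-SHA256 sign a token with an arbitrary header and key.

    The issuer below uses it with a server-held key; the self-checks use it
    to construct tokens signed with a key the server does not hold.
    """
    h64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"


def issue_token(payload: dict, kid: str = "notebook-key-1") -> str:
    """Issue a token signed with a server-held key; kid is an opaque name only."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    return build_token(header, payload, LOCAL_KEYS[kid])


def resolve_key(header: dict) -> bytes:
    """Map the header's kid to a server-side key, never to a location."""
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("missing kid")
    # The token must not choose where the key comes from: reject anything
    # resembling a URL or filesystem path before touching the key table.
    if "://" in kid or "/" in kid or "\\" in kid or ".." in kid:
        raise ValueError("kid must be an opaque identifier, not a location")
    key = LOCAL_KEYS.get(kid)
    if key is None:
        raise ValueError("unknown kid")
    return key


def verify_token(token: str) -> dict:
    """Return the verified claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side: 'none' and algorithm switching are refused.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    key = resolve_key(header)
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(p64))


def admin_cap(token: str) -> int:
    """Return the verified admin_cap claim; any token that fails verification is 0."""
    try:
        return int(verify_token(token).get("admin_cap", 0))
    except (ValueError, TypeError, AttributeError):
        return 0
```

A token whose kid is rewritten to point at another host, as in the writeup, fails at resolve_key before its signature is even examined, and a token with the correct kid but signed with a key the server does not hold fails the signature comparison.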

The panel changed: now there was a section that allowed me to upload files.

[Screenshot: file upload section]

I immediately tried to upload a PHP reverse shell; I used the one from pentestmonkey.

[Screenshot: upload]

It let me upload it. I hit save with a netcat listener running on port 443 and gained access to the machine.

[Screenshot: reverse shell]
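The upload form accepted a PHP file and the web server then executed it. As an added example, not code from this writeup or from the application, here is a Python upload handler that accepts only an allowlisted extension taken from the final suffix, checks the file's leading bytes against that extension, stores it under a random server-chosen name without the execute bit, and expects the store directory to live outside the document root. The allowed types and the size limit are constructed policy values.

```python
import secrets
import stat
import tempfile
from pathlib import Path

# Constructed policy for this example, not the application's own.
# Allowed extension -> bytes the content must start with (None: no fixed
# signature, such as plain text).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".txt": None,
}
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> str:
    """Return the permitted extension for this upload or raise ValueError.

    The client-supplied name is used only to pick the extension: directory
    parts are dropped and only the final suffix counts, so 'shell.php' is
    refused and 'shell.php.png' can never be stored as a .php file.
    """
    base = Path(filename.replace("\\", "/")).name
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    signature = ALLOWED_TYPES[ext]
    if signature is not None and not data.startswith(signature):
        raise ValueError(f"content does not look like {ext}")
    if signature is None:
        # Plain text: refuse anything that is not valid UTF-8 text.
        try:
            data.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("text upload is not UTF-8") from exc
    return ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True when validate_upload would accept the file."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def store_upload(filename: str, data: bytes, store_dir: Path) -> Path:
    """Validate and write the file under a random name chosen by the server.

    store_dir should be outside the web root and served, if at all, through a
    handler that sends files as attachments. The file is created without the
    execute bit and never overwrites an existing one.
    """
    ext = validate_upload(filename, data)
    store_dir.mkdir(parents=True, exist_ok=True)
    dest = store_dir / f"{secrets.token_hex(16)}{ext}"
    with open(dest, "xb") as fh:
        fh.write(data)
    dest.chmod(0o640)
    return dest


def demo_store() -> tuple:
    """Self-check: store a constructed PNG with a hostile name into a temp dir
    and return the stored suffix and permission bits."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG prefix
    with tempfile.TemporaryDirectory() as tmp:
        dest = store_upload("../../shell.php.png", png, Path(tmp))
        return dest.suffix, stat.S_IMODE(dest.stat().st_mode)
```

With this in place the pentestmonkey-style upload from the writeup is refused at the extension check, and a PHP payload renamed to an image extension is refused at the signature check.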

After some work to get a proper TTY and some digging around the machine, I found a file called home.tar.gz that caught my eye, so I decided to transfer it to my machine with netcat.

[Screenshot: transferring home.tar.gz]

Unzipping it, I saw that it was a home directory; inside I found an SSH private key, an id_rsa. I also needed to find out which user to switch to, and along the way I found a directory called noah.

[Screenshot: contents of the extracted home directory]

I set 600 permissions on the id_rsa and tried connecting via SSH as the noah user, and it worked.

[Screenshot: SSH access]

I was now able to view the user flag.

[Screenshot: user flag]


PRIVILEGE ESCALATION

Now all that was left was the privilege escalation. Running sudo -l, I saw that I could run Docker with sudo privileges.

[Screenshot: sudo -l output]

I ran it with bash and got a shell through Docker, but this was not an escalation, as it was only inside a container. I then looked at the Docker version.

[Screenshot: Docker version]

I searched Google for an exploit for that version and found the following PoC.

[Screenshot: Docker exploit PoC]

I brought it to my machine and modified the line that executed the command, setting it to give 777 permissions to /etc/passwd.

[Screenshot: modifying the exploit]

I compiled the exploit and transferred it to the victim server, specifically into the Docker session, then ran the exploit while starting another Docker session at the same time.

[Screenshot: downloading the exploit]

I replaced the x in /etc/passwd with a password hash I had previously created with OpenSSL, ran sudo su, entered the password OpenSSL had generated for me, and gained root access. I could now view the flag.

[Screenshot: root shell]
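Both escalation steps above leave traces a defender can check for: a sudo rule that lets a user run docker (which is equivalent to root on the host), and an /etc/passwd that has become group- or world-writable or that carries a password hash in place of the x. As an added example, not part of this writeup, the following Python auditor checks the passwd file's mode and entries and scans sudoers text for docker rules. The passwd and sudoers content used in its self-checks is constructed; run directly, it audits the local host, reading /etc/passwd and, where permitted, /etc/sudoers.

```python
import re
import stat
from pathlib import Path

DOCKER_RULE = re.compile(r"\bdocker\b")


def passwd_findings(passwd_text: str) -> list:
    """Flag entries whose password field is not deferred to /etc/shadow,
    empty password fields, and extra UID 0 accounts."""
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"passwd line {n}: malformed entry")
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"passwd line {n}: {user} has an empty password field")
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Exactly the change made in the writeup: a hash written into
            # the second field so that su/sudo accept a chosen password.
            findings.append(f"passwd line {n}: {user} has a password hash in /etc/passwd instead of /etc/shadow")
        if uid == "0" and user != "root":
            findings.append(f"passwd line {n}: {user} has UID 0")
    return findings


def passwd_mode_findings(mode: int) -> list:
    """Flag a passwd file that anyone other than the owner can write to."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"/etc/passwd is writable by group or others (mode {stat.S_IMODE(mode):04o})")
    return findings


def sudoers_findings(sudoers_text: str) -> list:
    """Flag sudo rules that allow docker: any such rule is root-equivalent."""
    findings = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#") or rule.startswith("Defaults"):
            continue
        if DOCKER_RULE.search(rule):
            findings.append(f"sudoers line {n}: docker runnable via sudo ({rule})")
    return findings


def audit_host(passwd_path: str = "/etc/passwd", sudoers_path: str = "/etc/sudoers") -> list:
    """Run all checks against the local host and return the findings."""
    findings = []
    passwd = Path(passwd_path)
    findings += passwd_mode_findings(passwd.stat().st_mode)
    findings += passwd_findings(passwd.read_text())
    try:
        findings += sudoers_findings(Path(sudoers_path).read_text())
    except (PermissionError, FileNotFoundError):
        findings.append(f"{sudoers_path}: not readable, rerun as root to check sudo rules")
    return findings


if __name__ == "__main__":
    for finding in audit_host():
        print(finding)
```

The mode check only sees the bits at the moment it runs; the 777 set by the exploit in the writeup would be caught by a periodic run or by file-integrity monitoring on /etc/passwd, while the hash-in-passwd check catches the edit itself even after permissions are restored.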
