HackTheBox — TheNotebook

Nmap Scan

We start with nmap to find open ports on the machine.

nmap -sC -sV -oA thenotebook

Nmap scan report for
Host is up (0.11s latency).
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

We have two open ports: SSH on port 22 and HTTP on port 80. A quick search of the service versions (the version string followed by “exploit”) turns up no serious known vulnerabilities. SSH is not useful yet, as we have no credentials, so let's check port 80.


I checked the page source but found nothing there. I also ran gobuster, which found an /admin directory that returns 403 Forbidden.

Let's register an account and launch our proxy (ZAP or Burp Suite) to understand the requests being sent.

Intercepting the request, I found a cookie named “auth” whose value is a JWT.

Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6ImVtYm8iLCJlbWFpbCI6ImVtYm9AZW1iby5jb20iLCJhZG1pbl9jYXAiOjB9.DRA8EpL1uaL7OtGuN-mBu3vibT-vJ0UoImc48pwmhzd5IhWUScg1rcj0r2jCjhmyNORJ4Ec0kOpGOoEFi94sVAtbzbd5AYWfO5nHWr87UU88sfjZrGJWtldX1VVTcQ_Yg9nHZwkD4YkbiQZXKaqkhe3n0Kl7hUQ5QV7Jyfn2N6pTEK27dN46HcgaaL8H-wowfsKp0As-HcTuFf6Y2TjfhwYbye7pdzcDXa9v9rzMAXgh4t4P7kyd2JaGP3SRcCKCpYicdZ_awvSdIrH7bf68ljZW0s0-myNiFEI2yjRqYhPBs0YUn5U_Fp932rD-T7QMssUK0hcT3wd-Oqv7JJXltHh6VVNanrWDXZVb2HJaFal-zpIx5ORBRfAqErl9aGesUP-vD0cHuKGErUDjlC_mwgh8RPlOq1hMqBW0UdPjePpB6m_xJGv07gwkVn6WrmPvK_vspuU7qrsDan7lhTgKLb7Jk7yEHzFsryYQH1Xsuposkm3DsvM0rmd11mXXgHUqPQVpkfkcAQvpjb242qoQNK0-nfs1qfiU1AOfQBm6EdBubbbY8HGRqbcJsXk2n1BmGWhrB2EKis_F-fSZM6oKYuOtchmSEbpsQBx09wPeQyMtFdfOM6Z5SKIFaKZ1anxqEocXDobB_W8CaheJZ-wMVXm9iM9YWhkNKxqSChSgOVk; uuid=08bc057c-18c8-4661-b8f8-d3227d0fc4a7

So I opened jwt.io and pasted the token to decode it.

The kid (key ID) header parameter tells the server which key to use when checking the token's signature, and here it is a URL (decoding the header gives kid http://localhost:7070/privKey.key), so the server fetches its verification key from a location named inside the token itself. That means the token can choose the key that checks its own signature. So I am going to host a new private key on my server and create a new token signed with that key.

openssl genrsa -out privKey.key 2048
python3 -m http.server
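As an added example (not code from this writeup or from the box's own application), here is a minimal JWT verifier in Python that shows why the kid trick above works and what the fix looks like. To stay standard-library only and run offline it uses HS256 rather than the RS256 of the real token; the key names, the placeholder attacker URL, the sample claims and the "remote fetch" (simulated with a dictionary) are all constructed. The principle is the same: a verifier that resolves kid as a location lets the token pick the key that validates it, while one that treats kid purely as an index into the server's own pinned key set rejects the forged token.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional

# Constructed sample key material (not the box's real keys).
SERVER_KEYS: Dict[str, bytes] = {"server-key-2021": b"constructed-server-secret"}
ATTACKER_KID = "http://attacker-host.invalid/privKey.key"  # placeholder URL, constructed
ATTACKER_KEY = b"constructed-attacker-secret"

# Simulates "fetch whatever the kid points at" without touching the network:
# the host named in the kid answers with a key it controls.
REMOTE_KEYS: Dict[str, bytes] = {ATTACKER_KID: ATTACKER_KEY}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Build a compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def resolve_key_by_fetch(kid: str) -> Optional[bytes]:
    """Weak: treats kid as a location and loads whatever key it names."""
    return REMOTE_KEYS.get(kid) or SERVER_KEYS.get(kid)


def resolve_key_pinned(kid: str) -> Optional[bytes]:
    """Hardened: kid is only a lookup name inside the server's own key set."""
    return SERVER_KEYS.get(kid)


def verify_token(token: str, resolve_key: Callable[[str], Optional[bytes]]) -> Optional[dict]:
    """Return the claims if the signature is valid under the resolved key, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 / bad JSON / bad UTF-8 all subclass ValueError
        return None
    # The algorithm is fixed server-side; the token must not be allowed to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    key = resolve_key(str(header.get("kid", "")))
    if key is None:
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(claims_b64))


def is_admin(token: str, resolve_key: Callable[[str], Optional[bytes]]) -> bool:
    claims = verify_token(token, resolve_key)
    return bool(claims) and claims.get("admin_cap") == 1


def demo() -> Dict[str, bool]:
    """Check a legitimate user token and a forged admin token under both resolvers."""
    legit = sign_hs256({"alg": "HS256", "kid": "server-key-2021"},
                       {"username": "alice", "admin_cap": 0},
                       SERVER_KEYS["server-key-2021"])
    forged = sign_hs256({"alg": "HS256", "kid": ATTACKER_KID},
                        {"username": "alice", "admin_cap": 1},
                        ATTACKER_KEY)
    return {
        "legit_fetch": is_admin(legit, resolve_key_by_fetch),
        "forged_fetch": is_admin(forged, resolve_key_by_fetch),
        "legit_pinned": is_admin(legit, resolve_key_pinned),
        "forged_pinned": is_admin(forged, resolve_key_pinned),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: admin={result}")
```

Under the fetching resolver the forged token is accepted as admin; under the pinned resolver it is rejected because its kid names nothing the server trusts, while the genuine token still verifies. The same rule applies to RS256: the public key used for verification must come from the server's own configuration or a trusted JWKS endpoint chosen by the server, never from a path or URL carried in the token.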

Initial Foothold

Now let's change the kid value to the URL of my hosted private key, paste the private key into the Verify Signature section, and change admin_cap to 1.

Then copy the token, replace the cookie value in ZAP (or in Firefox developer tools), and try to visit /admin.

And we got access to /admin. It offers two functions: View Notes and Upload Files.

There is a note from the admin saying they have an issue where uploaded PHP files are being executed :/. This can be a serious security issue for the server.

Let's upload a PHP reverse shell and start a netcat listener. The file uploads successfully; now click View.

And we got a shell on the box as www-data.

Lateral Movement

While enumerating the box, I found a .bash_history file in /var/www/.

The owner of the box had run cd /var/backups/ and then started a web server in that directory.

In /var/backups/ there is a file, home.tar.gz, that is readable by everyone.

So let's do the same as they did: download the file to our machine and extract it with tar -xzvf home.tar.gz. It is the home directory of user noah, so let's take noah's SSH private key and log in with it.

chmod 600 id_rsa
ssh -i id_rsa noah@

Getting root

Running sudo -l shows that we can run docker exec -it webapp-dev01* as root.

Checking the Docker version gives 18.06.0-ce.

Looking for an exploit for this version, I found this GitHub repo.


How do I run it?

Modify the code however you see fit and compile it with go build main.go. Move that binary to the container you'd like to escape from. Execute the binary, and then the next time someone attaches to it and calls /bin/sh your payload will fire.

Running the exploit in the Docker container as described in the repository…

We got that error when trying to run /bin/sh in the container, and the exploit successfully wrote /tmp/shadow.

Now let's modify main.go to give us a reverse shell instead of copying the shadow file, and recompile it.

Running the exploit again and listening with netcat for the incoming connection…

Got a root shell!

If you find it useful, kindly give me a respect

Linkedin | Github




I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.
