HackTheBox — TheNotebook

Nmap Scan

We start with nmap to find open ports on the machine.

nmap -sC -sV -oA thenotebook 10.10.10.230

We have two open ports: SSH on port 22 and HTTP on port 80. Neither service version has any serious known vulnerabilities (just google the service version followed by “exploit”). There is nothing to do with SSH as we don’t have any credentials, so let's check port 80.

Enumeration

I checked the page source code but found nothing there. I also ran gobuster and found an /admin directory that returns 403 Forbidden.

Let's register an account and launch our proxy (ZAP or Burp Suite) to understand the requests being sent.

Then I intercepted the request and found a cookie named “auth”, which is a JWT token.

So I opened jwt.io and pasted the token to decode it.

The kid parameter in the token header points to the key used to verify the token's signature. So I am going to host a new private key on my server and create a new token signed with that key.

Initial Foothold

Now let's change the kid parameter value to the path of my private key, paste the private key into the verify signature section, and change admin_cap to 1.

Then copy the token, replace the cookie with it in ZAP (or Firefox developer tools) and try to visit /admin.

And we got access to /admin. There are two features: View Notes and Upload Files.

There is a note from the admin saying that they have an issue where PHP files are being executed :/. This can be a potential security issue for the server.

Let's try to upload a PHP reverse shell and run a netcat listener. The file was uploaded successfully; now click View.

And we got a shell on the box as www-data.

Lateral Movement

While enumerating the box, I found a .bash_history file in /var/www/.

The owner of the box just did cd /var/backups/ and ran a web server from this directory.

Going to /var/backups/, there is a file that is readable by anyone: home.tar.gz.

So let's do the same as he did: download the file to our machine and extract it with tar -xzvf home.tar.gz. It is the home directory of user noah, so let's take noah's SSH private key and log in with it.

Getting root

Running sudo -l shows that we can run docker exec -it webapp-dev01* as root.

Also checking the docker version: 18.06.0-ce.

Looking for an exploit for this version, I found this GitHub repo.

https://github.com/Frichetten/CVE-2019-5736-PoC

How do I run it?

Modify the code however you see fit and compile it with go build main.go. Move that binary to the container you'd like to escape from. Execute the binary, and then the next time someone attaches to it and calls /bin/sh your payload will fire.

Running the exploit in the docker container as described in the repository…

We got that error when trying to run /bin/sh in the container, and the exploit successfully wrote /tmp/shadow.

Now let's modify main.go to give us a reverse shell instead of copying the shadow file, and recompile it.

Running the exploit again and listening with netcat for the incoming connection…

Got a root shell!

If you find it useful, kindly give me a respect
