HackTheBox — TheNotebook

5 min readJul 31, 2021

Nmap Scan

We start with nmap to find open ports on the machine.

nmap -sC -sV -oA thenotebook 10.10.10.230

Nmap scan report for 10.10.10.230
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
|   256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_  256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp    open     http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

We have Two open ports, ssh on port 22 and http on port 80 and they don’t have any serious vulnerabilities (just google the service version followed by “exploit”) . Nothing to do with ssh as we don’t have any credentials, so lets check port 80.

Enumeration

I checked the page source code but nothing there, i also ran gobuster and found /admin directory that returns 403 forbidden.

Lets register an account and launch our proxy (ZAP or Burp suite) to understand the request being sent.

Then i intercepted the request and found a cookie “auth” which is a JWT token.

Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6ImVtYm8iLCJlbWFpbCI6ImVtYm9AZW1iby5jb20iLCJhZG1pbl9jYXAiOjB9.DRA8EpL1uaL7OtGuN-mBu3vibT-vJ0UoImc48pwmhzd5IhWUScg1rcj0r2jCjhmyNORJ4Ec0kOpGOoEFi94sVAtbzbd5AYWfO5nHWr87UU88sfjZrGJWtldX1VVTcQ_Yg9nHZwkD4YkbiQZXKaqkhe3n0Kl7hUQ5QV7Jyfn2N6pTEK27dN46HcgaaL8H-wowfsKp0As-HcTuFf6Y2TjfhwYbye7pdzcDXa9v9rzMAXgh4t4P7kyd2JaGP3SRcCKCpYicdZ_awvSdIrH7bf68ljZW0s0-myNiFEI2yjRqYhPBs0YUn5U_Fp932rD-T7QMssUK0hcT3wd-Oqv7JJXltHh6VVNanrWDXZVb2HJaFal-zpIx5ORBRfAqErl9aGesUP-vD0cHuKGErUDjlC_mwgh8RPlOq1hMqBW0UdPjePpB6m_xJGv07gwkVn6WrmPvK_vspuU7qrsDan7lhTgKLb7Jk7yEHzFsryYQH1Xsuposkm3DsvM0rmd11mXXgHUqPQVpkfkcAQvpjb242qoQNK0-nfs1qfiU1AOfQBm6EdBubbbY8HGRqbcJsXk2n1BmGWhrB2EKis_F-fSZM6oKYuOtchmSEbpsQBx09wPeQyMtFdfOM6Z5SKIFaKZ1anxqEocXDobB_W8CaheJZ-wMVXm9iM9YWhkNKxqSChSgOVk; uuid=08bc057c-18c8-4661-b8f8-d3227d0fc4a7

So i opened jwt.io and pasted the token to decode it.

The key in kid parameter is used to secure the token header. So i am going to host a new private key on my server and create a new token based on that key.

openssl genrsa -out privKey.key 2048
python3 -m http.server

Initial Foothold

Now lets change the kid parameter value to my private key path and also paste the private key in verify signature section and change admin_cap to 1.

Then copy the token and replace it with ZAP (or firefox developer’s tool) and try to visit /admin.

And we got access to /admin. There is View Notes and Upload Files.

There is a note from the admin says that they have an issue where PHP files are being executed :/. This can be a potential security issue for the server.

Lets try to upload a php reverse shell and run a netcat listener. And the file has been uploaded successfully, now click view.

And we got a shell on the box as www-data.

Lateral Movement

While enumerating the box, i found .bash_history in /var/www/

The owner of the box just did cd /var/backups/ and ran a web server on this directory.

Going to /var/backups/, there is a file that has read permission for anyone home.tar.gz.

So lets do the same as he did, lets download the file to our machine and extract it tar -xzvf home.tar.gz. It is the home directory of user noah, so lets get noah's ssh private key and login with it.

Getting root

Running sudo -l we can run docker exec -it webapp-dev01* as root

Also checking the docker version (18.06.0-ce)

Looking for an exploit for this version, found this github repo.

https://github.com/Frichetten/CVE-2019-5736-PoC

How do i run it?

Modify the code however you see fit and compile it with go build main.go. Move that binary to the container you'd like to escape from. Execute the binary, and then the next time someone attaches to it and calls /bin/sh your payload will fire.

Running the exploit on the docker as described in the repository…