# HackTheBox-Notebook ## Rustscan ``` rustscan -a 10.129.84.245 -- -A -sC -sV .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Real hackers hack time ⌛ [~] The config file is expected to be at "/root/.rustscan.toml" [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers [!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. Open 10.129.84.245:22 Open 10.129.84.245:80 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwjrB05nGUvacI81YxNqy+6WpPHhIju6c73aoiru9nW/aVhTmOEsSOGoChEXeQeDN67ZN5QW4LFf0tXeQeJqvgO82HtFkUOiN8tt1RpI98S V+hx8scCzpmtAyu1OJSUM3/cL2tEPTcPHAgHTmroWiXxIMPhTFLIoDVBIqmBrORUIwgjIzFUbEDQJXKPkFciofbowVOkHnT+lv5XokU6571wrX/LRJvTNBEAvbbz0HAfvUkne8ycQsW08qk/Bugi LnJHLg24YryGdHl5RqqW/42fsUADngFLncy2+/XCo8Pe/erO+7Zw6r4n1qVb0W0BZ+lRflcRss3diM/21R6O0z | 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLeuBF/ZBUM0ZBYW4+vgQMhIPWVs2fzv9lmQHoflWFNMP/sFWZDeVneJE0CRSLnYi2y/wwc079 bIsQRibay3Fpg= | 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg0mzA1xTe9hivlJN4s+7eXaiyIYefpyykHIir3btEA 80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu) |_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2 | http-methods: |_ Supported Methods: GET HEAD OPTIONS |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: The Notebook - Your Note Keeper ``` ## PORT 80 (HTTP) I went to `login` page and tried basic sqli Tried `admin:admin` And got this error so we know that `admin` user exists Then I decide to register an account After registering an account I tried to to do some stuff with HTML but saw couldn't do anything On running `dirsearch` I didn't found anything So I decided to intercept the request with `burp suite` and found a base64 encoded cookie Which I then took it to cyberchef Alternatively it is best to vist https://jwt.io Now we want to create our own key and host it on port 7070 https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9 Notice we have two keys public and private we want the public to be hosted and rename it to `privKey.key` Notice we have added `admin_cap =true` and changed the `kid` to our machine now copy the whole encoded text and replace it with the cookie Notice we will see `admin panel` I decide to upload `phpbash.php` which give us a nice sessions on the web browser Running linpeas we can see that there's docker installed on the box We can also see IPTABLES have docker rules configured I tried connecting to docker with `docker -H 127.0.0.1:10101`, `127.0.0.1:8080` but was doing it wrong maybe Going back to the website as admin I saw some notes which I was able to view Here Noah says that he has some files in `backups` We can see `home.tar.gz` I started a python server on target machine and transfer that gz archive So we have ssh keys for user `noah` This `*` will accept any argument so let's see if we can run commands on the container Appearently there's a CVE for docker exec https://github.com/Frichetten/CVE-2019-5736-PoC Download the `golang` file and compile it on your machine Set SUID on bash in `payload` Then compile the golang source code with `go build docker.go` transfer that binary to docker container execute it and in the same time execute `sh` on docker Or if we simply want a reverse shell we could use a bash reverse shell payload instead of making /bin/bash a SUID