# HackTheBox-Notebook
## Rustscan
```
rustscan -a 10.129.84.245 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.84.245:22
Open 10.129.84.245:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwjrB05nGUvacI81YxNqy+6WpPHhIju6c73aoiru9nW/aVhTmOEsSOGoChEXeQeDN67ZN5QW4LFf0tXeQeJqvgO82HtFkUOiN8tt1RpI98S
V+hx8scCzpmtAyu1OJSUM3/cL2tEPTcPHAgHTmroWiXxIMPhTFLIoDVBIqmBrORUIwgjIzFUbEDQJXKPkFciofbowVOkHnT+lv5XokU6571wrX/LRJvTNBEAvbbz0HAfvUkne8ycQsW08qk/Bugi
LnJHLg24YryGdHl5RqqW/42fsUADngFLncy2+/XCo8Pe/erO+7Zw6r4n1qVb0W0BZ+lRflcRss3diM/21R6O0z
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLeuBF/ZBUM0ZBYW4+vgQMhIPWVs2fzv9lmQHoflWFNMP/sFWZDeVneJE0CRSLnYi2y/wwc079
bIsQRibay3Fpg=
| 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg0mzA1xTe9hivlJN4s+7eXaiyIYefpyykHIir3btEA
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
```
## PORT 80 (HTTP)
I went to `login` page and tried basic sqli
Tried `admin:admin`
And got this error so we know that `admin` user exists
Then I decide to register an account
After registering an account I tried to to do some stuff with HTML but saw couldn't do anything
On running `dirsearch` I didn't found anything
So I decided to intercept the request with `burp suite` and found a base64 encoded cookie
Which I then took it to cyberchef
Alternatively it is best to vist https://jwt.io
Now we want to create our own key and host it on port 7070
https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9
Notice we have two keys public and private we want the public to be hosted and rename it to `privKey.key`
Notice we have added `admin_cap =true` and changed the `kid` to our machine
now copy the whole encoded text and replace it with the cookie
Notice we will see `admin panel`
I decide to upload `phpbash.php` which give us a nice sessions on the web browser
Running linpeas we can see that there's docker installed on the box
We can also see IPTABLES have docker rules configured
I tried connecting to docker with `docker -H 127.0.0.1:10101`, `127.0.0.1:8080` but was doing it wrong maybe
Going back to the website as admin I saw some notes which I was able to view
Here Noah says that he has some files in `backups`
We can see `home.tar.gz`
I started a python server on target machine and transfer that gz archive
So we have ssh keys for user `noah`
This `*` will accept any argument so let's see if we can run commands on the container
Appearently there's a CVE for docker exec
https://github.com/Frichetten/CVE-2019-5736-PoC
Download the `golang` file and compile it on your machine
Set SUID on bash in `payload`
Then compile the golang source code with `go build docker.go` transfer that binary to docker container execute it and in the same time execute `sh` on docker
Or if we simply want a reverse shell we could use a bash reverse shell payload instead of making /bin/bash a SUID
