CTF-Writeups/HackTheBox/Notebook.md
2021-08-01 08:00:43 +05:00


HackTheBox-Notebook

Rustscan

```
rustscan -a 10.129.84.245 -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.84.245:22
Open 10.129.84.245:80
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwjrB05nGUvacI81YxNqy+6WpPHhIju6c73aoiru9nW/aVhTmOEsSOGoChEXeQeDN67ZN5QW4LFf0tXeQeJqvgO82HtFkUOiN8tt1RpI98SV+hx8scCzpmtAyu1OJSUM3/cL2tEPTcPHAgHTmroWiXxIMPhTFLIoDVBIqmBrORUIwgjIzFUbEDQJXKPkFciofbowVOkHnT+lv5XokU6571wrX/LRJvTNBEAvbbz0HAfvUkne8ycQsW08qk/BugiLnJHLg24YryGdHl5RqqW/42fsUADngFLncy2+/XCo8Pe/erO+7Zw6r4n1qVb0W0BZ+lRflcRss3diM/21R6O0z
|   256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLeuBF/ZBUM0ZBYW4+vgQMhIPWVs2fzv9lmQHoflWFNMP/sFWZDeVneJE0CRSLnYi2y/wwc079bIsQRibay3Fpg=
|   256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg0mzA1xTe9hivlJN4s+7eXaiyIYefpyykHIir3btEA
80/tcp open  http    syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
```

PORT 80 (HTTP)

I went to the login page and tried basic SQLi.

Tried admin:admin.

And got this error, so we know that the admin user exists.

Then I decided to register an account.

After registering an account I tried to do some stuff with HTML but saw I couldn't do anything.

On running dirsearch I didn't find anything.

So I decided to intercept the request with Burp Suite and found a base64-encoded cookie.

Which I then took to CyberChef.

Alternatively, it is best to visit https://jwt.io

Now we want to create our own key and host it on port 7070

https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9

Notice we have two keys, public and private; we want the public one to be hosted, and we rename it to privKey.key.

Notice we have added admin_cap=true and changed the kid to our machine.

Now copy the whole encoded text and replace the cookie with it.

Notice we will see the admin panel.
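The forged-cookie steps above only work because the application resolved the token's kid header as a location to fetch a key from, then trusted whatever admin_cap said. As an added example that is not part of this writeup or of the target application, here is how a verifier should treat kid: as an index into a key store it already holds. The example is Python using only the standard library, so it uses HS256 instead of the RSA keys the box used; the key store name, secret, usernames and all sample tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed server-side key store (demo only). The verifier uses nothing but
# the keys it already holds; "kid" selects among them and is never fetched.
KEY_STORE: Dict[str, bytes] = {
    "notebook-2021-07": b"constructed-demo-secret-do-not-reuse",
}

# Pin the algorithm server-side; the token must never choose it.
ALLOWED_ALGS = {"HS256"}


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_decode(segment: str) -> bytes:
    # JWT drops '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_token(header: Dict[str, Any], payload: Dict[str, Any], key: bytes) -> str:
    """Mint an HS256 token; used here only to build sample inputs."""
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str) -> Dict[str, Any]:
    """Return the claims only after the signature checks out.

    Order matters: parse header -> pin alg -> resolve kid locally ->
    check signature -> only then read claims such as admin_cap.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers bad split, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict):
        raise TokenError("malformed token")

    # Rejects "none" and any algorithm confusion attempt.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm not allowed")

    # kid is a lookup key, never a file path or URL. Unknown kid -> refuse.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEY_STORE:
        raise TokenError("unknown kid")
    key = KEY_STORE[kid]

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    # Claims become meaningful only after the signature is verified.
    return json.loads(_b64url_decode(payload_b64))


def is_admin(token: str) -> bool:
    """Authorization decision that fails closed on any verification error."""
    try:
        claims = verify_token(token)
    except TokenError:
        return False
    return claims.get("admin_cap") is True


def swap_payload(token: str, new_payload: Dict[str, Any]) -> str:
    """Replace the payload but keep the old signature (a tampering test vector)."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, _b64url_encode(json.dumps(new_payload).encode()), sig_b64])


# Constructed sample tokens.
HEADER = {"typ": "JWT", "alg": "HS256", "kid": "notebook-2021-07"}
USER_TOKEN = sign_token(HEADER, {"username": "demo", "admin_cap": False}, KEY_STORE["notebook-2021-07"])
ADMIN_TOKEN = sign_token(HEADER, {"username": "admin", "admin_cap": True}, KEY_STORE["notebook-2021-07"])

# Same shape as the forged cookie in the writeup: kid pointing at a host the
# server does not own, admin_cap flipped, signed with a key only the forger has.
# Against this verifier it fails at the kid lookup, before any claim is read.
FORGED_TOKEN = sign_token(
    {"typ": "JWT", "alg": "HS256", "kid": "http://forger.example:7070/privKey.key"},
    {"username": "demo", "admin_cap": True},
    b"forger-controlled-key",
)

# Payload edited in place without re-signing: fails at the signature check.
TAMPERED_TOKEN = swap_payload(USER_TOKEN, {"username": "demo", "admin_cap": True})

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("admin", ADMIN_TOKEN),
                      ("forged", FORGED_TOKEN), ("tampered", TAMPERED_TOKEN)]:
        print(f"{name:9s} admin={is_admin(tok)}")
```

The two properties that defeat the technique in the writeup are the kid lookup (a string that is not a known key name is rejected, whatever it looks like) and reading admin_cap only from a payload whose signature has already been verified with a server-held key.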

I decided to upload phpbash.php, which gives us a nice session in the web browser.

Running linpeas we can see that there's Docker installed on the box.

We can also see iptables has Docker rules configured.

I tried connecting to Docker with docker -H 127.0.0.1:10101 and 127.0.0.1:8080, but was maybe doing it wrong.

Going back to the website as admin, I saw some notes which I was able to view.

Here Noah says that he has some files in backups

We can see home.tar.gz

I started a Python server on the target machine and transferred that gz archive.

So we have SSH keys for user noah.

This * will accept any argument, so let's see if we can run commands on the container.

Apparently there's a CVE for docker exec.

https://github.com/Frichetten/CVE-2019-5736-PoC

Download the golang file and compile it on your machine

Set SUID on bash in payload

Then compile the Go source code with go build docker.go, transfer that binary to the Docker container, execute it, and at the same time execute sh on Docker.

Or, if we simply want a reverse shell, we could use a bash reverse shell payload instead of making /bin/bash SUID.