6.6 KiB
HackTheBox-Notebook
Rustscan
rustscan -a 10.129.84.245 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.84.245:22
Open 10.129.84.245:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwjrB05nGUvacI81YxNqy+6WpPHhIju6c73aoiru9nW/aVhTmOEsSOGoChEXeQeDN67ZN5QW4LFf0tXeQeJqvgO82HtFkUOiN8tt1RpI98S
V+hx8scCzpmtAyu1OJSUM3/cL2tEPTcPHAgHTmroWiXxIMPhTFLIoDVBIqmBrORUIwgjIzFUbEDQJXKPkFciofbowVOkHnT+lv5XokU6571wrX/LRJvTNBEAvbbz0HAfvUkne8ycQsW08qk/Bugi
LnJHLg24YryGdHl5RqqW/42fsUADngFLncy2+/XCo8Pe/erO+7Zw6r4n1qVb0W0BZ+lRflcRss3diM/21R6O0z
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLeuBF/ZBUM0ZBYW4+vgQMhIPWVs2fzv9lmQHoflWFNMP/sFWZDeVneJE0CRSLnYi2y/wwc079
bIsQRibay3Fpg=
| 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg0mzA1xTe9hivlJN4s+7eXaiyIYefpyykHIir3btEA
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
PORT 80 (HTTP)
I went to login page and tried basic sqli
Tried admin:admin
And got this error so we know that admin user exists
Then I decide to register an account
After registering an account I tried to to do some stuff with HTML but saw couldn't do anything
On running dirsearch I didn't found anything
So I decided to intercept the request with burp suite and found a base64 encoded cookie
Which I then took it to cyberchef
Alternatively it is best to vist https://jwt.io
Now we want to create our own key and host it on port 7070
https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9
Notice we have two keys public and private we want the public to be hosted and rename it to privKey.key
Notice we have added admin_cap =true and changed the kid to our machine
now copy the whole encoded text and replace it with the cookie
Notice we will see admin panel
I decide to upload phpbash.php which give us a nice sessions on the web browser
Running linpeas we can see that there's docker installed on the box
We can also see IPTABLES have docker rules configured
I tried connecting to docker with docker -H 127.0.0.1:10101, 127.0.0.1:8080 but was doing it wrong maybe
Going back to the website as admin I saw some notes which I was able to view
Here Noah says that he has some files in backups
We can see home.tar.gz
I started a python server on target machine and transfer that gz archive
So we have ssh keys for user noah
This * will accept any argument so let's see if we can run commands on the container
Appearently there's a CVE for docker exec
https://github.com/Frichetten/CVE-2019-5736-PoC
Download the golang file and compile it on your machine
Set SUID on bash in payload
Then compile the golang source code with go build docker.go transfer that binary to docker container execute it and in the same time execute sh on docker
Or if we simply want a reverse shell we could use a bash reverse shell payload instead of making /bin/bash a SUID
