The Notebook is a Medium machine on the Hack the box. This is the page of the machine. Machine ip address is: 10.10.10.230
As always we have to start our enumeration with nmap scan.
nmap -sC -sV 10.10.10.230
So scan found three services are running. 22 SSH, 80 TCP (Web Server). First, take a look that what kind of page is waiting for us.
This is the main page for the notebook web app. I just tried to register to see if it’s available or not and it worked so we can register to the website and then log in with the credentials.
There is not much option left on the page, we can log out (after login with credentials) and we can add some notes. So I also tried to find some directories with gobuster (bruteforce directory founder) with my cookie. I get my cookie with the help of “burp suite”. Basically, I clicked somewhere after login (even refresh the page) and meanwhile I already opened the intercept proxy option in burp suite so the request was something like
It means we are sending a get request to uuid/notes page and that auth=”” is my cookie. Gobuster command
sudo gobuster dir -u <path> -w <wordlist> -x <what are we looking for> -c <our cookie> -o <output file>
After a while, gobuster also find a path /admin which has 403 http response(Forbidden). Somehow we have to enter that page to create a reverse shell or maybe get rce (remote code execution). I tried few things but none of them worked so finally I decided to check my cookie. I just copy-paste my cookie to jwt.io to see the decoded version of my cookie.
And we can see that our cookie is created with RS256 algorithm, and the private key is taking from localhost:7070/privKey.key, and there is also 3 thing in the payload. Username, email and admin_cap. Most probably if admin_cap is 1 (true) we will be able to open /admin page. But since the private key is in their locale we have to create our own jwt(json web token). I have created a little python script to do that. But before that, we have to create our own rsa-private key with command
openssl genrsa -out private-key.pem 3072
And content of python script is:
Which takes only one parameter, path of our private key and then with new rsa_priv_key it creates a jwt. The important thing in here is we have to change “kid”. So when website try to decode our jwt it’ll use this private-key to open. We just have to give our ip address. After that when we run py script we will have new JWT token to replace cookie.
So we just have to copy-paste that token into our token. Meanwhile, we also have to open a webserver to let thenotebook downloads our private-key.
After taking the new token now we are able to do cookie poisoning the only thing we have to do is change the previous cookie (auth) with our new generated cookie. For that we can again use burpsuite. Basically we have to open intercept on then try to acces /admin page again when request came into the burpsuite we will change cookie auth variable
When we forward the request then we will be able to open admin page
On this page, there is an upload file button that allows us to upload some .php files. So with help of this button, we will upload our reverse.php function. We just have to change the ip address and port in reverse.php, then open a netcat session to listen.
When we upload the reverse.php and open it on the web it gave us to connect opportunity. So now we are in as www-data user. First, we have to be user so I download&run LinEnum.sh file to get some info. After a while, I found that there is a directory called /var/backups
And inside that path, there is a file named “home.tar.gz”. When we unzip it we can see that there is a directory called home and inside it there is private noah/.ssh file. So I copied that ssh key into my computer as id_rsa and now I can connect noah via ssh.
And now we got the user flag! We just have to be root with privelege escalation to finalize the machine. If we run command “sudo -l” we will see that we can run one command as root.
When we use a command
sudo /usr/bin/docker exec -it webapp-dev01 /bin/bash
We will be in a docker container as root. So i tried few ways to escape from docker and I found one thing on page:https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout
That exploit basically overwrites /bin/sh with the given payload. And Github link of that repo is: https://github.com/Frichetten/CVE-2019-5736-PoC
There is only one go file, I copy-paste the file into my locale and changed the payload to get me root.txt
so it basically copies the root/root.txt into home/noah/root.txt. We just have to compile that go code and get in our container with help of wget.
Anddd we have root.txt now.