🔎🦶Enumeration/Foothold

TheNotebook is a Medium box from HTB created by mostwanted002. This box features a CSRF exploit via JWT and a docker exploit. I begin each box by running a RustScan. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. RustScan with NMAP filters shows a website with registration available on Port 80.

NMAP scan shows registration page available.


I register for the site to gain access:

Easy Sign Up registration.


After checking for a CSRF (Cross-site request forgery) token and running Dirbuster, I notice an auth cookie present. I go to JWT.io and decode the cookie. I can see that a private key is being loaded.

JWT showing the private key pointing to localhost 7070.


I used ssh-keygen to create a key and added it into the JWT request.

Creating a key with ssh-keygen.



I changed the JWT request to include my Public and Private keys. I then updated the URL to hit my local python3 webserver and changed the admin_cap to 1.
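The cookie edit described above works because the application fetched its verification key from a location named inside the token itself. As an added example (not the box's application code and not the author's), here is a minimal verifier in both forms: one that trusts the header's key location, as the box did, beside one that uses a pinned server key. It uses HS256 with the standard library instead of the RSA keys on the page, and it assumes the header field is called `kid` and the claim `admin_cap`; the page shows the latter but not the former, and the key locations and secrets below are constructed.

```python
"""Verifying a JWT: key taken from the token header (the flaw on this box) vs. a pinned server key.

Added example; not the box's application code and not from any library on the page.
Assumptions: the key-location header field is "kid", the admin flag is "admin_cap",
and HS256 stands in for the box's RSA keys so this runs with the standard library only.
The flaw and the fix are the same either way: the verifier must choose its key from its
own configuration, never from the token it is checking.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build the sample tokens below."""
    head = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


# Constructed stand-in for "download the key named in the header". On the box the header
# pointed at localhost:7070; the writeup repoints it at a host the attacker controls
# (attacker.example here is a placeholder).
KEY_BY_LOCATION = {
    "http://localhost:7070/privKey.key": b"server-secret",      # the application's real key
    "http://attacker.example/privKey.key": b"attacker-secret",  # key served by the attacker
}

PINNED_KEY = b"server-secret"  # what the hardened verifier uses, taken from server config


def _check_signature(head: str, body: str, sig: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def verify_trusting_header(token: str) -> Optional[dict]:
    """VULNERABLE: whoever minted the token also chooses which key verifies it."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    key = KEY_BY_LOCATION.get(header.get("kid"))
    if key is None or not _check_signature(head, body, sig, key):
        return None
    return json.loads(_b64url_decode(body))


def verify_pinned(token: str) -> Optional[dict]:
    """HARDENED: fixed algorithm, fixed key; header 'kid' is never used as an input."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":  # refuse algorithm confusion and "none"
        return None
    if not _check_signature(head, body, sig, PINNED_KEY):
        return None
    return json.loads(_b64url_decode(body))


def is_admin(claims: Optional[dict]) -> bool:
    """Authorisation decision; only meaningful on claims from a verified token."""
    return bool(claims) and claims.get("admin_cap") == 1


def legit_token() -> str:
    """Token the application itself would issue (constructed)."""
    return sign({"alg": "HS256", "typ": "JWT", "kid": "http://localhost:7070/privKey.key"},
                {"username": "bob", "admin_cap": 0},
                KEY_BY_LOCATION["http://localhost:7070/privKey.key"])


def forged_token() -> str:
    """What the edited cookie in the writeup amounts to: own key location, admin_cap set to 1."""
    return sign({"alg": "HS256", "typ": "JWT", "kid": "http://attacker.example/privKey.key"},
                {"username": "bob", "admin_cap": 1},
                KEY_BY_LOCATION["http://attacker.example/privKey.key"])


if __name__ == "__main__":
    for name, tok in (("legit", legit_token()), ("forged", forged_token())):
        print(name, "header-trusting admin:", is_admin(verify_trusting_header(tok)),
              "| pinned admin:", is_admin(verify_pinned(tok)))
```

Run stand-alone, the header-trusting verifier reports the forged token as admin while the pinned verifier rejects it outright. The point generalises beyond `kid`: `jku`, `x5u` and similar header fields that name a key source must be restricted to an allowlist the server owns, or ignored entirely in favour of a configured key.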

After creating the custom request I paste it into Cookie Editor and save the cookie:

Using the Cookie Editor Mozilla Plugin to save my new auth token.


Refreshing the page afterwards gives me the Admin menu entry –

Receiving the privKey.key via newly created auth token.


I navigate to the Admin Panel and upload a PHP based web-shell –

WSO PHP based webshell in action.


🔝Escalation

I use the Network tab to give me a low privilege shell and log into the box. I upgrade my shell and download LinPEAS to the box:


LinPEAS and general enumeration show me some folders in the var/backups directory. I use the web-shell to download the files to my local machine.

Noticing a home file zipped - home.tar.gz


Going through the home.tar.gz file shows me noah's home directory and his SSH key. I save it to my working directory and log into the box.


Once I log into the box I check to see what sudo commands can be run without a password –

sudo -l shows I can run elevated commands on docker.

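A passwordless sudo rule for docker is root-equivalent, which is what makes the step above the turning point of the box. As an added example (not from the box and not a tool the page mentions), here is a small audit that reads sudoers-format rules, the rules behind what `sudo -l` reports, and flags grants of container runtimes or of `ALL` without a password. The sample rules are constructed; the exact rule on the box is not on the page.

```python
"""Audit sudoers rules for commands that hand the caller root, with or without a password.

Added example, not from the box or from any tool the page mentions. Input is sudoers-format
text; the sample below is constructed and the noah rule is only of the kind the box's
sudo -l output hints at, not the actual rule.
"""
import re
from typing import Dict, List

# sudo access to these is root-equivalent: docker, for instance, can run a command inside
# any container, including one started with the host filesystem mounted, which is the
# class of abuse a NOPASSWD docker rule allows.
ROOT_EQUIVALENT = {"docker", "dockerd", "podman", "lxc", "lxd", "runc", "ctr", "nerdctl"}

# user  host = (runas) tag: command, tag: command ...
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^((?:[A-Z]+:\s*)+)")


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per root-equivalent command grant (or per NOPASSWD ALL)."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user = m.group("user")
        nopasswd = False  # sudoers tags persist across the comma-separated command list
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            t = TAGS.match(spec)
            if t:
                tags = t.group(1)
                spec = spec[t.end():].strip()
                if "NOPASSWD:" in tags:
                    nopasswd = True
                elif "PASSWD:" in tags:
                    nopasswd = False
            if not spec:
                continue
            if spec == "ALL":
                if nopasswd:
                    findings.append({"user": user, "command": "ALL", "nopasswd": True})
                continue
            binary = spec.split()[0].rsplit("/", 1)[-1]
            # Conservative: every docker subcommand is flagged; a reviewer then decides whether
            # the argument pattern (e.g. "exec *") actually leaves room for escalation.
            if binary in ROOT_EQUIVALENT:
                findings.append({"user": user, "command": spec, "nopasswd": nopasswd})
    return findings


# Constructed sample sudoers content.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
noah    ALL=(ALL) NOPASSWD: /usr/bin/docker exec *
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, PASSWD: /usr/bin/docker ps
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(("NOPASSWD " if f["nopasswd"] else "password ") + f"{f['user']}: {f['command']}")
```

On the sample this reports the noah docker rule as passwordless and alice's `docker ps` as password-protected, while root's and the admin group's `ALL` grants, which still require a password, are left alone. The fix for the flagged rule is to remove the docker grant or replace it with a narrowly scoped wrapper script.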

Googling ‘docker exec exploit’ gives me the following –

I alter the payload line to create a reverse shell. I then build the file and start a web server:

⚠ Attack Machine (Tab 1)

Running the Docker exploit.


I launch a secondary SSH session for the noah user and a reverse shell on my fourth tab to Port 1234 and do the following:

⚠ Attack Machine (Tab 2)


🎯Victim Machine (Tab 1)


🎯Victim Machine (Tab 2)


The session will die shortly after (1 min or so). You can switch the payload line to add your SSH key, or just pull the flag directly for an easier time.

Rooted TheNotebook by HTB.


Rooted

Published On: July 30th, 2021 / Categories: HTB, Technology
