TheNotebook is a Medium box from HTB created by mostwanted002. This box features a CSRF exploit via JWT and a docker exploit. I begin each box by running a RustScan. This is bundled into my setup.sh script which I’ve mentioned in a few of my other posts. RustScan with NMAP filters shows a website with registration available on
NMAP scan shows registration page available.
I register for the site to gain access:
Easy Sign Up registration.
After checking for a CSRF (Cross-site request forgery) token and running a Dirbuster I notice an auth cookie present. I go to JWT.io and decode the cookie. I can see that a private key is being loaded.
JWT showing the private key pointing to localhost 7070.
I used ssh-keygen to create a key and added it into the JWT request.
Creating a key with ssh-keygen.
I changed the JWT request to include my Public and Private keys. I then updated the URL to hit my local python3 webserver and change the
After creating the custom request I paste it into Cookie Editor and save the cookie:
Using the Cookie Editor Mozilla Plugin to save my new auth token.
Refreshing the page after gives me the Admin menu entry –
Receiving the privKey.key via newly created auth token.
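The cookie is accepted because the application loads its verification key from whatever location the token's own header names, so a token that points at a key served from the attacker's web server verifies with the attacker's key. As an added example (not code from the original post or from the box), here is a minimal HS256 verifier in Python that treats `kid` purely as a label to look up in a local key store, pins the algorithm server-side and rejects any `kid` that could be a path or URL. The key store contents, the kid names and the payload are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed key store for the demo. The verifier only ever uses keys from here;
# in production this would be a protected file or a secrets manager.
KEY_STORE = {
    "app-key-2021": b"constructed-demo-secret-not-a-real-key",
}

# A kid is a short opaque label. Slashes, colons and dots are excluded on purpose,
# so a path or URL can never reach a file read or an HTTP fetch.
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
PINNED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, kid: str, key: bytes) -> str:
    """Issue a token; used here only to build demo inputs for the verifier."""
    header = {"typ": "JWT", "alg": PINNED_ALG, "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str) -> dict:
    """Return the payload of a valid token; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. The server, not the token, decides the algorithm.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    # 2. kid is validated as a label and used only as a dictionary lookup.
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.match(kid):
        raise ValueError("kid rejected: not an opaque identifier")
    key = KEY_STORE.get(kid)
    if key is None:
        raise ValueError("kid rejected: unknown key")
    # 3. Recompute the MAC with the stored key and compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def token_is_valid(token: str) -> bool:
    # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueError subclasses.
    try:
        verify_hs256(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    claims = {"username": "demo", "role": "user"}  # constructed payload
    good = sign_hs256(claims, "app-key-2021", KEY_STORE["app-key-2021"])
    # Same claims, but the header names a remote key location and the token is
    # signed with a key the server does not hold; a verifier that fetched the
    # kid would accept it, this one refuses before any lookup happens.
    remote_kid = sign_hs256(claims, "http://localhost:7070/privKey.key", b"not-a-server-key")
    print("allowlisted kid accepted:", token_is_valid(good))
    print("URL kid accepted:", token_is_valid(remote_kid))
```

The important design choice is that `kid` never influences where the key comes from, only which pre-loaded key is selected; a verifier that reads the key from a `kid` value (file path, URL or SQL lookup) has handed key selection to the party presenting the token.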
I navigate to the Admin Panel and upload a PHP based web-shell –
WSO PHP based webshell in action.
I use the Network tab to give me a low privilege shell and log into the box. I upgrade my shell and download LinPEAS to the box:
LinPEAS and general enumeration show me some folders in the /var/backups directory. I use the web-shell to download the files to my local machine.
Noticing a home file zipped – home.tar.gz
Going through the home.tar.gz file shows me noah’s home directory and his SSH key. I save it to my working directory and log into the box.
Once I log into the box I check to see what sudo commands can be run without a password –
sudo -l shows I can run elevated commands on docker.
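From the defender's side, a sudo rule that grants docker is root access by another name, since the docker daemon runs as root and whoever can run `docker` through sudo can start containers with host paths mounted inside them. The following Python is an added example (not from the original post or the box) that parses sudoers-style rules, flags commands that are root-equivalent when run via sudo, and rates NOPASSWD entries as high severity. The sudoers excerpt, the user names and the list of binaries are constructed for the demo.

```python
import re

# Constructed sudoers excerpt for the demo. On a real host the rules live in
# /etc/sudoers and /etc/sudoers.d/* and are readable as root.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
noah    ALL=(ALL) NOPASSWD: /usr/bin/docker exec *   # constructed rule for the demo
backup  ALL=(root) /usr/bin/rsync
"""

# Commands that are root-equivalent when run via sudo: docker can mount the host
# filesystem into a container, the rest offer well-known shell escapes.
ROOT_EQUIVALENT = {"docker", "bash", "sh", "dash", "vi", "vim", "python3", "find", "less"}

# who host=(runas) [TAG:] cmd, [TAG:] cmd ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")


def audit_sudoers(text: str) -> list:
    """Return one finding per risky command spec, in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (this also drops #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        nopasswd = False
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            tags = TAG_RE.match(spec)
            if tags:
                # In sudoers a tag applies to this command and to every later
                # command in the list until another tag overrides it.
                nopasswd = "NOPASSWD:" in tags.group(0).upper()
                spec = spec[tags.end():].strip()
            if not spec:
                continue
            name = spec.split()[0].rsplit("/", 1)[-1]
            if name == "ALL":
                reason = "unrestricted sudo"
            elif name in ROOT_EQUIVALENT:
                reason = f"{name} is root-equivalent"
            else:
                continue
            findings.append({
                "user": m.group("who"),
                "runas": m.group("runas") or "root",
                "command": spec,
                "nopasswd": nopasswd,
                "severity": "high" if nopasswd else "medium",
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}) {f['command']}: {f['reason']}"
              + (" without a password" if f["nopasswd"] else ""))
```

Run it against the output of `sudo -l` rewritten as rules, or directly against `/etc/sudoers` and the drop-ins as root; anything it reports as high should either be removed or replaced with a wrapper script that takes no user-controlled arguments.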
Googling ‘docker exec exploit’ gives me the following –
I alter the payload line to create a reverse shell. I then build the file and start a web server:
⚠ Attack Machine (Tab 1)
Running the Docker exploit.
I launch a secondary SSH session for the noah user and a reverse shell on my fourth tab to Port 1234 and do the following:
⚠ Attack Machine (Tab 2)
🎯Victim Machine (Tab 1)
🎯Victim Machine (Tab 2)
The session will die shortly after (1min or so). You can switch the payload line to add your SSH key or just pull the flag directly for an easier time.
Rooted TheNotebook by HTB.