Wednesday, July 31, 2019

SecNotes


SECNOTES

- Layout for this exercise:

1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine SecNotes from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- SecNotes' IP is 10.10.10.97:



- Scanning with Nmap:

- Browsing the web server on port 80:




- Registering a new user, whitelist:





- Logging in as the new user whitelist:




- Secure Notes is a notepad application that stores notes and to-do lists with password protection using AES encryption, providing quick and easy access with a simple password:





- The email tyler@secnotes.htb reveals two details:

  • user named tyler
  • domain secnotes.htb

- Also interesting is the .php extension on the login page, which reveals that the server runs PHP.


- Confirming the existence of the user tyler by attempting a login with a random password:

- Browsing the other web server at port 8808:




- Viewing the source, we find the image iisstart.png:





3 - EXPLOITATION

3.1 - SQL injection

- A "second order" SQL injection attack delays execution until a secondary query: a query fragment is injected through a first query (which is not necessarily vulnerable to injection itself) and stored, and that stored fragment is later executed by a second query that is vulnerable to SQL injection.

https://portswigger.net/kb/issues/00100210_sql-injection-second-order


https://bertwagner.com/2018/03/20/how-to-steal-data-using-a-second-order-sql-injection-attack/


- Using wfuzz to help find a working SQL injection payload:

 

- Of the candidate payloads, the last one, ' or 1=1 or ''=', seems easy to apply:




- Registering ' or 1=1 or ''=' as both username and password, then logging in with those credentials:







- Now the home page shows credentials for the user tyler in the 3rd note, named new site:
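To make the "second order" mechanism above concrete, here is an added example (not the SecNotes application's code; the table names and sample notes are constructed): registration stores the username safely with a bound parameter, but a later notes lookup concatenates the stored username into SQL, so the payload ' or 1=1 or ''=' used above returns every user's notes. The hardened lookup binds the stored value instead.

```python
import sqlite3

# Username payload from the walkthrough; it is stored verbatim at registration.
PAYLOAD = "' or 1=1 or ''='"


def setup_db():
    """In-memory database with constructed sample notes for two users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes (owner TEXT, title TEXT, body TEXT);
        INSERT INTO notes VALUES ('tyler', 'new site', 'constructed secret for tyler');
        INSERT INTO notes VALUES ('alice', 'todo',     'constructed secret for alice');
    """)
    return db


def register(db, username, password):
    # First-order query: parameterised, so registration itself is not injectable.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def notes_vulnerable(db, username):
    # Second-order query: the *stored* username is spliced into the SQL text, so
    # the payload becomes  WHERE owner = '' or 1=1 or ''=''  and matches every row.
    sql = "SELECT owner, title, body FROM notes WHERE owner = '" + username + "'"
    return db.execute(sql).fetchall()


def notes_hardened(db, username):
    # Fix: bind the value. Data read back from the database is still untrusted data.
    sql = "SELECT owner, title, body FROM notes WHERE owner = ?"
    return db.execute(sql, (username,)).fetchall()


def demo():
    """Register the payload, log in, and compare both note lookups."""
    db = setup_db()
    register(db, PAYLOAD, "password")
    # Login: the app reads the username back from the users table into the session.
    (session_user,) = db.execute(
        "SELECT username FROM users WHERE username = ?", (PAYLOAD,)).fetchone()
    leaked = notes_vulnerable(db, session_user)  # 2 rows: tyler's and alice's notes
    safe = notes_hardened(db, session_user)      # 0 rows: no user has that exact name
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (2, 0)
```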


3.2 - Exploiting SMB

- Using the credentials tyler:92g!mA8BGjOirkL%OG*& to access the SMB service on port 445:





- Connecting and listing new-site:

- So we confirm that there is a web service on port 8808 whose folder new-site contains the image iisstart.png.


3.3 - Getting a remote shell


- First of all, let's download the Windows Netcat binary to Kali:

- Also, let's create exploit.php, a PHP exploit whose goal is to spawn a remote shell over a Netcat connection:




- Transferring nc.exe and exploit.php from Kali to SecNotes:




- The transfer of both files is successful:




- Setting up a Netcat listener on port 5555:




- Running exploit.php directly from the browser:




- A remote shell is successfully spawned:

4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Access to the Administrator's account is denied, as expected, so we need privilege escalation:




- Checking user tyler's Desktop, there is a file bash.lnk:





- Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10 and Windows Server 2019.

https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux


- Reading bash.lnk, the path C:\Windows\System32\bash.exe seems interesting:




- However, the clue is misleading because there is no bash.exe in C:\Windows\System32:




- Let's find the real location of bash.exe:




- Running bash.exe, we get a root shell in the Windows Subsystem for Linux (WSL):




- Improving the shell:




- Checking the content of root's home folder, there is the hidden file .bash_history:




- Reading .bash_history, credentials for Administrator are available:




- Making use of the credentials administrator%u6!4ZwgwOM#^OBf#Nwnh, there are two ways of accessing the Administrator's account:


5.1 - Smbclient

- Connecting to the SMB service:

5.2 - Psexec.py


- The Impacket psexec.py Python script provides a remote root shell just by supplying the Administrator's credentials:




6 - CAPTURING THE 2nd FLAG

- So we have two options to read root.txt:

- First, by transferring root.txt from SecNotes to Kali and reading it locally:






- Second, by reading it from the remote root shell: