SECNOTES
- Layout for this exercise:
1 - INTRODUCTION
- The goal for this exercise is to develop a hacking process for the vulnerable machine SecNotes from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- SecNotes' IP is 10.10.10.97:
- Scanning with Nmap:
- Browsing the web server on port 80:
- Registering a new user, whitelist:
- Logging in as the new user whitelist:
- Secure Notes is a notepad application that stores notes and to-do lists with secure password protection using AES encryption, providing quick and easy access using a simple password:
- The email tyler@secnotes.htb reveals two details:
- user named tyler
- domain secnotes.htb
- The .php extension of the login page is also interesting, revealing that the server runs PHP.
- Confirming that user tyler exists by trying a random password:
- Browsing the other web server at port 8808:
- Viewing the source we find the image iisstart.png:
3 - EXPLOITATION
3.1 - SQL injection
- A "second order" SQL injection attack delays execution until a secondary query: a query fragment is injected into a first query (which is not necessarily vulnerable to injection itself) and stored, and that injected SQL then executes in a second query that is vulnerable to SQL injection.
https://portswigger.net/kb/issues/00100210_sql-injection-second-order
https://bertwagner.com/2018/03/20/how-to-steal-data-using-a-second-order-sql-injection-attack/
- Using wfuzz to help us find a valid SQL injection:
- Of the proposed payloads, the last one ' or 1=1 or ''=' seems easy to apply:
- Entering ' or 1=1 or ''=' as both username and password for a new user, then logging in with those credentials:
- Now the home page reveals credentials for user tyler in the 3rd note, named new site:
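- As an added illustration (not part of the original write-up, which targets a PHP application), the second-order flaw described above modelled in Python with sqlite3; table and column names are assumed. Registration and login are parameterised, so the payload is stored as plain data, but the later notes query concatenates the stored username and returns every user's notes; the hardened variant parameterises that second query too:

```python
import sqlite3

# Payload from the write-up, registered as both username and password.
PAYLOAD = "' or 1=1 or ''='"

def build_db():
    """Constructed sample database: two users' notes (names/titles assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        CREATE TABLE notes(username TEXT, title TEXT);
        INSERT INTO notes VALUES ('tyler', 'new site');
        INSERT INTO notes VALUES ('alice', 'shopping list');
    """)
    return con

def register(con, username, password):
    # The first query is parameterised, so the payload is stored as plain data.
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def login(con, username, password):
    # Returns the username as stored in the database (now treated as "trusted").
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None

def notes_vulnerable(con, stored_username):
    # Second-order flaw: the value came from our own table, so it is concatenated
    # unescaped. With the payload the WHERE clause becomes: username = '' or 1=1 or ''=''
    sql = "SELECT title FROM notes WHERE username = '" + stored_username + "'"
    return [title for (title,) in con.execute(sql)]

def notes_hardened(con, stored_username):
    # Fix: parameterise every query, including those fed from stored data.
    return [title for (title,) in
            con.execute("SELECT title FROM notes WHERE username = ?", (stored_username,))]

def demo():
    # Returns (titles leaked by the vulnerable query, titles from the hardened query).
    con = build_db()
    register(con, PAYLOAD, PAYLOAD)
    who = login(con, PAYLOAD, PAYLOAD)
    return notes_vulnerable(con, who), notes_hardened(con, who)

if __name__ == "__main__":
    print(demo())  # (['new site', 'shopping list'], [])
```

The lesson for defenders is that escaping or validating input at the registration form is not enough; any value read back from the database must still be bound as a parameter.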
3.2 - Exploiting SMB
- Using credentials tyler:92g!mA8BGjOirkL%OG*& to access SMB service on port 445:
- Connecting and listing new-site:
- So we confirm that there is a web service on port 8808 whose folder new-site contains the image iisstart.png.
3.3 - Getting a remote shell
- First of all, let's download the Windows Netcat binary to Kali:
- Also, let's create exploit.php, a PHP exploit whose goal is to spawn a remote shell through a Netcat connection:
- Transferring nc.exe and exploit.php from Kali to SecNotes:
- The transfer of both files is successful:
- Setting up a Netcat listener on port 5555:
- Running exploit.php directly in the browser:
- A remote shell is successfully spawned:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Access to the Administrator account is denied, as expected, so we need privilege escalation:
- Checking user tyler's Desktop, there is a file bash.lnk:
- Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10 and Windows Server 2019.
https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux
- Reading bash.lnk, the path C:\Windows\System32\bash.exe seems interesting:
- However, the clue is misleading because there is no bash.exe in C:\Windows\System32:
- Let's find the real location of bash.exe:
- Running bash.exe, we get a root shell in the Windows Subsystem for Linux (WSL):
- Improving the shell:
- Checking the contents of the root home folder, there is a hidden file .bash_history:
- Reading .bash_history, credentials for Administrator are available:
- Making use of the credentials administrator%u6!4ZwgwOM#^OBf#Nwnh, there are two ways of accessing the Administrator account:
5.1 - Smbclient
- Connecting with the SMB service:
5.2 - Psexec.py
- The Impacket psexec.py Python script helps to get a remote root shell just by providing the Administrator's credentials:
6 - CAPTURING THE 2nd FLAG
- So we have two options to read root.txt:
- First, by transferring root.txt from SecNotes to Kali and reading it locally:
- Second, by reading it from the remote root shell: