Hackthebox – SecNotes Writeup

This is a write-up for the Secnotes machine on hackthebox.eu which was retired on 1/19/19!

Summary

Secnotes is a medium difficulty Windows machine which will help you practice some basic SQL injection, explore SMBclient, and use some simple php scripting.

Enumeration

As always, our first step is enumeration. We use the following command in nmap to find open ports (-sV scans for versions, -sC runs some common scripts, and -Pn skips the check to make sure the host is up via Ping):

nmap -sC -sV -Pn 10.10.10.97

After this has been run, I always suggest running a full nmap scan in the background, which will reveal another port 8808 open

nmap -p- -T4 -A -v 10.10.10.97

Sql Injection

We could try to use enum4linux to scan the SMB but instead we will be going straight to the website hosted at 10.10.10.97

We register with a random account and login to try and find some notes, but there are none.

Trying some sql injection on the login page doesn’t seem to work, so we try something called second order sql injection, which is pretty much doing injection on the registration page, hoping that something in the back-end will allow the injection later (in this case, we hope the app will show us someone else’s notes).

In this case, we register with:

username: hello’ or ‘1’=’1
password: password

Logging in with this new account shows us someone else’s notes, interesting:

Reverse Shell for User Flag

Now remember that nmap scan we did at the very start, and we found port 445 open? Let’s use these new creds to try and access a share with smb:

smbclient //10.10.10.97/new-site -U tyler -W secnotes.htb

It will prompt for the password so use the password we got from the notes earlier. Typing “dir” will list the contents, and this looks awfully similar to the output we get from trying to access 10.10.10.97:8808

Let’s go for the reverse shell. We will be using the following php file, make sure to replace the IP with the IP of your kali machine. Name this file php.php or something.

Now, upload the php file we made and nc.exe (we got our here) by downloading it into /www and typing the following commands:

lcd /www
put php.php
put nc.exe

now let’s listen on port 7734

nc -lvnp 7734

Let’s now kick off our php file by browsing to 10.10.10.97:8808/php.php

This should get us a reverse shell like:

Running the command whoami shows that we are tyler, so let’s go to his folder at c:\users\tyler\desktop. Read the user.txt file to get user flag:

Getting Root Flag

We find a weird link to bash.. which is weird since this is a windows machine. When we try to run the link it seems to be a broken link, so let’s find the executable by typing the following commands:

cd c:\
dir /s bash.exe

We find it here so let’s run it:

c:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe

Ah cool.. looks like we have root access to some linux terminal within windows, pretty awesome!

We go to the home directory by using cd ~ and cat the .bash history to find some creds:

Looks like these are the admin creds to the machine. Let’s mount the C drive with smbclient and we will have the root flag:

smbclient -U ‘administrator%u6!4ZwgwOM#^OBf#Nwnh’ //10.10.10.97/c$
lcd /www
cd users/administrator/desktop
get root.txt
exit
cat /www/root.txt

Leave a Reply

Your email address will not be published. Required fields are marked *