
Hack The Box - The Notebook

Introduction

This is a write-up for The Notebook (Medium) machine, released on Hack The Box on 06/03/21.

Reconnaissance

Service Enumeration

Ports / Services enumeration

Since there were only 2 exposed services, I started by looking at the web server running on port 80/tcp. It hosted a web application that allowed a user to register an account and log in to take notes.

Web Application (The Notebook)

After registering an account I found that very few options were available to an unprivileged user. Available functionalities:

  • Submit/Edit notes

Vulnerability Analysis

Authentication

Since there were very few functionalities available to exploit, I started by looking at the authentication portion of the application and noticed it was using a JWT token.

JWT Token

After decoding the token I noticed that the “kid” parameter pointed to an internal address hosting the private key used to sign the token.

JWT base64 decode

Objective: Sign the JWT token with a private key hosted on my own server and modify the payload to set a regular user as an administrator.
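The root cause above is a verifier that treats “kid” as a location to load the signing key from, so a client-supplied header decides which key is trusted. The following added example (not part of the original write-up or of the application) shows the defender-side fix: “kid” is only ever a lookup into a fixed, server-side key store, and the algorithm is pinned. It uses HS256 rather than the RS256 of the real application so it runs with the standard library alone; the key material, kid name and claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key store: the only "kid" values the verifier will ever honour.
# The write-up's application loaded its key from the location named in "kid";
# the lookup rule is the point here, so HS256 keeps it dependency-free.
TRUSTED_KEYS = {"app-key-2021": b"constructed-secret-for-this-example-only"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, kid: str) -> str:
    """Issue an HS256 token for a trusted kid (used here to build sample tokens)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(TRUSTED_KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url(sig.digest())}"

def verify_jwt(token: str) -> dict:
    """Return the claims only if the token is signed by an allow-listed key."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(unb64url(h64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # "kid" is a dictionary key, never a path or URL to fetch a key from.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in TRUSTED_KEYS:
        raise ValueError("unknown kid")
    # Pin the algorithm to what the server issues: rejects "none" and alg confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(TRUSTED_KEYS[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s64)):
        raise ValueError("bad signature")
    return json.loads(unb64url(p64))

def rejection_reason(token: str):
    """The verifier's error message, or None when the token is accepted."""
    try:
        verify_jwt(token)
    except ValueError as exc:
        return str(exc)
    return None
```

A header that names any kid outside TRUSTED_KEYS, including a path or URL, is rejected before key material is touched, and a modified payload fails the signature check.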

Exploitation

Custom JWT token

I developed a small Python script (“jwt-token.py”) to generate a custom JWT token signed with my own RSA private key, setting the current user as an administrator.

“jwt-token.py” source code

Administration Panel

With the generated JWT token I managed to access the administration panel.

“jwt-token.py” generated token

Administration Panel - Web Shell Upload

There was a note created by the administrator saying that PHP file uploads were allowed.

Administration panel note

Getting a reverse shell as “www-data” from the malicious PHP file

Netcat reverse shell

Post-Exploitation

From “www-data” to user (“noah”)

After compromising the system with web server privileges only, I executed the LinPEAS enumeration script and noticed that there was a home folder backup in the “/var/backups/” directory. The “home.tar.gz” file contained an SSH private key that allowed me to log in as the user “noah”.

“noah” user private SSH key

Privilege Escalation

With SSH access as “noah”, the only thing left was to get root access to the system, so I executed the LinPEAS script again and noticed that any user could run the command "docker exec -it webappdev01*" as administrator.

Listing user privileges

The container only contained the source code of the application running on port 80/tcp, but the web server itself was running on the host system. After looking at the source code I found two SHA3-256 hashes, for the users “admin” and “noah”, but it was not possible to crack them using a regular wordlist.

CVE-2019-5736

With no useful information on the host nor in the container, I started searching for Docker container escape vulnerabilities and found the following exploit on GitHub:

Modifying the Exploit

A few modifications to the exploit were needed to get a reverse shell as root.

Modifying the exploit to get a reverse shell

After transferring the compiled exploit to the target machine and its container, the only thing left was running it.

Running the exploit on the container

Running “docker exec -it webappdev01 /bin/sh” on the host

Success! I received a root shell on the Netcat listener.

Privileged access to the server (root)
