In this post, i would like to share a walkthrough of TheNotebook Machine.

This room has been considered difficulty rated as a MEDIUM machine

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Information Gathering on TheNotebook

Let’s open the browser and straight into the website interface.

There’s a Register and Login link at the upper menu tab.

Normally, i will try to register to ensure that we can login it later

We managed to login into the dashboard and let’s try to create example notes.

It will look like something as mentioned above. However, there’s nothing that we can use to get a shell here. However, let’s open Developer Tools and click on Storage Tab. There’s an auth cookies that we able to manipulate to get admin access.

After doing some research, i found out that the website has JSON Web Tokens implemented here.

Playing with JSON

I did find out this website that allows you to decode and generate JWT code

We copy-paste the existing cookie into encoded field on the left side and it will give us a plain text on the right side.

What we need to do is replace our own cookie with a current cookie. We can get the cookie from the command shown above with the formatting is the second strings.first strings.private key (header.payload.signature)

For us to get the private key to generate, we need to execute the command such as ssh-keygen -t rsa -b 4096 -m PEM -f privKey.key and copy everything inside the file which we will paste on the Private key on the right side.

After all the steps are completed, you can copy everything on the encoded field on the left side and replace it with the current auth cookies

The activity should look like the above and we need to refresh the URL

We will get the website interface shown above once you must refresh the page. You will upload the PHP-reverse-shell file on the Upload File button and need to start NC listener

To get the shell to work, you need to click the view file (the one that appears after we upload the reverse shell) and we should be able to get the connection back to us.

The reverse shell on the thenotebook machine

Normally, the interesting files can be found in/opt or /var directory. Let’s go to /var directory first and i notice that there’s home.tar.gz that looks suspicious to me

We should unzip the file so that we can see what’s stored inside but sadly, we cannot unzip inside the machine.

We need to transfer the file into our own attacker’s machine and uzip over there.

There’s a /.ssh directory that might lead us to id_rsa

I knew it! So, without further edu, let’s try to login the machine via ssh service

We managed to login the machine and let’s get the user flag by cat user.txt

Escalate to Root Privileges Access on Thenotebook machine

We need to do some research on the exploit that we can use. After a while, i found a suitable exploit here

We can download the exploit by executing the command git clone

Once we have successfully downloaded the file on the attacker machine, we can modify the file at the line that contains var payload

  1. var payload = “#!/bin/bash \n cat /etc/shadow > /tmp/shadow && chmod 777 /tmp/shadow”
  2. var payload = cat /etc/root/root.txt > /tmp/root/root.txt && chmod 777 /tmp/root/root.txt
  3. var payload = “#!/bin/bash \n chmod +s /bin/bash”

You can choose either command that i showed above and compile it by executing sudo go build main.go because the file format is go

Once compiled the file, we need to transfer the file to the target’s machine using wget function

We should be giving permission to the main file by running the chmod +x main command and run the ./main file

This progress will not work on the first try and you will need to execute multiple times until you get the root.txt which contains the root flag


Happy Learning Guys!

Leave a Reply

Your email address will not be published. Required fields are marked *