In this post, I would like to share a walkthrough of the TheNotebook machine.
This machine is rated MEDIUM difficulty.
Once the VPN connection is up, we can start information gathering on the machine by running nmap -sC -sV -Pn <IP Address>
Information Gathering on TheNotebook
Let’s open the browser and go straight to the website interface.
There are Register and Login links in the upper menu.
Normally, I register an account first to make sure we can log in later.
Once logged in to the dashboard, let’s try creating an example note.
It will look something like the above. There is nothing here that gives us a shell directly. However, if we open Developer Tools and click on the Storage tab, there is an auth cookie that we can manipulate to get admin access.
After doing some research, I found that the website uses JSON Web Tokens (JWT) for this cookie.
Playing with JSON
The website jwt.io lets you decode and generate JWTs.
We copy-paste the existing cookie into the Encoded field on the left, and the decoded header and payload appear in plain text on the right.
What we need to do is replace the current cookie with one of our own. The token is three dot-separated base64url strings in the form header.payload.signature, where the signature is produced with the private key.
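The point a defender should take from the decoding step is that the header and payload are only base64url-encoded JSON, so anyone can read and rewrite them; the only thing that protects the claims is the server checking the signature against a key it holds itself. The following is an added example written for this post, not code from the machine or from jwt.io. It uses HS256 so it runs with the Python standard library alone (the site in the walkthrough uses an RSA-signed token, and the page does not say how the server selects its verification key); SERVER_SECRET, the claim names and the sample tokens are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real server keeps its key out of the token.
SERVER_SECRET = b"constructed-server-secret"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token):
    """What jwt.io shows: header and payload are just base64url-encoded JSON."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload, secret):
    """Issue a token: signature = HMAC-SHA256(secret, header + '.' + payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token, secret):
    """Server-side check: pinned algorithm, server-held key, constant-time compare."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    header = json.loads(b64url_decode(header_b64))
    # The token must never choose the algorithm or the key used to check it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature does not match the server key")
    return json.loads(b64url_decode(payload_b64))


def is_admin(token, secret=SERVER_SECRET):
    """Authorisation decision that trusts only verified claims."""
    try:
        claims = verify_hs256(token, secret)
    except ValueError:
        return False
    return claims.get("admin") is True


def demo():
    """Constructed tokens: a genuine user token and two tampered variants."""
    genuine = sign_hs256({"username": "noob", "admin": False}, SERVER_SECRET)
    # Same claims with admin flipped, but signed with a key the server never issued.
    resigned = sign_hs256({"username": "noob", "admin": True}, b"some-other-key")
    # Original signature kept, payload swapped: the HMAC over the new payload differs.
    header_b64, _, signature_b64 = genuine.split(".")
    swapped_payload = b64url_encode(json.dumps({"username": "noob", "admin": True}).encode())
    spliced = f"{header_b64}.{swapped_payload}.{signature_b64}"
    return {
        "genuine_verifies": verify_hs256(genuine, SERVER_SECRET)["username"] == "noob",
        "genuine_is_admin": is_admin(genuine),
        "resigned_with_other_key": is_admin(resigned),
        "payload_swapped": is_admin(spliced),
        "decoded_without_key": decode_unverified(resigned)[1]["admin"],
    }


if __name__ == "__main__":
    print(demo())
```

decode_unverified shows why the cookie looks editable: the admin claim in the re-signed token reads as True without any key. is_admin shows the control that makes that edit harmless: the algorithm is pinned, the key comes from the server, and a tampered or re-signed token is treated as anonymous rather than as an error the client can retry around.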
To generate the private key, run ssh-keygen -t rsa -b 4096 -m PEM -f privKey.key and copy the entire contents of the file into the Private Key field on the right side.
After all the steps are completed, copy everything from the Encoded field on the left and replace the current auth cookie with it.
The activity should look like the above; then we refresh the page.
After refreshing, we get the website interface shown above. Upload the PHP reverse shell file using the Upload File button and start an nc listener.
To get the shell, click View File (the entry that appears after we upload the reverse shell) and we should get the connection back.
The reverse shell on the thenotebook machine
Normally, interesting files can be found in the /opt or /var directory. Let’s go to /var first; I notice a home.tar.gz there that looks suspicious.
We should extract the archive to see what is inside, but sadly we cannot extract it on the machine.
We need to transfer the file to our own attacker machine and extract it there.
There is a /.ssh directory that might contain an id_rsa key.
I knew it! So, without further ado, let’s try to log in to the machine via SSH.
We managed to log in, so let’s get the user flag with cat user.txt.
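The backup archive is the real finding here: a world-readable home.tar.gz that carries a user's .ssh/id_rsa is a credential leak regardless of who extracts it. The following is an added example, not part of the original post, showing how an administrator can scan such an archive for private keys before leaving it where others can read it. The archive contents, file names and key material are all constructed placeholders, not data from the machine.

```python
import io
import re
import tarfile

# Matches the first line of PEM-style private keys (PKCS#1 RSA, OpenSSH, EC, DSA, PKCS#8).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Paths that should not be inside a backup other people can read.
SENSITIVE_SUFFIXES = (".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa", ".ssh/id_dsa")


def scan_tar_for_keys(tar_bytes, max_member_bytes=1_000_000):
    """Return [(member name, [reasons])] for members that look like leaked private keys."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            if member.name.endswith(SENSITIVE_SUFFIXES):
                reasons.append("sensitive path")
            if member.size <= max_member_bytes:
                data = tar.extractfile(member).read()
                if PRIVATE_KEY_RE.search(data):
                    reasons.append("private key header")
            # A key stored group/other-readable inside the archive stays that way
            # after extraction, so report the mode as well.
            if reasons and member.mode & 0o077:
                reasons.append("readable by group/others (mode %#o)" % member.mode)
            if reasons:
                findings.append((member.name, reasons))
    return findings


def build_example_archive():
    """Constructed stand-in for home.tar.gz; the key bodies are placeholders, not real keys."""
    files = {
        "home/user/.bashrc": (b"export PATH=$PATH:/usr/local/bin\n", 0o644),
        "home/user/.ssh/id_rsa": (
            b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n",
            0o600,
        ),
        "home/user/.ssh/id_rsa.pub": (b"ssh-rsa AAAAPLACEHOLDER user@host\n", 0o644),
        # A key pasted into a note: wrong name, right content, too-open mode.
        "home/user/notes.txt": (
            b"backup key:\n-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n",
            0o644,
        ),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (content, mode) in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo():
    return scan_tar_for_keys(build_example_archive())


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", ", ".join(reasons))
```

Matching on content as well as on path matters: the scan catches the id_rsa by its location and also the key pasted into notes.txt, which a name-only check would miss. Running this against real backups with scan_tar_for_keys(open(path, "rb").read()) is the intended use.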
Escalate to Root Privileges on the TheNotebook machine
We need to do some research on an exploit we can use. After a while, I found a suitable exploit here.
We can download the exploit by running git clone https://github.com/Frichetten/CVE-2019-5736-PoC.git
Once the repository is on the attacker machine, we can modify the line in main.go that contains var payload:
- var payload = "#!/bin/bash \n cat /etc/shadow > /tmp/shadow && chmod 777 /tmp/shadow"
- var payload = "cat /etc/root/root.txt > /tmp/root/root.txt && chmod 777 /tmp/root/root.txt"
- var payload = "#!/bin/bash \n chmod +s /bin/bash"
You can choose any one of the commands shown above and compile it by running sudo go build main.go, because the PoC is written in Go.
Once compiled, we need to transfer the binary to the target machine using wget.
Make the main file executable with chmod +x main and run it with ./main.
This will not work on the first try; you will need to run it multiple times until you get root.txt, which contains the root flag.
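Each of the payloads above leaves a filesystem trace that is easy to check for: a copy of /etc/shadow or root.txt that everyone can read, or a setuid bit on a shell. The following is an added example, not part of the original post or the PoC, of a small permission audit a defender can run after an incident or on a schedule. The expected locations of the secret files and the list of shell names are assumptions for this example, and the stat results in demo() are constructed rather than read from a real host.

```python
import os
import stat

SHELL_NAMES = {"bash", "sh", "dash", "zsh"}
# Files whose contents should never be copied somewhere everyone can read,
# with the directory each normally lives in (assumed defaults).
SECRET_HOMES = {"shadow": "/etc", "gshadow": "/etc", "root.txt": "/root"}


def audit_entry(path, st_mode):
    """Return the problems with one file, given its path and full st_mode."""
    name = os.path.basename(path)
    problems = []
    if name in SHELL_NAMES and st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid bit on a shell")
    if name in SECRET_HOMES and os.path.dirname(path) != SECRET_HOMES[name] and st_mode & stat.S_IROTH:
        problems.append("copy of a secret file readable by everyone")
    if stat.S_ISREG(st_mode) and st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_entries(entries):
    """entries: iterable of (path, st_mode). Returns {path: [problems]} for flagged paths."""
    report = {}
    for path, st_mode in entries:
        problems = audit_entry(path, st_mode)
        if problems:
            report[path] = problems
    return report


def audit_tree(root):
    """Walk a real directory tree with lstat (symlinks are not followed)."""
    def entries():
        for dirpath, _dirnames, filenames in os.walk(root):
            for filename in filenames:
                full = os.path.join(dirpath, filename)
                try:
                    yield full, os.lstat(full).st_mode
                except OSError:
                    continue
    return audit_entries(entries())


def demo():
    """Constructed stat results mirroring the payloads above; nothing is read from disk."""
    entries = [
        ("/etc/shadow", stat.S_IFREG | 0o640),       # normal
        ("/usr/bin/passwd", stat.S_IFREG | 0o4755),  # setuid, but a shell is not involved
        ("/bin/bash", stat.S_IFREG | 0o4755),        # what chmod +s /bin/bash leaves behind
        ("/tmp/shadow", stat.S_IFREG | 0o777),       # what the /tmp/shadow payload leaves behind
    ]
    return audit_entries(entries)


if __name__ == "__main__":
    for path, problems in demo().items():
        print(path, "->", ", ".join(problems))
```

audit_tree("/tmp") and audit_tree("/bin") are the calls to run on a live host; they reuse the same per-file rules as the constructed demo. Keeping the rules in audit_entry, separate from the filesystem walk, is what makes them testable against known modes without needing root or a compromised box.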
Happy Learning Guys!