In this post, I would like to share a walkthrough of the Noter Machine from Hack the Box

This room will be considered a medium machine on Hack The box

What will you gain from the Noter machine?

For the user flag, you will need to abuse the flask cookie which it’s crackable for the machine but i don’t have any credentials to make use. We need to explore the website to find a username and test by generating a bunch of valid cookies.

As for the root flag, you need to find the MySQL that run as root and abuse it by using the Raptor expoit

Information Gathering on Noter Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface by using the port 5000

There is nothing much to see except for Register and Login

As a result, let’s access the dashboard using the credentials that we created earlier.

Finally, we got into the Dashboard but nothing interesting to look into.

Therefore, let’s try to investigate the username and the password too

At last, we sighted that blue might be the username

We also can obtain the password using the hash cracked

We have finally access the blue dashboard

There are two notes that we can read and analyze it.

The first note say that we can access their FTP service using the username blue and passwowrd “blue@Noter!”

The second notes look like something like the above.

Therefore, let’s access the FTP service and download the policy.pdf into our machine

There are some clues for another username and password

At last, we can access the FTP service using ftp_admin and ftp_admin@Noter! for the credentials.

Let’s download those two files stored inside the FTP service.

We managed to analyze the first file and notice that there’s MySQL credentials and another directory that we can look into

Inside the other file, there’s a username and password for MySQL which is give us a different value.

Let’s access the export_note which we can export the URL from the cloud.

We are required to start our listener on our machine

We also need to start our python proxy so that it will able to catch our reverse shell command on our machine

Let’s retrieve the file using the URL above.

Finally, it has been retrieved on our python proxy

We have successfully obtained the reverse shell connection back to us.

We can finally read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

I was thinking if the exploit is related to the MySQL database, so I do some research and found this exploit

As a result, let’s follow the step that shown on the exploit that we found earlier

The command above will normally compile the c file format

We are required to transfer the file to the victim’s machine

We have sighted that the file is successfully transferred to the victim’s machine

Let’s access the MySQL database using the credentials that we found earlier on the code.

There are a few databases that have been created.

As a result, let’s use the MySQL database and it changed

As shown on the exploit website, we will be following each step like been executed above.

Let’s run the system command such as above and then exit the MySQL database.

Let’s run the bash -p command and it works like a charm

We can read the root flag by typing the “cat root.txt” command

Extra Information

Leave a Reply

Your email address will not be published. Required fields are marked *