In this post, I would like to share a walkthrough of the Noter Machine from Hack The Box.
This room is considered a medium machine on Hack The Box.
What will you gain from the Noter machine?
For the user flag, you will need to abuse the Flask cookie, which is crackable on this machine, but I don’t have any credentials to make use of. We need to explore the website to find a username and test by generating a bunch of valid cookies.
As for the root flag, you need to find the MySQL service that runs as root and abuse it by using the Raptor exploit.
Information Gathering on Noter Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface on port 5000.
As a result, let’s access the dashboard using the credentials that we created earlier.
Finally, we got into the dashboard, but there is nothing interesting to look into.
Therefore, let’s try to investigate the username and the password too.
At last, we spotted that blue might be the username.
We can also obtain the password using the cracked hash.
We have finally accessed blue’s dashboard.
There are two notes that we can read and analyze.
The first note says that we can access their FTP service using the username blue and password “blue@Noter!”
The second note looks something like the above.
Therefore, let’s access the FTP service and download the policy.pdf onto our machine.
There are some clues for another username and password.
At last, we can access the FTP service using ftp_admin and ftp_admin@Noter! as the credentials.
Let’s download those two files stored inside the FTP service.
We analyzed the first file and noticed that there are MySQL credentials and another directory that we can look into.
Let’s access export_note, which lets us export from a cloud URL.
We are required to start our listener on our machine.
We also need to start our Python proxy so that it will be able to catch our reverse shell command on our machine.
Let’s retrieve the file using the URL above.
Finally, it has been retrieved on our Python proxy.
We have successfully obtained the reverse shell connection back to us.
We can finally read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
I was wondering whether the exploit is related to the MySQL database, so I did some research and found this exploit.
As a result, let’s follow the steps shown in the exploit that we found earlier.
The command above will normally compile the C source file.
We are required to transfer the file to the victim’s machine.
We can see that the file has been successfully transferred to the victim’s machine.
Let’s access the MySQL database using the credentials that we found earlier on the app.py code.
There are a few databases that have been created.
As a result, let’s use the MySQL database, and the database changed.
As shown on the exploit website, we will follow each step as executed above.
Let’s run the system command as shown above and then exit the MySQL database.
Let’s run the bash -p command and it works like a charm.
We can read the root flag by typing the “cat root.txt” command.
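The escalation above depends on the MySQL server process running as root. As an added example (not part of the original walkthrough), the shell functions below let an administrator check a host for that condition; the function names, the sample process list and the sample my.cnf are constructed assumptions.

```shell
# Added example: flag MySQL/MariaDB daemons that run as root.
# All sample data below is constructed for illustration.

# Constructed stand-in for `ps -eo user,pid,args` output.
sample_ps() {
cat <<'EOF'
USER       PID COMMAND
root         1 /sbin/init
root       640 /bin/sh /usr/bin/mysqld_safe
root       812 /usr/sbin/mysqld --user=root
www-data   950 python3 /opt/app/app.py
EOF
}

# Constructed stand-in for a my.cnf file.
sample_cnf() {
cat <<'EOF'
[client]
user = backup
[mysqld]
user = root
port = 3306
EOF
}

# Read ps output on stdin; print PIDs of database daemons owned by root.
# The binary name is matched exactly so the mysqld_safe wrapper, which
# starts as root and then drops privileges, is not reported.
root_db_pids() {
    awk 'NR > 1 && $1 == "root" {
        n = split($3, part, "/")
        if (part[n] == "mysqld" || part[n] == "mariadbd") print $2
    }'
}

# Read a my.cnf on stdin; print the user= value of the [mysqld] section.
mysqld_cnf_user() {
    awk -F'=' '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec && $1 ~ /^[ \t]*user[ \t]*$/ { gsub(/[ \t]/, "", $2); val = $2 }
        END { if (val != "") print val }'
}

# On a live host (the config path varies by distribution):
#   ps -eo user,pid,args | root_db_pids
#   mysqld_cnf_user < /path/to/my.cnf
```

Any PID printed by root_db_pids, or a value of root from mysqld_cnf_user, means the database should be reconfigured to run under a dedicated unprivileged account.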