TheNotebook Writeup
Introduction :
TheNotebook is a medium Linux box released back in March 2021.
Part 1 : Initial Enumeration
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/TheNotebook]
→ nmap -vvv -p- 10.129.188.119 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 80/tcp on 10.129.188.119
Discovered open port 22/tcp on 10.129.188.119
[ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/TheNotebook]
→ nmap -sCV -p 80,22 10.129.188.119
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 10:05 CEST
Nmap scan report for 10.129.188.119
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds
Part 2 : Getting User Access
Our nmap scan picked up port 80 so let's investigate it:
We can register an account and login:
Once that's done we can create a test note:
So here we're able to create notes and view them, but that's not really useful for us. The trick was to take a look into the cookie storage tab in F12, where we would see our auth token:
We can inspect it using jwt.io
Here we see that there is a Key ID field, pointing to the box's local address on port 7070:
[ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/TheNotebook]
→ nmap -sCV -p 7070 10.129.188.119
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 10:20 CEST
Nmap scan report for 10.129.188.119
Host is up (0.026s latency).
PORT STATE SERVICE VERSION
7070/tcp closed realserver
It's not available to us, which probably means that it only accepts packets coming from localhost, so we might need to port forward it once we get access to the box later on.
Part 3 : Getting Root Access
the text goes here
Conclusion
Here we can see the progress graph :
Nihilist
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o
7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 Donate XMR to Nihilist: