Wednesday, July 31, 2019



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine SecNotes from the Hack The Box pentesting platform:


- SecNotes' IP is

- Scanning with Nmap:

- Browsing the web server on port 80:

- Registering a new user whitelist:

- Login as the new user whitelist:

- Secure Notes is a notepad application that stores notes and to-do lists, protects them with AES encryption, and provides quick and easy access using a simple password:

- The email tyler@secnotes.htb informs about two details:

  • user named tyler
  • domain secnotes.htb

- Also, the .php extension on the login page is interesting, as it reveals that the server runs PHP.

- Confirming the existence of user tyler by trying a random password:

- Browsing the other web server at port 8808:

- Viewing the page source, we find the image iisstart.png:


3.1 - SQL injection

- A "second order" SQL injection attack delays execution until a secondary query: a query fragment is injected through a first query that is not necessarily vulnerable itself (it may store the input safely), and the stored fragment is later executed by a second query that is vulnerable to SQL injection because it builds SQL from that stored value.

- Using wfuzz to help us find a valid SQL injection payload:


- Of the proposed payloads, the last one, ' or 1=1 or ''=', seems the easiest to apply:

- Registering ' or 1=1 or ''=' as both the new username and password, and then logging in with those credentials:

- Now the home page shows the credentials of user tyler in the third note, named new site:
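- To make the second-order mechanism described above concrete, here is an added example (not code from the original write-up or from the SecNotes application) modelling the two queries in Python with an in-memory SQLite database. The table and column names are assumptions; the payload ' or 1=1 or ''=' is the one used above. The registration query is parameterized, so the payload is stored literally and nothing happens at that stage; the notes query then concatenates the stored username into SQL, which is where the injection fires and every user's notes are returned. The parameterized version of the same notes query is shown beside it as the fix.

```python
"""
Added example (not part of the original write-up): a minimal model of a
second-order SQL injection in a notes app, with the vulnerable query beside
its parameterized fix. Table and column names are assumptions; the payload
' or 1=1 or ''=' is the one used in the write-up.
"""
import sqlite3

PAYLOAD = "' or 1=1 or ''='"   # payload from the write-up, registered as a username


def setup_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample notes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, username TEXT, title TEXT, body TEXT);
        INSERT INTO notes (username, title, body) VALUES
            ('tyler', 'new site', 'constructed secret note'),
            ('alice', 'groceries', 'milk, eggs');
    """)
    return db


def register(db, username, password):
    """First query: correctly parameterized, so the payload is stored as plain
    data and nothing bad happens yet. That is what makes the attack 'second order'."""
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    db.commit()


def notes_for_user_vulnerable(db, username):
    """Second query: the stored username is concatenated into SQL.
    For the payload the statement becomes
        ... WHERE username = '' or 1=1 or ''=''
    which is true for every row, so every user's notes leak."""
    sql = "SELECT username, title, body FROM notes WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def notes_for_user_fixed(db, username):
    """Same query with a bound parameter: the stored value is compared as data,
    so the payload simply matches no notes."""
    return db.execute(
        "SELECT username, title, body FROM notes WHERE username = ?", (username,)
    ).fetchall()


def login_and_list(db, username, fetch):
    """Simulate the home page: look the account up, then list its notes with
    whichever fetch function the application uses."""
    row = db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return []
    return fetch(db, row[0])


def demo():
    """Register the payload as a user, then render the home page both ways.
    Returns (rows from the vulnerable query, rows from the fixed query)."""
    db = setup_db()
    register(db, PAYLOAD, PAYLOAD)
    leaked = login_and_list(db, PAYLOAD, notes_for_user_vulnerable)
    safe = login_and_list(db, PAYLOAD, notes_for_user_fixed)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned", len(leaked), "notes:", [r[:2] for r in leaked])
    print("parameterized query returned", len(safe), "notes")
```

The point of the example is that validating or escaping input only at the first query is not enough: any later query that rebuilds SQL from stored data is a second injection point, so every query should bind its values as parameters.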

3.2 - Exploiting SMB

- Using the credentials tyler:92g!mA8BGjOirkL%OG*& to access the SMB service on port 445:

- Connecting and listing new-site:

- So we confirm that the new-site share is the folder behind the web service on port 8808, since it contains the image iisstart.png.

3.3 - Getting a remote shell

- First of all, let's download the Windows Netcat binary to Kali:

- Also, let's create exploit.php, a PHP script whose goal is to spawn a remote shell over a Netcat connection:

- Transferring nc.exe and exploit.php from Kali to SecNotes:

- The transfer of both files is successful:

- Setting up a Netcat listener on port 5555:

- Running exploit.php directly from the browser:

- A remote shell is successfully spawned:


- Reading user.txt:


- Access to the Administrator's account is denied, as expected, so we need privilege escalation:

- Checking user tyler's Desktop, there is a file bash.lnk:

- Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10 and Windows Server 2019.

- Reading bash.lnk, the path C:\Windows\System32\bash.exe looks interesting:

- However, the clue is misleading, because there is no bash.exe in C:\Windows\System32:

- Let's find the real location of bash.exe:

- Running bash.exe, we get a root shell in the Windows Subsystem for Linux (WSL):

- Improving the shell:

- Checking the contents of root's home folder, there is the hidden file .bash_history:

- Reading .bash_history, credentials for Administrator are available:

- Making use of the credentials administrator%u6!4ZwgwOM#^OBf#Nwnh, there are two ways of accessing the Administrator's account:

5.1 - Smbclient

- Connecting to the SMB service:

5.2 -

- The Impacket Python script gets us a remote root shell just by providing the Administrator's credentials:


- So we have two options to read root.txt:

- First, transferring root.txt from SecNotes to Kali and reading it locally:

- Second, reading it from the remote root shell: