From nmap, there are HTTP and Samba services open.

Scanning all the ports, I found an extra port, 8808, is open running HTTP.

This is the web page at port 8808.

There is a login portal and sign-up page at port 80.

This is the home page after we log in. It mentions tyler@secnotes.htb. I tried to log in as tyler, but failed. However, it didn't say "No account found for tyler", so this user indeed exists.

There are some functions on the home page: New Note, Change Password, and Contact Us. When I paste a URL as the message in Contact Us, tyler will visit that page.

I changed the original Change Password request from POST to GET, and it still works. This can be the vulnerability. I posted the URL for the password change request in Contact Us. After tyler accesses that page, his new password will be password.
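
The password change flaw above, as an added example that is not part of the original writeup or the SecNotes application: a handler that applies the change on any method without a token, beside a hardened version that requires POST, a per-session CSRF token and the current password (the Request class and all names are constructed for this example).

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example, not a real framework)."""
    method: str
    params: dict                                  # query string (GET) or form body (POST)
    session: dict = field(default_factory=dict)   # server-side session of the logged-in user


def change_password_vulnerable(req: Request, users: dict) -> bool:
    """Models the flaw in the writeup: any method is accepted and nothing proves the
    request came from the user's own form, so a link the victim opens is enough."""
    user = req.session.get("user")
    new = req.params.get("password")
    if user is None or not new:
        return False
    users[user] = new
    return True


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the session; the form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def change_password_hardened(req: Request, users: dict) -> bool:
    """State-changing action: POST only, CSRF token must match the session token
    (constant-time compare, single use), and the current password must be supplied."""
    if req.method != "POST":
        return False
    user = req.session.get("user")
    expected = req.session.get("csrf")
    supplied = req.params.get("csrf", "")
    if user is None or not expected or not hmac.compare_digest(expected, supplied):
        return False
    if req.params.get("current") != users.get(user):
        return False
    new = req.params.get("password")
    if not new:
        return False
    req.session.pop("csrf")        # single use: a replayed form must fetch a new token
    users[user] = new
    return True
```

A victim-opened GET link changes the password in the first handler and is rejected by the second, which only accepts a POST carrying the token it issued to that session.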

I log in as tyler with the password password, and get another password in the post.

I can access SMB with this credential, and the share is the directory for port 8808. I upload an Invoke reverse shell script and access it from the browser. I get a reverse shell as tyler.

There is a file bash.lnk, which indicates that there may be a Windows Subsystem for Linux (WSL) installation. I tried to find its root directory.

I access that directory and grep the content of .bash_history. I can get the administrator credential from an smbclient command.

I used psexec.py from impacket to log in as administrator.
