HackTheBox - Book
Hello guys, I am Faisal Husaini. My username on HTB is hulegu. Also join me on Discord.
The IP of this box is 10.10.10.176.
Port Scan
Running an Nmap full port scan on it, we get
We get only 2 open ports: SSH on port 22 and a web server on port 80.
Moving on to the web part.
Port 80 — Web
Opening the IP in the browser, we get
Trying default credentials, we don't get any luck, so we move to the Sign Up page.
We put in our details to create an account.
Now we sign up and then log in with the created account.
After login, we see a nice-looking website; looking further,
the Contact Us page leaks the admin email address.
We try a SQL truncation attack by intercepting the request in Burp.
Now we forward the request and then try to log in as the admin user.
Clicking on Sign In, we see
We don't see any difference here; it all looks the same as for the normal user we created before.
Running a Gobuster scan, we find a useful directory named /admin.
Opening the link, we see that there is a separate Admin Sign In page for the admin.
So we sign in using the credentials we created via SQL truncation.
We log in successfully as admin and see completely different content from before.
Moving back to the normal user section and going to the Collections area, we see that we can upload a file along with an author name and a book title.
So at first I try to upload a PHP webshell.
We get a popup stating that the admin will evaluate the upload and update the list.
In the admin area, we go to the Collections section and download both of the PDFs.
The users PDF contains the list of names and emails of the accounts created on the site.
In the Collections PDF, our uploaded file appears, and the book title and author are also reflected in the PDF, so we try some HTML injection.
We try to bold the author name and book title and check the results.
Our HTML injection worked, so we move on to XSS, which will give us local file reads using the payload below:
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
We try this in both the Book Title and Author fields and check the results.
We get the contents of /etc/passwd and see a user named reader, so we try to grab its SSH key using the payload below:
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>
We got the SSH key for the user reader, but when copying it from the PDF viewer we had issues, as it did not copy in the proper format.
So we use Ghostscript to extract the contents of the PDF into a text file.
The extracted key file comes with some unwanted text, which we remove manually.
We connect as user reader and move on to get the user flag.
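The root cause of the PDF file read above is user-controlled title/author text being dropped straight into the HTML that the PDF engine renders. As an added illustration (not code from the box or this write-up; the box's real generator language is unknown, so this is a hypothetical Python rendering of the pattern), the unsafe row builder sits beside an escaped one, plus a small heuristic flagger a defender could run over submissions before any PDF is generated:

```python
import html
import re

# Constructed sample submissions (not taken from the box): one benign entry
# and one carrying the XSS-to-local-file-read payload described above.
SUBMISSIONS = [
    {"title": "Clean Code", "author": "Robert C. Martin"},
    {"title": '<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};'
              'x.open("GET","file:///etc/passwd");x.send();</script>',
     "author": "<b>bold</b>"},
]

def render_row_unsafe(entry):
    # The vulnerable pattern: raw user text concatenated into HTML, so the
    # PDF engine interprets tags and executes scripts with file:// access.
    return f"<tr><td>{entry['title']}</td><td>{entry['author']}</td></tr>"

def render_row_safe(entry):
    # Fix: entity-encode every user-controlled value before it reaches HTML.
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(entry["title"], quote=True),
        html.escape(entry["author"], quote=True))

# Heuristic: an HTML tag opener, a file:// URL, or an on*= event handler.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|file://|\bon[a-z]+\s*=", re.IGNORECASE)

def flag_submission(entry):
    """Return the names of fields that look like markup/script injection,
    so the submission can be logged or rejected before PDF generation."""
    return [field for field, value in entry.items() if SUSPICIOUS.search(value)]

def build_pdf_html(entries, safe=True):
    # Assemble the collections report the admin downloads, using either the
    # vulnerable or the escaped row renderer.
    render = render_row_safe if safe else render_row_unsafe
    rows = "".join(render(e) for e in entries)
    return f"<html><body><table>{rows}</table></body></html>"
```

Escaping removes the injection; as defence in depth, HTML-to-PDF renderers should also run with local file access disabled (wkhtmltopdf, for example, has a --disable-local-file-access option) so a future injection cannot read server files.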
Privilege Escalation
Running pspy, we see that logrotate is run by root at regular intervals.
We found an exploit for it, but first we have to prepare our payload.
Now we run the exploit and look at the backups directory in reader's home folder, which contains the log files handled by logrotate.
We copy our file there so that it triggers the exploit, and then we see
It copied root's SSH key into the directory we created, and we can read it below.
Now we connect as the root user
and get the root flag.
References
Abusing a race condition in logrotate to elevate privileges
Local File Read via XSS in Dynamically Generated PDF