Book Writeup — HackTheBox
Made by RebornSec ®
Machine Maker(s) :
Overview :
- Finding the login page and signup page
- Testing for an SQL truncation attack
- Logging in as admin
- Using XSS to read local files
- Uploading our malicious code
- Getting our SSH key and logging in as reader
- We get user.txt
- Enumerating /var/www/html and getting the SQL credentials
- Executing logrotten and writing data to the access.log file
- Gaining root_rsa access
- We get root.txt
Enumeration phase:
As usual, let's start with the Nmap scan:
[~] nmap -sC -sV 10.10.10.176
Two ports seem to be open: 80 (HTTP) and 22 (SSH).
Checking the webpage http://book.htb/:
I got a login page and a signup page:
Let's run gobuster in the meanwhile:
The admin directory seems interesting, so let's run gobuster on it too:
Back to our login page, reading the source code:
It seems to be vulnerable to an SQL truncation attack:
So I made a user called admin with the password rebornsec, and the resulting email is admin@book.htb. Using the vulnerability we add 7 spaces and an A to the end of our email: the value is longer than the email column allows, so the database silently truncates it and the stored email collapses back to admin@book.htb:
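To make the mechanism concrete, here is an added example (not code from the writeup or from the Book application) that simulates the two database behaviours an SQL truncation attack relies on, non-strict truncation on INSERT and trailing-space-insensitive string comparison, next to a signup routine that closes the hole. The column width of 20, the account values and the store classes are all constructed for the demo; the real application's schema is not known from the page.

```python
"""Added example: why padded input lets a second "admin" row collide with the
real one, and the server-side checks that prevent it. All values here are
constructed for the demo (assumed VARCHAR(20) email column)."""

EMAIL_COLUMN_WIDTH = 20  # assumption: the email column is VARCHAR(20)


class LegacyUserStore:
    """Emulates a MySQL server without STRICT mode: a value longer than the
    column is silently cut to the column width on INSERT, and a PAD SPACE
    collation ignores trailing spaces when two strings are compared."""

    def __init__(self):
        self.rows = []  # list of (stored_email, password)

    @staticmethod
    def _key(value):
        # PAD SPACE comparison: trailing spaces do not count.
        return value.rstrip(" ")

    def signup(self, email, password):
        # The uniqueness check sees the full, untruncated value, so
        # "admin@book.htb<spaces>A" does not match the existing admin row...
        if any(self._key(e) == self._key(email) for e, _ in self.rows):
            return False
        # ...but the row is stored truncated to the column width.
        self.rows.append((email[:EMAIL_COLUMN_WIDTH], password))
        return True

    def login(self, email, password):
        return any(self._key(e) == self._key(email) and p == password
                   for e, p in self.rows)


class HardenedUserStore(LegacyUserStore):
    """Same store, but input is validated before it reaches the database and
    comparisons are exact, so nothing is ever truncated or padded."""

    def signup(self, email, password):
        # Reject anything that could not be stored verbatim.
        if len(email) > EMAIL_COLUMN_WIDTH or any(ch.isspace() for ch in email):
            return False
        if any(e == email for e, _ in self.rows):
            return False
        self.rows.append((email, password))
        return True

    def login(self, email, password):
        return any(e == email and p == password for e, p in self.rows)


def run_demo(store_cls):
    """Returns (attacker_account_created, attacker_can_log_in_as_admin)."""
    store = store_cls()
    store.signup("admin@book.htb", "original-secret")  # legitimate admin
    padded = "admin@book.htb" + " " * 7 + "A"          # constructed attacker input
    created = store.signup(padded, "rebornsec")
    hijacked = store.login("admin@book.htb", "rebornsec")
    return created, hijacked


if __name__ == "__main__":
    print("legacy  :", run_demo(LegacyUserStore))    # (True, True)
    print("hardened:", run_demo(HardenedUserStore))  # (False, False)
```

On a real MySQL server the first half of the fix is configuration, not code: with `STRICT_TRANS_TABLES` in `sql_mode` the oversized INSERT raises an error instead of truncating, and the application-side length check then only reports the problem early. The exact comparison and the whitespace rejection are still needed, because the padding trick depends on the comparison treating two different strings as equal.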
After logging in as admin we figure out that the user we want is reader, so I tried to get the user's SSH key through the XSS-in-PDF vector using exploit.js:
After downloading the PDF I got the SSH key:
chmod 600 id_rsa, then ssh -i id_rsa reader@10.10.10.176 -v:
And we got our user.txt!
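The root cause of this step is that user-supplied fields are pasted into the HTML that the PDF engine renders, so markup in a book title executes inside the converter. The following added example (not code from the writeup or from the Book application; the row template and the validator are constructed for the demo) shows the two server-side controls that stop it: escaping every field before it is placed in the template, and rejecting markup at submission time as defence in depth.

```python
"""Added example: building the HTML that feeds an HTML-to-PDF converter
without letting user input become markup. Template and field names are
constructed for the demo."""
import html
import re

_MARKUP = re.compile(r"[<>]")


def is_plain_text(value):
    """Submission-time check: titles and authors never legitimately contain
    angle brackets, so reject them before anything is stored."""
    return _MARKUP.search(value) is None


def render_book_row(title, author):
    """Escape each user-controlled field; the converter then sees text, not
    tags, so a <script> element in a title is rendered literally."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(title, quote=True),
        html.escape(author, quote=True),
    )


def render_collection(books):
    """Assemble the document body from (title, author) pairs."""
    rows = "".join(render_book_row(t, a) for t, a in books)
    return "<html><body><table>{}</table></body></html>".format(rows)


if __name__ == "__main__":
    # Constructed input: a hostile title next to a normal one.
    sample = [("<script>/* payload */</script>", "nobody"), ("Dune", "Frank Herbert")]
    print(render_collection(sample))
    print([is_plain_text(t) for t, _ in sample])  # [False, True]
```

Escaping is the control that must never be skipped; the validator is a second layer that also gives the application a clean place to log and alert on submissions that contain markup. Whatever converter produces the PDF should additionally run with local file access and network access turned off, since the script in this attack only works because the renderer could read files from the server's filesystem.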
Root phase:
Enumerating /var/www/html/db.php:
We got some credentials:
book_admin:I_Hate_Book_Reading in database: book
We got new credentials: admin:Sup3r_S3cur3_P455
Actually these credentials are only a trap :D
Running pspy64 on the host, we get some interesting information:
/usr/sbin/logrotate runs every 5 seconds with the config file /root/log.cfg.
If logrotate is executed as root with an option that creates a file (like create, copy, compress, etc.) and the user controls the log file path, it is possible to abuse a race condition to write files into arbitrary directories, and an attacker could elevate privileges by writing a reverse shell into directories like /etc/bash_completion.d/; see the GitHub project for more:
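The condition that makes this exploitable is visible from the configuration alone: a rotated log whose directory a non-root user can write to, combined with a directive that makes logrotate create files as root. The added example below (not code from the writeup or from the logrotten project) audits a logrotate config for exactly that pairing. The config parser is a deliberately minimal one written for the demo, and the risky-directive list and the sample config are assumptions.

```python
"""Added example: flag logrotate entries where a non-root user could control
the log path while root creates files during rotation. Parser, directive
list and sample paths are constructed for the demo."""
import os
import re
import stat
import tempfile

# Directives that make logrotate create or write a file during rotation.
RISKY_DIRECTIVES = {"create", "copy", "copytruncate", "compress"}

_ENTRY = re.compile(r"^([^\s{}#][^{}]*?)\s*\{(.*?)\}", re.S | re.M)


def parse_logrotate_config(text):
    """Return [(log_path, {directive, ...}), ...] for each 'path { ... }' block.
    Minimal on purpose: no include handling, no quoted paths."""
    entries = []
    for match in _ENTRY.finditer(text):
        directives = {line.split()[0]
                      for line in match.group(2).strip().splitlines()
                      if line.strip()}
        for path in match.group(1).split():
            entries.append((path, directives))
    return entries


def assess_entry(log_path, directives, dir_uid, dir_mode):
    """Pure check on the log's parent directory: owned by someone other than
    root, or group/world writable, means a non-root user can swap the log
    for a symlink between logrotate's checks."""
    non_root_writable = dir_uid != 0 or bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if not non_root_writable:
        return []
    risky = sorted(directives & RISKY_DIRECTIVES)
    if risky:
        return ["{}: rotated with {} while its directory is writable by a "
                "non-root user".format(log_path, ", ".join(risky))]
    return ["{}: directory is writable by a non-root user".format(log_path)]


def audit_config(text):
    """Run assess_entry over every entry, reading real directory metadata."""
    findings = []
    for log_path, directives in parse_logrotate_config(text):
        parent = os.path.dirname(log_path) or "/"
        try:
            st = os.stat(parent)
        except FileNotFoundError:
            continue
        findings.extend(assess_entry(log_path, directives, st.st_uid, st.st_mode))
    return findings


def demo():
    """Constructed scenario: a world-writable directory holding a log that
    root rotates with 'create'."""
    log_dir = tempfile.mkdtemp(prefix="logaudit-")
    os.chmod(log_dir, 0o777)
    config = "{}/access.log {{\n    daily\n    rotate 3\n    create\n}}\n".format(log_dir)
    return audit_config(config)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a real host, run `audit_config` over `/etc/logrotate.conf` and the files under `/etc/logrotate.d/`; any finding means either the directory permissions should be tightened so only root can rename entries in it, or the rotation should be moved to a root-owned directory. The check on the directory, rather than on the log file itself, is the important part: the race in logrotten is won by replacing the directory entry, which needs write access to the directory, not to the file.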
So I uploaded the script to the host, compiled it and ran it, triggering it by writing random words into access.log:
And finally, after several tries, it worked:
If we check /tmp we get our root_rsa:
Logging in now as root, we claim our root.txt:
Congratulations, we owned BOOK!