Book Machine Walkthrough

Book Hackthebox Machine Detailed Walkthrough

“There is no friend as loyal as a book.” - Ernest Hemingway

Machine Matrix

Machine Summary

Box has an webapplication running that has two user roles: 1. Normal User 2. Admin. Normal user can suggest a book with book name and author of the book, once the book is submitted the admin would approve it. There is an XSS attack in these fields. Admin can be again registered as a user using SQL Truncation attack. The book and author name entered by the user is processed, generated in a pdf that can be viewed in the Admin panel. We use this attack scenario to read the local system files (/etc/passwd and ssh keys of a user). With this, we can gain the user shell through SSH. Inorder to esclate the privileges to root, we monitor the services that are running in the box using pspy. Logrotate is the process that gets executed every 5 seconds and it as exploit. We use that for privilege escalation

Nmap Scan

I started the enumeration with nmap scan

nmap -sC -sV 10.10.10.10.176

The Box had two ports open

PortService
22SSH
80Apache

Enumeration on port 80

I ran dirbuster on port 80

Running dirbuster revealed certain end points that are accessible other than 302:

/admin/
/index.php
/admin/index.php
/db.php

These didn’t have any kind of juicy data so i started to enumerate on the port 80 I created an account in the application

I enumerated the entire site with the application. There was a functionality (book submission) i can suggest a book and that would be approved by the admin. So i thought i can upload a malicious fight and if i could get or bypass admin authentication then i would possibly approve it and the exploit code running. I also found admin’s mail id in contact us page.

I visited the admin page but it needed admin credentials.

SQL Truncation Attack

On viewing the source of the signup page, length of the name and the email parameters are predefined.

Name: Not more than 10 characters
email: 20 characters

On researching a bit, i came to know i can possible use sql truncation attack to signup as admin user (admin@book.htb)

Local File Read Via XSS

I went to the admin login page and logged in as admin with password that i used during the registration (SQL truncation attack). Collections is the page that is related to the functionality which was discussed earlier in this module. I went on with user module and after enumerating a bit, i found that at book submission book title and Author is vulnerable to some kind of stored xss attack. when i give a script tag in the book title,author and upload a random file. This data is processed and exported as a pdf file that can be viewed in admin panel.

Upon researching, i came to know how xss attack can be used to read the intermal files. Local File Read Via XSS. I used the below script to read the /etc/passwd file present in the machine, from which i can get the list of potential users.

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script> 

Acquring User Shell

There is only one potential user (user that have home/user are considered as actual users other all are just services like daemon). Now I would try to read the ssh private key present in the .ssh directory of the user, so that i can login into the box using the key. Below is the script for reading the ssh private key of the user reader

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///home/reader/.ssh/id_rsa");
x.send();
</script> 

Now, I logged in as admin to view the proccessed pdf. I got ssh private key. I copied the entire key to my kali machine and saved it as id_rsa. I set the permissions to the id_rsa file using the below command.

chmod 600 id_rsa

I logged into the machine as user reader and got the user.txt

Privilege escalation

I ran the linpeas it revealed some information that can be liverged to be used for priv-esec, it showed that logrotate is present and it is vulnerable to logrotten exploit.

I also ran pspy to monitor what are the services running in the machine and inorder to check whether there is any service related to logrotate or logrotate process is getting executed.

As expected logrotate is getting executed every 5 seconds. The logrotate utility makes log rotation easy. “Log rotation” refers to the practice of archiving an application’s current log, starting a fresh log, and deleting older logs. The system usually runs logrotate once a day, and when it runs it checks rules that can be customized on a per-directory or per-log basis. so that root part is clear we must use the logrotten exploit (race condition vulnerability) exploit If logrotate is executed as root, with option that creates a file ( like create, copy, compress, etc.) and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories Conditions for privilege escalation

  1. Logrotate has to be executed as root
  2. The logpath needs to be in control of the attacker
  3. Any option that creates files is set in the logrotate configuration

All the preconditions are satisfied as the logrotate is executed by root and i had an accessible log file that is /home/reader/backups/access.log I transfered the compiled file of logrotten exploit to the box in /tmp directory as i had access over it completely.

I created the payload file that can grant me root shell through copying the /bin/bash file to /tmp then i executed the exploit

./logrooten -p exp /home/reader/backups/access.log

When i executed the copied file it granted me the root shell

Instead we can also create a payload file that copies the root.txt file directly to the /tmp directory

Happy Hacking !


© 2020. All rights reserved to r3dw0lf_sec.

Powered by Hydejack v9.0.0-rc.6