Hackthebox- Writeup Book

Tram Ho

Preamble

Back to the Hackthebox writeup series: Hackthebox retired the Book box yesterday, rated Medium. This article was written on March 24 but is only being published now. Let’s see how this box plays out.

Get User

An nmap scan shows that the server has a website on port 80. Registering a new account works normally, but registering with the admin’s e-mail address [email protected] fails because that account already exists.

Remember the earlier Postbook writeup: register with an e-mail that the database stores as the admin’s e-mail, then log in again and you are the admin.

This is called a SQL truncation attack: the database silently truncates the over-long string on insert, which bypasses the application’s duplicate-name check.
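To make the truncation mechanism and its fix concrete, here is an added example (not code from the box or from the original post). It simulates a registration flow backed by a 20-character e-mail column in a MySQL-style lenient mode using sqlite3, and places the vulnerable check beside a hardened one. The column width, the placeholder address admin@example.com and the passwords are constructed for the demo.

```python
import sqlite3

# Constructed demo values: a 20-character e-mail column and a placeholder admin address.
EMAIL_MAX = 20
ADMIN_EMAIL = "admin@example.com"  # placeholder, not the box's real address


def _store_like_lenient_mysql(value: str) -> str:
    """Simulate MySQL without STRICT mode: the value is silently truncated to the
    column width, and PAD SPACE collations then ignore trailing spaces in
    comparisons. Both effects are modelled here with a slice and rstrip()."""
    return value[:EMAIL_MAX].rstrip()


def make_db(unique_email: bool) -> sqlite3.Connection:
    """Fresh in-memory table seeded with the admin row (passwords kept in
    plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_email else ""
    conn.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT {constraint}, password TEXT)")
    conn.execute("INSERT INTO users(email, password) VALUES (?, ?)", (ADMIN_EMAIL, "admin-secret"))
    return conn


def vulnerable_register(conn, email: str, password: str) -> bool:
    # The duplicate check runs on the raw input, which is longer than the column...
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        return False
    # ...but the stored value is truncated, so it can collide with an existing row.
    conn.execute("INSERT INTO users(email, password) VALUES (?, ?)",
                 (_store_like_lenient_mysql(email), password))
    return True


def hardened_register(conn, email: str, password: str) -> bool:
    """Normalise, enforce the column width in the application, and rely on a
    UNIQUE constraint rather than a separate SELECT."""
    email = email.strip().lower()
    if len(email) > EMAIL_MAX:
        raise ValueError("e-mail exceeds column width")
    try:
        conn.execute("INSERT INTO users(email, password) VALUES (?, ?)", (email, password))
    except sqlite3.IntegrityError:
        return False  # address already taken
    return True


def login(conn, email: str, password: str):
    """Return the e-mail of the matching row (the session identity), or None."""
    row = conn.execute("SELECT email FROM users WHERE email = ? AND password = ?",
                       (email, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    # Over-long input: the admin address, padded with spaces, plus one extra character.
    padded = ADMIN_EMAIL + " " * (EMAIL_MAX - len(ADMIN_EMAIL)) + "X"

    vuln = make_db(unique_email=False)
    accepted = vulnerable_register(vuln, padded, "attacker-pass")
    dup_rows = vuln.execute("SELECT COUNT(*) FROM users WHERE email = ?", (ADMIN_EMAIL,)).fetchone()[0]
    session = login(vuln, ADMIN_EMAIL, "attacker-pass")

    hard = make_db(unique_email=True)
    try:
        hardened_register(hard, padded, "attacker-pass")
        rejected_overlength = False
    except ValueError:
        rejected_overlength = True
    exact_dup_accepted = hardened_register(hard, ADMIN_EMAIL, "attacker-pass")

    return {
        "vulnerable_accepted": accepted,
        "vulnerable_duplicate_rows": dup_rows,
        "vulnerable_session_email": session,
        "hardened_rejected_overlength": rejected_overlength,
        "hardened_exact_duplicate_accepted": exact_dup_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path ends with two rows carrying the admin address, and a login with the admin address plus the newly chosen password returns an admin session. The hardened path fails closed twice: the over-long string is rejected before it reaches the database, and an exact duplicate is stopped by the UNIQUE constraint. Running the database in STRICT mode gives the same protection at the storage layer.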

Register the admin account, then look around to see what functions are available.

There is a Collections function for submitting books, and the admin has a function to view the Collections list.

And this is the content of Collections.

Here the website has a function that takes the title and author and writes them into a PDF using server-side JavaScript; because the user input is rendered as-is, JavaScript in the title can read a local file into the PDF so that it can be read back.

Fill in the title with the above payload and get the result.
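The root cause above is that user-supplied title and author text reaches the HTML-to-PDF renderer as markup. The following added example (not the box’s code or the original post’s) shows the unsafe interpolation beside an escaped version, plus a small check a defender can log on. The template string, the `looks_like_injection` helper and the sample inputs are constructed for the demo.

```python
import html
import re

# Constructed template standing in for whatever HTML the PDF generator renders.
TEMPLATE = "<html><body><h1>{title}</h1><p>by {author}</p></body></html>"

# Matches an opening script tag regardless of case or whitespace after '<'.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_vulnerable(title: str, author: str) -> str:
    """Raw interpolation: whatever the user typed is handed to the renderer as HTML."""
    return TEMPLATE.format(title=title, author=author)


def render_hardened(title: str, author: str) -> str:
    """Escape both fields so angle brackets and quotes become inert text."""
    return TEMPLATE.format(
        title=html.escape(title, quote=True),
        author=html.escape(author, quote=True),
    )


def looks_like_injection(value: str) -> bool:
    """Detection hook (hypothetical): True when a submitted field contains an
    opening script tag. Call this before rendering and log the submission."""
    return bool(SCRIPT_RE.search(value))


def contains_active_markup(rendered: str) -> bool:
    """Post-render check: does the document still contain a live script tag?"""
    return bool(SCRIPT_RE.search(rendered))


if __name__ == "__main__":
    sample_title = "<script>x</script>"  # constructed, deliberately inert sample
    print("vulnerable keeps markup:", contains_active_markup(render_vulnerable(sample_title, "a")))
    print("hardened keeps markup:  ", contains_active_markup(render_hardened(sample_title, "a")))
    print("flag for logging:       ", looks_like_injection(sample_title))
```

Escaping is the fix that matters; the `looks_like_injection` check is only a signal for logging and alerting, since attackers will not always use a literal script tag. Running the renderer with JavaScript disabled, where the PDF engine supports that, removes the file-read primitive entirely.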

Reading /etc/passwd shows a reader user. If we can read that user’s RSA key we can SSH to the server, so we guess the key path /home/reader/.ssh/id_rsa.

We obtain the private key file, which can be used to SSH to the server.

Since the PDF does not display the full private key, use a PDF-to-text tool to extract all of the text from the PDF: https://github.com/pdfminer/pdfminer.six/

After obtaining the private key, we can SSH to the server.

Get the user flag.

Get Root

Run pspy64 to watch the processes running on the server and we see:

Root is running logrotate to rotate the logs. Searching Google for known exploits of this program turns up https://github.com/whotwagner/logrotten

Compile logrotten with gcc and upload it to the box, follow the instructions on the GitHub page, and create a payload file saved as payloadfile.

Then run the program against the access.log file found in the user’s backups folder.

Open one more terminal to write to the access.log file.

This time we only have 5 seconds to read the flag before the connection on the port 4444 listener is closed, so after rooting, read the flag immediately :v
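The weak configuration that logrotten relies on is root rotating a log that lives in a directory the unprivileged user controls, without a `su` directive to drop privileges. The following added audit script (not part of the original post or of logrotten) parses a logrotate configuration, looks up the owner and mode of each log’s directory, and flags stanzas where root would rotate inside a directory writable by the given unprivileged user. The configuration text, the fake stat table, the uid 1000 and the paths under /home/reader are constructed for the demo; the `su reader reader` stanza shows the mitigated form.

```python
import os
import re
import stat

# One stanza: "<path> { ...directives... }" (multi-path globs omitted for brevity).
STANZA_RE = re.compile(r"^\s*(\S+)\s*\{(.*?)\}", re.MULTILINE | re.DOTALL)


def parse_logrotate(text: str):
    """Return a list of (log_path, set_of_directive_names) per stanza."""
    stanzas = []
    for m in STANZA_RE.finditer(text):
        path, body = m.group(1), m.group(2)
        directives = {
            line.split()[0]
            for line in body.splitlines()
            if line.strip() and not line.strip().startswith("#")
        }
        stanzas.append((path, directives))
    return stanzas


def writable_by(owner_uid: int, owner_gid: int, mode: int, uid: int, gids) -> bool:
    """Would a process running as uid/gids be allowed to write here by the mode bits?"""
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def stat_lookup(directory: str):
    """Default lookup against the real filesystem: (uid, gid, mode)."""
    st = os.stat(directory)
    return st.st_uid, st.st_gid, st.st_mode


def audit(config_text: str, uid: int, gids, lookup=stat_lookup):
    """Flag stanzas where root rotates a log inside a directory the given
    unprivileged user can write to, and no 'su' directive drops privileges."""
    findings = []
    for path, directives in parse_logrotate(config_text):
        if "su" in directives:
            continue  # rotation runs as the named user, so a user-owned dir is expected
        owner_uid, owner_gid, mode = lookup(os.path.dirname(path))
        if writable_by(owner_uid, owner_gid, mode, uid, gids):
            findings.append((path, "root-rotates-in-user-writable-dir"))
    return findings


# Constructed sample configuration and a fake stat table standing in for os.stat.
SAMPLE_CONFIG = """
/home/reader/backups/access.log {
    daily
    rotate 3
    create
}
/var/log/nginx/access.log {
    weekly
    rotate 4
    create 0640 root adm
}
/home/reader/app/app.log {
    daily
    su reader reader
    create
}
"""

FAKE_STAT = {
    "/home/reader/backups": (1000, 1000, 0o755),  # owned by the unprivileged user
    "/var/log/nginx": (0, 0, 0o755),              # owned by root
    "/home/reader/app": (1000, 1000, 0o755),      # user-owned, but stanza uses 'su'
}


def demo():
    return audit(SAMPLE_CONFIG, uid=1000, gids={1000}, lookup=lambda d: FAKE_STAT[d])


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Only the backups stanza is reported: its directory is writable by uid 1000 and root rotates it with full privileges. The nginx stanza is fine because root owns the directory, and the app stanza is fine because `su reader reader` makes logrotate drop to that user before touching files. On a real host, call `audit` with the default `lookup` and the uid and groups of the service account in question.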

Conclusion

A box with quite a few techniques in it; hopefully everyone can learn something from it. Happy hacking!


Source : Viblo