Book Writeup — HackTheBox

REBORN SECURITY
4 min read · Jul 15, 2020

Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Finding the login page and signup page
  • Testing for an SQL truncation attack
  • Logging in as admin
  • Using XSS to read local files
  • Uploading our malicious code
  • Getting our SSH key and logging in as Reader
  • We get user.txt
  • Enumerating /var/www/html and getting the SQL credentials
  • Executing logrotten and writing data to the access.log file
  • Gaining root_rsa access
  • We get root.txt

Enumeration phase :

As usual, let's start with the Nmap scan:

[~] nmap -sC -sV 10.10.10.176

Two ports seem to be open: 80 (HTTP) and 22 (SSH).

Checking the web page at http://book.htb/:

I got a login page and a signup page:

Let's run gobuster in the meantime:

The admin directory seems interesting, so let's run gobuster on it too:

Back to our login page, reading the source code:

It seems to be vulnerable to an SQL truncation attack:

So I made a user called admin with the password rebornsec, so that the final email is admin@book.htb; using the vulnerability, we add 7 spaces and an A to the end of our email:
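The following is an added example, not code from the box or from this writeup: a small Python model of the signup bug, in which the duplicate-email check runs on the raw input while the INSERT silently truncates it to the column width, and a PAD SPACE collation then ignores the trailing spaces at login. Beside it is a hardened check that refuses over-long or whitespace-containing addresses before the database can alter them; the column width (20), the function names and the list-based user store are assumptions.

```python
# Added model of the SQL truncation bug in the signup flow, beside a hardened
# check. Assumptions: a VARCHAR(20) email column, non-strict SQL mode and a
# PAD SPACE collation; the user store is a plain list standing in for the table
# (password hashing is omitted from the model).
EMAIL_MAX = 20

def legacy_store(value: str) -> str:
    """Non-strict MySQL VARCHAR behaviour: over-long input is silently cut."""
    return value[:EMAIL_MAX]

def legacy_equal(a: str, b: str) -> bool:
    """PAD SPACE collation behaviour: '=' ignores trailing spaces."""
    return a.rstrip(" ") == b.rstrip(" ")

def naive_signup(users: list, email: str, password: str) -> bool:
    """Vulnerable flow: the duplicate check sees the raw string, the INSERT does not."""
    if any(legacy_equal(u["email"], email) for u in users):
        return False          # 'admin@book.htb       A' is not equal to 'admin@book.htb'
    users.append({"email": legacy_store(email), "password": password})
    return True               # stored as 'admin@book.htb      ' (cut at 20 chars)

def legacy_login(users: list, email: str, password: str) -> bool:
    """SELECT ... WHERE email = ? AND password = ? under the same collation rules."""
    return any(legacy_equal(u["email"], email) and u["password"] == password
               for u in users)

def hardened_signup(users: list, email: str, password: str) -> bool:
    """Reject what the column would alter; in production also set
    sql_mode=STRICT_TRANS_TABLES and put a UNIQUE index on email."""
    if any(c.isspace() for c in email):
        return False          # whitespace is never part of a valid address
    if len(email) > EMAIL_MAX:
        return False          # refuse instead of letting the column truncate
    if any(u["email"] == email for u in users):
        return False
    users.append({"email": email, "password": password})
    return True

def demo() -> tuple:
    """Constructed scenario: an existing admin row, then a second 'admin' signup."""
    payload = "admin@book.htb" + " " * 7 + "A"   # the input the writeup describes
    vuln = [{"email": "admin@book.htb", "password": "unknown"}]
    naive_signup(vuln, payload, "rebornsec")
    safe = [{"email": "admin@book.htb", "password": "unknown"}]
    rejected = not hardened_signup(safe, payload, "rebornsec")
    # (True, True): the new password logs in as admin on the naive path,
    # while the hardened path refused the account.
    return legacy_login(vuln, "admin@book.htb", "rebornsec"), rejected
```

A signup whose stored email differs from the submitted one is a useful thing to log and alert on, since a legitimate registration never needs trailing whitespace.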

After logging in as admin, we figure out that our target user is Reader, so I tried to get the user's SSH key using exploit.js:

After downloading the PDF, I got the SSH key:

chmod 600 id_rsa, then ssh -i id_rsa reader@10.10.10.176 -v:

And we got our user.txt!

Root phase :

Enumerating /var/www/html/db.php:

We got some credentials:

book_admin:I_Hate_Book_Reading in database: book

We got a new credential: admin:Sup3r_S3cur3_P455

Actually, this credential is only a trap :D

Running pspy64 on the host, we get some interesting information:

/usr/sbin/logrotate runs every 5 seconds with the config file /root/log.cfg

If logrotate is executed as root with an option that creates a file (such as create, copy, or compress) and the user controls the log file path, a race condition can be abused to write files into arbitrary directories, and an attacker could elevate privileges by writing reverse shells into directories like "/etc/bash_completion.d/"; see the GitHub project for more:

So I uploaded the script to my host and compiled it, then ran it, triggering it by writing random words into access.log:

And finally, it worked after several tries:

If we check /tmp, we get our root_rsa:

Now log in as root, and we claim our root.txt:

Congratulations, we owned BOOK!
