BOOK — HTB Machine

Rishabh Rai
6 min readMar 23, 2024

A medium Linux machine is a great way to keep yourself busy on the weekends… let’s get started with the scanning of the IP.

I use my personal script to scan the IP …….

in the fast scan — — i got these two classic ports open

Then I ran a dibuster to find out about the directories and map those ….

To narrow down the places to scan…..

Let’s sign up to login on the page….

Greeted with Library Home Page… Will explore the functionalities available on this page

payload.php was uploaded but there is place to find it, I tried to access docs but it is my permissions are not enough to access and there is no other way i found where the uploaded files are stored.

admin@book.htb — — — ADMIN E-Mail …. can be useful

a edit profile option is also present…

Couldn’t find anything useful related to XSS but only 10 characters are available for username…..
since it is updating value so there might be some way to connect this with database vulnerabilities specially SQL related…

So upon trying several times and reading a java scipt note on the page i found out that

name can be 10 char long
email can be 20 char long

with right number of spaces

I used
admin@book.htb++++++ in place of admin@book.htb

giving me access to the page as admin user!!

this a little bit more extra than the email limit !!

was still signed in as a user so to get the admin access i had to login through the admin portal let’s go

While trying this it is saying Nope So let’s get in via BURP …….

999 tries later ….. We are finally in as admin

Upon loggin in and clicking on collection data we are getting this table and with a little tweaking in the author name we can do this

I have used img tag to direct a request on my IP let’s see if it works

YESS it does…

Now let’s try to exploit this in order to get something useful to get a foothold on the machine

Upon searching Javascript for local file read and XSS for local file read, I found this link helpful :

x=new XMLHttpRequest;

With a script to read etc/passwd, i read this

Now that we have this we can move further to get a reverse shell if possible

x = new XMLHttpRequest();
x.onload = function() {
var content = this.responseText;
var boxedContent = ‘<div style=”border: 1px solid black; padding: 10px; margin: 10px; font-family: monospace; font-size: 12px; max-height: 400px; overflow: auto;”><pre>’ + content + ‘</pre></div>’;
document.body.innerHTML = boxedContent;
};“GET”, “file:///home/reader/.ssh/id_rsa”);

After rigorous trial and error i finally found a good code to show me id_rsa key properly ..

Finally the foothold ..

with that user flag is submitted !!

To analyse the machine better i wget LINPEAS.SH on the machine and then in the output i find this

access.log file in the reader/backups directory !!

Where we have writing access !!

coming to the checklist I find this … searching for logtotten exploit redirects me to logrotate exploit … Hence there we Go

With an article’s help I found pspy32 and upon using that I got that logrotate is being used on log.cfg related to this there is a vulnerability and this version is also vulnerable to that vulnerabilty which might help me to get a root shell on the box :

I transferred logrotten to the target machine and upon compiling the file with gcc I got an executable…

and with the steps given in the I m hoping to get root shell …..

Let’s execute

Let’s wait for sometime to see if we get a call back or not…

Ok so i tried everything but it was not working so it was time to get a little creative i thought if i can not connect to the server maybe there is some issue then i should try to at least read it and save it some place safe….

So with this i changed the to

And after less than a minute i got the flag……

AND the task is completed but if someone has connected sucessfully to the box recently then pls share your thought about what could have went wrong in connecting to the machine..


My Reveiw:
A very interesting room on exploiting SQL truncation, but getting anything done on the root side is a hustle in itself …. After trying a lot of time to connect in the end i had to take the high road and get creative about it… But it is indeed a learning lesson and I loved the Machine 🎉🥳

Join me on various platforms to discuss Cybersecurity and Cloud-related topics. From security best practices to cloud infrastructure, let’s exchange ideas and insights and stay ahead of the curve..




Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.