HackTheBox Writeup — Book

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

The IP of this box is 10.10.10.176

Port Scan

We just get only 2 Open Ports, one for SSH running on Port 22 and other for web running on Port 80

Moving to the web part

Port 80 — Web

Trying default credentials, we don't get any luck so we move towards the Sign Up page

We now put our details to create an account

Now we just signup and then login through the created account

After login, we see that we have a cool website , looking further more

We have something in Contact Us page which leaked the admin email address

We try for SQL Truncation Attack by intercepting the request in Burp

Now we forward the request and then try to login to the admin user

Clicking on Sign In, we see

We don't see any differences here as its looks all the same as a normal user like we created before

Running Gobuster scan, we see a useful directory named /admin

Opening the link, we see that we have a different Admin Sign In Page created for admin

So we now sign in using the credentials we created from SQL Truncation

We logged in successfully as admin and we see completely different stuff from before

Now moving back to the normal user section, and going to the Collections area, we see that we can upload a file with author name and book title

So at first I try to upload a php webshell

We get a popup stating that the admin will evaluate the upload and update the list

On the Admin page area, going to the collections section and downloading the both of the PDF

The users pdf file contains the list of Names and Emails of accounts created on the page

On the Collections PDF file, we see that our file which we uploaded shows here, also you notice that the name and author is also reflecting on the PDF , so we try some HTML Injections

We try the to bold the author name and book title and see the results

We see that our HTML Injection worked, so we will now move into getting XSS which will help us getting local file reads, for which we will use the below command

<script>x=new  XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

We now try this on both Book Title and Author section and then see the results

We got the contents of /etc/passwd file, we see that there is a user named reader, so we will try to get the ssh keys of it using the below command

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>

We got the ssh key for the user read, but when try to copy the key from here , we were having some issues as it wasnt copying in properly format

So we use ghostscript to copy the contents of the pdf into a file

We see we copied the key file along with some unwanted text which we later remove it manually

We connected to user reader and now moving on to get user flag

Privilege Escalation

We found an exploit for it and before that have to prepare our payload

Now we run the exploit and see the backups directly which was in home folder of user reader which contained log files for logrotate

We copied so that it triggers the exploit and then we see

We see that it copied the root ssh key to our created directory and we can read it below

Now we move into connecting to root user

Moving onto getting the root flag

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover