System Summary
Initial Enumeration
It's a Linux box so the first step is nmap but this only shows port 22 and port 80.
The web site looks a gallery/library site.
Here's the login page:
With a scanner like dirb or dirbuster I can find an administration URL: http://10.10.10.176/admin
The interesting part here is the registration form n the main page:
There is a check that the name and email fields must be shorter than 10 and 20 characthers respectively.
After some tentatives with varius tecniques like SQL injection, I came across the "SQL Truncation" vulnerability, which I've never encountered before.
If we try to register an existing account (like admin@book.htb 😃) we get the error "User Exists!", which is good.
But we can fool this registration form and we can change the password of the existing user.
The idea is to add spaces to name and email filed to reach the length limit plus one character.
Example:
- name: admin 1 (note the 5 spaces to reach a total lenght of 11)
- email: admin@book.htb 1 (note the 6 spaces to reach a lenght of 21)
This will foll the SQL select clause to check existance of admin@book.htb due to spaces and characters.
But the following SQL insert clause will ignore the last character and then will strip out the trailing spaces, effectively overwriting the data of admin@book.htb record.
Unfortunately the web form is not usable because it doesn't accept spaces in the email field: we have to use Burp Repeater.
We can simulate a registration and then send the POST to Burp Repeater module and add the spaces in the email field (line 14 of the image below)
With this we can reset the admin@book.htb password to test123
And we can login to the admin section:
Initial Foothold and User flag
Now that we have two way of access we can use- standard user to upload malicious things in the coll
- admin user (admin@book.htb) to download a PDF containing
Standard User can upload files here:
Admin user can download a PDF of all the collections (the already populated plus the ones generated by user uploads) here:
The second PDF link will generate the PDF below (the fith element was generated by user upload):
Might wonder if we can upload some php file with reverse shell or other things to pop a shell
I tried many things for hours with no luck.
Finally I got he solution which is not related to the file but to the title or Author field.
It is interpreted as HTML, so we can inject a script.
The solution is to paste a code like this in the book title or author:
We can collect the PDF in the admin portal and see:
And this PDF output:
This key can be converted to text with pdftotext and then used for accessing the box:
Root Flag
Upon enumerating we can discover some weird processes that runs periodically (around 4 minutes)- a custom logrotate service that rotates files in /home/reader/backup/access.log
- an automated ssh session to localhost as root that last a few seconds
- a reset script that cleans up /home/reader/backup/
I believe that box creator wanted the users to exploit the race condition in logrotate as explained in https://github.com/whotwagner/logrotten
There is a race condition in logrotate that gives a way to write files in privileged folder
We just have to create a script in bash (payload) and run the exploit present in the github repo
The exploit is configured to take the payload file and move it to /etc/bash_completion.d/
So the payload will run as a script as soon as a user logs in
Now let's create a script that copies the root flag (it could a reverse shell or other commands). Be sure to make it run only if current user is root (the sense of `id -u` -eq 0)
if [ `id -u` -eq 0 ]; then (/bin/cat /root/root.txt >> /tmp/flag &); fi
After the automated ssh session by root the flag is copied in the desired location :
Please be aware that this is a race condition and it can be difficult to trigger if many users are trying to exploit it at the same time
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.