BOOK HTB

Updated:November 3, 2021 pm

User

All of initial footlhold and user shell is achieved by port 80/http.

Visiting the website we have a login form and a sign up form. From sign up form we can register a user. And then login.
But nothing possible from that. I can signup an admin user by using sql truncation
admin@book.htb. I also add book.htb on /etc/hosts. And then I login on /admin directoy found by gobuster.

Then I use this exploit while I am loged in as admin https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html and then I get id_rsa.

Root

I can get root by exploiting an race condition on exploit and this github repo.. By using this command.

./logrotten -p ./payloadfile ~/backups/access.log but at the same time I give this command : dd if=/dev/urandom of=access.log bs=1 count=200000