All of the initial foothold and the user shell is achieved via port 80/http.

Visiting the website we have a login form and a sign up form. From the sign up form we can register a user and then log in, but nothing is possible from that. I can sign up an admin user by using SQL truncation with admin@book.htb. I also add book.htb to /etc/hosts. Then I log in on the /admin directory found by gobuster.
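As an added example (not part of the writeup, and not the site's code), here is the SQL truncation behaviour behind that sign-up modelled in Python beside a hardened registration check. The 20-character column width and the trailing-space (PAD SPACE) comparison are assumptions about the backend, not facts from the page.

```python
EMAIL_MAX = 20  # assumed VARCHAR(20) width of the users.email column


def truncate_like_mysql(value):
    """Non-strict MySQL silently cuts an over-long value to the column width."""
    return value[:EMAIL_MAX]


def pad_space_equal(a, b):
    """PAD SPACE collations ignore trailing spaces when comparing strings."""
    return a.rstrip(" ") == b.rstrip(" ")


class VulnerableUsers:
    def __init__(self):
        self.rows = []  # (stored_email, password), constructed in-memory table

    def register(self, email, password):
        # Uniqueness is checked against the raw, padded input, so no match ...
        if any(pad_space_equal(e, email) for e, _ in self.rows):
            return False
        # ... but the stored value is truncated and now collides with admin
        self.rows.append((truncate_like_mysql(email), password))
        return True

    def login(self, email, password):
        return any(pad_space_equal(e, email) and p == password
                   for e, p in self.rows)


class HardenedUsers(VulnerableUsers):
    def register(self, email, password):
        # Normalise, then reject anything the column could not store intact.
        # Server-side, pair this with sql_mode=STRICT_TRANS_TABLES and a
        # UNIQUE index on email so truncation raises an error instead.
        email = email.strip()
        if len(email) > EMAIL_MAX or " " in email:
            return False
        return super().register(email, password)
```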

Then I use this exploit while I am logged in as admin, and then I get id_rsa.


I can get root by exploiting a race condition with this exploit and this GitHub repo, by using this command.

./logrotten -p ./payloadfile ~/backups/access.log, but at the same time I run this command: dd if=/dev/urandom of=access.log bs=1 count=200000

