Buy Me A Coffee


1->Run Nmap Scan , We can see 80 and 22 are open

2->Go to the website we can see the login page and signup page

3->Read the source code , we can see the 'name' should not be more than 10 character
and email should not be 20 character

4->Create a test account and login to the site, the home page is given below

5->While Enumerating web site we got admin mail ID

6->Run Dirsearch to find the directories, we got 3 directories

7->Go the 'admin' directory we can see a web login page

8->Now i think,Should i can create a new admin@book.htb account and login using admin page ? .
We Know the email field must be less than 20 character.
So Run Burpsuite and intercept the request and make a 20 spaces after admin@book.htb and type something and forward request

9->Now the Login page From home directory is this

10->I tried to login with the creadentials, which we created now of .
And i got admin priviliage to the website

11->Now Go to collection, we can see the collections which are uploaded by the customers

12->For Creating PDF file i converted a image file to pdf by the Magic Number

->Then i searched , how to read local files using pdf, And we got something from this article

13->I uploaded the file and in the name field i type the code we saw from the Blog and opened from admin page

14->Then i opened the pdf and i got /etc/passwd file and we can see, reader user available in the system

15->Now i changed the 'etc/passwd' file to '/home/reader/.ssh/id_rsa'
and i got the file, But unfortunately the file is correpted by the larger size of output

16->Then i changed the payload to show the output in small size

17->Now got the output in small size and save it in a file and login to reader, i got reader shell

18->Now Upload pspy64 to check the background processes

19->We can see the logrotate is running

20->Search for logrotate exploit in github and found a exploit

21->Now upload logrotten exploit to the server

22->And add reverse shell payload to a file and run logrotate .
Then add a note to '/backup/access.log' and we got a shell. Now we can read root.txt