

->Book




1->Run an Nmap scan; we can see that ports 80 and 22 are open






2->Go to the website; we can see a login page and a signup page






3->Read the source code; we can see that the 'name' field must not be more than 10 characters
and the email field must not be more than 20 characters






4->Create a test account and log in to the site; the home page is shown below






5->While enumerating the website, we found the admin's email address






6->Run Dirsearch to find directories; we found 3 directories






7->Go to the 'admin' directory; we can see a web login page






8->Now I thought: could I create a new admin@book.htb account and log in using the admin page?
We know the email field must be less than 20 characters.
So run Burp Suite, intercept the request, add 20 spaces after admin@book.htb, type something after them, and forward the request
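Step 8 works because of an SQL truncation weakness: the signup code only checks whether the full padded value already exists, while the database silently cuts the value down to the column width and treats trailing spaces as insignificant when comparing. The following example is added here and is not code from the writeup or from the box; the table class and the two signup functions are constructed stand-ins that model the non-strict column behaviour and show the server-side check that closes the hole.

```python
MAX_EMAIL = 20  # the 20-character email limit seen in the page's source


class NonStrictUserTable:
    """Constructed stand-in for a VARCHAR(20) column on a MySQL server that
    is not in strict mode: INSERT silently truncates over-length values and
    equality ignores trailing spaces (PAD SPACE collation)."""

    def __init__(self):
        self.rows = {}  # normalised email -> password

    @staticmethod
    def _norm(email):
        return email.rstrip(" ")  # trailing spaces are insignificant

    def exists(self, email):
        return self._norm(email) in self.rows

    def insert(self, email, password):
        self.rows[self._norm(email[:MAX_EMAIL])] = password  # silent truncation

    def check_login(self, email, password):
        return self.rows.get(self._norm(email)) == password


def vulnerable_signup(db, email, password):
    """Only a 'does it already exist' check before INSERT: the padded
    21-character value passes the check, then truncates onto the admin row."""
    if db.exists(email):
        return False
    db.insert(email, password)
    return True


def hardened_signup(db, email, password):
    """Enforce the length limit and reject whitespace before touching the DB.
    On MySQL, also set sql_mode=STRICT_TRANS_TABLES so truncation is an error."""
    if len(email) > MAX_EMAIL or email != email.strip() or " " in email:
        return False
    if db.exists(email):
        return False
    db.insert(email, password)
    return True


def admin_takeover_succeeds(signup):
    """Register the admin, replay the padded signup from step 8 through the
    given signup function, and report whether the admin row was overwritten."""
    db = NonStrictUserTable()
    signup(db, "admin@book.htb", "admin-secret")
    padded = "admin@book.htb".ljust(MAX_EMAIL) + "x"  # spaces, then one char
    signup(db, padded, "attacker-pw")
    return db.check_login("admin@book.htb", "attacker-pw")
```

Running `admin_takeover_succeeds` with each signup function shows the vulnerable one lets the attacker's password open the admin account while the hardened one rejects the padded value before it reaches the database.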






9->Now the login page from the home directory looks like this






10->I tried to log in with the credentials we just created for admin@book.htb.com,
and I got admin privileges on the website






11->Now go to Collections; we can see the collections uploaded by the customers






12->To create a PDF file, I converted an image file to a PDF by editing the magic number








->Then I searched for how to read local files using a PDF, and we got something from this article






13->I uploaded the file, typed the code we saw in the blog into the name field, and opened it from the admin page






14->Then I opened the PDF and got the /etc/passwd file; we can see that a 'reader' user exists on the system






15->Now I changed '/etc/passwd' to '/home/reader/.ssh/id_rsa'
and got the file, but unfortunately the output was corrupted because of its larger size






16->Then I changed the payload to show the output at a smaller size






17->Now I got the output at a smaller size, saved it to a file, and logged in as reader; I got a reader shell






18->Now upload pspy64 to check the background processes








19->We can see that logrotate is running






20->Searched GitHub for a logrotate exploit and found one






21->Now upload the logrotten exploit to the server






22->Then add a reverse shell payload to a file and run logrotate.
Then append a line to '/backup/access.log' and we got a shell. Now we can read root.txt