Hack The Box :: Book

#ArbitraryFileRead #ServerSideXSS #DynamicPDF #logrotate #RaceCondition

noobintheshell
7 min read · Jul 11, 2020


Book is a Medium Linux box created by MrR3boot. It was released on February 22nd, 2020 and retired on July 11th, 2020. The users rated the difficulty 6.2/10 and gave an appreciation score of 4.1/5.

Book Info Card

TL;DR

We access a virtual library where we can download, upload and comment on books. The account registration flow contains a vulnerability that allows overwriting any user’s password. We overwrite the admin’s password to access the admin panel. There, we can download a PDF file containing the list of the books in the virtual library. There is a Server-Side XSS vulnerability in the generation of PDFs. From a user account, we can inject XSS code that reads local files; it is executed server-side when we generate a PDF as admin. We leak the SSH private key of the user reader this way and grab the user flag. The server uses a version of logrotate vulnerable to a Race Condition. As it is run as a cronjob as root, we can elevate our privileges and get the root flag.

Note: unless otherwise stated, all commands and scripts you will find below are run on…


noobintheshell

Cyber Security Professional and CTFer from Switzerland.