Bookworm starts with a gnarly exploit chain combining cross-site scripting, insecure upload, and insecure direct object reference vulnerabilities to identify an HTTP endpoint that allows for file download. In this endpoint, I’ll find that if multiple files are requested, one can attack a directory traversal to return arbitrary files in the returned Zip archive. I’ll use that to leak database creds that also work for SSH on the box. The next user is running a dev webserver that manages ebook format conversion. I’ll abuse this with symlinks to get arbitrary write, and write an SSH public key and get access. For root, I’ll abuse a SQL injection in a label creating script to do PostScript injectin to read and write files as root. In Beyond Root, I’ll look at the Express webserver from the foothold and how it was vulnerable and where it wasn’t.

0xdf hacks stuff

Bookworm is a vulnerable application that has a gnarly exploit chain involving multiple vulnerabilities such as cross-site scripting, insecure upload, and insecure direct object reference. It allows for file download and traversal. It also has a dev webserver and vulnerable SQL injection.

HTB: Bookworm