So it seems we can access parts of the site with a few tricks. Further testing showed I can capture the request from nav.php and then change the response from a 302 to a 200 to reach the account page.
Click on Do Intercept > Response to this request, then change the 302 to a 200.
Create a new user and use the same tactics: capture the request and edit the response.
<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
    header('Location: login.php');
    exit;
}
/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////
In logs.php we can see the developer resorted to Python instead of PHP to handle the log delimiters for ease of use, and the way the delimiter is handed to that Python script also looks vulnerable to command injection.
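For contrast, here is how a log-export endpoint that needs a user-selected delimiter can be written so the delimiter never reaches a shell. This is an added example and not code from the box or its developer: it assumes the delimiter arrives as a name (comma, space, tab), maps it through a fixed allow-list, and passes it to the parser as its own argv element with shell=False; the sample log rows are constructed.

```python
import argparse
import csv
import io
import subprocess
import sys

# Constructed sample rows, not taken from the target: comma-separated
# timestamp, username, action.
SAMPLE_LOG = [
    "2021-08-08T12:54:42,m4lwhere,login",
    "2021-08-08T12:55:10,m4lwhere,view_files",
]

# Allow-list: the only delimiters the endpoint will ever accept. The request
# carries a *name*, and only these names resolve to a character.
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}


def resolve_delim(name):
    """Map a user-supplied delimiter name to the character it stands for.

    Raises ValueError for any name outside the allow-list, so nothing the
    user typed is ever interpreted by a shell or interpolated into a command.
    """
    try:
        return ALLOWED_DELIMS[name]
    except KeyError:
        raise ValueError("unsupported delimiter name: %r" % (name,)) from None


def export_logs(lines, delim_name):
    """Re-emit comma-separated log rows using the requested delimiter."""
    delim = resolve_delim(delim_name)
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delim, lineterminator="\n")
    for row in csv.reader(lines):
        writer.writerow(row)
    return out.getvalue()


def parser_argv(delim_name):
    """Build the argv list a front end (for example PHP) should hand to this script.

    The name is validated first and then becomes a single argv element; no
    command string is assembled, so there is no shell to inject into.
    """
    resolve_delim(delim_name)
    return [sys.executable, __file__, "--delim", delim_name]


def run_parser(lines, delim_name):
    """Invoke the parser as a child process with shell=False and return its output."""
    proc = subprocess.run(
        parser_argv(delim_name),
        input="\n".join(lines) + "\n",
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout


def main(argv=None):
    # argparse 'choices' rejects anything outside the allow-list before the
    # delimiter is used; the rows to convert are read from stdin.
    ap = argparse.ArgumentParser(description="Re-delimit comma-separated log rows read from stdin")
    ap.add_argument("--delim", required=True, choices=sorted(ALLOWED_DELIMS))
    args = ap.parse_args(argv)
    sys.stdout.write(export_logs(sys.stdin.read().splitlines(), args.delim))


if __name__ == "__main__":
    main()
```

The validation lives in the script rather than in the front end so that a caller which forgets to check still cannot smuggle anything past it; a defender reviewing a similar endpoint should look for the opposite pattern, a request parameter concatenated into the string handed to exec() or system().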
User
Reverse shell.
To get a reverse shell, log in as your new user and go to the Management menu > Logs. Capture the request in Burp and add a python reverse shell to the delim attribute.
┌──(root💀kali)-[~/hackthebox/machine/previse]
└─# ssh m4lwhere@10.10.11.104
m4lwhere@10.10.11.104's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Aug  8 14:40:53 UTC 2021

  System load:  0.0               Processes:           174
  Usage of /:   49.3% of 4.85GB   Users logged in:     0
  Memory usage: 29%               IP address for eth0: 10.10.11.104
  Swap usage:   0%

0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Aug  8 12:54:42 2021 from 10.10.14.31
m4lwhere@previse:~$ id
uid=1000(m4lwhere) gid=1000(m4lwhere) groups=1000(m4lwhere)
m4lwhere@previse:~$ \whoami
m4lwhere
m4lwhere@previse:~$ cat user.txt
a8d88d4c17d4b65e6875b1f9ef2aee31
Root
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time