Welcome back! Today's Hack the Box write-up is for the machine Previse. This machine is listed as an easy Linux machine. Let's get to it!
As usual, we start with a full
nmap scan. Here are our results.
Nmap scan report for 10.10.11.104 Host is up (0.048s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA) | 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA) |_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.29 (Ubuntu) | http-title: Previse Login |_Requested resource was login.php Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only two ports available, so it looks like our path with be via web exploit of some type. So we'll load up
Burpsuite and see what's being hosted on port 80.
We see that a basic username / password landing page. Before we start digging into the web requests, we'll try to enumerate any additional files or directories with
gobuster dir -u http://10.10.11.104 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x .php,.old,.bak -t 60 -b 403,404
We see a bunch of files. We check them all and find the
nav.php has some interesting links.
When trying to access all of these resources, we need an account. Luckily for us, we have a create account page! However, the page isn't accessable via the browser. When we view the
HTTP request, we see that is actually something we can access.
Given that we can see the source for this request, we know the parameters we need to
POST in order to create an account.
So we will craft the request we need to supply a
confirmation password. We also need to be sure to add our
application/x-www-form-urlencoded. All together, we have the following request.
We send the request and we get back a success message!
We can now log into the site. When we start looking around we find the file
SITEBACKUP.ZIP in the files section. We download the file and unzip it to find exactly what we think, a backup of the site. We see in
config.php a username and password.
We still need a username to go with the password. Now, if we look around the site a bit more we have a Request Log Data section. If we download the file, we can see the users associated to logging in, this could give us a user to
Unable to login with those credentials. Now as we continue to sift through the files, we find a gem. A
Python exec() call in the
This is not a properly sanatized output, meaning we can leverage it to break things. More on Command Injection here.
The key thing to remember here is that
Python is calling the
exec() function. So any injection we want to do, has to be in 'code'. More on that here.
We will use a
python 'one-liner' to gain a remote shell. Take your pick from here. Just be to use URL encode the request!
Here's our request data being sent.
We sping up a
netcat listener on port
nc -lvnp 4242
Now ww send our request (a few times), and eventually get a response back on our
Before we start enumerating any further, we should check to see if we have
mysql access. We have credentials from before that we should try to leverage and see what we have access to.
mysql -u root -p'mySQL_p@ssw0rd!:)'
Sure enough, we have access! Now we can start sifting through the database.
use previse; show tables; select * from accounts;
Now we see our username and hashes. We'll copy them out to crack, we really just want
m4lwhere in particular.
echo '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' > m4lwhere.hash
Now we can run it against
rockyou.txt to see what we might be able to find. In this case I'll use
john -w=/usr/share/wordlists/rockyou.txt m4lwhere.hash --format=md5crypt-long
A few minutes later we get a match
ilovecody1122235!. Now let's see if we can
SSH with this password.
Sure enough, we are in! Let's snag our
user.txt flag and find a way to root! The next thing we check is
It looks like we have the ability to run a backup script.
The problem with this script is that its just saying
gzip. It's not giving a specific path to
gzip. This is
Path Hijacking and it's the reason why you should ensure your paths are explicit and narrow as can be. What we'll do is create our own
gzip file. This will just be a simple file to
cat our the
Step one - create a file in a temporary directory in
tmp. We do it this way so that we don't ruin the box for others.
Step two - create our 'malicous'
echo 'cat /root/root.txt > /tmp/rf/flag.txt' > gzip
chmod +x gzip
Step three - we will add our temporary path to the enviornmental variables.
You can see that our temporary path has been pre-pended to our
PATH. This means that the Linux Operating System will check this path before all others for any executable we are running. In this case, the evil
Now we simply run our privledged script.
We get a text file with the
root.txt flag inside! Feel free to send respect my way if you found this write-up helpful.
HTB Profile - https://app.hackthebox.eu/profile/95635