HTB Previse
HTB Previse Walkthrough
—-Gaining Foothold—-
We can start off by doing an nmap scan like normal.

Looks like only 2 ports are open: SSH and HTTP. Let's head over to the website and see what it is.

All we get is a very simple webpage, so let's start up Burp and get gobuster going too.

Gobuster brought back a few directories we can check out. Let's go over to nav and see what it is.

Looks like we can see the nav bar without being signed in. Let's move over to Burp and see what we can see with it.

It looks like Burp has picked up a few PHP files we can look at. Let's send accounts.php to Repeater and see what we can do.

Looks like we can see pages without being logged in. This page looks like it lets us make a new account. If we can see this page, let's see if we can configure a POST request and make an account.

Success! We were able to forge a POST request and make an account. Let's log in and see what this site looks like.

Logging in and going to files, we see a sitebackup.zip. Let's download it and see what is inside.

After unzipping it we can see that it is the source code to this site. Let's dig in and see if we can find any vulnerabilities.

Right from the start we can see that config.php has the database user and password. Let's put this password into our back pocket for later and see what the other files have.

In the logs.php file we see this note, and the PHP function exec(), which runs shell commands. Let's go to Burp and see if we can find where this runs and see if we can get remote code execution.

An easy and safe way to find out if you can get remote code execution is to send a ping request to yourself. So let's start up tcpdump on our machine and see if we can get a ping.

Success! We have found a way to execute commands on the target machine.
Let's craft a payload and see if we can get a shell.

I crafted a simple netcat payload; now let's see if we can get a connection back to us.

Looks like we got lucky and they had a dangerous version of netcat installed on their machine, but we have a shell now!
—-Getting User—-
Let's use that MySQL login info we got earlier and see what we can get from it.

Looks like the database contains one other user, “m4lwhere”. Let's grab that hash, throw it into hashcat and see if we can crack it.

This hash took a bit to crack, but we finally got it. Let's see if we can use that password and SSH into m4lwhere’s account.

Looks like the password worked and we were able to get the user flag.
—-Getting Root—-
Using the command sudo -l, we can see we can run a script as root with no password.

Catting out the script, we can see that all it does is zip some logs and place them in the backup directory.

There is nothing in this script that we can really exploit, so let's see if we can use PATH to exploit this and gain root.
Let's go to the /dev/shm directory to try and set up our exploit. Let's first start off by adding that directory to PATH.

Now let's make a malicious gzip file that will make a connection back to us.

Before we can run the access_backup.sh script, we will need to make the file we just made executable. We can do this by using the command chmod +x gzip.

Now that we have everything set up, let's start up a listener and run access_backup as root.

We got a connection back to our machine as root, and are able to get the Root flag.
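Seen from the defender's side, the root step works because the script's bare gzip call is resolved through a PATH the caller controls. The sketch below is an added example, not code from the box or from this walkthrough: it compares an assumed weak form of such a script with a hardened form that pins PATH, and lists world-writable PATH entries. The temp directory, file names and stand-in gzip are all constructed, and the stand-in is never executed.

```shell
#!/bin/sh
# Added example: which file does a bare "gzip" resolve to when the caller controls PATH?
# Everything lives in a temp dir; the stand-in gzip is constructed and never executed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed stand-in for a world-writable directory such as /dev/shm.
mkdir "$demo_dir/writable" && chmod 1777 "$demo_dir/writable"
printf '#!/bin/sh\necho stand-in\n' > "$demo_dir/writable/gzip"
chmod +x "$demo_dir/writable/gzip"

# Weak form (assumed shape of the backup script): bare command name.
cat > "$demo_dir/backup_weak.sh" <<'EOF'
#!/bin/sh
command -v gzip   # reports the file a bare "gzip" call would run
EOF

# Hardened form: the script pins PATH itself before any lookup.
cat > "$demo_dir/backup_hardened.sh" <<'EOF'
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
command -v gzip
EOF

# Run a script with the writable directory prepended to PATH, as the caller would.
resolved_gzip() {
    PATH="$demo_dir/writable:$PATH" /bin/sh "$1"
}

# Defender's check: print PATH entries that are world-writable directories.
# find -L follows symlinks so a link such as /bin -> usr/bin is judged by its target.
world_writable_path_entries() {
    old_ifs=$IFS; IFS=:
    for d in $1; do
        [ -d "$d" ] && find -L "$d" -maxdepth 0 -perm -0002 -print
    done
    IFS=$old_ifs
}

echo "weak:     $(resolved_gzip "$demo_dir/backup_weak.sh")"
echo "hardened: $(resolved_gzip "$demo_dir/backup_hardened.sh")"
echo "world-writable PATH entries:"
world_writable_path_entries "$demo_dir/writable:$PATH"
```

Calling the binary by absolute path inside the script has the same effect as pinning PATH, and the sudoers `secure_path` default gives a second layer by replacing the caller's PATH for commands run through sudo.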
I ended up creating an exploit that will bypass the foothold enumeration. You can get the code from https://scripts.pentesternotes.com/htb_previse_shell.txt. You will just need to copy the code, put it into a Python file and run it.
Filed under: HTB,Non-Metasploit - @ August 8, 2021 4:33 am