Previse HacktheBox Walkthrough

Melih Turhanlar
5 min read · Jan 8, 2022

Introduction

Today I will write a writeup for a HackTheBox machine. I hope this guide will be helpful for those who want to go further in penetration testing and ethical hacking.

Previse is an easy Linux machine. To obtain root, we first create a web user by exploiting a flaw in the accounts.php page, then reach the site backup files and exploit the logs.php page, which passes user input to the exec() function. From there we obtain a hash from MySQL and crack it. In the privilege escalation phase we use sudo and a PATH hijack: a sudo-allowed script calls a binary by its bare name, so we plant our own copy that contains a reverse shell.

Nmap

On every box I use a few basic tools that give me enumeration results. The first tool I use is AutoRecon. It is a great tool that produces lots of enumeration output. I also used it during my OSCP exam, and it made my enumeration process much easier.

AutoRecon gives you lots of results; first I look at the full_tcp results from Nmap. They show that ports 22 and 80 are open. SSH does not have many vulnerabilities, so the attack vector will probably start from the web.

Autorecon

AutoRecon also gives you lots of directory results from the various directory fuzzing tools it runs. Here are the results.

When we try to open the PHP paths in the browser, all our requests are redirected to login.php. So let's intercept them with Burp Suite to see what happens. After going through all the PHP files we can see something different in accounts.php: it gives us the ability to add users without logging in to the web application.

Adding Web User

So let's change our request to a POST request by right-clicking in the Repeater tab in Burp. We can use the parameter names written in the HTML form. After sending the parameters, the web application added our user without any error.

Now we can log in to the application with the credentials we created.

The first things to look at are the file upload and site backup pages. We can test whether the upload mechanism works properly or not. I tested it but couldn't find anything valuable, so let's examine the site backup file.

After downloading the PHP files, we can see config.php and logs.php. In every PHP web application we should look into the config.php files to check whether they contain database connection credentials. In our box there is the root MySQL password. We can try that password to log in with SSH, but it doesn't work.

<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>

Here is something interesting in logs.php: the exec() function in PHP can be dangerous. As seen in the PHP code below, logs.php takes input from the delim parameter and exec() runs a Python script with that input placed directly into the command line.

<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
?>

<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
    header('Location: login.php');
    exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";

if(file_exists($filepath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filepath));
    ob_clean(); // Discard data in the output buffer
    flush(); // Flush system headers
    readfile($filepath);
    die();
} else {
    http_response_code(404);
    die();
}
?>

So here we can intercept the request with Burp and send our Python reverse shell command in the delim parameter. Do not forget to URL-encode the request. To create the reverse shell you can use https://www.revshells.com/, where you can easily generate reverse shells.
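For comparison, here is what a hardened logs.php handler looks like. This is an added example written for this writeup, not code from the box: it assumes log_process.py takes the delimiter name as its single argument and that the form only ever sends the three names listed in the allowlist (both are assumptions). The only user-controlled value is checked against an allowlist and then wrapped in escapeshellarg(), so a value like the one we injected above is rejected before any shell sees it.

```php
<?php
// Added example (not the box's code and not from the writeup): a hardened
// version of the logs.php handler. It assumes log_process.py takes the
// delimiter name as its single argument and that the form only ever sends
// the three names listed below; both are assumptions, not facts from the box.
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}

// The original writes !$_SERVER['REQUEST_METHOD'] == 'POST', which negates the
// method string first and so never matches; compare the string itself.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: login.php');
    exit;
}

// Allowlist: only these delimiter names ever reach the script. Anything else,
// including arrays (delim[]=...) and shell metacharacters, is rejected here.
const ALLOWED_DELIMS = ['comma', 'space', 'tab'];
$delim = $_POST['delim'] ?? '';
if (!is_string($delim) || !in_array($delim, ALLOWED_DELIMS, true)) {
    http_response_code(400);
    exit('unsupported delimiter');
}

// Even an allowlisted value is wrapped with escapeshellarg(), so it reaches
// python as exactly one argument instead of being parsed by /bin/sh.
$cmd = '/usr/bin/python /opt/scripts/log_process.py ' . escapeshellarg($delim);
$output = exec($cmd, $lines, $exitCode);
if ($exitCode !== 0) {
    http_response_code(500);
    exit('log processing failed');
}
echo $output;

// The out.log download that follows is unchanged from the original file.
?>
```

The allowlist is the real fix; escapeshellarg() is a second layer in case the allowlist is loosened later. If the script only ever needs a fixed set of delimiters, the cleanest option is to not pass user input to exec() at all and select the argument server-side from the validated name.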

And we got the shell!

The first thing we should try is MySQL with the credentials we discovered during enumeration. We can log into MySQL and list the databases and tables. In the accounts table, we find salted hashes.

If we look into where the salted hashes come from, they are produced by the crypt() function in the PHP code. After some searching we can find this link: https://infosecwriteups.com/cracking-hashes-with-hashcat-2b21c01c18ec. With the command below we can crack the hash.

hashcat -m 500 -a 0 saltedhashcr /usr/share/wordlists/rockyou.txt
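From the defender's side, the reason mode 500 works is that crypt() with a "$1$" salt produces md5crypt, which is cheap to compute. The following is an added example, not code from the box or this writeup, showing that legacy scheme next to password_hash(), with a login routine that transparently upgrades a legacy hash the first time it verifies. The sample password and salts are constructed values.

```php
<?php
// Added example (not from the box or the writeup) showing the difference between
// the legacy crypt() hashes found in the accounts table and current practice,
// plus a login routine that upgrades a legacy hash the first time it verifies.
// Salts and the sample password are constructed values for this illustration.

// Legacy scheme: crypt() with a "$1$" salt yields md5crypt, which is the
// format hashcat attacks as mode 500. Fast to compute, so fast to crack.
function legacyHash(string $password): string
{
    $salt = '$1$' . substr(bin2hex(random_bytes(6)), 0, 8) . '$';
    return crypt($password, $salt);
}

// Current scheme: bcrypt via password_hash(). The salt and cost are embedded
// in the result, and the cost makes each guess deliberately slow.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function isLegacyHash(string $stored): bool
{
    return strncmp($stored, '$1$', 3) === 0;
}

// Returns [verified, replacementHash]. replacementHash is non-null when the
// caller should overwrite the stored value (legacy format, or bcrypt cost too low).
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyHash($stored)) {
        // crypt() reuses the "$1$salt$" prefix of the stored hash as the salt.
        $ok = hash_equals($stored, crypt($password, $stored));
        return [$ok, $ok ? modernHash($password) : null];
    }
    $ok = password_verify($password, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return [$ok, $needsRehash ? modernHash($password) : null];
}

// Usage: simulate a user whose accounts row still holds an md5crypt hash.
$stored = legacyHash('sample-password-for-illustration');
[$ok, $replacement] = verifyAndUpgrade('sample-password-for-illustration', $stored);
if ($ok && $replacement !== null) {
    // In the real application this is the point to UPDATE the accounts row.
    $stored = $replacement;
}
// On the next login the bcrypt hash verifies and no further replacement is needed.
[$okAgain, $replacementAgain] = verifyAndUpgrade('sample-password-for-illustration', $stored);
var_dump($ok, $okAgain, $replacementAgain === null);
```

The upgrade-on-login pattern is what lets an application move away from md5crypt without forcing every user to reset a password: a wrong guess against a legacy hash still fails, and a correct login leaves behind only the bcrypt hash.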

Now that we have credentials, we can log in with SSH and obtain user.txt.

m4lwhere:ilovecody112235!

After that, on a Linux machine I mostly run linpeas.sh. You can reach its GitHub page via this link: https://github.com/carlospolop/PEASS-ng

But before that, let's examine things manually. Since we have the credentials of the m4lwhere user, we can check whether the user has any sudo rights:

sudo -l

This shows us the following.

Privilege Escalation

As seen in the picture, the m4lwhere user can run the /opt/scripts/access_backup.sh file with sudo.

Let's check inside that file. When we examine it, we can see it is a bash script that runs the gzip command. But there is a vulnerability: the script doesn't call gzip by its full path, so we can change our PATH environment variable to point at a directory in which we create a fake executable gzip file (which contains our reverse shell).

Let's put a bash reverse shell into our fake gzip file, make it executable, and run access_backup.sh with sudo.

And voilà! We got root.
