Previse-HTB Writeup

Level:Easy

Hritik Rai
ACM JUIT
Aug 18, 2021


Previse is a web-based, CTF-style HTB machine built around a custom exploit.

Caution:
This writeup only serves as a last resort for getting hints for the machine and in no way should be used just to see your way to gaining points on HTB. The only person you would be cheating would be yourself.

Enumeration

Basic scanning + vulnerability analysis through scripts.
I used an enumeration tool called Autoenum.
Though for this machine it was not much of a help, it normally helps a lot.

Using DIRB to bust/brute-force directories.

On using DIRB, I found out that there are directories which need authentication. So whenever I tried to get this index page, I got redirected to login.php. So I directly curl'ed it. Surprisingly, I saw the page loaded in curl's result.


From here I again curl'ed accounts.php, because I don't trust my browser anymore (JK, because we don't have any authentication).

On reading the accounts.php page, I recreated a request using Burp Repeater (but sometimes curl worked great for me too).

So the first thing I did after getting a login was download the backup-site code zip.
Note of caution: everything in this zip is the original code and not just a beta version of the original site.

After an hour of researching the PHP code, I found a basic OS-injection vulnerability.

I created a crafted request for the injection.

For this, use Burp Suite Repeater. I would recommend understanding the request thoroughly first.

Before sending the request, start a reverse-shell listener on the port specified in the injected command.

While researching the site files, I saw MySQL credentials as well as the database name.
We use those to get info on the m4lwhere user from the table accounts.previse.
user:m4lwhere
password-hash:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
Careful:
≡ƒºé = 🧂
The salt starts with a single emoji character, but its four UTF-8 bytes are displayed as ≡ƒºé when the terminal and the mysql client render them through a legacy (cp437) code page, so copying the hash out of the terminal loses the real salt.

actual password-hash:$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
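The mojibake above is worth checking in code, because a cracker fed the garbled salt will never match. The following is an added example, not part of the writeup: it parses the modular-crypt string, shows how the UTF-8 bytes of 🧂 come out as ≡ƒºé on a cp437 console, and repairs a hash copied from such a console so the salt bytes are the ones md5crypt really used (assumes the console used cp437; the hash value is the one quoted above).

```python
"""Recover the exact salt of an MD5-crypt hash whose emoji was mojibaked.

The hash value is the one quoted in the writeup; the garbled form assumes the
console showed its UTF-8 bytes through the cp437 (DOS) code page.
"""
from dataclasses import dataclass

# Constructed sample inputs: the real hash (salt starts with U+1F9C2) and
# the way it appears when its UTF-8 bytes are rendered as cp437 characters.
EXPECTED = "$1$🧂llol$DQpmdvnb7EeuO6UaqRItf."
RENDERED = "$1$≡ƒºéllol$DQpmdvnb7EeuO6UaqRItf."

MAX_SALT_BYTES = 8  # md5crypt (glibc, John) uses at most 8 salt bytes


@dataclass
class CryptHash:
    scheme: str
    salt: str
    digest: str

    @property
    def salt_bytes(self) -> bytes:
        """The bytes md5crypt actually mixes into MD5 (truncated like glibc)."""
        return self.salt.encode("utf-8")[:MAX_SALT_BYTES]

    def __str__(self) -> str:
        return f"${self.scheme}${self.salt}${self.digest}"


def parse_crypt(value: str) -> CryptHash:
    """Split a modular-crypt string '$scheme$salt$digest' into its fields."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "" or not parts[3]:
        raise ValueError(f"not a modular-crypt string: {value!r}")
    return CryptHash(scheme=parts[1], salt=parts[2], digest=parts[3])


def repair_mojibake(value: str) -> str:
    """Undo a cp437 rendering of UTF-8 text; return the input unchanged otherwise."""
    try:
        return value.encode("cp437").decode("utf-8")
    except UnicodeError:
        return value  # already correct (cannot be cp437-encoded) or unrecoverable


def render_cp437(value: str) -> str:
    """Show how a UTF-8 string looks on a cp437 console (the reverse of repair)."""
    return value.encode("utf-8").decode("cp437")
```

The repaired salt is exactly 8 bytes (4 for the emoji plus "llol"), whereas the garbled salt is 12 bytes that get truncated to a different 8, which is why the hash must be handed to the cracker as the real UTF-8 string.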

Using John the Ripper

The wordlist used is 'rockyou.txt'.

Note: while cracking machines or CTFs, brute-forcing with rockyou.txt is beneficial, as it is the most commonly used list when creating a learning pentesting environment.

password:ilovecody112235!

Use these credentials to log in over SSH.

Read user.txt.

Privilege Escalation

The foothold was the toughest part of this machine. Priv esc is pretty easy.

We try numerous techniques, one of them being checking our sudo-permitted scripts/apps:

sudo -l

Voila, we found something.

Reading the script:

Something looks fishy. The comments surely want to tell us something.

After some analysis, I thought we could use PATH injection.

export PATH=.:$PATH

OUTPUT:.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Now we will create our own shell script named gzip in /tmp.
This is because the script is executed with root privileges and calls a tool called gzip. Normally gzip would be found in one of the PATH entries, but here we have added a new entry (the current directory) to the front of the search order. The catch is that the gzip it finds is a script created by us rather than the real program requested by access_backup.sh.

Write a reverse shell with RHOST set to the attacking machine, save it as gzip in /tmp, and start an nc listener on the attacking machine.
Then, while in /tmp, execute the script using sudo.
P.S.: It is important to be INSIDE /tmp, because the "." entry means the current working directory of the user executing the program is searched for the executable.

Your listener gets a shell. You got root.
