Previse is one of the HTB machines that has been available for a long time. It is categorized as easy. More than 14K players have solved the user and root flags, and it awards 30 points.
First of all, I need to scan for the open ports available on the target machine.
In this case I am going to use nmap to scan the target's open ports with the command
nmap -sV -O -p-
-sV = detect service versions
-O = detect the OS version
-p = port range to scan; when only - is given, the ports from 0 to 65500 are scanned
After that, the results are shown in the picture below.
As you can see, there are SSH and HTTP services. To make it easier to work with, I will add the IP from the image to /etc/hosts.
Since port 80 is HTTP, I assume this is a website.
Next, I am going to do directory busting on the website. You can use any tool, such as dirbuster, gobuster or ffuf. In this case I will use ffuf since it is much faster than dirbuster.
Here I am going to use ffuf with the dirbuster wordlist directory-list-2.3-medium.txt.
One interesting result is accounts.php, which may be part of the credential or registration mechanism. It turns out that every time I visit it, it automatically redirects to login.php, so some redirection is happening here.
In this part I am going to do the exploitation. There are two flags, the user flag and the system flag. The user flag is the one you get once you have a foothold on the system; the system flag is the one you get once you have successfully become root / Administrator.
Based on the HTB documentation, the user flag is located in /home/{user}/.
Meanwhile, the root flag is located in /root.
As I know, a 302 response means a redirect. So I need to change the response status to 200 OK. I am going to use Burp Suite to change the redirect, via Match and Replace.
Then I add a rule that changes any redirect response to OK.
After adding the rule, I can see the real accounts.php. In this section I see an account registration form, which suggests that only someone with admin access should be able to reach this page.
I try to create an account and, suddenly, the account creation is successful. That means I can now turn off the redirect rule.
After that I can log in with the credentials I just created.
After exploring the site, I found something interesting called sitesbackup.zip, which I think is the source code of the website.
I analyzed the source code and found some interesting things.
One of them is the SQL credentials; we are going to keep those aside for later.
After digging through the entire source code, I found a potential RCE (Remote Code Execution).
The code calls exec(), and there is no sanitization of its input, which could lead to RCE. If you wonder where this happens: it turns out to be the delimiter parameter in the logging action.
That means I can achieve RCE by intercepting the request with Burp Suite and, before the delimiter value is sent, appending a reverse shell command to it.
And we got RCE.
First I try to access the SQL server we found previously, and we successfully log in to the database server. Next, I need to see which databases are available on the system.
show databases;
As I can see, there are several databases. I am going to look at the previse database by using this command:
use previse;
After that I can list the tables available in the database.
As you can see, there are two tables, accounts and files. Since we want to see the accounts table, I am going to execute this command:
SELECT * FROM accounts;
We get the credentials, but the password is hashed. So I am going to crack the hash.
Based on this hash algorithm cheat sheet, this looks like MD5 crypt. So I am going to crack the password using hashcat.
In this case I am going to use the rockyou wordlist, since it lists the most commonly used passwords.
After running hashcat, I finally got the password for m4lwhere.
Based on the HTB documentation, the user flag is always in /home/{user}/user.txt.
So I cd /home and find the m4lwhere folder, which tells me the user is m4lwhere. Using the credentials we just cracked, we successfully log in.
After that I successfully found the user flag.
First of all, I check whether there is anything m4lwhere can run as sudo by typing sudo -l.
This file is not supposed to be run as root. Let's see what access_backup.sh contains.
As I can see, it executes gzip. This is bad practice: a privileged script should not invoke a program by its bare name, which is resolved through PATH, but by its full file location.
We can exploit this by creating a fake gzip that spawns a reverse shell (again) and connects to my second listener.
First I create the fake gzip program that executes the reverse shell. Then I chmod +x the gzip I just created. Then I put the current directory at the front of PATH by running export PATH=$(pwd):$PATH
After that I run access_backup.sh with sudo from the same folder as the fake gzip. Don't forget to start the netcat listener for the reverse shell beforehand.
Access obtained!
After that we go to /root and find the flag. Solved!
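The hardened counterpart of that backup script, as an added example that is not the box's own access_backup.sh: it pins PATH to assumed trusted system directories, resolves gzip only from them, and includes a check that flags the case where the caller's PATH would run some other gzip. TRUSTED_PATH and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the box's own access_backup.sh: the hardened form of a script run
# under sudo. The flaw above is that "gzip" is called by bare name, so whoever controls
# PATH controls which gzip executes. Fix: pin PATH and resolve helpers only from it.

# Assumed trusted directories (what sudo's secure_path normally provides).
TRUSTED_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# resolve_trusted NAME: print the path of NAME searched only in TRUSTED_PATH.
# Exits 1 when NAME is not there, so a same-named file in the caller's
# working directory can never be selected. Runs in a subshell so the IFS
# change does not leak into the caller.
resolve_trusted() (
    IFS=:
    for _dir in $TRUSTED_PATH; do
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "$_dir/$1"
            exit 0
        fi
    done
    exit 1
)

# path_is_hijacked NAME: true (0) when the caller's current PATH would run a
# different NAME than the trusted copy. This is the audit check for the
# PATH weakness described on this page.
path_is_hijacked() {
    _trusted=$(resolve_trusted "$1") || return 1
    _actual=$(command -v "$1" 2>/dev/null) || return 1
    [ "$_actual" != "$_trusted" ]
}

# hardened_backup IN OUT: what the gzip step should look like. PATH is reset
# inside a subshell before anything runs, and gzip is invoked by absolute path.
hardened_backup() (
    PATH=$TRUSTED_PATH
    export PATH
    _gzip=$(resolve_trusted gzip) || { echo "gzip missing from trusted dirs" >&2; exit 1; }
    "$_gzip" -c "$1" > "$2"
)

# Stand-alone use: audit the current environment for the weakness.
if path_is_hijacked gzip; then
    echo "WARNING: gzip on PATH is not the trusted copy: $(command -v gzip)" >&2
fi
```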