Previse Walkthrough
Hey guys!! Here we will see how to get the user and root flags on Previse from HTB. Let's jump in :)
This box's methodology is simple: we find a hidden directory that gives us our way in, and from there we escalate privileges.
Now let's see the above process in practice.
First step is to enumerate the target. After running the nmap scans we find that the target is a web application with services on port 80 (HTTP) and port 22 (SSH), as evident from the snap of the nmap results below.
As soon as we browse to http://<IP> we get a login page.
Since our target is a web application and the attack surface is limited so far, we run gobuster to enumerate more directories and widen it. After waiting a while we see a bunch of paths with several response codes (errors and redirects too). We primarily focus on the ones returning 200 (the server actually served the page), which leaves a limited number of directories; the ones answering with a redirect are worth noting as well, because those are the pages sitting behind the login.
We could go through the directories one by one to check what they contain, but /nav.php strikes me as something juicy. Why? It is a unique name and a good guess for finding a path forward, as /nav probably hints at navigation (HINT). We try it and boom, we get a page from which we can create a user.
So let's create a user. We don't succeed. Why? Because our request isn't authenticated, so the server answers with a redirect back to the login page. The trick is that the response still carries the page body: the script issues the redirect without stopping, so the account-creation page is sent along with the 302. To see it we intercept the server's response in Burp (Do intercept, Response to this request), change the status line from 302 Found to 200 OK, and forward it.
As soon as the browser receives the modified response it renders the body instead of following the redirect, and we are greeted with the user account creation page.
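The same check done from the command line instead of Burp, as an added example that is not part of the original walkthrough. The protected page name (accounts.php) and the response text are constructed stand-ins; the function only parses a saved response and prints the body when a 3xx status still carries one, which is exactly the condition that makes the 302-to-200 trick work.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether a redirect
# response still carries a page body, which is what the Burp trick relies on.

# Constructed stand-in for what a protected page (assumed name: accounts.php)
# returns to an unauthenticated request: a redirect to login.php whose body
# is nonetheless the full account-creation form.
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Location: login.php
Content-Type: text/html; charset=UTF-8

<html><body>
<form action="accounts.php" method="post">
<input name="username"><input name="password"><input type="submit">
</form></body></html>'

# Prints the body and returns 0 if the response is a 3xx that still carries
# a non-empty body; returns 1 otherwise (a bare redirect, or a non-3xx status).
redirect_leaks_body() {
  resp="$1"
  # status code from the first line, e.g. "HTTP/1.1 302 Found" -> 302
  status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  case "$status" in
    3[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # everything after the first blank line is the body
  body=$(printf '%s\n' "$resp" | sed '1,/^$/d')
  [ -n "$body" ] || return 1
  printf '%s\n' "$body"
}

# Live equivalent against the target (not run here). Without -L curl does not
# follow the redirect, so the body is printed exactly as the server sent it:
#   curl -s -i http://10.10.11.104/accounts.php
# Burp's "302 -> 200" edit just makes the browser render that same body.
```

If the body behind the redirect is empty the function returns 1, which is what a correctly written redirect (one that stops executing after setting the Location header) looks like.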
Now we create our user; here mine is kali8infantry with a standard password.
After the account is created we are redirected to the default login page. We log in with the credentials we just created. We are inside the application now, but with no significant access yet, so let's look at the available options. One important one to check is Files. Why? Because it's a web application, so this is the most likely place to find either an important file or a way to upload our payload. And indeed we find a sitBackup.zip.
After downloading and unzipping it we find many files, all with the .php extension.
We focus on the files that were earlier inaccessible due to the redirection. Why? Because they presumably contain something meant to be kept hidden, or at least something that could lead to sensitive information disclosure. How can we be sure? Simple: files like nav.php, login.php, etc. were reachable from outside without a valid login, while the remaining files were protected by the redirect to the login page and are still unexplored.
So there are two important files to look at: logs.php and config.php.
After printing the contents of both files we get the following output.
These files disclose two key pieces of information: logs.php builds a system command from the user-supplied 'delim' parameter to produce its output (a command injection), and config.php contains the MySQL root password.
Now we have credentials for the SQL database. To use them we first need a shell on the box, so that we can reach the database from the inside.
But before that we need the other piece of the puzzle: the delimiter value that logs.php expects. The form at http://10.10.11.104/file_logs.php submits it, and the value is 'comma'.
Now we again use Burp and intercept the request sent after clicking the Submit button. We append a reverse shell (the pentestmonkey one-liner) to the delim value.
After that we URL-encode the reverse shell so the special characters survive the form submission.
Then we start a netcat listener on port 8888 to receive the reverse shell, forward the request, and once we have the shell we proceed with the commands shown in the snapshot to access the SQL database.
We now look at the accounts table, in which our own account should also exist since we registered as kali8infantry.
And it is there: kali8infantry is present along with the other users. We take the hashed password of m4lware, even though the admin hash is there too. Why? Because this whole infrastructure was developed by m4lware, as evident from the landing login page. So at some point we may need to run commands that the admin user is not allowed to, and we go with the profile of m4lware.
After that we crack the hash obtained above with either hashcat or john.
Now recall the nmap results: SSH is open. Since we have credentials now, let's jump in and grab the user flag!!!
As soon as we log in with the password cracked earlier, we check what we are allowed to run with sudo (sudo -l) and get the following output.
We first cat /opt/scripts/access_backup.sh and get the following output.
As we can see, the script can be run as root through sudo, and it calls gzip by bare name rather than by absolute path. That means the gzip that actually runs is whichever one is found first in PATH. So if we put our own gzip at the front of PATH and run the script as root, whatever we put in that file runs as root too, and a reverse shell launched from it is automatically a root shell. So we move to /tmp and create a file named gzip.
We also get a netcat listener ready on port 8888 (I keep using the same port as before).
Here we use a bash reverse shell from pentestmonkey as the contents of gzip, make it executable, and then run the sudo-allowed script with /tmp prepended to PATH so that our gzip gets picked instead of the real one.
After this we get a connection on the netcat listener started earlier. Now that we are root, we search for the root flag.
And PREVISE IS HACKED!!! We have root, and with it full access to the box, its database and all its accounts.
If you liked this article then don't forget to show it some support.
You can also connect with me on LinkedIn.
Any suggestions/corrections are welcome :D
Thanks for reading ❤