Previse is a Easy box from HTB and created by m4lwhere. This box features a website where you can bypass the login and access pages directly. You can then send a POST request to register an account. On the dashboard you download a backup file which shows an unsanitized parameter you then use to get onto the box. Once on the box you escalate to root with MySQL credentials and a PATH injection.

I start every CTF style box with a few nmap scans. The first is scan with the -v (verbose) so I can see open ports as they come.

Well the scan is ongoing I see Ports 22/80 open. Navigating over to Port 80 I see Previse File Hosting with a login. I kick a FeroxBuster and continue poking:

FeroxBuster comes back with a bunch of directories showing data:

Attempting to visit the site any page redirects me back to the login.php. I open Burp and try to access accounts.php. Rendering the page shows me I have access to the page. I intercept the request so I can begin my attack.

I switch my request to a POST and use the source to build my parameters. I click Send and see a success message:

Registering using Burp and a POST request on HTB Previse.

I login to the Dashboard and see a backup under the Files area. I review the files and notice the following:

Config.php – MySQL Database Credentials

File_Logs.php – Logs area pointing to a logs.php and that hitting the page in Burp Suite shows a parameter called delim=.

Logs.php – The Python being easier comment and the exec syntax

Nice we can execute code using the delim= syntax. I take the intercepted request in Burp and suite a python one-liner to get a shell –

Once on the box I upgrade my shell to a tty:

I then use the MySQL credentials found earlier to log into the database:

Once on I grab the tables and the username/password hashes:

I copy them to my attack VM and use john to crack the hashes:

After getting a hit in john I log into the box. I use sudo -l to see if the user can run anything as ‘root’:

Reviewing this script I can create a malicious bash script and then symlink my working directory into the PATH so when I execute the access backup it processes the malicious gzip file.

After getting root I grab both the flags: