🔎🦶Enumeration/Foothold

Previse is an Easy box from HTB created by m4lwhere. This box features a website where you can bypass the login and access pages directly. You can then send a POST request to register an account. On the dashboard you download a backup file, which reveals an unsanitized parameter that you then use to get onto the box. Once on the box you escalate to root with MySQL credentials and a PATH injection.

I start every CTF style box with a few nmap scans. The first is a scan with -v (verbose) so I can see open ports as they are found.


While the scan is ongoing I see ports 22/80 open. Navigating over to port 80 I see Previse File Hosting with a login. I kick off a FeroxBuster scan and continue poking:


FeroxBuster comes back with a bunch of directories showing data:

Attempting to visit any page on the site redirects me back to login.php. I open Burp and try to access accounts.php. Rendering the page shows me I have access to it. I intercept the request so I can begin my attack.

I switch my request to a POST and use the source to build my parameters. I click Send and see a success message:

Registering using Burp and a POST request on HTB Previse.


I log in to the Dashboard and see a backup under the Files area. I review the files and notice the following:

Config.php – MySQL database credentials

File_Logs.php – The Logs area points to logs.php; hitting that page in Burp Suite shows a parameter called delim=.

Logs.php – A comment saying Python is easier, and the exec syntax that uses the delim parameter.

Nice, we can execute code through the delim= parameter. I take the intercepted request in Burp Suite and use a Python one-liner to get a shell:


🔝Escalation to Root

Once on the box I upgrade my shell to a tty:


I then use the MySQL credentials found earlier to log into the database:


Once in, I grab the tables and the username/password hashes:


I copy them to my attack VM and use john to crack the hashes:

After getting a hit in john I log in to the box. I use sudo -l to see if the user can run anything as ‘root’:


Reviewing this script, I can create a malicious bash script and then put my working directory into the PATH, so when I execute the access backup it runs the malicious gzip instead of the real one.
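As an added example that is not part of the original write-up or the box itself, this is the check a defender would run against a script that root executes through sudo: a small POSIX shell audit that flags scripts which call tools by bare name without pinning PATH (the condition the PATH injection above relies on), plus a function that writes a hardened copy. The sample script contents and paths are constructed, and the tool list and the /bin/gzip location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Previse box or the write-up. Audits a
# shell script that root runs via sudo for the condition a PATH injection
# needs: a tool invoked by bare name while PATH is left to the caller.

# 0 if the script pins PATH itself (e.g. "PATH=/usr/bin:/bin"), 1 otherwise.
pins_path() {
  grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"
}

# 0 if any of these tools is invoked by bare name (no leading "/"), 1 otherwise.
# The tool list is an illustrative assumption; extend it for your scripts.
calls_bare_tool() {
  grep -Eq '(^|[^/[:alnum:]_])(gzip|tar|cp|mv|rm)([[:space:]]|$)' "$1"
}

# Verdict: 0 = not hijackable via PATH, 1 = risky.
audit_script() {
  pins_path "$1" && return 0
  calls_bare_tool "$1" && return 1
  return 0
}

# Write a hardened copy of $1 to $2: pin PATH and call gzip by absolute path
# (/bin/gzip is assumed; adjust to the real location on the host).
harden_script() {
  {
    printf 'PATH=/usr/bin:/bin\nexport PATH\n'
    sed -E 's#(^|[^/[:alnum:]_])gzip([[:space:]]|$)#\1/bin/gzip\2#g' "$1"
  } > "$2"
}

# Constructed sample: a backup script of the shape described in the write-up.
demo() {
  dir=$(mktemp -d)
  printf '#!/bin/bash\ngzip -c /var/www/logs/access.log > /var/backups/access.gz\n' > "$dir/weak.sh"
  if audit_script "$dir/weak.sh"; then echo "weak.sh: ok"; else echo "weak.sh: RISKY"; fi
  harden_script "$dir/weak.sh" "$dir/hard.sh"
  if audit_script "$dir/hard.sh"; then echo "hard.sh: ok"; else echo "hard.sh: RISKY"; fi
  rm -rf "$dir"
}

demo
```

The audit is deliberately conservative: a script that pins PATH is accepted even if it still uses bare names, because the caller can no longer influence which binary is found.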

🎯 Victim Machine


After getting root I grab both the flags:


Rooted

Published On: January 8th, 2022 / Categories: HTB, Technology

One Comment

  1. Christopher Soehnlein 17th August 2021 at 12:29 pm

    Changed up a lot of workflow/process recently so posts may seem not as detailed. This will change in the next couple of weeks.
