HackTheBox — Previse Writeup
So this is my write-up on one of the HackTheBox machines called Previse. Let’s go!

Initial
As usual, first off we start with an Nmap scan.

Ports 22 and 80 are open, so this will be a classic web exploitation box.

Looking at the web page, we can see a login page. We can run sqlmap against the login page and gobuster in the background while enumerating the website further.

Looking at the source, there is nothing interesting except a potential username, “m4lwhere”. Perhaps we can also try to brute-force the login page.
sqlmap found nothing, so the login page is probably not vulnerable to SQL injection. Gobuster found some directories.

Most of these require a login first, so we have to get credentials somehow.
I tried visiting every page that doesn't redirect us to login.php. It turns out that nav.php is broken and isn't linked from the index.php page.

There are lots of other menu entries, but when I opened them one by one, I kept getting redirected. So I decided to intercept the response of each page. It turns out that the server renders the page and then redirects us straight back to the login page, so the content is already in the response before the redirect takes effect. Here's an example of the intercepted response from status.php.

There was something! We can even render the page in Burp Suite.
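The behaviour seen above (a 302 whose body already contains the protected page) is the classic result of sending a Location header without stopping the script. The following PHP is an added example, not code from the Previse source: it models a guarded page as a function that returns a response array, once with the flaw and once hardened, plus the check a reviewer would run over real responses. The session layout and page content are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Previse's own code). A guarded page is modelled as a
// function returning [status, headers, body] so the difference between
// "redirect and keep running" and "redirect and exit" is visible from the CLI.

const PROTECTED_HTML = '<h1>Status</h1><p>internal content</p>'; // constructed

/**
 * Simulates a page that guards itself with a redirect to login.php.
 * $stopAfterRedirect = false reproduces the flaw; true is the hardened form.
 */
function serve_protected_page(array $session, bool $stopAfterRedirect): array
{
    $status  = 200;
    $headers = [];
    $body    = '';

    if (empty($session['user'])) {
        // Equivalent of header('Location: login.php', true, 302) in a real page.
        $status  = 302;
        $headers['Location'] = 'login.php';
        if ($stopAfterRedirect) {
            // Equivalent of exit; nothing below this point is ever emitted.
            return ['status' => $status, 'headers' => $headers, 'body' => $body];
        }
        // Flawed version: execution falls through and still renders the page.
    }

    $body .= PROTECTED_HTML;
    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

/** Review check: a 3xx redirect must not carry a body. */
function redirect_leaks_body(array $response): bool
{
    return $response['status'] >= 300 && $response['status'] < 400
        && trim($response['body']) !== '';
}

$anonymous = [];                                   // no logged-in user
$flawed = serve_protected_page($anonymous, false);
$fixed  = serve_protected_page($anonymous, true);

printf("flawed: status %d, leaks body: %s\n",
    $flawed['status'], redirect_leaks_body($flawed) ? 'yes' : 'no');
printf("fixed:  status %d, leaks body: %s\n",
    $fixed['status'], redirect_leaks_body($fixed) ? 'yes' : 'no');
```

In a real page the fix is simply `header('Location: login.php'); exit;` before any output; the `redirect_leaks_body()` check is what you would apply to captured responses when auditing a site for this pattern.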

But even with this insight, we still don't have much room to work with. So let's try to create an account. I looked at the response of the accounts.php page, and it contains the registration form we need!


We just need to send what the form expects.

Let's try to log in. Nope, that doesn't work, so we have to find another way. Let's intercept the response to accounts.php and change the 302 to 200 OK so we don't get redirected.


Wow, it actually works! Let's register from this rendered page rather than sending the request by hand. I was curious why my previous method didn't work, so I intercepted the registration request.

Turns out the “submit” value needs to be empty.

Now we can log in. Let's try the previous method again.

Nope, we still can't log in with the previous method; perhaps there's some extra validation there.
Now that we are in, we can navigate around the website. There's a file storage feature where we can download and upload files. There's a file called “sitebackup.zip”, so let's look at it.


Time to enumerate some more! We can download the site's logs from file_logs.php, and there's also a user named “newguy”.


So there really is a user named “m4lwhere”, and a “hackerman” user as well. The database credentials are in the config.php file.

The first thing I did was try to SSH in as each of the four users we found (root, m4lwhere, newguy, and hackerman) using the MySQL password. None of them worked; it wasn't that easy.
Foothold
After reading most of the website source code, I found something interesting in logs.php, which is called when we request a log from file_logs.php. We can see that logs.php uses the exec() function to do its work.

exec() is a dangerous function: it gives code execution if user input reaches it without proper handling. Notice that exec() directly receives the delimiter the user selects for the log. We can try to inject a reverse shell command through the $_POST['delim'] parameter.
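For contrast with what logs.php does, here is how the same feature looks when the delimiter never reaches the shell as raw user input. This is an added example, not the code from logs.php: the user selects a delimiter name from a fixed menu, the server maps that name to the literal character, and only server-chosen values are passed to exec(), quoted with escapeshellarg() as a second layer. The script path, argument order and the delimiter menu are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Previse's logs.php). Safe shape for a "pick a delimiter"
// feature that shells out: allowlist first, quote second, reject before exec().

const LOG_SCRIPT = '/opt/scripts/log_process.py'; // assumed path
const DELIMITERS = [                               // assumed menu
    'comma' => ',',
    'space' => ' ',
    'tab'   => "\t",
];

/** Returns the literal delimiter for an allowlisted name, or null for anything else. */
function resolve_delimiter(string $name): ?string
{
    return DELIMITERS[$name] ?? null;
}

/**
 * Builds the command line, or returns null when the input is not on the allowlist.
 * Only the server-produced literal is interpolated, and it is still quoted.
 */
function build_log_command(string $delimName): ?string
{
    $delim = resolve_delimiter($delimName);
    if ($delim === null) {
        return null;
    }
    return 'python ' . escapeshellarg(LOG_SCRIPT) . ' ' . escapeshellarg($delim);
}

/** Request-handler shape: validation happens before exec(), never after. */
function handle_log_request(array $post): string
{
    $cmd = build_log_command((string) ($post['delim'] ?? ''));
    if ($cmd === null) {
        http_response_code(400);
        return 'invalid delimiter';
    }
    exec($cmd, $output, $rc);
    return $rc === 0 ? implode("\n", $output) : 'log export failed';
}

// CLI demonstration with constructed inputs; nothing is executed here,
// the command line is only built or rejected.
foreach (['comma', 'tab', 'pipe', "comma\n"] as $input) {
    $cmd = build_log_command($input);
    printf("%-10s => %s\n", json_encode($input), $cmd ?? 'rejected');
}
```

The important property is that the string interpolated into the command is chosen by `DELIMITERS`, not by the client, so the value of `$_POST['delim']` can only select an entry or be rejected with a 400.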

And yes, it works.

Stabilize the shell and let's move on.
Getting User
Looking at the home directory, there's only one user, m4lwhere.

We know that m4lwhere is registered on the site, and we already have the database credentials. The user might be reusing the same password on the box, so let's look at the database.

It's an md5crypt hash, which we can crack with hashcat. It took quite some time, but I managed to crack it.

Let’s grab our user flag.
Getting Root
Running sudo -l, we can see right away that the user m4lwhere can run /opt/scripts/access_backup.sh as root.

Looking at the script, I can immediately spot the flaw.

Notice that the script calls gzip by its bare name rather than by an absolute path, so the shell resolves it through $PATH. This makes the script vulnerable to $PATH manipulation, which we can use to get a root shell.

I made a fake binary in /tmp with the same name as the binary called in the script (gzip) and prepended /tmp to $PATH. Since $PATH is searched from left to right, the script runs the gzip from /tmp, which runs chmod +s /bin/bash. Now we just execute the script.
The bash binary is now SUID, so we can get a root shell and grab the root flag.

ROOTED!
Thoughts
This machine is not that hard (well, it's rated easy). The foothold part is very interesting: it teaches us to check everything, even the response to a web request that just redirects us.
Overall, it was a good box. Kudos to the creator! Thank you for reading this write-up. Stay safe, everyone.