Hack The Box:Previse(Linux)

 

Looking at the nmap scan, we can start by checking out the webpage available to us.

On this webpage we can try some basic things like trying default credentials but nothing works and we don’t have any credentials. We just have M4LWHERE written at the end which also doesn’t help us logging in.

Directory busting shows some pages and when we visit them we get redirected to login.php.

There is one directory of this webpage which is interesting.

But it also does nothing, we can click on different links here and they all lead to login.php. So we can intercept using Burpsuite.

We are supposed to login to go to the other directories but since we don’t have credentials ,we can only create account but that too using burpsuite since we can’t access that page.

Here we just intercept the request for login.php and then we can replace login.php with accounts.php and also add the confirm part and then the account get created which we can use to login now.

After we login we can find a zipped file sitebackup which we can download and check if we can find something interesting there.

When we download this zipped file ,there are a lot of files present inside it and one of them (config.php) has mysql credentials which we can keep in our back pocket.

Other than this file ,there is one which might help us moving forward. In the logs.php file we can see the comment which makes delim our focus and we can see here they are simply posting delim command.

We can try using nc command for delim to get a reverse shell on our system, but we need to make sure we have a netcat listener on our system.

We again used the intercepted request for login.php and replaced it with logs.php and gave delim a value. Once we send this we get a reverse shell.

Now that we got the reverse shell we should try figuring out a way for privilege escalation. We still have the credentials for mysql which we can use to get some information from the database.

We find the database for previse so we try to get data from there and see what tables are present and if any table might be useful to get the credentials.

We got the hash for m4lwhere user we can use john to crack this password.

Now we can use the password and the username to login. So we can simply use switch user command.

Now we can easily get the user flag but we need to work on privilege escalation. We can look for sudo privileges.

We have the access_backup.sh which is using gzip so we can use this for prvilege escaltion.

We can use netcat connection for reverse shell and then run it with sudo. We make sure that the netcat listener is on.

We get the shell and we can easily get the root shell.

Happy coding!!!!

Comments

Post a Comment

Popular posts from this blog

HackTheBox:Blunder(Linux)

Image
  Lets hit this off with nmap scan. nmap scan We see that port 80 is open and certainly that’s where we will start but the site doesn’t have much for us. port 80 So we need to explore this a bit and do the directory busting for this target. directory busting We found the admin page , now again we hit a dead end since we don’t have credentials. login page So we do directory busting again. directory busting The other directories are not so interesting but this todo.txt is promising. todo.txt First thing, its written that they need to update the CMS which means that this version is definitely vulnerable and the other thing is that this fergus user needs to do something about uploading images. So we have a username but no password. For password we can brute force our way in but for that we can’t have a random list so we can use  cewl  tool to generate the wordlist. custom wordlist using cewl Now since we know its Bludit ,we should find some  exploit  which can help ...
Read more

HackTheBox:Tabby(Linux)

Image
  This was an amazing box with lots to learn. So lets start this with nmap scan with this machine. nmap scan Now with this we have a website in which we are not able to access news.php. So lets add megahosting.htb to /etc/hosts . After this when we try to access news.php we are able to do it. website Now the interesting part is the url ,it has file parameter. We can check if this has LFI vulnerability. lfi check This certainly has lfi so we need to see what kind of file might have something important for us. Upon researching about tomcat we get to know that tomcat stores users information in /usr/share/tomcat9/etc/tomcat-users.xml tomcat-users.xml So now we have a username and password and the roles of this user are admin-gui and manager-script. admin-gui is accessible to us but it has nothing to take us forward. So we need to work on manager-script which isn’t accessible directly ,we do directory busting of this directory. directory busting We get manager/text and we search about ...
Read more

Legacy:Hack The Box(Windows)

Image
  The nmap scan for this target shows the open ports and if we perform an aggressive scan we get to know that the target is vulnerable to MS17–010 and MS08–067. nmap scans We have a github  exploit  available for MS08–067. In this exploit we just need to change the payload . So we need to first generate the payload using msfvenom. payload generation We just need to copy and paste the payload in the POC. updating the POC Now we need to open the netcat listener on our machine and run the exploit. netcat connection We got a connection on our machine. And we can easily get the user flag and root flag. Flags Happy Hacking!!!!
Read more