CTF Machine Walkthrough Series #3: Previse from HackTheBox.
Hello Hackers, I hope you are doing well. Today we are going to solve the “Previse” CTF machine from HackTheBox, which is rated easy and teaches several different techniques.
As usual, scan the target with nmap using the command below.
nmap -sS -sC -sV -p- 10.10.11.104
The scan found two open ports, HTTP (80) and SSH (22). Copy the IP address and paste it into the browser.
You can now see the login page. Nothing interesting is in the page source, so let's enumerate directories using “FFUF”:
ffuf -w /Common-PHP-Filenames.txt -u http://10.10.11.104/FUZZ
We found 10 .php files, returning 302 and 200 status codes, so let's check them one by one in the browser.
Nothing was found in most of the .php files, but in /nav.php we found some interesting directories; these redirect to /login.php.
After some research I found that you can intercept the request in Burp Suite and change the response status code from 302 to 200. I use the same method in bug bounty when testing login pages.
Open Burp Suite and intercept the request. With the request intercepted, right-click > “Do intercept” > “Response to this request”.
Now change the status code from 302 Found to 200 OK. You can see the create-account page in the browser. You can do the same for all the other files, so let's check them one by one.
I intercepted the /files directory, because a files directory is where you always find something important.
When you forward the response after changing the status code, you will find the “SITEBACKUP.zip” file in your browser. Download and unzip the file.
When you extract the archive you can see all the configuration files. Check each file and gather the useful information.
After checking each .php file, we got useful information from the “config.php” file.
In config.php we got the credentials of the MySQL database, as you can see in the image below.
Let's go to Management Menu > Log Data. On the log data page you can see the file submit button below the delimiter option.
Click the submit button and the log file is downloaded with the name “out.log”.
You can see the user logs. Now, looking at the HTTP history in Burp Suite, you can see the “delimiter” request; this POST request is sent when you click the submit button.
Send this request from HTTP history to Repeater and add the reverse shell command in the delim parameter. Before sending the request, start a netcat listener in the terminal.
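As an added example (not code from the Previse box or this walkthrough), here is how the two server-side defects abused above, a redirect that does not stop execution and a delim parameter that reaches the shell unfiltered, look in a PHP handler beside their fixed forms. The helper script path /opt/scripts/log_process.py and the session key are assumptions.

```php
<?php
// Added example, not the Previse application's code. The helper path
// /opt/scripts/log_process.py and the 'user' session key are assumed.
session_start();

// Defect 1 (the 302 -> 200 trick): a redirect header that is not followed
// by exit still renders the protected page body, so rewriting the status
// code in Burp exposes it. The fix is to stop processing after redirecting.
if (!isset($_SESSION['user'])) {
    header('Location: /login.php', true, 302);
    exit;
}

// Defect 2 (the delim parameter): concatenating user input into a shell
// string lets shell metacharacters add a second command (command injection).
function exportLogVulnerable(string $delim): string
{
    return (string) shell_exec('/usr/bin/python3 /opt/scripts/log_process.py ' . $delim);
}

// Fix: allow-list the delimiter by name and exec the helper without a
// shell (array form of proc_open, PHP >= 7.4), so the value is only data.
const ALLOWED_DELIMS = ['comma' => ',', 'space' => ' ', 'tab' => "\t"];

function exportLogHardened(string $delimName): ?string
{
    if (!array_key_exists($delimName, ALLOWED_DELIMS)) {
        return null; // reject, do not try to escape
    }
    $cmd  = ['/usr/bin/python3', '/opt/scripts/log_process.py', ALLOWED_DELIMS[$delimName]];
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Untrusted input only ever selects an allow-list key, never a command.
$log = exportLogHardened($_POST['delim'] ?? 'comma');
if ($log === null) {
    http_response_code(400);
    exit('invalid delimiter');
}
header('Content-Type: text/plain');
header('Content-Disposition: attachment; filename="out.log"');
echo $log;
```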
We got the reverse shell, as you can see above. We don't have any user permissions to access the files, but since we already have the credentials for the “MySQL” database, let's log in to MySQL using the command below.
Use the commands above to get the users' password hashes. Copy the password hash of “m4lwhere” into a file and brute-force it using Hashcat or John the Ripper.
We successfully brute-forced the password hash of the “m4lwhere” user.
We know the SSH port is open, so using these credentials we can easily log in over SSH and get our first flag.
Using the “sudo -l” command, let's find out whether we can run any commands as root. We can see that /access_backup.sh can be run as root. You can also see the contents of the shell script: it executes the “gzip” command.
Now we will create a script called “reverse” that executes a “/bin/bash” shell, then make it executable using “chmod”. With this method you can easily elevate your privileges to root.