Previse Hack The Box walkthrough











First, load the machine's IP in the browser.






ENUMERATION 


First, we run an Nmap scan.


STEP 1: nmap -sC -sV 10.10.11.104


The result is shown below.

In this Nmap scan, I found an interesting port: 22 (SSH).

Next, I tried directory brute forcing with gobuster.


STEP 2: gobuster -u http://10.10.11.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php


By enumerating the site I found a lot of entries, which are shown below.

Analyzing this report further, I found an interesting page: nav.php.

On this page, I found a Create Account option, which is used to create an account on this website. However, that page redirects to login.php.

So I used a trick to create an account, which I will explain.

First, I opened Burp Suite to capture the request.

After capturing the request, right-click it, choose the Do intercept option and click Response to this request (shown in the image below).

Then forward the request to receive the response.

Now you get the response in Burp Suite. Change the status code from 302 to 200 OK.

Use this trick to change 302 to 200 in the response and send the response to the browser.

Now you can see that we can create an account on the website.
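The status-code edit only works because the server has already put the account page in the body of the 302; the server-side fix is to stop executing the page script once the redirect has been sent. As an added example (not code from the original post), this Python check flags redirect responses that still carry page content; the sample responses, the `/protected.php` and `/logout.php` paths and the markup are constructed.

```python
# Constructed sample responses; paths other than login.php and all markup
# are illustrative, not taken from the site.
SAMPLES = {
    "/protected.php": (
        b"HTTP/1.1 302 Found\r\nLocation: login.php\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html><h2>Create account</h2><form method='post'>"
        b"<input name='username'><input name='password'></form></html>"
    ),
    "/logout.php": (
        b"HTTP/1.1 302 Found\r\nLocation: login.php\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "/login.php": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><form method='post'><input name='username'></form></html>"
    ),
}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def leaky_redirects(responses, stub_limit=256):
    """Return {path: reason} for 3xx responses that ship real page content.

    Servers often attach a short "moved" stub to a redirect, so a body is
    reported only if it holds form markup or exceeds stub_limit bytes.
    """
    findings = {}
    for path, raw in responses.items():
        status, headers, body = parse_response(raw)
        if not (300 <= status < 400 and "location" in headers):
            continue
        lowered = body.lower()
        if b"<form" in lowered or b"<input" in lowered:
            findings[path] = "redirect body contains form markup"
        elif len(body) > stub_limit:
            findings[path] = f"redirect body is {len(body)} bytes"
    return findings
```
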




Now create a username and password of your choice, for example username test123 and password test321.

Next, we log in to the website using the username and password.

Now we are successfully logged in to the site.






Next, click the Files menu. There is one interesting file: sitebackup.zip.


So download the file and extract it.



We got some interesting PHP files.




Analyzing these further, I found two interesting files: config.php and logs.php.

In config.php we get the username and password for the MySQL database.

The other file is logs.php. In this file I found a vulnerability: OS command injection.

In this PHP file, the developer has written this part in Python, as you can see in the image below.

In the file, there is a delimiter that is not sanitized properly, which allows us to perform OS command injection.
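Why an unsanitized delimiter becomes command injection, and the hardened form, as an added Python example that is not the code from logs.php: the script path and the allowed delimiter names are assumptions, and the tampered value in the test is a constructed, harmless marker.

```python
import shlex

# Assumptions (not from the page): the script path and the delimiter names.
SCRIPT = "/opt/app/log_process.py"
ALLOWED_DELIMS = {"comma", "space", "tab"}
SEPARATORS = {";", "&", "&&", "|", "||"}

def unsafe_command(delim):
    """Vulnerable pattern: the request value is pasted into a shell string."""
    return f"python3 {SCRIPT} {delim}"

def shell_commands(cmdline):
    """Approximate how a POSIX shell splits a line into separate commands.

    Only the separators in SEPARATORS are modelled; substitutions such as
    $(...) are a further reason never to hand request data to a shell.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]

def safe_argv(delim):
    """Hardened form: allow-list the value, then build an argv list.

    Run it with subprocess.run(safe_argv(value)) so no shell parses it.
    """
    if delim not in ALLOWED_DELIMS:
        raise ValueError(f"unexpected delimiter: {delim!r}")
    return ["python3", SCRIPT, delim]
```

In PHP the same two steps are an allow-list check on the posted value and `escapeshellarg()` around anything that still has to reach a shell.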




You can study OS command injection on this website.

So first go to the website and click the Management menu, where there is a File Log entry.

Open File Log and you can see the delimiter. Capture this request in Burp Suite.









Now we inject the payload, which you can download using the link below.

Before that, start netcat:


STEP 3: nc -lvp 7070





Then inject the downloaded payload into the delimiter, as shown in the image.

Now you get the shell in netcat.





Next, we search for the username and password in the MySQL database.

We found one interesting file in the site backup folder: config.php.

This file contains a username, a password and the database name.

STEP 4: mysql -u root -p -D previse

Now it will ask for the password, so enter the password mySQL_p@ssw0rd!:)

Now you are in the MySQL database.


STEP 5: show tables;


Now it shows the tables (shown in the image below).

STEP 6: select * from account;

Now it shows the accounts and passwords.

So the username is m4lwhere and the password is stored as a hash.

Next, we crack the password using hashcat (shown in the image below).

Use the wordlist rockyou.txt.


So the password is ilovecody112235!



Next, we log in over SSH, the port we found in the Nmap scan.

Now we get the user shell.



Booooooooooooooooooooom!!!!!



Now we get the user.txt which is the user flag.













Next, we go after the root flag using privilege escalation.



PRIVILEGE ESCALATION 



STEP 7: sudo -l


Now it will ask for the password, so enter the password ilovecody112235!

Now it will show the output (shown in the image below).

If you want to analyze it, you can cat the file.



STEP 8: cat 



Analyzing the file further, I found a vulnerability: path injection.

So now change into the tmp folder.

Transfer the payload; the payload must be named gzip.

You can download the payload using the link below.

Before that, set up the listener on your local machine:



STEP 9: nc -lvp 7071



Next, go to the machine and enter the commands below.

First, enter the downloaded payload as shown in the image below.





STEP 10: chmod 777 gzip



STEP 11: export PATH=/tmp:$PATH




Next, run the binary shown in the image below.

Check netcat and you have the shell.
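Steps 10 and 11 work because the script allowed through sudo calls gzip by name and the caller's PATH is honoured; calling the binary by absolute path in the script, or having sudo reset PATH (the sudoers `secure_path` option), closes the hole. As an added example (not from the original post), this Python audit lists the commands a script calls by bare name and shows which file a given PATH would pick; the sample script is constructed, because the page shows the real one only as an image.

```python
import os
import stat

# Constructed stand-in for the root-run script; not the file from the machine.
SAMPLE_SCRIPT = """#!/bin/bash
gzip -c /var/log/app/access.log > /var/backups/access.gz
/bin/date >> /var/backups/last_run
"""
SHELL_WORDS = {"if", "then", "else", "fi", "for", "do", "done", "while",
               "echo", "cd", "export", "exit"}

def bare_commands(script):
    """Commands called by name only, so $PATH decides which file runs.

    Looks at the first word of each line; pipelines are not parsed.
    """
    found = []
    for line in script.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        cmd = words[0]
        if "/" not in cmd and "=" not in cmd and cmd not in SHELL_WORDS:
            found.append(cmd)
    return found

def first_match(cmd, path):
    """Resolve cmd like the shell: first executable file in PATH order."""
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, cmd)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return candidate
    return None

def world_writable_dirs(path):
    """PATH entries any local user can write to, such as /tmp."""
    return [d for d in path.split(os.pathsep)
            if os.path.isdir(d) and os.stat(d).st_mode & stat.S_IWOTH]

def audit(script, path):
    """Map each bare command to (file PATH picks, picked from a risky dir)."""
    risky = set(world_writable_dirs(path))
    report = {}
    for cmd in bare_commands(script):
        hit = first_match(cmd, path)
        report[cmd] = (hit, hit is not None and os.path.dirname(hit) in risky)
    return report
```
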




Next, go up a directory using the cd .. command.



STEP 12: cd root



boooooooooooooooooooooooooom !!!!!!


We got the root flag, which is root.txt.

STEP 13: cat root.txt



Watch the video for the root flag of the Previse Hack The Box machine.




3 Comments

  1. After changing the request from 302 to 200 and then pressing the forward button, and after that putting in the credentials (username and password), what do we have to do?
    Do we have to turn the intercept off? I am unable to create a user while following your process. Help me!

  2. not getting the netcat shell
